It’s not the first place you’d expect to find an Australian business technology consultant, but when Jo Stewart-Rattray stepped into the United Nations General Assembly in New York City in March, she felt like a life’s ambition had been achieved.

“It was a life-changing experience and I don’t say that lightly,” Stewart-Rattray recalls of the trip that saw her join a contingent of high-level Australian representatives participating in the 62nd Session of the UN Commission on the Status of Women in March.

“When I stepped through the diplomatic entrance at the UN, walked down the corridor of flags, and set foot in the UN general assembly – the tears flowed.”

“For someone who had wanted to make a difference at the UN since I was 7 years old, it was the most incredible experience.”

Stewart-Rattray spent two weeks as one of two civilian representatives within the official delegation from Australia – which included Minister for Women Kelly O’Dwyer, Australian Ambassador for Women and Girls Dr Sharman Stone, Sex Discrimination Commissioner Kate Jenkins, and others.

Their goal: to help resolve an impasse from previous sessions, which ended without a consensus, and nut out a detailed action plan covering ways to use access to technology to empower rural girls and women in both developed and developing countries.

A fortnight of sharing, learning, and energy bar-powered all-night sessions finally helped the delegates – who hailed from 193 member states in total – reach a consensus and outline a way forward.

And when the gavel came down on that session, Stewart-Rattray says, there were cheers and tears galore.

“The room went ballistic,” she recalls. “There were people crying and laughing, and it was such a feeling of achievement. I was hugging an African woman and I still have no idea what her name was.”

“I came back to Australia thinking that my dream had been achieved because I had helped make a difference, to help empower rural women and girls globally.”

Cyber security awareness for the board

New York City is a long way from Stewart-Rattray’s usual work in Adelaide, where she works as Director of Information Security & IT Assurance with commercial advisory firm BRM Holdich.

With a string of industry certifications under her belt, Stewart-Rattray has a national scope that sees her working with board members and C-level executives to help them navigate the complexities of cyber security and, increasingly in recent times, technology governance.

That governance focus has been driven by increasingly onerous requirements of legislation such as Australia’s new notifiable data breaches (NDB) scheme and the European Union’s general data protection regulation (GDPR), which have become the poster children for an evolving privacy climate built around consumer-driven data protections.

“There is a lot of focus on cyber but still not necessarily a good understanding of what it incorporates,” Stewart-Rattray explains. “We are protecting our perimeters, but what we really have to concentrate on is protecting our data.”

Protection is only one part of the challenge, however: visibility and control are just as important.

This is a point that every company will encounter when they receive their first request for a dump of the data the company holds on them, or a Right To Be Forgotten request that requires the company to delete all data on a person.

“It’s not a dark art, and some of the most simple cyber hygiene rules can be put in place to help an organisation on its way,” she says.

“The first thing is for organisations to understand what data they’re collecting and why.”

“Ask whether it’s going to be used for the purpose for which it’s collected. If not, it’s no longer acceptable behaviour to hold it.”

A long road to the UN

If educating executives about security is Stewart-Rattray’s job, engaging with her adopted industry is her passion.

One of the industry’s most easily recognisable personalities, she is a regular speaker on the conference circuit and long-time executive member of IT governance association ISACA.

Having served in numerous ISACA roles since 2004 and been appointed international director of ISACA in 2015, Stewart-Rattray now acts as global leader for the organisation’s SheLeadsTech program, which aims to increase the representation of women in the tech workforce and tech leadership roles.

She has also served as Chair of the Australian Computer Society’s South Australian branch executive committee; served as general manager of group information technology for the Experience Australia Group; chaired ISACA’s Professional Influence & Advocacy Committee; and held myriad other governance-related roles since she began her career working in infrastructure services.

Yet despite her enthusiasm, when pressed as to why she got into the IT-governance space Stewart-Rattray says it was an acquired taste.

“I can’t say that I suddenly woke up one day and decided I was going to be an information or cyber security governance specialist,” she explains.

“It evolves over time and you begin to realise what floats your boat – but it’s not always something that floats everyone’s boat.”

The importance of governance and information security became increasingly clear many years ago, when she was working in infrastructure services and co-ordinating information security with teams of engineers charged with maintaining the integrity of an electricity grid.

“That was a really interesting period for me,” she recalls. “I was responsible for both operational IT - the SCADA and operational control systems, as well as business IT. I learnt so much; it was just extraordinary.”

Big, hairy, audacious goals

For someone who is so engaged with teaching industry leaders, Stewart-Rattray’s calendar is also loaded with learning opportunities.

Her professional life has been marked by continuous learning, to which her five information-security credentials – CISM (Certified Information Security Manager), CGEIT (Certified in the Governance of Enterprise IT), CISA (Certified Information Systems Auditor), CRISC (Certified in Risk and Information Systems Control), and CP (IP3P/ACS Certified Professional Cyber Security) – attest.

Yet while her credentials speak volumes about her ability to drive change throughout her client organisations, it is her work with causes such as SheLeadsTech that continue to represent a key focus for her energies.

Addressing the chronic underrepresentation of women in tech positions – particularly leadership positions – remains “a big, hairy, audacious goal” but Stewart-Rattray is up for the challenge.

Raised in country Victoria, she is particularly attuned to helping develop career paths and technological engagement for girls and women in rural areas – hence the excitement over the global focus of the UN mission.

“We’re looking to help women prepare to lead,” she says. “But there’s an age group where we lose women, generally around those child-rearing years.”

“We need industry bodies, like ACS and ISACA, to look at opportunities for members to allow them to continue to help their professional development in their own time – to make sure that women are encouraged to come back into the workforce.”

Jo Stewart-Rattray is an ACS Certified Professional (Cyber Security).

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.