It was early in her career that Jennifer Ellerton learned the importance of bringing information security into the discussion early on.

Working as a software engineer with software giant Oracle in the 1990s, she was involved with projects including the development of an enterprise platform for the Western Australian Department of Education and the WA’s Department of Transport’s Online Register of Encumbered Vehicles (REVs) – “one of the first cloud solutions rolled out in WA,” she recalls.

Those and other projects reinforced information-management concepts she had learned while completing her Bachelor of Computer Science Honours just a few years earlier.

“A team of us analysed the business situation, then designed, engineered, and deployed a whole enterprise software platform from scratch,” she says of her work in building centralised databases and software designed for high availability and sensitivity.

“It was years later that people started calling this ‘digital transformation’. I came from a background where we took risk and security very seriously from the beginning.”

Security into business

That security nous was reinforced over time, with Ellerton programming bespoke applications and Oracle integrations using ETL, API, Java, PL/SQL, C and C++.

Yet despite her evolving awareness of data integrity and security issues, it was the business aspects of her degree work that helped focus her interests in applications and information security.

“I realised that I loved two things,” she recalls. “One was the software related to business, aka business-aligned software, and second was the interaction with people.”

“Learning Oracle was a wonderful grounding for me because it meant I could reach out to the international market.”

That opportunity came when Oracle’s US headquarters recruited worldwide for developers to work on its ERP suite within its R&D department.

Ellerton was one of two people chosen from the Australian team, and thus began an international career that included stints developing Oracle for oil and gas producers; managing a multi-lingual technology team delivering data solutions for SwissLife in Zurich; and managing teams from geographically-diverse locations to deliver major client-facing ICT projects as a director of Morgan Stanley in New York City.

In 2013, Ellerton returned to Australia after nearly ten years abroad. She set out to apply that international experience to help Australian organisations strengthen their information security policies, tools and procedures.

She took charge of managing sensitive health data and formalising partnerships to set up CAP-compliant labs for a medical research start-up which has since been acquired.

In her current role as an independent contractor – via consultancy Managed Information and Cybersecurity (MIC) – she is working closely with a WA engineering firm protecting their information.

She reflects on 20 years of real-world project implementations and notes that the importance of information security has only grown over time.

“We’ve been working in digital transformation and modernising infrastructure,” she says. “But it’s critical to make sure that strong information security tools and procedures are in place.”

Improving cybersecurity awareness

There’s increasing awareness around the importance of information security, Ellerton says, noting that executives have come to the table thanks to a growing climate of data governance and compliance requirements.

“The emphasis has shifted,” she explains, “because there have been breaches, and the government has put legislation in place – plus, the media is actively reporting on these topics.”

“Now you have some executives who didn’t take much notice of their data in the past taking notice. It’s a conversation that’s already started, and it makes my job easier when I talk with executives.”

Yet simply starting that conversation is only part of the cybersecurity engagement: it has to be both deep and enduring.

This includes a high-level commitment to addressing cybersecurity from an executive perspective – which includes clear reporting structures – and a CISO who reports directly to the CEO.

Leveraging this structure allows the creation of agile feedback loops in which risks can be identified, projects structured and executed, and feedback secured from all levels of the business within a short period.

“One of the things I learned very early on was that when we are developing something, you can’t just do that in isolation, we need stakeholders involved, ideally at several levels in the organisation,” Ellerton explains.

“This feedback loop is both useful and satisfying: seeing what you’ve implemented being used by other people is one of the things I get a real buzz out of.”

Ensuring effective security throughout this process requires careful attention to key cybersecurity elements such as management of privileged accounts and other internal controls.

“The defence in depth approach is important, but there is also the insider threat,” she says. “That’s what I focus on – looking at the data within the organisation and implementing a need-to-know basis for data access.”

“And that means involving the whole organisation, looking at the roles within that organisation, and determining exactly which people should have access to which areas. This process has been similar in all of my projects.”

Insider threats are a recurring and often underappreciated issue in even the most progressive organisation: the Verizon Data Breach Investigations Report (DBIR) 2018, for one, noted that up 28% of breaches were due to internal actors – although this surged to 56% of breaches in healthcare environments.

The risks of transformation

Managing data – and access to that data from both outside and inside the organisation – is therefore critical for any cybersecurity culture.

And while she has learned enough over the years to know what goes into a successful cybersecurity infrastructure, Ellerton also knows what can go wrong.

With many companies only recently taking cybersecurity seriously, she says, compromises such as the recent PageUp data breach highlighted the inadvertent risks that employees face – often despite the best intentions of their employers.

“What’s worrying about [PageUp],” she says, “is that it shines a light on how easily our personal data can be exposed. It could happen to any of us.”

Digital transformation-minded executives needed to heed these risks and imbue their drive for change with a constant reminder of the humanity of what they are looking after, she said.

“It’s really important that we understand that when there is a data breach, it’s actually someone’s personal data.”

“Executives need to remember these breaches carry serious risks to the organisation,” she continues, and that “ordinary people and the media are increasingly aware of the danger of potential for their data to be lost.

“Executives need to pay attention because culture comes from the top – and they need to ensure that the person looking after digital transformation is taking security very seriously.”

Over time, this culture – supported by privileged access controls – will drive enduring transformation at the employee level, Ellerton says.

“Your people need to be not only aware of security risks, but need to have DNA inside them that says, ‘I’ve got to be really careful about every click that I enter into the system’,” she explains.

“Information security is something that everyone needs to be involved with – and it’s all got to start somewhere.”

Jennifer Ellerton is an ACS Certified Professional (Cyber Security). Jennifer will be presenting at the 2018 WA IT Leadership Summit in Perth on 21-22 August.

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.