Jamie Norton’s journey to CISO started with an early interest in computers

Jamie Norton’s parents gave him a computer as a child that he played and tinkered with while growing up. When he went to university, he studied IT and accounting “just as a bit of a side note, really.” This was right around when the internet was emerging, and he started to play with Unix and other operating systems with software development as his background.

When he left university, he didn’t know what he was going to pursue in tech, but the Dotcom boom presented a range of technology opportunities, and his first role was in intelligence for Defence. “And that was where I started to get the mind thinking more in security terms,” he tells CSO of those early days working for the department. “But the concepts of risk and the concepts of protecting networks and some of the fundamentals were there.” That was when Norton first realized that cybersecurity could be a career opportunity.

Around 2000, Norton “formally dropped into” cybersecurity.

“I started out post defence, was on the vendor side and some startups. Went through a period of really strong digital trust systems, authentication, identity and then moved into more mainstream and early cyber leadership roles.” Norton also had several sales roles midcareer, before working his way back to cyber leadership roles with a “return back to consulting more recently.”

His cybersecurity career has included stints with the World Health Organization, NEC Australia, and the Australian Taxation Office. Today he is vice chair of the board of directors at ISACA and the CISO at the Australian Securities and Investments Commission (ASIC).

CSO spoke to Jamie Norton about cybersecurity challenges in finance and government and about retaining talent. Following is that conversation, edited for length and clarity.

What are some of the key challenges that cybersecurity leaders face today?

Norton: Obviously, it’s a very complex space, but at the same time there are foundational things that shift the needle a long way. Part of the challenge for CISOs is how to get that foundational hygiene into organizations. Legacy environments, that’s probably the biggest challenge, particularly in government: trying to secure systems that are old and out of date, no longer being updated, and that require significant investment to shift the security posture.

But sitting on top of that is the concept of broad hygiene across the environment, and just doing the basics can be really challenging. There’s a process element to that, there’s obviously a technology element, but then there’s a human element to that as well. So, it’s trying to get all of those bases aligned.

Right now, AI and a whole range of things are emerging that are going to be huge, and we don’t really know what 10 years in from now is going to look like, maybe even five years. Things are changing so rapidly and as technology and security people we want to be innovative and move quickly and be at the forefront of this because otherwise there’s a risk you get left behind. But we must do it in a safe manner so we’re not accidentally exposing sensitive information. That’s a challenge as well.

In your experience as a cybersecurity leader, what does cybersecurity usually mean to organizations?

Norton: It varies. It certainly has changed over time and between organizations. It does depend on size and scale but also a lot depends on the board and the executive security mindset as well. In mid to large government agencies, there’s a real focus on cybersecurity at the executive level. And there’s strong policy and frameworks as well, such as the PSPF [Protective Security Policy Framework] and other frameworks and requirements.

In the corporate space it varies considerably. We’ve seen even some large organizations where it has been a bit of a struggle getting the executives and board functions to accept accountability for security risk. They’re just taking a little bit longer than perhaps others that have been championing security for some time. I think with what’s happening in the market, the broader regulation, the general level of communication around security that’s happening in the media and otherwise, and the incidents is the other thing, the cost of those incidents, like the Optus and Medibank ones and Qantas most recently. I think that’s turning that tide with increasing focus on effective cyber governance. I think there’s more and more support emerging at the highest levels of organizations — the executive leadership team and directors — which will enable us to shift the needle even further.

How do you keep your team inspired to prevent cybersecurity professionals from leaving?

Norton: In government, we often don’t have quite the same level of compensation as in the corporate space, so we try to create a positive culture and environment that people love to work in. My personal goal is to provide mentorship and advice to the team while also being very transparent about what career options look like and what the industry is like in different areas. I am my team’s strongest advocate in terms of helping them find their path and achieve career ambitions, whether this is within government or not.

Try to cut red tape. It’s difficult sometimes but try to minimise the impacts of those sorts of things. Training is probably a key lever to give people that advantage and being able to educate and learn further in their careers as well as exposure to some exciting technology.

The mission element in government is also critical. We often attract individuals that are very mission-focused and pursue success that’s bigger than themselves. They’re trying to achieve something for the country or for a certain area of the economy. That’s a key outcome we offer.

But equally there’s an element, particularly in the graduate and early career stage that we know we’re often an incubator for the next step in their career. And I think being comfortable with that concept is not a bad thing. Yes, they might come in, we’ll get some great innovation from them for the first three to five years of their careers, they’ll get some training and support from us and then they may go into the private sector for a bit, but they may come back to government later. I think it’s a bit of a push pull across the economy.

Where do you see the role of the cybersecurity leader going?

Norton: Innovations like AI are going to fundamentally impact the role and our day-to-day activities. There’ll be some aspects that won’t change, but there’ll be a lot of aspects that are going to morph and change over the next little while. As an industry, we’re still evolving away from being seen as a purely tech-related function and sitting more naturally alongside the risk function. It’s not happening in every organization, but it’s already happening across financial services. I’m hopeful that we’ll start to see that trend in government, where security sits with the chief operating officer or chief risk officer, depending on the organization, which removes that very tech lens and the conflicts that represents.

But the role itself has changed significantly over the last 20-25 years, from very technical beginnings to now being much more of a C-level role interfacing with the board and the executive [suite]. That’s going to continue, and we are starting to see a lot more directors with at least some cybersecurity expertise.

What questions should CISOs be asking themselves that they often overlook in securing organizations today?

Norton: I think asking yourself, what visibility do you actually have, and how confident are you that your view of things is the correct view and will still be the correct view in three months?

What are you most and least proud of in your career?

Norton: I feel the work I’m doing with ISACA has real impact and legacy, with an ambitious agenda of industry-wide, global initiatives that we believe will improve the industry for professionals.

In terms of mistakes, there’s been lots. I’m in that fail fast and learn category. Government’s not always been in that space, the executive mindset’s a little bit different, so it’s fair to say I’ve had my fair share of failures and fair share of presentations that didn’t land. But I think that the messaging really is that: As a CISO, you can’t be perfectly prepared from day one. When you start a role — a significant one or in a midsized organization — you’re going to have to learn to respond and recover and go back again, and you’re not always going to impress everyone along the way because sometimes you have to deliver a tough message. A lot of the challenge of being a CISO is building an effective narrative and gaining the trust of your ELT and board, so they are fully invested and you can deliver the difficult messages when needed.

It’s also about building the resilience because it can be lonely at times. Sometimes you’re going to be the one who’s catching flak from some executives because they’re not happy with your message that impacts them. I think that’s why cyber burnout is such a problem. It’s often taking all the body blows and getting to a point where you’re just like “I don’t want to do this anymore.” A lot of that comes back to organizational culture and hopefully having an organization that’s very supportive.

Do you think AI will widen the skills gap or help cybersecurity?

Norton: I think there’s definitely some roles in cyber that will change significantly over the next 5-10 years and some that may diminish. I think it’s going to impact other parts of the economy in a more profound way. From a tech perspective, I think a lot of the data analytics and some of the decision-making support systems will more and more become something that AI supports and begins to automate. So they’ll start off as more decision support systems where we’ll need fewer humans because we’re able to get the information we need more quickly out of an AI, and then slowly but surely, with agentic AI and what’s coming, that will allow them to make simple decisions and then slightly more complex ones, and then over time, I think we’ll start to replace some roles. I’m optimistic this will propel human workers further up the value chain as well; they’ll be further up from a leadership perspective, maybe deeper from a deeply technical perspective.

Is there any saying that you live by?

Norton: When I was in the Tax Office our commissioner at the time, Chris Jordan, had a branding which was “Do the basics brilliantly” and it’s stuck with me as a general mantra, but it applies so well to security because if you do the basics well you would have such a significant uplift in your cyber capability. You can’t just focus on that alone because there’s a lot of other moving parts. But if you can’t get those basics right, that’s going to provide a lot of protection.

The other one I like, which I guess has helped me well, and I think it’s still true is the futility of “repeating the same thing over and over again, while expecting a different result.” That applies in a lot of things. You’ve got to try and change things up if you’re expecting to get a different result. Yet I see it so often in many facets of life.

Any tips for those wanting to begin a career in cybersecurity?

Norton: For graduates and for early career cyber people, we’re aware it is challenging transitioning into an early-stage career and getting that first job. I think tenacity and drive are critical attributes, and I’m aware that’s easy for me to say from here. But I do see that those that are persistent, engaged, reach out and grab what they can in a proactive way, they might get knocked down a few times, but you know they’ll continue to learn. They might join ISACA. They might do an early certification to try and get a little competitive advantage. More often than not the relationships formed by networking and getting involved, putting yourself out there, result in opportunity.

At more senior levels it becomes harder. I think it’s that learning process again, making sure that you’ve got a CV that demonstrates that you’re building capability. Understanding your brand and honing it professionally. So, polishing the CV to really reflect what your brand is and what you bring to the table is key. You can’t just throw the same tired CV out and scatter it and hope that something’s going to bite, because that might have worked when we had scarcity but these days there’s too much supply in the market.
