Current role: Chief Information Security Officer
Current organisation: Origin Energy
Last role at PwC: Information Security and IT Risk Management Advisor
Time at PwC: 2004 - 2005
What’s the one career achievement you’re most proud of?
Creating a highly engaged and diverse team that delivers value to Origin every single day.
The team’s engagement score is 80+ based on the AON Hewitt model, which is a top quartile score. Our key stakeholders rate the team 4.2 out of 5. More than 40% of the team is female, compared to a global average of ~20%. Our attrition / poaching rate is 5%, compared to 15% - 25% average. We just got shortlisted into the final five companies for the AWSN best place for women to work in security award.
What’s been your biggest career challenge and how have you overcome it?
When I came to Australia in 2003, my prior international experience in the US and Europe didn’t count for anything. Despite all my experience, recruiters kept asking “what is your local experience?”, implying that international experience didn’t count at all. I was used to the complete opposite. I had to start at a much lower level again and work my way up to more senior roles.
What’s the most valuable lesson you learnt during your career at PwC and how has that helped you get to where you are today?
PwC and the leaders that I worked for taught me how to be a better consultant, frame up a report in a manner that is engaging, and present it in a way that works for the target audience. These skills are still very helpful. Working for a big four company is a great training ground.
What was your dream job ‘growing up’ and why?
I always wanted to work with technology. That was clear from very early on after I got my first computer, and everything else was just about taking the opportunities as they presented themselves. I know people always talk about having a clear vision and plan for what you want to become or do. I always felt the opposite. New opportunities always present themselves and it is far better to go with the flow as long as your decisions are aligned with your passion and interests. This takes you to unknown territory and experiences you probably couldn’t have imagined.
If you could have an hour lunch with anyone - dead or alive - who would it be and why?
I know I should pick someone famous like Albert Einstein, but I think I would pick my granddad. I didn’t get to say goodbye and tell him enough how important he was for me.
How is Origin Energy’s employment value proposition being developed as we move into new ways of working?
Origin was always very flexible compared to most companies before COVID was a thing. This flexibility helped me greatly to attract talent.
During COVID, we learned that functions that we previously thought couldn’t be done remotely actually can be done remotely. The technology environment was already well prepared for large-scale remote working conditions but of course we had to make a number of adjustments to get it to the right level of business resilience and security.
We further refined our ways of working during COVID and we are now in a permanent hybrid model. We believe there is value in bring people together in person but with a lot of flexibility on how we do it.
Have you faced any unexpected security challenges with moving Origin's systems to the public cloud? If so, how are you overcoming them?
We have moved more than 92% of our systems to the public cloud. The biggest challenge was that we had to completely pivot the security team’s skillset, culture, and delivery model. We had to embrace a new paradigm built on agile practices, bringing together development and ops (DevOps) with strong engineering and automation disciplines, and a mindset that it is OK to experiment, fail, and pivot to something new. This was a big shift in the team’s capability which was previously focused on governing outsourced security services. We made mistakes and learned from it but ultimately, we succeeded.
As part of moving to the public cloud, we took the opportunity to completely reimagine our security stack and capability. We went from a largely outsourced and inflexible model to an in-house security capability that leveraged security building blocks within the public cloud to protect workloads in the cloud as well as on premises. As part of that move, our security monitoring cost dropped by 81% while security visibility increased dramatically. Setting up new security monitoring use cases now takes minutes and not weeks.
We now have many automated security posture checks that happen every few hours instead of quarterly manual assessments. We have full automation in place to remediate the biggest security hiccups to keep our business safe.
Security guardrails enable a risk-based approach and security is baked into the environment and people don’t need to ask for security approval every time they want to run up a workload.
How are you and your business making a difference for your customers, employees and society?
I think it all boils down to being a purpose-driven organisation. Our purpose is getting energy right for our customers, communities and planet. Our purpose drives everything. It’s why we’re here and how we make a difference to people’s lives. It’s an aspiration that acknowledges we’re not there yet.
We’re one company, and within us there are thousands of amazing people and a million opportunities to get energy right. We want people to know us by the way we bring a little bit of good energy to everything we say and do.
We are proud to be a purpose-driven organisation. I think this is important in a world where significant changes are happening:
- Decarbonisation of our world and a rapid move towards renewable energy.
- Decentralisation and a greater desire by customers to control their energy generation and storage.
- Digitisation of energy services, customer services, smart homes, smart grid and every aspect of our industry.
Our purpose helps us to focus on how we deliver value every single day to our employees, customers and communities.
