{"id":15439,"date":"2026-01-09T07:37:34","date_gmt":"2026-01-09T07:37:34","guid":{"rendered":"https:\/\/newestek.com\/?p=15439"},"modified":"2026-01-09T07:37:34","modified_gmt":"2026-01-09T07:37:34","slug":"jamie-nortons-journey-to-ciso-started-with-an-early-interest-in-computers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15439","title":{"rendered":"Jamie Norton\u2019s journey to CISO started with an early interest in computers"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Jamie Norton\u2019s parents gave him a computer as a child that he played and tinkered with while growing up. When he went to university, he studied IT and accounting \u201cjust as a bit of a side note, really.\u201d This was right around when the internet was emerging, and he started to play with Unix and other operating systems with software development as his background.<\/p>\n<p>When he left university, he didn\u2019t know what he was going to pursue in tech, but the Dotcom boom presented a range of technology opportunities, and his first role was in intelligence for Defence. \u201cAnd that was where I started to get the mind thinking more in security terms,\u201d he tells CSO of those early days for the department in the tech security space. \u201cBut the concepts of risk and the concepts of protecting networks and some of the fundamentals were there.\u201d And that was when Norton first realized that cybersecurity could be a career opportunity.<\/p>\n<p>Around 2000, Norton \u201cformally dropped into\u201d cybersecurity.<\/p>\n<p>\u201cI started out post defence, was on the vendor side and some startups. 
Went through a period of really strong digital trust systems, authentication, identity and then moved into more mainstream and early cyber leadership roles.\u201d Norton also had several sales roles midcareer, before working his way back to cyber leadership roles with a \u201creturn back to consulting more recently.\u201d<\/p>\n<p>His cybersecurity career has included stints with the World Health Organization, NEC Australia, and the Australian Taxation Office. Today he is vice chair of the board of directors at ISACA and the CISO at the Australian Securities and Investments Commission (ASIC).<\/p>\n<p>CSO spoke to <a href=\"https:\/\/www.linkedin.com\/in\/jamienorton\/?originalSubdomain=au\">Jamie Norton<\/a> about cybersecurity challenges in finance and government and about retaining talent. Following is that conversation, edited for length and clarity.<\/p>\n<p><strong>What are some of the key challenges that cybersecurity leaders face today?<\/strong><\/p>\n<p><strong>Norton:<\/strong> Obviously, it\u2019s a very complex space, but at the same time there are foundational things that shift the needle a long way. Part of the challenge for CISOs is how to get that foundational hygiene into organizations. Legacy environments, that\u2019s probably the biggest challenge, particularly in government. Trying to secure systems that are old and out of date, no longer being updated and require significant investment to shift the security posture. <\/p>\n<p>But sitting on top of that is the concept of broad hygiene across the environment, and just doing the basics can be really challenging. There\u2019s a process element to that, there\u2019s obviously a technology element, but then there\u2019s a human element to that as well. So, it\u2019s trying to get all of those bases aligned.<\/p>\n<p>Right now, AI and a whole range of things are emerging that are going to be huge, and we don\u2019t really know what 10 years in from now is going to look like, maybe even five years. 
Things are changing so rapidly and as technology and security people we want to be innovative and move quickly and be at the forefront of this because otherwise there\u2019s a risk you get left behind. But we must do it in a safe manner so we\u2019re not accidentally exposing sensitive information. That\u2019s a challenge as well.<\/p>\n<p><strong>In your experience as a cybersecurity leader, what does cybersecurity usually mean to organizations?<\/strong><\/p>\n<p><strong>Norton: <\/strong>It varies. It certainly has changed over time and between organizations. It does depend on size and scale but also a lot depends on the board and the executive security mindset as well. In mid to large government agencies, there\u2019s a real focus on cybersecurity at the executive level. And there\u2019s strong policy and frameworks as well, such as the PSPF [Protective Security Policy Framework] and other frameworks and requirements.<\/p>\n<p>In the corporate space it varies considerably. We\u2019ve seen even some large organizations where it has been a bit of a struggle getting the executives and board functions to accept accountability for security risk. They\u2019re just taking a little bit longer than perhaps others that have been championing security for some time. I think with what\u2019s happening in the market, the broader regulation, the general level of communication around security that\u2019s happening in the media and otherwise, and the incidents is the other thing, the cost of those incidents, like the <a href=\"https:\/\/www.csoonline.com\/article\/573731\/a-third-of-australian-population-likely-affected-in-optus-cyberattack.html\">OPTUS\u2019s<\/a> and the <a href=\"https:\/\/www.csoonline.com\/article\/574049\/medibank-hackers-revealed-to-be-in-russia.html\">Medibank\u2019s<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/4014787\/scattered-spider-shifts-focus-to-airlines-as-strikes-hit-hawaiian-westjet-and-now-qantas.html\">Qantas<\/a> most recently. 
I think that\u2019s turning that tide with increasing focus on effective cyber governance. I think there\u2019s more and more support emerging at the highest levels of organizations \u2014 the executive leadership team and directors \u2014 which will enable us to shift the needle even further.<\/p>\n<p><strong>How do you keep your team inspired to prevent cybersecurity professionals from leaving?<\/strong><\/p>\n<p><strong>Norton: <\/strong>In government, we often don\u2019t have quite the same level of compensation as in the corporate space, so we try to create a positive culture and environment that people love to work in. My personal goal is to provide mentorship and advice to the team while also being very transparent about what career options look like and what the industry is like in different areas. I am my team\u2019s strongest advocate in terms of helping them find their path and achieve career ambitions, whether this is within government or not.<\/p>\n<p>Try to cut red tape. It\u2019s difficult sometimes but try to minimise the impacts of those sorts of things. Training is probably a key lever to give people that advantage and being able to educate and learn further in their careers as well as exposure to some exciting technology.<\/p>\n<p>The mission element in government is also critical. We often attract individuals that are very mission-focused and pursue success that\u2019s bigger than themselves. They\u2019re trying to achieve something for the country or for a certain area of the economy. That\u2019s a key outcome we offer.<\/p>\n<p>But equally there\u2019s an element, particularly in the graduate and early career stage that we know we\u2019re often an incubator for the next step in their career. And I think being comfortable with that concept is not a bad thing. 
Yes, they might come in, we\u2019ll get some great innovation from them for the first three to five years of their careers, they\u2019ll get some training and support from us and then they may go into the private sector for a bit, but they may come back to government later. I think it\u2019s a bit of a push pull across the economy.<\/p>\n<p><strong>Where do you see the role of the cybersecurity leader going?<\/strong><\/p>\n<p><strong>Norton: <\/strong>Innovations like AI are going to fundamentally impact the role and our day-to-day activities. There\u2019ll be some aspects that won\u2019t change, but there\u2019ll be a lot of aspects that are going to morph and change over the next little while. As an industry, we\u2019re still evolving away from being seen as a purely tech-related function and sitting more naturally alongside the risk function. It\u2019s not happening in every organization, but it\u2019s already happening across financial services. I\u2019m hopeful that we\u2019ll start to see that trend in government, where security sits with the chief operating officer or chief risk officer, depending on the organization, which removes that very tech lens and conflicts that represents.<\/p>\n<p>But the role itself has changed significantly over the last 20-25 years and from very technical beginnings to now being much more of a C-level interfacing with the board and the executive [suite]. 
That\u2019s going to continue and we are starting to see a lot more directors with at least some cybersecurity expertise.<\/p>\n<p><strong>What questions should CISOs be asking themselves that they often overlook in securing organizations today?<\/strong><\/p>\n<p><strong>Norton: <\/strong>I think asking yourself, what visibility do you actually have and how confident are you that your view of things is either the correct view and will still be the correct view in three months?<\/p>\n<p><strong>What are you most and least proud of in your career?<\/strong><\/p>\n<p><strong>Norton: <\/strong>I feel the work I\u2019m doing with ISACA has real impact and legacy, with an ambitious agenda of industry-wide, global initiatives that we believe will improve the industry for professionals.<\/p>\n<p>In terms of mistakes there\u2019s been lots. I\u2019m in that fail fast and learn category. Government\u2019s not always been in that space, the executive mindset\u2019s a little bit different so it\u2019s fair to say I\u2019ve had my fair share of failures and fair share of presentations that didn\u2019t land. But I think that the messaging really is that: As a CISO, you can\u2019t be perfectly prepared from day one. When you start a role \u2014 a significant one or in a midsized organization \u2014 you\u2019re going to have to learn to respond and recover and go back again and not always going to impress everyone along the way because sometimes you have to deliver a tough message. A lot of the challenge of being a CISO is building an effective narrative and gaining the trust of your ELT and board, so they are fully invested and you can deliver the difficult messages when needed.<\/p>\n<p>It\u2019s also about building the resilience because it can be lonely at times. Sometimes you\u2019re going to be the one who\u2019s catching flak from some executives because they\u2019re not happy with your message that impacts them. 
I think that\u2019s why <a href=\"https:\/\/www.csoonline.com\/article\/3631614\/cybersecurity-is-tough-4-steps-leaders-can-take-now-to-reduce-team-burnout.html\">cyber burnout<\/a> is such a problem. It\u2019s often taking all the body blows and getting to a point where you\u2019re just like \u201cI don\u2019t want to do this anymore.\u201d A lot of that comes back to organizational culture and hopefully having an organization that\u2019s very supportive.<\/p>\n<p><strong>Do you think AI will widen the skills gap or help cybersecurity?<\/strong><\/p>\n<p><strong>Norton: <\/strong>I think there\u2019s definitely some roles in cyber that will change significantly over the next 5-10 years and some that may diminish. I think it\u2019s going to impact other parts of the economy in a more profound way. From a tech perspective, I think a lot of the data analytics and some of the decision-making support systems will more and more become something that AI supports and begins to automate. So they\u2019ll start off as more decision support systems where we\u2019ll need less humans because we\u2019re able to get the information we need more quickly out of an AI and then slowly but surely, with agentic AI and what\u2019s coming, that will allow them to make simple decisions and then slightly more complex, and then over time, I think we\u2019ll start to replace some roles. I\u2019m optimistic this will propel human workers further up the value chain as well; they\u2019ll be further up from a leadership perspective, maybe deeper from a deeply technical perspective.<\/p>\n<p><strong>Is there any saying that you live by?<\/strong><\/p>\n<p><strong>Norton: <\/strong>When I was in the Tax Office our commissioner at the time, Chris Jordan, had a branding which was \u201cDo the basics brilliantly\u201d and it\u2019s stuck with me as a general mantra, but it applies so well to security because if you do the basics well you would have such a significant uplift in your cyber capability. 
You can\u2019t just focus on that alone because there\u2019s a lot of other moving parts. But if you can\u2019t get those basics right, that\u2019s going to provide a lot of protection.<\/p>\n<p>The other one I like, which I guess has helped me well, and I think it\u2019s still true is the futility of \u201crepeating the same thing over and over again, while expecting a different result.\u201d That applies in a lot of things. You\u2019ve got to try and change things up if you\u2019re expecting to get a different result. Yet I see it so often in many facets of life.<\/p>\n<p><strong>Any tips for those wanting to begin a career in cybersecurity?<\/strong><\/p>\n<p><strong>Norton: <\/strong>For graduates and for early career cyber people we\u2019re aware it is challenging transitioning into early-stage career and getting that first job. I think tenacity and drive is a critical attribute and I\u2019m aware that\u2019s easy for me to say from here. But I do see that those that are persistent, engaged, reach out and grab what they can in a proactive way, they might get knocked down a few times, but you know they\u2019ll continue to learn. They might join ISACA. They might do an early certification to try and get a little competitive advantage. More often than not the relationships formed by networking and getting involved, putting yourself out there, result in opportunity.<\/p>\n<p>At more senior levels it becomes harder. I think it\u2019s that learning process again, making sure that you\u2019ve got a CV that demonstrates that you\u2019re building capability. Understanding your brand and honing it professionally. So, polishing the CV to really reflect what your brand is and what you bring to the table is key. 
You can\u2019t just throw the same tired CV out and scatter it and hope that something\u2019s going to bite, because that might have worked when we had scarcity but these days there\u2019s too much supply in the market.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Jamie Norton\u2019s parents gave him a computer as a child that he played and tinkered with while growing up. When he went to university, he studied IT and accounting \u201cjust as a bit of a side note, really.\u201d This was right around when the internet was emerging, and he started to play with Unix and other operating systems with software development as his background. When&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15439\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15439","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15439"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15439\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}