A Conversation with Spica’s Information Systems and Security Manager, Joshua Stimson

25 Jan 2024

With Data Privacy Week in full swing we delve into the world of safeguarding sensitive information in our digitally interconnected era. What better way to commemorate this week than gaining insight into the responsibilities of an Information Systems and Security Manager. Meet Spica’s Joshua Stimson. We’ll be uncovering the challenges and triumphs inherent in maintaining robust data privacy practices in today’s ever-evolving landscape.

Could you walk us through your typical day as an Information Systems and Security Manager? What does your daily routine look like, and are there any specific tasks or rituals that kickstart your day?

Certainly. My day typically begins with diving into emails, a routine that many of us share. Given the dynamic nature of cybersecurity, I’m subscribed to various mailing lists and newsletters covering topics like cybersecurity, governance, and compliance. The initial scan helps me stay abreast of any significant developments in the info-sphere. Additionally, I look out for any team members facing challenges or seeking clarification on security matters. Addressing these queries promptly is a priority.

The first wave of emails also serves as a catch-up mechanism for any issues that may have arisen during my offline hours. If there’s something urgent, that becomes my immediate focus, whether it’s responding to inquiries or solving problems.

On days when I don’t have immediate tasks from emails, one of my recurring responsibilities is to ensure that our operations remain compliant with established policies. This involves reviewing our policies to ensure they’re up-to-date and align with industry standards. Simultaneously, I go through various documentation pieces, ensuring they adhere to the prescribed guidelines.

A significant aspect of my routine is checking the audit schedule. Throughout the year, we undergo a series of audits crucial for maintaining our certification with the International Organisation for Standardisation. This entails a thorough examination of our practices and protocols to ensure they meet the stringent criteria set by the organization.

In essence, my day revolves around a proactive approach to email management, addressing immediate concerns, and maintaining a strong foundation of compliance in all our operations.

You mentioned audits as a crucial part of your role. Could you elaborate on the significance of these audits and how they contribute to maintaining certification with the Information Standards Organisation?

Absolutely. Audits play a crucial role in maintaining our certification with the British Standards Institution, Information Standards Organisation, serving as comprehensive evaluations of our information systems, security protocols, and overall compliance with established standards. These audits are strategically scheduled throughout the year, each focusing on specific facets of our operations.

My involvement in audits extends across various departments within the company. For instance, I conduct supplier audits, ensuring that our external partners align with our standards and security measures. In the realm of product development, I directly audit the processes to guarantee adherence to established guidelines. Human Resources audits are essential to verify compliance with data privacy regulations, ensuring the protection of personal information.

Effectively, my role places me at the nexus of the company’s various functions, allowing me to have a comprehensive understanding of our operations. Regular sessions with key figures such as Paul Jones, Managing Director and David Perez, Technical Director, provide me with insights and updates. These monthly interactions not only contribute to the continuous improvement of our processes but also serve as a means to address any emerging challenges.

Is there a lot of collaboration in your role as a security manager, or is it mostly independent work?

My role as a security manager involves a dynamic balance between collaboration and independent work. A significant portion of my time is dedicated to working collaboratively with various teams. Activities like audits and policy development inherently require input and cooperation from multiple stakeholders. I engage with colleagues to ensure that existing policies meet our standards and are well-received. Additionally, when onboarding new suppliers, I work closely with teams to ensure all necessary information is collected and set up properly. 

On the flip side, there are moments when I immerse myself in independent work. This could involve staying updated on changes to information policies, drafting new policies, or planning and scheduling audits. During these periods, I have the space and focus to delve into the intricacies of security protocols and make informed decisions.

The balance between collaborative efforts and solitary tasks is essential. While I value the collaborative aspect for its rich interactions and varied perspectives, the independent work allows me the concentration needed to ensure the meticulous execution of security measures. In essence, this dual approach enables me to maintain a comprehensive and well-rounded security management system.

What’s your favourite part of being a security manager?

Being a security manager is a role that I find incredibly fulfilling due to the constant stream of new challenges. What I enjoy the most is the diversity of tasks and the ever-changing nature of the work. The fact that I’m not stuck in a monotonous routine is what keeps me engaged. I thrive in an environment where each day presents new problems to solve and tasks to accomplish. Having a workload that keeps me consistently occupied and requires creative problem-solving is perfect for my professional satisfaction.

What do you find most challenging?

On the flip side, the most challenging aspect lies in the vast and ever-evolving landscape of policies and guidelines. Staying well-informed and up-to-date in an environment where rules change frequently is no small feat. The sheer volume of policies and the dynamic nature of the field demand continuous learning and adaptation. Ensuring that I have a comprehensive understanding of everything I need to know and, more importantly, making sure that the policies we have in place are adhered to, adds a layer of complexity to the role. It’s a constant juggling act to stay ahead of the curve and guarantee that our security measures align with the latest standards and regulations. 

Could you let us know why data privacy is important for Spica?

Data privacy holds a paramount role at Spica, encompassing two key dimensions. Firstly, there’s a significant emphasis on safeguarding the privacy of our staff. The information entrusted to us by our team members is invaluable, and it’s our responsibility to ensure its proper protection. Often, the true worth and potential risks associated with personal information can be underestimated. Beyond the nuisance of unwanted mailing lists, there are serious concerns such as identity theft and various other risks that underscore the importance of securing personal data. Thus, prioritizing the security of our staff’s information is of utmost importance.

On the other side of the spectrum, we handle the personal information of our clients and their employees who utilize our platform. The trust bestowed upon us when our clients share data on behalf of their employees is something we hold in high regard. It’s not just a matter of compliance; it’s a genuine duty of care to ensure that we handle this information with the utmost respect and deploy the necessary safeguards. Maintaining the confidentiality and security of our clients’ data is not just about meeting regulatory requirements but is fundamentally aligned with our commitment to doing what is ethically right.

Ultimately, prioritizing data privacy is a fundamental element in our pursuit of maintaining trust with both our staff and clients. It goes beyond mere compliance; it’s an ethical imperative, a commitment to handling sensitive information with the diligence and respect it deserves.

How do you approach problem-solving when it comes to data privacy issues?

So, there are different sorts of data privacy issues. Since I’ve stepped into this role, we’ve only had a very few of what we call non-compliances. They’re the big data privacy issues, and most of those have been around availability of data; we haven’t had any data leaks or anything.

We’ve got all sorts of processes in place to make sure that we handle non-compliances properly. We have meetings with everybody involved to make sure we can understand the root cause of any problem that came up, put a containment in place, which is our immediate stopgap, and then actually develop and implement a fix. That process is quite easy to lay out and easy to framework, but the actual undertaking can be really quite challenging. There are so many different things that could be considered a data privacy issue.

What is a recent challenge you had, and how did you approach it?

One of our recent challenges involved a significant setback with a supplier impacting data availability. Despite having robust agreements, backups, and established policies and frameworks, we faced a critical issue when it became evident that one of our suppliers was not adhering to the agreed-upon protocols. This lapse on their part posed a considerable challenge for us, given our commitment to delivering on our contracts and obligations to clients.

The frustration stemmed from the fact that the breakdown was not due to any shortcomings on our end or something within our control. As an organization that upholds exceptionally high standards, it was disheartening to encounter a situation where a supplier’s lapse jeopardized our ability to fulfil our commitments. Overcoming this challenge required not only fixing the immediate issue but also reassessing our supplier relationships to ensure such lapses were minimized in the future. 

Addressing this challenge demanded a comprehensive approach, involving corrective measures, revisiting agreements, and reinforcing the importance of adherence to established standards. While it was a testing situation, it provided an opportunity for us to further strengthen our processes and resilience against external disruptions, reinforcing our commitment to maintaining excellence even in the face of unforeseen challenges.

What tools or technologies do you find most helpful in your role?

In my role, I leverage a variety of tools and technologies that significantly contribute to the efficiency of our governance and compliance processes. There are lots of different governance and compliance tools out there on the market, but I would actually like to take this opportunity to name and pass on thanks to my predecessor in this role – one of Spica’s founders, Paul Collins. He dedicated considerable time and effort to establish a Governance, Risk, and Compliance (GRC) framework within Jira, and its impact has been phenomenal. 

The GRC framework within Jira has proven to be an invaluable asset, streamlining our operations by centralizing information and interlinking relevant data. The setup involved an initial investment of time and effort, and I further updated it to align with the latest standards that were released this year. The software has made my responsibilities more manageable, providing easy access to the necessary information.

Aside from our internal tools, external platforms like Slack play a crucial role in facilitating communication. Its user-friendly interface makes it effortless to engage in real-time conversations and share essential visuals such as images and screenshots seamlessly. 

Additionally, I would like to acknowledge the effectiveness of TeamViewer, which has proven to be an indispensable tool for remote support. Given my role as the Information Systems Manager, providing Tier 1 and Tier 2 support to our staff members, TeamViewer has enhanced our ability to troubleshoot and resolve issues efficiently.

Insights for those considering a career as a security manager:

In the dynamic and rapidly evolving field of information security, my advice is to focus on building a robust mental toolbox rather than attempting to memorize policies or internalize specific details that might change tomorrow. The key is to develop skills that make you adaptable, allowing you to not only understand what security measures are in place but also comprehend the reasons behind them—grasping both the letter and the spirit of policies to ensure comprehensive compliance.

It’s crucial to move beyond seeing data as mere information that requires securing. Always keep in mind that, at the end of the day, there are real people associated with that data. This perspective is essential in recognizing the gravity of the responsibility you hold. Treating people’s information with the utmost respect and delicacy is not just a compliance requirement; it’s a fundamental ethical consideration in the realm of data security.

Outside of your professional commitments, how do you choose to spend your personal time and engage in activities beyond the workplace?

Outside of work, a significant portion of my time is devoted to quality moments with my two-year-old son. Parenthood has become a central focus, and I cherish the time spent with him, watching him grow and exploring the world.

What’s your preferred culinary delight, and if you enjoy cooking, is there a particular dish that you love preparing or ordering?

One of my go-to dishes to cook is a flavourful fried rice. Achieving that perfect balance of seasonings, textures, and flavours brings immense satisfaction to the cooking process.

As for the ingredients, I usually opt for long-grain rice. To elevate the dish, I add my own twist to a teriyaki sauce, incorporating a blend of soy sauce, honey, ginger, and garlic. The ensemble is complemented with the inclusion of eggs, assorted vegetables, and occasionally some chicken or steak, resulting in a delicious and personally crafted fried rice experience.

FAQ About the Day-to-Day of an Information Systems and Security Manager:

What are the main responsibilities of an Information Systems and Security Manager?

The role encompasses dual responsibilities. On the information systems front, it involves overseeing suppliers, ensuring the operational efficiency of business system environments, and maintaining a pivotal connection with our parent company, Nordomatic, and their group IT division. This liaison acts as a lubricant, ensuring seamless collaboration between Spica and Nordomatic. As an information security manager, the key tasks involve upholding policies, overseeing audits (both internal and external) to maintain certification, and serving as a central point of contact for various teams. This includes assessing the security requirements of developing products and communicating necessary changes to senior leadership, sometimes requiring judgment calls on legal and ethical considerations.

Is a security manager’s day-to-day stressful?

Yes, at times, especially leading up to an external audit. The intricate coordination required on the day of the audit to maintain accreditation can be stress-inducing. However, in periods without impending audits, there is more breathing room and flexibility to prepare, resulting in lower stress levels. Adequate time and effort invested in preparation significantly contribute to minimizing stress.

What are the most challenging aspects of security management?

The most challenging aspects involve dealing with the “unknown unknowns.” This refers to potential security threats that are not only unknown but also instances where the security professional is unaware of their existence. For example, staying updated on the latest malware attacks can be daunting, especially when attackers utilize vectors that were previously unknown. The challenge lies in continually learning about emerging threats and adapting strategies to defend against them effectively.

In conclusion, a heartfelt thanks to Josh for providing a detailed glimpse into his role as an Information Systems and Security Manager at Spica.