A seasoned people manager with expertise in business, audit services, risk advice, and information technology, Jenny Johanson is a Senior Advisor at RSM.
Jenny is able to provide confidence to boards and executive management teams since she can communicate with people from many disciplines and use evidence-based judgement.
At Hastings Funds Management, Jenny was the Director, Internal Audit and Compliance. She also served as General Manager of Audit-Technology at ANZ and Head of Audit Services. Jenny formerly held the position of Senior Manager of Telstra’s Information Systems & Technology Risk Management & Assurance.
Below are highlights of the interview:
Can you tell us a little about your journey before starting your professional journey?
When I started looking at potential careers, I knew I wanted the opportunity to travel, and to see how business worked. I undertook a Bachelor of Commerce, majoring in accounting, and started my working life as an external auditor with what was then one of the Big Eight (Arthur Andersen). It took me less than a year to realise that wasn’t right for me.
I had always loved learning, and at that time, the use of computers in business was right at the outset. When I went to talk to my mentor partner about my decision to move on, he advised me that the firm was setting up what was then called the “Computer Risk Management” team and asked if I would be interested in participating. While I didn’t know much about computers, the opportunity to continue learning won me over.
Once I started getting involved, and discovered a new passion for information technology, suddenly the pieces of the puzzle started falling into place. I was an accountant who could use my finance knowledge, and my growing understanding of information technology to bridge the divide between our clients’ finance and IT personnel. That opportunity became my launch pad to the career I have built over the last few decades.
Tell us about your role and responsibility at RSM.
I am a Senior Advisor in RSM’s Cyber Security and Privacy Risk Services team, which assists organisations in evaluating control requirements against various frameworks and publications, including International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Cloud Security Alliance (CSA) security frameworks.
What are the company’s extensive security offerings that meet current corporate requirements?
Our Cyber Security & Privacy services include the following, delivered by technical specialists:
- Information & Cyber Security Risk (cyber security maturity, security governance, security management framework, threat risk assessment, IT audit & assurance)
- Cloud Security (governance & risk management, AWS, Microsoft Azure, Google Cloud platform assurance, Microsoft & Office 365 configurations, etc.)
- Security Transformation (strategy, design & implementation, architecture, project management & assurance, vendor selection, identity & access management, etc.)
- Technical Security Assessment (ethical hacking, vulnerability assessments, penetration testing, red teaming, breach & attack simulation, threat intelligence)
- Privacy (data governance, data privacy program, data discovery & classification, privacy impact assessment, third-party data transfer, regulatory compliance)
- Digital Forensics & Incident Response (data preservation & analysis, data breach, e-discovery services, malware analysis, email compromise, data recovery, etc.)
How have you integrated some of the more innovative thinking you developed while working for technology-driven companies into your current organization?
I think innovation comes from the people in the team, so the best way to achieve innovation is to encourage people to be honest and open, share ideas, and explore initiatives without fear of retribution. I focus on hiring people who have different perspectives, come from diverse backgrounds, and have distinct abilities. Having employees with a different set of ideas or approach to problem-solving goes a long way towards collectively generating an innovative culture.
Who do you collaborate with the most to drive growth and success?
I have found that the most productive, innovative teams consist of people who are both task-and relationship-oriented, and particularly those who are adept at changing their style depending on the project and outcomes being targeted.
Over the years, I have invested in building both formal and informal networks and have drawn on both at various times – whether I am looking for input on a particular task, or monitoring and providing feedback.
How do you think about building advanced security team?
Companies are asking their security teams to know more, detect more, and prevent more, recognising that the threats posed by malware and cyber attacks are very real, and that the costs incurred, and the intensity of the breach, can have a significant impact.
I have a few areas of focus for building an advanced security team, and these are the key elements we focus on at RSM:
- The need to have technical acumen but also understand business objectives, take ownership of workflows, and manage within the business’ risk tolerance
- Focus on attracting, developing and retaining professionals who are secure in what they know while eager to continue learning.
- Ensure that the business understands the importance of the security team as a business function and its contribution to managing business risk within manageable levels.
- Focus on the key elements of threat awareness, information risk assessment, information risk reporting, security policy and technical standards, security control assessments, and cybersecurity training.
I aspire to be a leader who inspires people, fosters collaboration, and manages the team in a way that makes the most of their strengths, both individually and collectively.
What does your role look like five years from now?
My vision for the Cyber Security and Privacy Risk Services team at RSM is to continue to grow and develop the team, with a focus on recruitment, training, leadership, and culture. I would love to see our team having a real impact on the broader RSM Australia business.
Personally, I plan to continue building my non-executive portfolio so that I can espouse the need for competent IT security management at the strategic level.
What are the most important attributes of successful leaders?
For me, the best approach to management is to switch back and forth between styles. But when I have the downtime, I like to encourage the team to bond.
A good manager is one that invests in building a close-knit team that works well together. For more immediate crisis situations, I choose to reassign tasks or pick up the slack myself. I try to give clear directions and stay hands-off but be ready and available to jump in to offer guidance, expertise, and help when needed. I also go out of my way to make sure I know when my team needs help. I don’t hang around and wait to be called upon — I go to them.
That means plenty of informal check-ins, both on the work they’re doing and on their general job satisfaction and mental well-being.
What advice would you give to the next generation of female leaders?
Women are vastly underrepresented in the global technology workforce. This is not only a societal concern but also a workforce problem, given the critical shortage of skilled technology professionals faced by many enterprises.
Women specifically need mentors, role models, and strong networking opportunities. It’s clear to me that women have a hunger to learn and benefit from the presence of other women in technology.
I love Sheryl Sandberg’s quote: “Believe in yourself and own your own success”—don’t be shy about touting your accomplishments. Learn about and gain experience in a range of roles. But don’t let work overtake your life—make sure you still find time for family and friends. And lastly, establish good networks and relationships, build a public profile and take opportunities to speak and write about what you know.