Canadian Information Processing Society (CIPS)



Jerrard Gaertner International Leader in IT Security, Forensics, Governance, Auditing

This week, Stephen Ibaraki has an exclusive interview with Jerrard Gaertner.

Jerry GaertnerJerrard Gaertner CA•IT/CISA, CEGIT, CISSP, CIPP/IT, CIA, CFI, I.S.P., ITCP

Jerrard Gaertner is Director, Technology Assurance Services at a major accountancy and advisory firm. He is a graduate of MIT and a chartered accountant specializing in information technology and information systems auditing. Jerry is certified in the Governance of Enterprise IT (ISACA), a Certified Information System Security Professional (ISC2), Certified Internal Auditor (IIA), Certified Forensic Investigator (ACFI) and Information Technology Certified Professional (CIPS), among other professional designations. He is also a trustee in bankruptcy and Officer of the Court in Ontario, Canada.

Jerry's career spans 30 years and encompasses the development and growth of the IT audit and systems assurance professions; the emergence of privacy and IT security as a concern and then ultimately a specialty practice; the investigation and prevention of computer crime; and the social and political ramifications of technology on the way we live. Jerry is also recognized as one of the leading figures in the emerging field of digital legacy and digital estate administration due diligence.

Jerry has conducted engagements ranging from statutory computer audits and system certification to software quality reviews, computer fraud investigations and advising Boards of Directors on technology strategy, governance and risk management. In addition, his current practice encompasses advising and supporting a variety of technology startups. Jerry has testified as an expert in court and has performed litigation support work regarding the valuation of software. His clients have included governments, Crown corporations, public companies, professional firms, owner-managed businesses and non-profits.

Jerry is a recognized expert in his field and has been featured in broadcasts and newspaper articles on many occasions. He is highly regarded as a speaker and has given presentations at the Canada Revenue Agency, Office of the Superintendent of Financial Institutions, ISACA, ACM, Canadian Institute of Chartered Accountants (CICA), Ontario Bar Association and a number of universities, among numerous others.

Jerry has co-authorized 3 books on business failure (Carswell Publishing). He serves on the Boards of Directors of the Association of Certified Forensic Investigators (Canada) and Canadian Information Processing Society (Ontario), where he is President. Jerry is also a member of the CICA IT specialist certification subcommittee.

To listen to the interview, click on this MP3 file link

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.


Interview Time Index (MM:SS) and Topic

:00:30: Jerry profiles his major roles in his career.
"....Undergrad at MIT....Brief stint at University of Pennsylvania School of Medicine....Price Waterhouse accounting firm....McGill University first as a student in the Chartered Accountant program and then as an instructor....Formed a company that provided consulting services in privacy and cryptography and biometrics....Art school....Trustee in Bankruptcy firm first as an accountant and then as a Trustee....Wrote three books on bankruptcy....Information Technology/Assurance/Governance professional practice....Also currently President of the CIPS Ontario Chapter...."

:02:38: From your remarkable career of success choose three pivotal moments and then some usable lessons to share from each of these moments.
"....Price Waterhouse as a very junior accountant. Lessons: If you see an opportunity to do something better, no matter if you are the most junior employee or the most senior, you should at least give it a shot. Change can be very slow and people are very resistant to new ideas if they are not presented in a very non-threatening way. How important it is to know your audience and communicate the message the appropriate way....My experience with data privacy. Lessons: The difficulty of getting a business off the ground. The importance of having partner(s) with complementary talents. Knowing your stuff is a prerequisite, but it is not enough to make a business grow....When I got my Trustee license. Lessons: The power to be judge and jury over someone's life - that was a very eye-opening experience for me. Some of the things I learned from my bankruptcy clients. People have a tendency to be willfully blind when things are bad. Probably 90% of my clients found that the reality of going bankrupt was much less difficult or onerous than they had contemplated...."

:09:21: What are the five top reasons for business failures?
"....Poor planning and unrealistic expectations....Poor financing....Not knowing your customer and not observing changes in your environment....Not measuring your results properly....Owners not recognizing their own limitations...."

:14:26: What are the disruptive technologies and how will they have impact?
"....Futurist's view of semantic web, expert systems, artificial intelligence, robotics, quantum computing, nano technology....Constantly connected....Intellectual resources....Crowd sourcing....New social structures....Future of technology on the professions...."

:26:04: With regards to security, what does this mean, "Pandora's box is open"?
"....You've seen over thirty to forty years a huge increase in the number of attack vectors, in the sophistication, financing and motivation behind the attacks, in society's dependence on all the devices, systems and applications that are being attacked — that's like a triple-whammy. That's what I meant when I said 'Pandora's box is open'...."

:29:40: What are the five top reasons for security failures?
"....Human error or social engineering....Failure to follow the procedures, control protocols....Lack of understanding of the way systems interact and communicate....Sloppy coding and testing....Embedded weaknesses in hardware, software, firmware...."

:33:03: What are your views on digital assets?
"....Digital assets constitute everything from the IP sitting on a corporate computer to the Linden currency you have in Second Life - there are a lot of different kinds of digital assets. A digital asset can be an online business, a blog, a website, a domain name. The area in which I've become involved in the past couple of years is helping people keep track of these kinds of assets...."

:36:52: Where do you see privacy and security heading and why?
"....The modality for security is going to morph to some extent and we are going to see much more biometrics because how many passwords can somebody manage? We'll see heavier reliance on cryptography until quantum computing arises. In terms of viruses I think you're going to see more whitelisting. You are going to see more security as a service or security monitoring by a third party....Switching gears and talking about privacy, I'm not sure where we are going. Really the big elephant in the room that privacy specialists don't talk about is 'who are you trying to be private from and why?'...."

:43:26: Where is the computer auditing profession heading based upon your view from your years of experience?
"....I see the profession as becoming more technological, more data and process oriented, much more real time, very much into complex terabyte analysis and really intelligent modeling going forward. I see a merger between security and (to a lesser extent) privacy and computer audit, providing assurance from the development cycle right through to the end application, even third party certification...."

:45:04: What are the top 5 reasons for auditing failures?
"....Management override....Failure to follow up small clues....Failure to keep skeptical....Sampling issues....A tendency not to see the forest for the trees...."

:49:09: Is professionalism necessary and why?
"....Professionalism is absolutely essential with a big 'P' and equally essential with a small 'p'. The small 'p' means the individual takes responsibility for the quality of the work, doesn't look at the clock but looks at the result, considers their client's interest above theirs, is committed to doing the best possible job in the circumstances, takes responsibility for their own training and knowledge, and won't accept an engagement if they don't have the training and knowledge....Big 'P' professionalism is the way society protects itself and ensures that the really important things are done properly and if they're not, someone is there to be held accountable...."

:51:13: Is there a role for professional certification and why?
"....Professional certification doesn't necessarily mean exclusivity of right to practice and information technology is a great area to explore that. Certification basically means that a third party organization, presumably objective and at arm's length, has said that this individual has certain skills, knowledge, practical experience, ethical standards, has passed the exam and has committed to maintain standards going forth at the risk and penalty of losing their certification if they don't. That to me seems an excellent way to ensure quality....Another aspect is the third party component where you've got a big organization with a governance infrastructure in play basically standing behind the work, and as an end consumer that gives me much more comfort...."

:54:08: What is the value in professional associations for computing professionals?
"....The association supports and maintains the body of knowledge....Administers the discipline and complaints mechanism....Advocates for the profession and for the professionals....Examination and recertification process....Provides networking opportunities....Educational opportunities....Starting point for research....Gives the individual practitioner a much larger voice...."

:56:41: Can you specifically talk about the value of Canadian Information Processing Society (CIPS)?
"....In Canada it's the only IT professional organization that has been mandated by statute. It's a forum for knowledge sharing, manages a body of knowledge, it has a disciplinary process, certification process, accredits university programs, provides great opportunity for networking, for employers it provides a great clearinghouse if an employer is looking for a certain kind of professional...."

:01:01:40: What specific challenges and opportunities should IT practitioners and businesses embrace today and into the future?
"....I think the important areas today are the integration and alignment of systems and business processes....Into the future all of the trends active today, artificial intelligence, expert systems, you are going to see who is in control and who should be in control becoming much more important....seamless interface becoming much more ubiquitous....perpetual ways of living and interacting...."

:01:06:05: For those thinking of becoming entrepreneurs, how does one engage investors?
"....A really good idea....Enthusiasm....Good presenter....Strong business plan and cash flow....A realistic vision where you want your company to be in 1, 2, and 5 years....A good team....Credibility and track record of the people involved....When you look for investors, look not only for financing, but also people who can provide guidance and even hands-on assistance...."

:01:09:14: Jerry shares some stories from his extensive speaking, travel, and work experiences.
"....The message is about communication; make sure your assumptions are correct and real happiness comes from inside not from measuring yourself against others...."

:01:17:13: If you were conducting this interview, what questions would you ask, and then what would be your answers?
"....Why did you jump around so much in your career and what would you recommend to your children?....What in your career has been the most satisfying?....What do you hope to do in the next 20 to 30 years?...."