Mar 26, 2017

Over the past 20 years, Alice Sturgeon has been extensively involved in international standardization, primarily with the International Organization for Standardization (ISO), in information security and identity management planning and management, as well as risk, cryptography, biometrics and smart cards. In recognition of her contributions to Canadian and international standardization, the Standards Council of Canada (SCC) presented Ms. Sturgeon with a certificate of recognition and sat down with her to discuss her impressive career and the importance of standards.

You have an extensive history in the international standardization system. Can you tell me about what initially prompted you to get involved in standardization? Why are standards so important?

In the 1970s, I was at the Communications Security Establishment (CSE) as the executive assistant to the chief. I took minutes at executive meetings and that’s when I first heard about SC 27 (the ISO committee on IT security). CSE was always involved in SC 27 and they still are, of course, but I didn’t get involved until after I left the federal government, in 1995. I had a few colleagues who suggested that I might be interested because it was along the lines of the work that I had done and was doing.

So that’s how I got involved, I decided to go to a meeting to see what it was like, and I stayed because it was very interesting. I left the government in 1995 and I spent about two years doing consulting, mostly in the areas of information security and cryptography. Then I joined a small cryptographic hardware company where standards were very important. It was important to have access to the developing standards, and the realization that you could actually have input into the developing standards got me excited about the whole process.

So that’s how I got involved, and I stayed with it because I really enjoyed it.

It might sound nerdy, but I enjoyed the international meetings where you’re working on a draft standard and you sit in a boardroom, with anywhere from 5 to 25 experts from all around the world, and you can sit there and edit a standard. Go over all of the fine points, draw diagrams on the white boards, and have exciting discussions just about these minor points that all go together to make a standard. To me, that was just wonderful. To be with these other people who understood in depth this particular field you happen to be involved in. There’s nowhere else you can get that, especially that broad range and from around the world.

How did your initial involvement expand to cover the range of committees to which you have contributed in your 20 years of standards work?

It’s, in a way, a small community — SC 27, and JTC 1 (the joint technical committee for the International Organization for Standardization (ISO) and International Electrotechnical Committee (IEC) on Information technology) are huge, but it’s a relatively small community. The international group knows each other well, knows each other’s strengths and weaknesses, and knows how to build on them.

I was working for the cryptographic company, and I was also the chief security officer. The majority of my time I was on standards, because they were so important to them. Starting with IT security and then, as I explained, going to SC 17 (the joint ISO/IEC committee on Cards and personal identification) was just a natural progression. Then, when biometrics started to come along, there were very few people in the world working on it, including a few Canadian companies trying to get people to understand what this biometrics stuff was all about. So SC 37 (the joint ISO/IEC committee on biometrics) started up and then, in Canada, we started up our own Canadian Advisory Committee (CAC) for it, CAC 37.

And some of the other committees just sort of fell into place. For instance, ISO/TC 68/SC 2 is about security again, IT security, but it’s in the financial sector.

What are some of your personal highlights from your time working in standards?

I can answer that easily, as it’s one of the highlights of my career: In 2004, I was invited to speak to the ISO General Assembly about the new committee that ISO Technical Management Board (TMB) had formed, the Strategic Advisory Group — Security (SAG-S). It was taking place because ISO was coming to realize that security was important across the board. This was after 9/11 and so on, and within ISO there were a hundred or more groups that dealt with various aspects of security — from transportation security to marine security to IT security and so on — so they created this strategic advisory group to come up with recommendations on how to streamline coordination between all these different groups.

So I was asked to join the SAG-S, more or less as a representative of the IT security world. It was a very small group, chaired by an American, with only about 10-12 people on it. The chair of SCC at the time wanted to put my name forward as the next chair of the SAG-S because the American who was chairing it had said he would only do it for one year. But then he changed his mind.

They asked me to present on the SAG-S to explain to the ISO General Assembly what it was all about. I had a nice half-hour presentation in front of about 500 people, and I just loved it. I feel very proud of it. It was in Singapore, which also helped, because I love Singapore.

I stayed with the SAG-S for a few years, until it was disbanded after submitting its final report.

What have you gained as a result of your contributions to international standardization?

Well, I’ve seen a lot of the world!

By working in depth on standards, I’ve gained a lot of knowledge. And by meeting with experts on the various security-related committees in the field, I’ve learned a lot from them. So it’s been very beneficial from a career perspective, and also from a personal perspective because I’ve met some amazing people from all around the world.

Do you have any advice or insight to share with someone considering getting more involved in standardization? What would young professionals gain by getting more involved?

They stand to gain a different perspective than by working in simply one position in a particular organizational structure, whether that’s public or private sector. By working on international standards, you can learn from the perspectives of a wide range of people who are in different positions and different types of organizations, from single consultants to government officials.

If you’re in government, for example, or if you’re in one organization for 10 years or more, you can get a little bit parochial. But by going out into the world of international standards, the insights gained and experience gleaned will completely counteract parochial perspectives. And even if you’re not involved in the international meetings, by being on the national committees you can learn from the other people who are on it. For young people, for instance, who are early on in their professions, they can meet a lot of people who are further along in their careers and who have gained valuable insights that they can impart to their younger colleagues.

What might the world look like today if not for all the work done by you and the committees you worked on? How have standards mattered in these areas?

The best example I can think of where non-standardization exists is printer cartridges. They drive me crazy. Think about your printer, and how you have to go and look through a hundred packages and determine which number yours is. Just think if electrical outlets were like that. Imagine if you were buying an appliance, and it had to have a certain outlet for you to be able to plug it in. All of these things that we take for granted that are standardized, and the outlet is certainly one of them; without those standards, it would be chaotic, it would be anarchic, it would be like a hundred years ago when things just didn’t work as well as they do now.

This article was first published by the Standards Council of Canada; www.scc.ca/en/news-events/features/2017/chatting-with-a-standards-maker-canadas-alice-sturgeon.