Michael de Crespigny does not strike me as a man who bases his life choices on luck. Someone who takes challenges in stride, yes, but someone who leaves his career to chance? Not so much. Which is why I’m surprised when de Crespigny tells me that he has “not planned many of the moves in my career. They have all been a matter of being in the right place at the right time”.
As someone who has spent most of his working life assessing risk (and advocating information security risk assessment), it seems almost ironic that his approach to his own career has been somewhat adverse to too much forward-planning and structure. Perhaps it’s the Australian in him. Nonetheless, judging from his current position and CV to date, it seems to have paid off.
Unlike many of the information security professionals I’ve profiled over the years, de Crespigny’s roots are firmly in business and the financial sector, and prior to his role at the Information Security Forum (ISF), most of his career was spent at PricewaterhouseCoopers (PwC). “I found my way, by matter of luck, into PwC in Melbourne, where I became a chartered accountant”, he recalls. Having studied for a business degree in Melbourne, Australia, de Crespigny said he embarked on this path “because lots of other people were doing it”. Thus began his career in auditing.
The IT piece of the puzzle came to fruition when de Crespigny developed an interest in computerization, “and I became known as a bit of an expert in technology – how systems and programming worked”, he recounts. His expertise was cemented by a transfer to New York in the late eighties to “work on a global project looking at systems and controls. Of which, of course, security was one of the fundamentals”. It was around this time that de Crespigny became a partner in the firm.
A decade later, and de Crespigny was re-locating again – this time to London, which he now considers “home”. He and his wife were given the option to return to Australia, but they unanimously decided to stay put in the UK. Fourteen years after moving to London, de Crespigny still considers it “the best city in the world”.
Around the World
“We initially came across to help set up a business that focused on risk management from the operational and financial perspectives, but also including technology and controls”, de Crespigny says. “I spent five years working with an English partner, and bringing together all of the global firms to align strategies and develop services”.
He took a role looking after the work that PwC was doing for the ISF around 2005. “From the very earliest days, Coopers & Lybrand (as it was formerly known, before merging with Price Waterhouse in 1998) had a fundamental role in the creation of the ISF. They stepped back very much in the mid-nineties, when the organization took control of its own destiny.”
Within twelve years of working for PwC, de Crespigny had experience working (and living) in Australia, the US, and the UK. He also worked – and travelled – a lot in Asia. Approach to governance and control across the continents is one of the biggest differentiators, he notes, in how they do business. “The British approach to governance, Parliament, and the way that organizations are structured and governed [focuses on] importance of control and segregation of incompatible duties, and running things in a very consistent and reliable manner”, de Crespigny observes. In Asia, he explains, it’s a different story. “There is a very different history, and the focus on control is quite different.” Of the 300 ISF members – in which, the world’s biggest banks and aerospace players are included – engagement with Japanese countries exists only through their subsidiaries in the US or Europe.
Big Shoes to Fill
In December 2009, de Crespigny retired from his twenty-two year tenure at PwC and stepped into the role of chief financial officer and operating officer at the ISF, serving under then-CEO, Howard Schmidt.
As fate would have it – or perhaps it was that luck that de Crespigny speaks of in relation to his career – soon after he joined the ISF, Schmidt took the role of cyber-security coordinator for the Obama Administration. “It was a fantastic opportunity for him”, he says.
Shortly after Schmidt’s departure for the White House, de Crespigny was promoted to CEO. Despite the fairly quick promotion, he doesn’t consider it premature, having worked with the board five years before then in his role as a client service partner. “There was already a degree of trust between me and the board”, he contends.
“In a sense, Howard leaving was unfortunate for the ISF because we lost somebody who was very visible externally, but at the same time, what better credentials for the ISF than for its previous CEO being in the White House, advising the Obama administration on cybersecurity?” (At the time of going to print, Howard Schmidt had recently resigned from this position to spend more time with his family.)
It’s apparent that de Crespigny is very aware that his external profile sits in the shadows in comparison to the former CEO. “I certainly don’t have the external profile that Howard had. He’d been in the White House in the Bush era in a lesser position than he has now, so he’d developed his external position from that.” His concern is no doubt the catalyst for his shift in focus within his CEO role. “In my early days as CEO, I was really concerned with trying to bed down the operational side of things. Since then, I’ve been more visible externally, in terms of [discussing] the sort of topics that are important, and engaging with members”, de Crespigny notes.
| "I’d quite like to get involved in industry-level consolidation for the plethora of standards that are creating fog and confusion" |
When I ask him to break down an average day at work, he is able to give me a very clear and detailed picture of what goes on between the hours of nine to five. “A quarter of my day is spent providing input to our projects – whether it’s reading a final report before it’s about to be released, thinking about the position we want to take externally, and the insights we want to push, or whether it’s actually getting involved in the conceptual development. I spend another quarter talking to members.”
Another quarter of an average day is spent “dealing with stuff”, in which he includes industry reading, research and admin. The remainder of his time is made up of media work, speaking at events and, of course, doing what he does most naturally as a chartered accountant – looking after the finances.
All About Risk
Given his background, it’s not surprising that de Crespigny considers risk management to be the greatest challenge in the information security industry. The way he presents a case for this is very convincing. “There’s a huge array of software solutions out there to solve most problems. Software vulnerabilities are generally known, so you can decide how to mitigate them”. From the technical side, then, most problems – subject to resourcing and funding – can be solved, he explains.
“The real challenge for security functions nowadays is that they can’t apply the same consistency of controls to every activity that takes place in their international organization”, de Crespigny asserts. “They’ve got to identify where there’s risk and opportunity, and where the organization needs to protect the information it has.”
What’s really difficult, he explains, is deciding which types of information should be released to which types of people. “Furthermore, if we do enable that access, how do we make sure we secure it effectively? There is this matrix, and it’s very challenging to undertake good risk assessment”.
The key to good risk assessment, de Crespigny believes, is “thinking about the environment in which that application runs, and the motivations of the people who might want to break into it, and steal the information”.
Is the industry losing sight of risk management, though, I ask? “Not at the board or senior management level, because they’ve seen the impact of very significant incidents”, de Crespigny says, confidently. “The challenge is finding people that understand the business perspective, and can translate that into actions that leave their people focusing on the right topics.”
At the moment, there are a significant amount of large public companies in London seeking to appoint CISOs. “They’re looking for people that have the business influence capability, who can talk to CEOs in their language – not the language of IT”, de Crespigny says. This supports his argument that information security is best seated not within the IT function, but in the business stream.
Stroppy Teenager
Mr de Crespigny uses a fascinating analogy to explain just how far the industry has come – and still has to go. “We’re very much still in a late adolescent stage. If you think about psycho-social development, most security functions are still at a stage where they’re focused on the importance of self; being seen as capable and having an identity of their own. Adolescence is all about being independent, and being seen as strong; whereas in early adulthood, it is all about relationships.”
“I think there’s a real issue at the moment around the maturity and development of a core profession, and particularly the importance of organizations in the public and private sector being much more open with each other”, he continues. “We need to move from this late adolescent stage into early adulthood”.
The ISF’s objective is to facilitate the stage of ‘early adulthood’ for their members – enabling the collaboration of people with common problems and interests, and talking about how to solve those problems when needed. “The ISF is growing at a time when the economy around the world is still not particularly healthy, and it’s driven by this maturing approach to the way to solve the problem.”
During a revision of strategy in 2011, de Crespigny and the ISF determined key areas of focus: visibility, growth, and critical mass in key markets. “We need to be more visible externally on issues important to the public and private sector, and have invested more in public relations. The ISF is particularly focused on growing membership in Germany and the US.”
If the information security industry is in the stages of late adolescence, then surely its ‘teenage’ members will welcome a new social networking site with open arms? The ISF is launching a new member website based on enterprise social technology, which de Crespigny has been “actively involved in. ISF Live will be launched in July. There are features which will enhance the way our members can keep in touch”.
Skills Gap
American members of the ISF are reporting zero unemployment in the information security field at the moment. Why? “Because there’s a limited number of people that are really credible in this space”, responds the ISF’s CEO. “Now that boards and business ‘get it’, they need well-qualified people to beef up their teams. So they’re out recruiting people, and at the moment they just don’t exist.” Without doubt, demand is outstripping supply. “There are fantastic employment opportunities, and very credible universities and institutions offering well-regarded qualifications. [Demand for information security professionals] is not going to tail off. It’s going to grow, and it’ll grow faster than the economy”.
To support demand for highly skilled professionals, information security budgets are growing, providing the perfect opportunity for people to come in at the grass roots level. “I imagine MBA programs, in due course, will become of greater interest to people in security roles. At the moment, I don’t see a lot of people in security actually thinking about an MBA as a career development option, but I’m sure that will change.”
Life After the ISF
Of course, not all ISF CEOs get a fast track ticket into the White House after serving their time, so I ask de Crespigny what he imagines his next move might be. “I’d quite like to get involved in industry-level consolidation for the plethora of standards that are creating fog and confusion”, he replies. “As the industry matures, there’s a need for this to come together at an industry level – I’d like to be a part of that.”
While he doesn’t envision this happening any time soon, he is a strong believer in the concept of self-imposed fixed terms, of which he judges five to seven years to be the limit. “In my working life, the organizations I’ve seen suffer the most are the ones where there’s been a dominant chief executive who really hasn’t moved on.” As a result, he openly admits he does not expect to be in the role of ISF CEO until the day he stops working.
Perhaps that next move will be another of luck or chance, arising out of being in the right place at the right time. Or perhaps de Crespigny is in more control of his destiny than he allows himself to believe. His dream job of racing sports cars from the seventies and eighties (“before they became complicated by electronics”) is unlikely to become a reality, but de Crespigny settles for taking his “old Porsche out on racetracks every now and again” to get his adrenaline pumping. Perhaps, like the information security industry, de Crespigny has a little bit of adolescence left in him.