Interview: John Colley of (ISC)²

The infosec industry is set apart by its incredible willingness to share information
John Colley, managing director EMEA, for (ISC)²
The fascinating thing about Colley’s career is how it has evolved right alongside the industry

Within only months of Colley’s (almost accidental) entrance into information security, he joined I-4 (The International Information Integrity Institute, now run by KPMG group, but at that time, owned by SRI International), a forum for information security professionals. Interestingly, his career has now come full circle, as he enters his fifth year as managing director EMEA, for (ISC)², the not-for-profit leader in educating and certifying information security professionals throughout their career.

The relevance of industry forums and networking consortiums at both the beginning of Colley’s career, and now in his full-time role at (ISC)² is no coincidence. Indeed, he can’t emphasize enough how much peer-to-peer interaction can make or break a career.

Donn Parker, whom Colley fondly describes as “literally one of the founders of information security”, set up I-4. ICL (International Computers Limited) – for whom Colley worked at the time – was a member. “[Parker’s] idea was to get a whole group of blue chip companies together, and form a little club – keep it exclusive (limit it to about 60 companies), meet two or three times a year, and share information about what your problems were”. The objective, explains Colley, was learning from one another; an intention that was certainly met.

The first I-4 meeting that Colley went to was in 1991. “I met Paul Dorey, David Lacey, and Bob Fletcher”, remembers Colley. “All these people were incredibly friendly and happy to share information.”

Colley was, in his own words, “parachuted into” the role of information security and data protection advisor at ICL in April 1991. “In June, I was at the forum and still didn’t know much about information security. I guess I learnt everything I needed to from these people, and over the years at the forums, I learnt some incredible stuff.”

The willingness to network and share information is something that Colley believes sets the information security industry apart. “Competitors in the computer market would share information about their security problems, under a confidentiality agreement, obviously. It is really quite amazing”, says Colley, who is proud to still be in contact with most of the people he met 20 years ago.

From Day One

Having studied for a degree in mathematics and physics at Westfield College, University of London, Colley realized that he “better get into IT” not long after graduating.

Colley joined ICL as a trainee programmer – “very much a ‘techie’” – which he describes in hindsight as an “interesting experience and steep learning curve”. He spent time “in systems doing programming and stuff like that”, but eventually moved into management, completing ICL’s core management courses, the last of which he describes as “top-level strategy, rather like at the MBA level.

“That was quite useful later on in life. I’m not sure if [technical disciplines] these days invest in giving employees the management training that they need in terms of business development”, he says with doubt. “This is a real shame.”

Over the years, Colley did “just about every single job there was to do in IT”, including tenures at Eastern Gas, the Nigerian Ports Authority and, of course, ICL, which he “kept going back to”.

"My generation all sort of parachuted into the [information security] role"

Colley describes his time at Eastern Gas as “privileged – because IT people were paid more than just about everybody else, we always had our lunch in the senior management canteen, with silver service and waitresses”, his time in Nigeria as “an interesting experience”, where he “learnt how to survive in a hostile environment”, and his constant returning to ICL as “a reputation and integrity thing”.

His various roles at ICL included contract work implementing software systems around Europe, but mainly consisted of IT management roles, being responsible for teams of 20 or 30 people at a time.

In 1991, ICL made their information security and data protection advisor redundant. “He had no real responsibility and it showed that they didn’t take him seriously when they made him redundant”. Shortly after, ICL got a bad audit report – “a couple of items concerned information security. They then looked for someone who would take it over, and asked me to do it”.

Colley, like many of his contemporaries, “didn’t even know how to spell security, let alone what it was about” at this point. Others in the industry tell a very similar story, says Colley. “My generation all sort of parachuted into the [information security] role.”

First Things First

“The first thing I did [in my new role] was write some objectives – why did we have a security function, and what was it meant to be doing? I then produced a plan, a strategy, with steps on how we were going to achieve that.”

Twenty years ago, the role of the information security professional was understandably different. “Companies ran their own networks. In the early nineties, most weren’t connected to the internet. We’re talking about lots of personal computers, internal email systems, protocols. So security was getting more and more on the agenda – particularly the worry about computer viruses.

“It was a very exciting time”, remembers Colley. “We got hit with one of the very first Word macro viruses – the I Love You worm. We had to work out ways of defending against this stuff, and how to control it.

“To some extent, the internet was a much more complex place. FTP was one protocol, and mail was another protocol, telnet was another one. From that point of view, it has got much simpler, but it has also got more complicated, because everything goes down one big pipe.” To some extent, Colley theorizes, information security professionals had to “write the rule book as we went along. There were no standards then”.

"I still get this guilty feeling that I’m out of the office and not doing my proper job"

Colley recalls how Ken Cutler, from American Express, shared his security standards with everybody and allowed them to “rip the front cover off and use them within your own organization”. An example of cost savings, says Colley, in addition to a great example of the industry’s willingness to help each other.

The evolution of the industry has kept Colley’s career and education progressing, in parallel with it, at a fast pace. Although he claims to hate the thought of having been in the industry for twenty years, he laughs when he recounts his old belief that “anyone who has been in the industry ten years doesn’t know what they are talking about”.

After ten years of running information security at ICL, Colley decided to move on. Citing internal conflict as his reason for leaving, Colley explains how his boss’ inability to “be mature about the conflict of interest”, drove him away from the organization. The conflict of interest he references is that of what the IT director delivers and what it costs, in relation to availability and security of production systems. “Most IT directors are fairly mature about that. But the last person I worked for wasn’t quite as mature, which was why I left. I thought, there’s not a future here if my boss isn’t interested in what I’m doing and only sees me as an obstruction.”

The Glory Days

After leaving ICL for the final time, Colley spent a brief but glamorous spell at Atomic Tangerine, a dot-com consultancy with “a very interesting business model”.

Atomic Tangerine “commercialized new technology, getting stuff from research labs all over the world”. Colley joined not only for the “after-work parties, and free coffee and soda in the offices”, but with lots of share options. “I was going to make at least a million dollars”, he remembers, and then reminds me that this was 2001. “You know what happened in 2001?”, he says, referring to the dot-com crash. “It went bust after six months of me joining them”.

Colley’s next move was into the role that really helped to shape the rest of his career, and is perhaps the position that many will associate him with. Initially joining Royal Bank of Scotland (RBS) as head of consultancy services, Colley was challenged by two things. “Firstly, they already had a CISO, and secondly, I had no financial services background”. Neither proved to be much of a concern for long. For reasons Colley didn’t want to go into, the CISO at the time left and he took over her role as group head of information security for the bank.

“In those days, if you wanted to earn lots of money [in information security], and do all the leading edge stuff, you wanted to work for a bank”, Colley says of his decision to join RBS.

"I think that’s what I bring to (ISC)² – that I can truly speak as a practitioner"

Despite declaring Barclays as “the leading lights in those days, under people like Paul Dorey”, Colley is confident that he built “one of the best information security teams in the UK” at RBS, although he admits that it is difficult to measure. “You’ve got this gut feeling that you’ve got a really good team, that are all behind what you’re trying to do, and are all high performers, but it’s more difficult to measure than if you’re writing a program.”

Within only a few months of Colley beginning his tenure at RBS, “Graham Edwards was brought in as director of group security and fraud; the first attempt at bringing the physical, the information security, the fraud people and the business continuity people under one directorate”.

The key to information security at a financial institution is quite straightforward, says Colley. “You just have to understand what the motivators are, and what the crown jewels are. In financial services, it’s customer information. You might think that the crown jewels in a bank is money, but it’s not – it’s customer information.” It is therefore essential to put a lot of controls around maintaining the confidentiality of systems that process customer information, he advises.

I Get by With a Little Help

Colley casts his mind back to 2003 and yet another forum that he places incredible value on. “We had what was called a London Security Managers’ Forum”, Colley says, correcting his initial label of ‘lunch club’. “There were about ten of us involved, and we’d host the lunch every six weeks or so.” “Barclays was the first bank in the UK to be hit with a phishing attack”, Colley remembers. Despite competing at a commercial level with members of the forum, “Bob Fletcher, who was then the acting CISO there, hosted one of these lunches, and told us everything that had happened. He gave us a blow-by-blow account. This phishing attack was the first one in the UK – nobody knew how to deal with it”, he recalls.

Three weeks later, NatWest (part of the RBS group) “got hit”. Thanks to Fletcher’s openness and willingness to share Barclays’ experience a few weeks before, “we knew exactly what they were going to do. I wouldn’t say we were one step ahead, but we could certainly mitigate losses.”

From the first phishing attack to when Colley left two and a half years later, NatWest had the best record for minimizing losses. Why? “Because we had a fantastic threat management and investigation team. We didn’t just respond [to attacks], we sat down and said, ‘what’s next?’ We predicted DNS poisoning and pharming and all that sort of stuff.” The team would carefully consider what they’d do in certain predicted scenarios. “So when [cybercriminals] did it, we were ready. You can’t always predict the future by looking behind you. You also have to do a little bit of ‘crystal balling’, and think ahead”, he insists.

“We were so good at defending that we found phishing attacks started to drop off”, Colley remembers proudly, explaining that cybercriminals started to aim for softer targets. “There were companies that weren’t perhaps quite so good at getting the money back and tracking them”. The RBS Group “were actually involved in getting cybercriminals arrested, so it was basically, ‘don’t mess with NatWest’”.

New Pastures

His departure from RBS was similar to that from ICL. “I’ve got a bit of a reputation for disagreeing with management”, he laughs. “We were increasingly being forced into what I call traditional management lines, so there was a lack of recognition that we were a highly specialized unit with specific rare skills that required a different sort of management style.”

This concerned Colley enough for him to jump ship and get a job at rival bank Barclays. “Initially I looked at the consultancy team, and then ran risk services. Getting things done across the group was difficult. Even now, I’m not quite sure what Steve Bonner’s [Barclays’ current MD of information risk] role is, and whether he’s right the way across Barclays or not. Banks have very different cultures.”

After a year, Colley was ready for a change of scenery once again, which led to his current role at (ISC)².

Knowing Colley as I do, and hearing about his career and great enthusiasm for industry networking and sharing in such detail, I can only conclude that he is in the perfect role. His long history with (ISC)² – he took the CISSP exam and joined the board in 1998, and became managing director EMEA in 2007 – is the result of his “wanting to give something back to the profession, which I’ve got so much out of”.

When Colley joined the board in the late nineties, there were 3200 members globally, and (ISC)² was run as an amateur, volunteer organization. “I remember going to three or four board meetings when we were almost discussing whether we could afford to have another board meeting. It was that sort of hand-to-mouth existence”, he recalls.

During the eight years Colley served on the board – including two as chairman – the decision was taken to put in professional management. (ISC)² currently has 74,000 members globally – “We wouldn’t have been able to do that with a volunteer organization”, he says.

“While I was chairman, we re-wrote ‘the bibles’, because they originally reflected the volunteer organization. We made it more democratic as well, giving access to the board and the members, and things like that.”

With his contract at Barclays coming to an end at the same time that (ISC)² started looking for regional MDs, the timing was perfect. “The idea was to put someone like myself in who was recognized within the industry; not just as a figurehead, but as a spokesperson, to open doors in terms of professional development, and talk about things that I knew about as a professional. I think that’s what I bring to (ISC)² – that I can truly speak as a practitioner”.

Job Profile

Colley admits his own surprise that he has lasted four years – and counting – in his current role, without “getting bored and seeking out new challenges”.

Perhaps it’s the generous number of conferences and industry events that he gets to attend, or the frequency with which he talks to the press. “I still get this guilty feeling that I’m out of the office and not doing my proper job. I still haven’t got it into my mind that this is actually my proper job”, he laughs.

The less glamorous aspects of his role include budget management, objectives setting, and “business-as-usual stuff”. He still has personal ambitions at (ISC)² that he is chasing: running many more events, revitalizing the power of its membership, and perhaps the goal he is most passionate about – getting the UK to the number two spot in terms of membership. “We are currently number three, about 120 members short of Canada. It’s a moving goalpost though. Our chairperson is a Canadian, so I’ve told her to watch out”, he jokes, but it’s obvious that this is an ambition he takes very seriously.

It’s Not What You Know

Colley attributes much of his success in the industry not to what he knows, but to who he knows. “I think the whole of this industry works on who you know and personal contacts”, he says solemnly.

When I ask him who, in particular, has influenced his infosec career, and who he has the utmost respect for, he cautiously answers that there are “too many to mention. It’s a bit like the Oscars, if you miss someone out, they’re going to be offended”. He restates his “enormous debt of gratitude” to the people he met in the early days at I-4, “and their willingness to help a complete novice. I still keep in touch with Donn Parker. My approach [to helping others] has been exactly the same [as his]”.

As in almost all Oscar acceptance speeches, Colley does finally give in to temptation, and lists a few of his most influential colleagues. “Ray Stanton, Paul Dorey, David Morgan, Martin Smith, Robert Coles, Marcus Aldridge...”, he acknowledges. “There’s a whole raft of them”, he says. So if your name isn’t on the list, don’t be offended...

With that, I say goodbye to John Colley, a man who undoubtedly deserves his sterling reputation and his seat on a ‘Cowell-esque’ pedestal.