

INTERVIEW


he now considers “home”. He and his wife were given the option to return to Australia, but they unanimously decided to stay put in the UK. Fourteen years after moving to London, de Crespigny still considers it “the best city in the world”.


Around the World


“We initially came across to help set up a business that focused on risk management from the operational and financial perspectives, but also including technology and controls”, de Crespigny says. “I spent five years working with an English partner, and bringing together all of the global firms to align strategies and develop services”. He took a role looking after the work that PwC was doing for the ISF around 2005. “From the very earliest days, Coopers & Lybrand (as it was formerly known, before merging with Price Waterhouse in 1998) had a fundamental role in the creation of the ISF. They stepped back very much in the mid-nineties, when the organization took control of its own destiny.”


Within twelve years of working for PwC, de Crespigny had experience working (and living) in Australia, the US, and the UK. He also worked – and travelled – a lot in Asia. The approach to governance and control is one of the biggest differentiators, he notes, in how the continents do business. “The British approach to governance, Parliament, and the way that organizations are structured and governed [focuses on] importance of control and segregation of incompatible duties, and running things in a very consistent and reliable manner”, de Crespigny observes. In Asia, he explains, it’s a different story. “There is a very different history, and the focus on control is quite different.” Of the 300 ISF members, which include the world’s biggest banks and aerospace players, engagement with Japanese countries exists only through their subsidiaries in the US or Europe.


Big Shoes to Fill


In December 2009, de Crespigny retired from his twenty-two year tenure at PwC and stepped into the role of chief financial officer and operating officer at the ISF, serving under then-CEO, Howard Schmidt. As fate would have it – or perhaps it was that luck that de Crespigny speaks of in relation to his career – soon after he joined the ISF, Schmidt took the role of cyber-security coordinator for the Obama Administration. “It was a fantastic opportunity for him”, he says. Shortly after Schmidt’s departure for the White House, de Crespigny was promoted to CEO. Despite the fairly quick promotion, he doesn’t consider it premature, having worked with the board five years before then in his role as a client service partner. “There was already a degree of trust between me and the board”, he contends. “In a sense, Howard leaving was unfortunate for the ISF because we lost somebody who was very visible externally, but at the same time, what better credentials for the ISF than for its previous CEO being in the White House, advising the Obama administration on cybersecurity?” (At the time of going to print, Howard Schmidt had recently resigned from this position to spend more time with his family.) It’s apparent that de Crespigny is very aware that his external profile sits in the shadows in comparison to the former CEO. “I certainly don’t have the external profile that Howard had. He’d been in the White House in the Bush era in a lesser position than he has now, so he’d developed his external position from that.” His concern is no doubt the catalyst for his shift in focus within his CEO role. “In my early days as CEO, I was really concerned with trying to bed down the operational side of things. Since then, I’ve been more visible externally, in terms of [discussing] the sort of topics that are important, and engaging with members”, de Crespigny notes.


When I ask him to break down an average day at work, he is able to give me a very clear and detailed picture of what goes on between the hours of nine to five. “A quarter of my day is spent providing input to our projects – whether it’s reading a final report before it’s about to be released, thinking about the position we want to take externally, and the insights we want to push, or whether it’s actually getting involved in the conceptual development. I spend another quarter talking to members.” Another quarter of an average day is spent “dealing with stuff”, in which he includes industry reading, research and admin. The remainder of his time is made up of media work, speaking at events and, of course, doing what he does most naturally as a chartered accountant – looking after the finances.


All About Risk


Given his background, it’s not surprising that de Crespigny considers risk management to be the greatest challenge in the information security industry. The way he presents a case for this is very convincing. “There’s a huge array of software solutions out there to solve most problems. Software vulnerabilities are generally known, so you can decide how to mitigate them”. From the technical side, then, most problems – subject to resourcing and funding – can be solved, he explains.


“The real challenge for security functions nowadays is that they can’t apply the same consistency of controls to every activity that takes place in their international organization”, de Crespigny asserts. “They’ve got to identify where there’s risk and opportunity, and where the organization needs to protect the information it has.” What’s really difficult, he explains, is deciding which types of information should be released to which types of people. “Furthermore, if we do enable that access, how do we make sure we secure it effectively? There is this matrix, and it’s very challenging to undertake good risk assessment”.


The key to good risk assessment, de Crespigny believes, is “thinking about the environment in which that application runs, and the motivations of the people who might want to break into it, and steal the information”.


www.infosecurity-magazine.com /// 11

