Secret CSO: Ian Cruxton, Callsign

What is the best current trend in cybersecurity? “For most successful cyber security practices, I would say DevSecOps is the most interesting trend… and the most successful ones are (in my opinion) those where security engineers collaborate with developers early on, in the agile teams.”

Name: Ian Cruxton

Organisation: Callsign

Job title: Chief Security Officer

Date started current role: June 2019

Location: London

Ian Cruxton is Chief Security Officer at Callsign. Prior to joining Callsign, he spent nearly 35 years in law enforcement culminating in the role of Director of International Operations for the National Crime Agency leading the UK Interpol, Europol, and Overseas law enforcement network.

What was your first job? I moved to London aged 19 from my home near Birmingham and joined Her Majesty’s Customs and Excise (HMC&E), as an Excise Officer with responsibility for an area of North London.

How did you get involved in cybersecurity? As a Director in the National Crime Agency targeting serious and organised crime, more and more of the work I was involved in related to cyber criminals or criminals using cyber enabled technologies to facilitate their crimes. Additionally, our capability to tackle these criminals relied on law enforcement’s developing array of cyber offensive tactics.

I am not from a technology background but this exposure and the fact that the fundamental underlying principles for Cybersecurity are consistent with non-cyber security and crime prevention, led to me being approached to take up the role of CSO at Callsign.

What was your education? Do you hold any certifications? What are they? I took a vocational path in my career rather than taking a University route. I hold a certificate in Company Direction from the Institute of Directors.

Explain your career path. Did you take any detours? If so, discuss. My first role was as an Excise Officer in Customs and Excise. From there I quickly applied for and was successful in moving into the HM Customs and Excise Investigation specialism targeting top echelon organised criminals involved in International drug trafficking, money laundering and fraud.

After a number of years gaining experience and skills in everything from interviewing suspects to covert intelligence collection and surveillance, I was promoted and joined the relatively new UK National Criminal Intelligence Service (NCIS), which had been set up to bring Police, Customs and other agencies together to tackle organised crime.

I was promoted on a number of occasions eventually holding the role of Director UK Division when NCIS was merged with other organisations to form the Serious Organised Crime Agency (or SOCA). In 2013, SOCA became the National Crime Agency (NCA) and I ended my career in Law Enforcement in the role of Director International Operations after 34 years of service, leading 160 officers covering 104 countries, as well as the UK’s Interpol and Europol Bureaus. I joined Callsign in June 2019.

Was there anyone who has inspired or mentored you in your career? I have met many inspirational people in my career but for me three stand out at different stages of my development. One as a young gung-ho investigator, another as I moved into management, and finally a former colleague and still a friend, Keith Bristow QPM. I worked with Keith a few times and he was the first ever Director General of the NCA, and the most talented and impressive senior leader I have ever worked with.

What do you feel is the most important aspect of your job? Ensuring that we never lose sight of the fact that without commercial success, we don’t have a business. Security is the means by which we provide the right protection to allow the business to be sustainably successful. If our security suppresses our innovation, then we cease to thrive and we become an inhibitor to success.

What metrics or KPIs do you use to measure security effectiveness? This is an area where we are spending a lot of time currently. There is no single ‘killer’ metric here – and security effectiveness is a blend of tangible evidence and active engagement on a day to day basis. We are looking at metrics and KPIs that evidence our people recognise ‘good’ security from ‘bad’ and take responsibility by being pro-active in keeping Callsign and our clients safe and secure.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are certainly seeing many of the same challenges as others in the marketplace, including balancing a relatively short supply of highly skilled people with driving salary expectations.

That said – we have also found that skilled people want to work in a team of other talented individuals, and we have therefore managed to continue attracting and retaining the right calibre people for Callsign.

Cybersecurity is constantly changing – how do you keep learning? It’s a cliché but change really is the only constant! I aim (but not always successfully) to carve out some time each week for some reflection and self-learning. Ensuring you get a smaller quantity of more insightful information is far more important than volume!

What conferences are on your must-attend list? Obviously the last 18 months has meant a virtual rather than actual attendance, but for me, Security Awareness and Special Interest Group (SASIG), International Security Expo, and RSAC are on my must-attend list.

What is the best current trend in cybersecurity? The worst? For most successful cyber security practices, I would say DevSecOps is the most interesting trend. I would caveat there are multiple interpretations of this, and the most successful ones are (in my opinion) those where security engineers collaborate with developers early on, in the agile teams.

Ransomware is still at the top of the list in terms of impact and cost, but we are starting to see several of the leading groups turning to build their own “Cybercrime cloud platforms” where one can purchase access to botnets software and infrastructure. Think “the AWS of cybercrime”.

What's the best career advice you ever received? A successful career is not about never making honest mistakes – but rather about how you deal with and learn from them.

What advice would you give to aspiring security leaders? Have the courage to speak truth to power about risk exposure. If something goes wrong no-one will remember that you tried to raise the discussion before – just that you weren’t forceful enough to make them listen.

What has been your greatest career achievement? Protecting people from those who would do them great harm. Whether directly or indirectly, that always gave me a real buzz and still does today at Callsign, albeit in a different setting.

Looking back with 20:20 hindsight, what would you have done differently? I was once asked what my career strategy was in law enforcement – and if I had my time again in that world – I would have had one! That said – it all worked out well.

What is your favourite quote? In a business context on performance management – “Work hard to make what is important measurable not what is easily measurable important”.

What are you reading now? Bob Mortimer’s (a British Comedian) autobiography… ‘And Away.’

In my spare time, I like to… Bake bread, paint, watch sport and have fun with my 4 granddaughters… to be fair this is more of an aspirational list than the reality at the moment!

Most people don't know that I… Had an audience with His Holiness Pope Francis.

Ask me to do anything but… Code…