Secret CSO: Scott Richardson, Crayon

What advice would you give to aspiring security leaders? “Be ready to be the first person on and off the scene…”


Name: Dr. Scott Richardson

Organisation: Crayon

Job title: Head of Cyber Security

Date started current role: December 2019

Location: Helsinki, Uusimaa, Finland

Dr. Scott Richardson is the CSO of Crayon and is accountable for information security, data protection, business continuity, crisis management and operational safety for Crayon worldwide. He is also responsible for ensuring that every company within the group delivers on Crayon's commitment to data protection, including protecting personal data with state-of-the-art security measures and helping data subjects exercise their privacy rights through a service-oriented approach. Before Crayon, Dr. Richardson obtained his Doctorate of Philosophy in Europolicing and Coordination System Design at the University of Lincoln.

What was your first job? I had many jobs from a very young age. One that stands out is working on a production line at a thread manufacturing company for four months when I was 18. While the chemical hazards bonus helped pay for my studies, the drawbacks were 40-degree Celsius factory conditions and 12-hour shifts on Sundays. That said, it taught me the value of striving to achieve your best and earn the respect of others, even in the harshest of conditions.

How did you get involved in cybersecurity? Effectively it was a transition. I used to work at Europol where I built a tactical intelligence unit that focused on the full scope of organised crime and terrorism. From this, I dealt with a lot of cybercrime and even the predecessors to the nuances of cybercrime (such as the Nigerian 419 scams). I then eventually transitioned from tactical intelligence and recommendations for member states combating cyberthreats, to the internal cybersecurity defence route. 

What was your education? Do you hold any certifications? What are they? I have a PhD in Europolicing and Coordination System Design from the University of Lincoln. I also built and delivered tactical intelligence training for law enforcement around the world.

Explain your career path. Did you take any detours? If so, discuss. I was always motivated by the concept of an organisational “fit”. For instance, I would say that the CSO role is my “fit” in Crayon rather than the CISO role. At Crayon we hold great value in protecting the people within our company and we’ve gone to great lengths to do so. The fact that we have a corporate security team, which is all about protecting our people, parallel to our information security and data protection team is a distinguishing factor for me. Trying to understand what type of challenges you really enjoy and by default then potentially excel at, actually allows you to hone in on your organisational “fit”.

Was there anyone who has inspired or mentored you in your career? Two people. My professor at University of Lincoln taught me analytical research-based problem solving; he was the reason why I pursued a PhD in the first place. And, a senior figure at the European External Action Service, who taught me how to build a design from the perspective of the organisational structure which needs a solution or needs to be created to achieve sustainable solutions.

What do you feel is the most important aspect of your job? Trust and dependability. Trust from the senior management team that we are 100% committed to protecting the organisation, trust from the data subject whose personal data our organisation processes, and trust from team members across the business for whom we seek to deliver secured productivity. Trust is the foundation for my entire role and everything else falls underneath – but this isn’t blind trust at the same time. Personal integrity is a key factor in gaining trust and being dependable to your team – it’s something we pride ourselves on here at Crayon.

What metrics or KPIs do you use to measure security effectiveness? It depends on the objective as we have tailored KPIs for each. That said, the most important one is building a security culture where we rely on feedback we receive from our team members across the business who we, in turn, rely on to be committed to our security effort. Across our KPI set, ‘impact’ is a recurring concept; we need to be able to measure the impact of our work.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At the moment, everyone is struggling to fill their open roles. We use a network-based approach and if that doesn’t work, we activate our internal talent acquisition. Without tempting fate, we’ve always been fortunate enough that our network-based approach has helped identify the relevant high performers that fit our profile.

We look for people who bring diversity so that we have different perspectives based on various market challenges we face worldwide. Our markets are not homogenous, so we don’t want our way of thinking to be homogenous.

Cybersecurity is constantly changing – how do you keep learning? On the technical level, I 100% rely on my team. I need to understand the logic and learn how the cogs fit together, but I don’t need to know how every single cog is made. When you have a team of the best technical specialists in the world, you don’t feel any pressure to think you have to be super technical.

What conferences are on your must-attend list? The Nordic Infrastructure Conference (NIC). NIC is a Crayon conference that takes place every year and gives us an opportunity to interface with our customers, suppliers, and leading speakers in the security space.

What is the best current trend in cybersecurity? The worst? The most interesting cybersecurity focus for us right now is deceptive security. That said, you don’t really want to jump there before you have squeezed everything out of your Security Information and Event Management capabilities.

The worst side is still organisations selling snake oil. Scare tactics and promises of silver bullets remain a major threat to the risk-based allocation of resources which will always be in limited supply relative to the size of the security challenge.

What's the best career advice you ever received? To be the quality controller of your own outputs, whether it’s for you or as a team. Always try to bring something to the optimal output you can deliver, before passing it on to the next. Always design solutions based on the analysis of your organisational reality and needs in order to identify high-impact outputs which are reliable and sustainable.

What advice would you give to aspiring security leaders? Recruit the best or most promising, empower and enable them, and support them when needed. Be ready to be the first person on and off the scene. Be ready to commit and always be available 24/7. If something goes sideways, stand accountable and take the hit.

What has been your greatest career achievement? When we retire, no one cares what your title was or what your certification and education was; what you have is your personal growth and your memories of shared journeys and joint achievements.

If I were to retire tomorrow, my greatest achievement would have been putting together the unit we have at Crayon. Every single member is an autonomous, critical-thinking, high-performing, solution-orientated actor. In the future, I want them to turn to me and say we’ve got this and it’s time for you to move on. And, while I have been fortunate to amass many great experiences during my career, this will have been my greatest achievement as our trajectory keeps going up and up.

Looking back with 20:20 hindsight, what would you have done differently? Everything we do shapes us. There’s not a thing I wouldn’t do differently.

What is your favourite quote? I don’t have a favourite quote but rather love powerful concepts, like ‘Secured Productivity’ as something Crayon’s Security Unit focuses on delivering ‘with’ and ‘for’ our stakeholders across the business.

What are you reading now? Allen Carr’s Easy Way to Stop Smoking.

In my spare time, I like to… Spend time with my family and in the garage restomodding a 1971 Jaguar XJ6.

Most people don't know that I… don’t like the sound of my own voice, even though I tend to talk a lot. In pursuit of getting high-quality input or disagreement from others I do lean towards overexplaining.

Ask me to do anything but… to complete an arbitrary bureaucratic task.