He's no tambourine man, but the Salvation Army's CIO isn't there by accident - and he tailors his work to its high mission. By Paul Fisher.
In our world, we hear a lot about the challenges of maintaining data integrity in the financial sector, retail, industry – all those frenetic, fast-moving citadels of commerce. But what of that increasingly visible and important sector that exists to help others – charity, ‘the third sector’?
A visit to the UK headquarters of the Salvation Army in Elephant & Castle, London to meet its CIO Martyn Croft was one way to find out.
Croft, now in his late 50s, has been with the Salvation Army UK since 1995. In August 2009, he was appointed CIO with responsibility for all information systems – and of course their security.
It's been a long and winding road: “In a nutshell... I started out my career as a medical lab technician; got seduced by computers through using SPSS to analyse lab data on the nearby Leeds University mainframe; built my Compukit microcomputer back in ’79; learned 6502 machine code programming; evangelised micros on Radio Leeds during the 80s; worked on expert systems and AI at the university; co-wrote a book on packet radio; found the beauty of relational databases; worked in the NHS bringing IT to the hospitals; gave up that unequal struggle and came to the Sally Ann.”
He has an MSc in information security from Royal Holloway and is on the steering group of Socitm, representing the IT community in the public sector.
Our visit was suitably friendly and devoid of PR nonsense. Croft was keen that we understood the nature of the Salvation Army's work and its structure. So much so that we had an unexpected half hour with his manager, Lieutenant-Colonel David, who spoke passionately of the Army's history and its goals, about which he obviously cares deeply.
As does, it transpires, the CIO, who despite his softly-spoken manner is proud of the operation he looks after.
“People are often surprised when they come into a third sector organisation. I'm sure they expect quite a small operation, but we've got 7,000 staff in the UK operation alone. We work in 119 countries, and some of those operations are extremely sophisticated. We've got technology as good as anybody else's. You have to have,” Croft says.
Does he feel that being in the third sector affects the type of attack that comes their way? “I thought it would have done,” he says. “After all that tightening up of security in the banking sector, I would have expected the focus to shift to us and the so-called softer targets. Charities in particular, I think, are vulnerable to phishing attacks and social engineering. But in the end we get pretty much the same as other people get.”
I suggest that working across so many different countries must bring some extra risk – working in countries which are, say, less well protected than US or European markets? “Absolutely,” he says, without hesitation. “Overseas, sometimes you're lucky to get an internet connection. So you've got to target the technology. Even sending a laptop into some countries is a dangerous occupation.”
But if the organisation is no different in terms of attack, then what makes the people who work there different? People may well earn more in the private sector, so why work for an organisation such as the Salvation Army? The answer is, again, one of commitment. “We're privileged to have people who are dedicated either to IT, or especially to IT in the charity sector. It is perhaps a slightly different breed of people. You've got to be in line with the aims of the organisation you're working for, otherwise there's not much point working for them. We're perhaps not the best payers as a sector, but I don't think we're much different.”
He admits the organisation could do more when it comes to staff development and training, saying that it's an area they continually look at. His IT people tend to come, as he puts it, “ready baked”.
It's often overlooked that the third sector turns over huge amounts of cold, hard cash. According to Croft, the sector as a whole was responsible for £33 billion worth of turnover in 2009. The Salvation Army contributed some £225 million to that. “I think we're the fifth or sixth largest charity in the UK. Charity is not an easy gig. It really is a cut-throat business. There's lots of competition out there,” he says. Anyone forced to sidestep the ‘chuggers’ on any British high street in recent years will testify to that statement. And increasingly the behaviour and compliance activity of charities are being closely scrutinised by the Charities Commission, eager to ensure that a generous public is not short-changed.
Croft says that all this impacts on the systems and technologies that the Salvation Army deploys. “You can't do it in an amateur way; it has to be professional all the way through. And that includes information technology, looking after the data, and, these days, having a security plan that guarantees that you are going to keep that information safe and sound,” he says.
“What concerns me is perhaps not the larger charities; it's the smaller ones, where perhaps they don't have resources to invest in the levels of protection that they ought to be looking at.”
What then of the other employees and partners of the Salvation Army – are they prone to temptation, or are they angels sent from heaven? “You'd love to be able to say that, wouldn't you?” he says with the faintest of smiles. “You would imagine that would be a tick in the box. But I don't think we are different from anybody else.” In other words, Croft does have to worry about the insider threat.
“We deal with donations. A lot of that is handled by external agencies. We still have to have the procedures and processes in place to safeguard that and to minimise the risk.”
Croft is aware of the cloud and virtualisation tricks but, unlike his private sector peers, he isn't using the cloud to reduce costs and maximise profits. Instead, he has to be seen to be spending wisely to ensure the maximum can go to the Army's charitable activities.
“We got into cloud-based stuff with email filtering very early on, because it seemed like such a natural thing to do. Why were we handling 80 per cent of the traffic that was total rubbish? Just leave it at the front door, why bring it inside? Right now we use Mimecast and that has been absolutely great,” he says.
It seems that the pressures on Croft are closer to those in the private sector than the public sector, which, for example, suffers far fewer consequences if it loses 23 million public records. Is that fair?
“I think you're right we're closer to the private sector. We do the same things, we have the same operations – it's just that we don't make any money,” he says.
“The biggest risk we have is to our reputation. If we lose all our supporters' credit card details, then they're not going to donate in the future.”
He points out that the Salvation Army supports the homeless, vulnerable people whose personal details are treated with great care and kept securely. As Croft says, if you are going to steal an identity, a homeless person's is a valuable one to target.
Fraudsters exploit charities in other cynical ways. Donating a small amount to check whether the details of a stolen credit card are still valid is one. Phishing emails are another, exploiting the better side of human nature in the aftermath of disasters such as the Haiti earthquake.
“There's generally a six or seven day lag after the event before these emails go out, when the full enormity of the disaster is starting to sink in.”
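Added example, not from the article or from the Salvation Army's own systems: a simple detection heuristic for the card-testing pattern described above (many distinct cards, small amounts, one source, short window), run over constructed donation records. The IP addresses, card tokens and thresholds are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample donation records (not real data): timestamp, source IP,
# tokenised card reference, amount in GBP, and the payment gateway's result.
DONATIONS = [
    ("2010-03-01T10:00:05", "203.0.113.7", "card-a1", 1.00, "declined"),
    ("2010-03-01T10:00:31", "203.0.113.7", "card-b2", 1.00, "declined"),
    ("2010-03-01T10:01:02", "203.0.113.7", "card-c3", 2.00, "approved"),
    ("2010-03-01T10:01:40", "203.0.113.7", "card-d4", 1.00, "declined"),
    ("2010-03-01T10:02:15", "203.0.113.7", "card-e5", 1.00, "approved"),
    ("2010-03-01T10:05:00", "198.51.100.9", "card-f6", 25.00, "approved"),
    ("2010-03-01T11:30:00", "198.51.100.9", "card-f6", 10.00, "approved"),
    ("2010-03-01T12:00:00", "192.0.2.44", "card-g7", 50.00, "approved"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def detect_card_testing(records, window=timedelta(minutes=10),
                        max_amount=5.00, min_cards=4):
    """Return {source_ip: alert} for sources that try many distinct cards
    with small amounts inside one time window. The amount and count
    thresholds are assumed starting points, to be tuned on real volume."""
    by_source = defaultdict(list)
    for ts, ip, card, amount, result in records:
        by_source[ip].append((parse(ts), card, amount, result))
    alerts = {}
    for ip, events in by_source.items():
        events.sort()
        # Sliding window over this source's small-value attempts only
        small = [e for e in events if e[2] <= max_amount]
        start = 0
        for end in range(len(small)):
            while small[end][0] - small[start][0] > window:
                start += 1
            span = small[start:end + 1]
            cards = {e[1] for e in span}
            if len(cards) >= min_cards:
                declined = sum(1 for e in span if e[3] == "declined")
                alerts[ip] = {"distinct_cards": len(cards),
                              "attempts": len(span),
                              "declined": declined}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_card_testing(DONATIONS).items():
        print(f"possible card testing from {ip}: {info}")
```

In practice the source key would be whatever the payment front end can attribute reliably (session, device fingerprint or IP), and a high decline ratio within the window is the strongest signal.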
Martyn Croft was appointed CIO of the Salvation Army in August 2009. How has it affected his blood pressure? “It's crazy!” is his opening salvo. “The Salvation Army has perhaps begun to realise that it's got a lot of information and it's about time we started making good use of it – so it becomes a resource just like any other. We've spent the past ten or 15 years concentrating on the hardware, but now there's a bit of a sea-change going on. In the next couple of years, you'll see IT departments cease the normal sort of IT stuff. You know, computers are commodity items, so why not bring your own computer? That's going to change the dynamic completely,” Croft says.
So would Croft be happy for Salvation Army employees to march in with iPhones, netbooks and other computing devices of their own choosing?
“Personally, I'm happy, but as for the organisation it's something we have not explored yet, but we have to look at the possibility. For the third sector, it's tempting, because it means you don't have to spend your money on IT – but it raises lots of new questions in IS.”
He explains that the organisation has a sizeable investment in thin-client computing, which he says is “great”.
“Because the data stays put, stays on the server where it's safe and sound, doesn't go wandering off on anybody's laptop. So as a secure environment, that's a much better environment. How do you do that if people are habitually transferring data onto their laptops? That's a problem we've all been wrestling with for the past few years. How do you do it if that's somebody else's laptop? It's an enormous issue, but it's a tantalising one. So we're looking at things like virtual desktop infrastructures, streaming desktops, so you can bring your laptop with you and we'll plonk a virtual desktop on it and let you work on our corporate systems. The data doesn't move around, it stays put in the data centre,” he says.
Croft is less keen on the vendor community's part in delivering on the brave new world he describes. “I thought the days of people overselling product had been left behind. But more and more people are perhaps selling to the same level and delivering less.
“Is there new product around? Are we beginning to address any of the questions that we have over this wonderful cloud computing? If we were so innovative and so good, so technically advanced, then asking questions about security in cloud computing wouldn't be a problem, would it? What are we doing? We're all wandering around saying, this cloud computing sounds very interesting and it's great. But is it secure? I bet it isn't. Can anybody prove it? Can anybody secure it? Nobody's got an answer for it. Well then, how smart are we?”
It's refreshing that Croft is black and white about his job and what he understands. He doesn't have much time for risk management parlance or the fuzzy but increasingly fashionable science of information risk.
“I'm not a big fan of the risk management side of information security. It does boil down to those two camps, IT security and risk management. I'm firmly in the IT security camp. I come from IT. I was a programmer; I know databases inside out. So I pretty much know what's going on under the hood. If you come at it from the risk side of things and don't know what the technology can do, then I don't know how you can make a risk assessment that's sensible. Sure, you can say, high probability, high impact, big risk. But what do you do about it?”
I mention that, at a conference, an audience of IS professionals was asked how many of them had regular access to the board. Not one person put their hand up.
“You see, that's such a shame. I take it as a personal insult when people say, ‘you can't have IT guys on the board’. Why not? Oh, because nobody understands them. Well, for goodness' sake, if the board doesn't understand the IT guy then you have a major problem in your organisation. And if your IT guy is not eloquent enough to get his point across to the board, then he's in the wrong job or there's somebody missing in the chain,” he says. Not Martyn Croft, though...