1. Can you walk us through your role at Cromwell, Daniel? What are some of the key responsibilities you take on daily?

I’m the Chief Technology Officer and, though I’m based here in Australia, the remit is across the European and Singapore platforms as well. I am largely responsible for building and implementing our technology capability and IT roadmap, as well as looking at governance to support our current and future infrastructure.

Cybersecurity obviously is a large part of my role – I’d suggest that as much as 25% of my time is spent on cybersecurity initiatives, presentations, and considerations. Of course, many of our governance frameworks that relate to selecting, evaluating, or protecting technology links back to cybersecurity anyway.

It’s a very risk-based approach – we have risks that are managed at a corporate level, but we also need to embed risk assessments into every platform that we consider for implementation – as well as for all the change initiatives we undertake.

So, if there is an upgrade, or if there is some functional change that we are making to our environment, we need to consider all the risks involved.

2. Looking back, how did your career in information technology begin?

My father had an IT consulting company, so I was always around computers as a kid. I played a lot of computer games, and I went into a technology degree following school.

After pursing another passion for a short while, I then came back to the industry working with customer relationship management systems (CRM) systems, and spent a lot of time working with manufacturing systems and in investor relations systems.

My first engagement with Cromwell was nearly 20 years ago, and I was designing and implementing an investor management system with Richard Foster, one of Cromwell’s founders. Richard and I would build these big A3 investor reports using a platform called Goldmine – which was Cromwell’s first investor relations platform.

I think I certainly have an aptitude for work in IT – I’m very good at putting things in boxes; I have a lot of skills in developing methodology and proceduralising tasks, and I have a strong technical background, which has been helpful.

3. How does technology factor into the decision-making processes at Cromwell?

Cromwell sets out an annual business strategy – and we, as a technology function, look at the strategy and how it aligns with our roadmap. For instance, if the business wants to increase funds under management, we review our current platforms and capability to examine what we can do to support that goal.

So, when we look at technology factoring into decision-making processes, data obviously plays a large role in everything that we do. Much of the data we hold is stored on platforms that the technology department is largely responsible for – in conjunction with marketing or finance (for example) or whichever team owns the information. We help oversee the security of that information, and the consistency of that information, and help business stakeholders implement governance to manage the information effectively.

A lot of the decisions that we undertake from a business perspective are around streamlining, including questions like, “can we utilise technology to generate efficiencies in the business?” And, you know, a good percentage of the effort that we apply is in trying to identify, and then achieve those efficiencies – and we often succeed.

4. There have been some very public privacy/data breaches in some very large organisations recently, how does Cromwell manage risk and protect our business – and our investors? How do we minimise the chance of these kinds of hacks happening to us at present?

So, I guess the first question that comes up is, “what is the sensitivity of the information that we’re protecting?”. The most sensitive data we hold is information relating to our investors, so it’s essential we have robust protections in place.

When we look at things from a cybersecurity perspective, we’re looking at four key risk areas: integrity, accessibility, unauthorised access, and unauthorised disclosure. We look at the integrity of the information to make sure that it’s not corrupted, that it’s regularly backed up, and ensuring we have enough controls to protect against deliberate or accidental actions that may compromise files or important data.

We also need to look at accessibility of data– that is, “how can we ensure staff and stakeholders can access the information they need, when they need it?” So, we have systems and interfaces that are dependent on the latest cloud technologies to ensure our staff can securely access the data they need to run the business.

We also ensure that none of the data resides in a specific single location (such as a building’s server room) – we always have data distributed geographically to ensure we can maintain access in the unlikely event of business interruption.

Just as important as accessibility, is our need protect our data from unauthorised access. The two highest profile attacks from last year (Optus and Medibank) both resulted in unauthorised access of information, followed by unauthorised disclosure of that same data. Clearly, these breaches caused significant damage to both company reputation, as well as inconvenience and risk within people’s lives. Cromwell maintains a robust landscape of measures to ensure that the only people who access our data, are those authorised to do so. These measures include tools to confirm a users’ identity (such as multi-factor authentication) as well as tools and procedures to confirm suitable access levels.

We also have a very highly regulated information security management system, ISMS.

This is the basis of our ISO 27001 certification. Every year for the past four years, we have gone through ISO 27001 certification – where an independent auditor reviews and tests our information security management system. They also make recommendations as to where improvements can be made. We have a second external organisation to help us prepare for these audits, so that we can pre-empt issues that may occur. So, we have both internal and external audit functions in that space.

In the unlikely event we experience some kind of breach, we have a cybersecurity incident response plan that is tested every year. These tests involve a wide array of stakeholders from across the business, to ensure we are all aligned to respond to any kind of cyber breach or attack. While we believe our cyber-response capabilities are strong, we are always looking for ways to enhance the way we work, and these tests often highlight opportunities for improvement. We also have a range of vendors that we engage to support us in the unlikely event of a cyber incident.

5. What are some changes or shifting attitudes/trends/practices that you currently see playing out in the corporate IT space, particularly around cybersecurity?

I think there’s been a lot of activity in the proptech space. Proptech is the application of technology to help optimise the way people buy, sell, research, market, experience, and manage real estate. At Cromwell, we have a proptech working group that involves participants from both Europe and Australia. My primary interest is focused on governance of our proptech initiatives.

For example, let’s imagine we decide to implement a theoretical occupant management system – a system (with associated mobile app) to allow building occupants to order coffee or lunch to their desk; get their dry cleaning picked up and delivered; turn the building lights on and off; or possibly report safety incidents, etc.

Before beginning such an implementation, we’d need to make sure that we understand the requirements and resources necessary to make the implementation successful.

In the event we start deploying the system and realise we have underestimated the resources required to be successful, the damage could be profound – and could severely impact any future technology activation. So, part of our governance is to ensure we fully understand what that implementation looks like before we take the first steps. Sometimes it can just be a matter of managing people’s expectations and enthusiasm.

6. What opportunities in the IT space excite you, and how do you think Cromwell’s use of technology overall could be developed moving forward?

There seems to be a shift towards presence-based interactions and immersive VR experiences. This is the progression of technology so that, rather than just sitting on a video call and looking at a laptop screen, attendees of a meeting from across the world can all experience sitting in an interactive, immersive virtual reality office space. We know big tech vendors such as Microsoft and Meta are spending huge amounts of money on research and development in this area. While, at the moment, these investments have largely been realised in the gaming market, it’s only a matter of time before these developments start driving mainstream change in the way we work as well.

In my view, I think in 10 years we’ll all have VR headsets to join Microsoft Teams (or Zoom) calls. While we’ll still be using a laptop for documents and information systems, our meeting experiences will be more like a virtual reality-based exercise. We’ll be able join meetings in virtual rooms; we’ll be able to draw on whiteboards; we’ll be able to sit and turn and talk to each other. I think this will be a big improvement in driving the productivity of virtual meetings and, with the current trends in remote working, this technology will improve the productivity of many teams as a whole. It’s a really exciting time!

So, my expectation is that we’ll probably start going down that pathway. Right now, Microsoft’s not quite there, but the licenses that we are buying, and our roadmap, allows us to leverage these developments when the technology is ready.

7. What do you enjoy most about your role?

I like that I’m genuinely able to make a difference. When we sit down as a team to look at a problem, we know that we’ll be able to solve that problem and drive an initiative through to achieving a positive outcome for the business.

My background is in consulting, so I’ve always been able to go and make a difference in businesses. However, in consulting, you find that you just go from organisation to organisation to organisation, making a difference in the same space over and over – you are rarely able to build upon your past accomplishments. At Cromwell, this is an ongoing journey and we’re continually able to leverage the team’s past achievements to improve the future of the business.