$whoami
Systems Engineer by training, InfoSec Consultant by trade focussing on pragmatic security risk assessment and treatment, I lead the InfoSec engagement on high risk, high impact projects that shape large organisations and which you *will*, unknowingly, use! I've worked across a range of sectors in InfoSec from defence, media and Government, and currently focus on AppSec and DevSecOps; developing and implementing AppSec strategies across big organisations by:
- creating organisation-wide networks of security champions.
- teaching threat modelling and leading threat modelling sessions with development teams.
- shifting left the implementation of security risk management via security architecture surgeries.
- developing modern, practical, automated and economically sensible approaches to security assurance testing (i.e. not pen testing).
Being able to teach threat modelling to developers is a skill based on many years of InfoSec risk management across a number of industry sectors and frameworks, such as ISO 27001, NIST and HMG IAS1&2, and my background in systems engineering, working with frameworks such as UML and MODAF/TOGAF.
My approach to InfoSec is built on my systems engineering background and, as such, I'm a huge advocate for InfoSec becoming data driven, measurable and value adding. After all, "user experience is everything, security only needs to be good enough".
Things that currently pique my interest:
- defining Audience personal data usage and associated security controls.
- C4 architectural modelling for threat models.
- advanced threat modelling and the use of LINDDUN.
- Kubernetes (and other container orchestration service) security.
- zero trust networks and Attribute Based Access Controls (ABAC).
- Content-Security-Policy (CSP) strategy for the enterprise.
- Single Page App/Progressive Web App (SPA/PWA) security.