Systems Engineer by training, InfoSec Consultant by trade focussing on pragmatic security risk assessment and treatment, I lead the InfoSec engagement on high risk, high impact projects that shape large organisations and which you *will*, unknowingly, use! I've worked across a range of sectors in InfoSec from defence, media and Government, and currently focus on AppSec and DevSecOps; developing and implementing AppSec strategies across big organisations by:

  • creating organisation wide networks of security champions.
  • teaching threat modelling and leading threat modelling sessions with development teams.
  • left shifting the implementation of security risk management via security architecture surgeries.
  • developing modern, practical, automated and economically sensible approaches to security assurance testing (i.e. not pen testing).

Being able to teach threat modelling to developers is a skill based on many years of InfoSec risk management across a number of industry sectors and frameworks, such as ISO 27001, NIST and HMG IAS1&2, and my background in systems engineering, working with frameworks such as UML and MODAF/TOGAF.

My approach to InfoSec is built on my systems engineering background and, as such, I'm a huge advocate for InfoSec becoming data driven, measurable and value adding. After all, "user experience is everything, security only needs to be good enough".

Things that currently pique my interest:

  • defining Audience personal data usage and associated security controls.
  • C4 architectural modelling for threat models.
  • advanced threat modelling and the use of LINDDUN.
  • Kubernetes (and other container orchestration service) security.
  • zero trust networks and Attribute Based Access Controls (ABAC).
  • Content-Security-Policy (CSP) strategy for the enterprise.
  • Single Page App/Progressive Web App (SPA/PWA) security.