Information Security (InfoSec) Architect


Systems Engineer by training, InfoSec Consultant by trade focussing on pragmatic security risk assessment and treatment, I lead the InfoSec engagement on high-risk, high-impact projects that shape large organisations and which you *will*, unknowingly, use! I've worked across a range of sectors in InfoSec, from defence and media to Government, and currently focus on AppSec and DevSecOps: developing and implementing AppSec strategies across big organisations by:

  • creating organisation-wide networks of security champions.
  • teaching threat modelling and leading threat modelling sessions with development teams.
  • left shifting the implementation of security risk management via security architecture surgeries.
  • developing modern, practical, automated and economically sensible approaches to security assurance testing (i.e. not pen testing).

Being able to teach threat modelling to developers is a skill based on many years of InfoSec risk management across a number of industry sectors and frameworks, such as ISO 27001, NIST and HMG IAS1&2, and my background in systems engineering, working with frameworks such as UML and MODAF/TOGAF.

My approach to InfoSec is built on my systems engineering background and, as such, I'm a huge advocate for InfoSec becoming data driven, measurable and value adding. After all, "user experience is everything, security only needs to be good enough".

Things that currently pique my interest:

  • defining Audience personal data usage and associated security controls.
  • C4 architectural modelling for threat models.
  • advanced threat modelling and the use of LINDDUN.
  • Kubernetes (and other container orchestration service) security.
  • zero trust networks and Attribute Based Access Controls (ABAC).
  • Content-Security-Policy (CSP) strategy for the enterprise.
  • Single Page App/Progressive Web App (SPA/PWA) security.

What's this site all about then?!

This site has been around since 2016 in one form or another and tends to get heavily modified with little warning! I created this site for two reasons:

  1. as a place to put down my thoughts about the things that interest me, such as technology, techno, aviation and travel, amongst others.
  2. as a testing site for some of the new and interesting security related features that are available on the internet.

That second point means that this site is hosted in an AWS S3 bucket, served via CloudFront (with Lambda@Edge injecting Content Security Policy headers) and is IPv6 enabled. In previous incarnations, it was self-hosted on an EC2 instance just to get the CSP headers to work, but Lambda@Edge smashed that one out the park!