Tony Williams, MSc CISSP CISM

Cyber Security Consultant at Coventry Building Society
Contact Information
(386) 825-5501
Location
UK
Languages
  • French Limited working proficiency
  • English Native or bilingual proficiency

5.0 / 5.0, based on 5 ratings

LinkedIn User

I had the pleasure of working with Tony on an Information Risk Management project at the BBC as a fellow contractor. Tony is a great communicator and can tailor his approach to a range of different audiences in an engaging and pleasant manner. He exhibited a clear breadth and depth of Information Security knowledge coupled with a genuine desire to understand the client and the workings of the corporation; it was this practical application of his skills tailored to the client’s specific challenges that really made the difference in the successful delivery of the project.

Phill Poston

I have known and worked with Tony (in the role of Parish Councillor) at Ingatestone & Fryerning Parish Council for about 5 years. I found him to be a most professional and well-informed individual. He worked well in the group, but was never uneasy about standing alone on points of order. He researched all relevant topics and had a much respected and very much relied upon knowledge of all points relating to Project Management & Law. Tony regularly prepared and submitted reports on behalf of the Parish Council and I found these to be informative, direct and extremely well presented. Personally I've found Tony a very approachable colleague. He's always been able to make time to listen, and has always returned calls and replied to correspondence, making him one of the most reliable members of the Council.

Peter Davey

To whom it may concern: I have known Tony Williams for 5 years and for the last 4 years we have both been publicly elected Parish Councillors for Ingatestone and Fryerning Parish Council. I myself was the CEO of a Public Limited Company prior to my retirement. During this time Parish Councils have faced a tremendous amount of change in Legislation and due to our knowledge in this field Tony and I have been instrumental in recommending and explaining the changes that should be adopted by our Full Council by re-writing the appropriate Legislation to reflect the Parish Council's responsibilities. Tony is also invariably asked by the Parish Council to interpret a particular point of law that needs both clarification and a clear brief as to how the Parish Council should respond, as he is seen to be very knowledgeable in most areas of law that specifically relate to the Parish as a whole and as such he is a well respected member of the Parish Council. Tony has a high level of intellect which enables him to always see the greater picture whilst maintaining great attention to the detail. He is also a very confident individual who will always ‘step up to the plate’ when required to do so, but he will always remain within the Code of Conduct laid down for Parish Councillors and would never be compromised. He is also extremely computer literate and specialises in system security. I would have no hesitation therefore in recommending Tony for any role that is highly demanding within his skill set. Peter Davey


Credentials

  • Certified Information Systems Auditor (CISA)
    ISACA
    May 2015 - Nov 2024
  • PRINCE2 Practitioner – Project Management
    APMG-International
    Mar 2013 - Nov 2024
  • Certified Information Security Manager (CISM)
    ISACA
    Feb 2013 - Nov 2024
  • CISSP – Certified Information Systems Security Professional
    (ISC)²
    May 2005 - Nov 2024
  • MBCS
    BCS, The Chartered Institute for IT
    May 2004 - Nov 2024
  • CESG Certified Professional – Communications Security (Practitioner)
    APMG-International
    Mar 2013 - Nov 2024
  • CESG Certified Professional – Security and Information Risk Advisor (Practitioner)
    APMG-International
    Mar 2013 - Nov 2024
  • CLAS – CESG Listed Advisor Scheme
    CESG (GCHQ)
    Aug 2013 - Nov 2024
  • CSCS Professionally Qualified Person (PQP)
    Construction Skills Certification Scheme (CSCS)
    Apr 2009 - Nov 2024
  • ISEB Certificate in IT Law
    BCS, The Chartered Institute for IT
  • ISO 27001 Lead Auditor
    BSI

Experience

    • United Kingdom
    • Banking
    • 700 & Above Employee
    • Cyber Security Consultant
      • Aug 2022 - Present

    • United Kingdom
    • Computer and Network Security
    • Information Risk and Cyber Security Consultant
      • Apr 2013 - Present

      An independent, pragmatic and business-focused information security consultant, with a proven track record of working at both senior and operational levels, with extensive experience across both the public and private sectors and across a range of technologies and sensitivities, and able to provide advice and support in a wide range of different areas.

    • CLAS Consultant
      • Oct 2013 - Jul 2015

      A CESG certified CLAS consultant, qualified to provide expert advice on the implementation of HMG infosec guidance and policy, compliance with CoCos, and the accreditation of systems and completion of RMADS.

    • United Kingdom
    • Spectator Sports
    • 200 - 300 Employee
    • Officials Education Tutor
      • Feb 2014 - Present

      Occasional delivery of whole-day classroom-based training and online learning discussion sessions on behalf of British Cycling's Coaching and Education department, equipping volunteers to work as officials at cycling races.

    • United Kingdom
    • Financial Services
    • 200 - 300 Employee
    • Lead Security Architect - UK New Payments Architecture
      • May 2018 - Jul 2022

      Lead security architect for the next-generation national payments system for the UK, which will replace Faster Payments and BACS: a high-availability critical national infrastructure that will facilitate several trillion pounds of bank payments and direct debits every year, requiring dependable protection from highly capable threats. Conceptual design and specialist advice in areas including identity, PKI, digital signatures, network, and use of cloud by both participant banks and the central infrastructure. Generation of requirements for procurement of the system vendor, bidder meetings and evaluation of bids. Engagement with the Bank of England, NCSC, and C-suite executives of member banks.

    • United Kingdom
    • International Affairs
    • 1 - 100 Employee
    • Cyber Security Regulatory Consultant
      • Aug 2021 - Mar 2022

      On behalf of the UK Foreign, Commonwealth and Development Office (FCDO), advising the government of Thailand (Thai financial regulators) on approaches to cyber security regulation that would help unlock innovation and enable fintech companies to thrive.

    • United Kingdom
    • Government Administration
    • 700 & Above Employee
    • Cyber Security Regulatory Consultant
      • Aug 2021 - Mar 2022

    • United Kingdom
    • Financial Services
    • 1 - 100 Employee
    • Security Architect
      • Dec 2017 - May 2018

      Engaged as the security and network architect for "Project Devon", the renewal of the Faster Payments system. Developed requirements and supported the procurement process to select a vendor. The project was superseded by the New Payments Architecture project.

    • United Kingdom
    • Financial Services
    • 1 - 100 Employee
    • Senior Security Consultant
      • Nov 2017 - Nov 2017

      Review of the cyber operating model for the UK Payments family (Bacs, Direct Debit, Faster Payments, cheque clearing, Current Account Switch Service) making recommendations on how cyber risk in operations and the supply chain could be managed more efficiently.

    • United Kingdom
    • Financial Services
    • 1 - 100 Employee
    • Security Architect
      • Jul 2016 - Oct 2017

      Security architect and advisor for the Image Clearing System. The Image Clearing System is to be introduced in late 2017 as a replacement for the previous manual UK cheque clearing system, speeding up cheque payments by moving to the exchange of digital images in place of the paper cheques. It will enable customers to take a photograph of a cheque on their smartphones, submit it to their bank, and receive payment the next working day. Over a million cheques are cleared in the UK every day, adding up to over £400 billion in value a year. Responsible for stakeholder engagement with the security and fraud SMEs of the clearing banks, GDPR compliance review, and risk assessment. Also responsible for security aspects of contractual negotiations, requirements management, delivery assurance with system providers and engagement with NCSC. Prepared a code of connection for participating banks and reviewed associated responses to compliance questionnaire.

    • United Kingdom
    • Retail
    • 700 & Above Employee
    • Information Security Consultant
      • Jan 2016 - Jul 2016

      Created a comprehensive information security policy and standards suite for the entire Co-operative Group, including consultation work with the entire business, writing to the house style (and, where appropriate, to be understandable by the diverse workforce of the group), including gathering technical and business risk drivers, meeting with trade union representatives, and managing through the process of gaining sign-off. The Co-op is a food-to-funerals members' society with 70,000 staff and a £10 billion annual turnover. It has businesses in electrical retail, insurance services, legal services and funerals, and operates out of over 4,200 locations across the UK.

    • United Kingdom
    • Financial Services
    • 700 & Above Employee
    • Information Security Consultant
      • Jun 2015 - Dec 2015

      The Co-operative Bank is a retail and commercial clearing bank in the United Kingdom, with its headquarters in Manchester. Information security consultancy support for restructuring of the bank, across a range of projects including:
        • the introduction of a new mobile payment service
        • branch re-organisation including deployment of new cash and cheque deposit machines into branches
        • upgrades to the on-line banking website and mobile apps
        • business process outsourcing

      Chaired the bank’s Security Architecture Board. Advised on security architecture, outsourcing requirements, and compliance with FCA/PRA rulebook and PCI-DSS. Payment systems experience including Clearing Bank Security Delegate to the monthly Cheque and Credit Clearing Company (C&CCC) Security Working Group in London and engaged, alongside other bank representatives and with partner CGI, in security governance for the Future Clearing Model / Image Clearing System, to be introduced in 2017.

    • United Kingdom
    • IT Services and IT Consulting
    • 700 & Above Employee
    • Incident Response Management Consultant
      • Oct 2014 - May 2015

      Subcontracted to BAE Systems Applied Intelligence as workstream leader for two of the eight workstreams in a large cyber security change programme at Network Rail. Full details of work performed under Network Rail entry.

    • United Kingdom
    • Rail Transportation
    • 700 & Above Employee
    • Incident Response Management Consultant
      • Oct 2014 - May 2015

      Consultancy engagement with responsibility for reviewing the incident response processes across Network Rail to ensure fitness for purpose as the railways move towards a digital future, as part of a large BAE Systems cyber security programme for this critical national infrastructure operator. Included a current-state assessment of people and process across railway operations, operational technology for signalling and electrification, telecommunications and IT, together with a gap analysis to identify the work required to reach a risk-balanced level of capability, aligned with PAS 555:2013 and Cyber Essentials. Forensic capabilities and the requirements of IEC 62334-2-1:2011 (ICS/SCADA security) were also incorporated. A series of work packages were defined and delivered against agreed milestones, culminating in a planned and costed project and business case for a CSIRT with SOC integration. ‘War game’ incident rehearsals were delivered with business and technical participants. Led a second work-stream to define a new cyber security research and development programme for Network Rail, engaging with academic centres of excellence to leverage new developments in SCADA security.

    • United Kingdom
    • Government Administration
    • Parish Councillor (Elected)
      • May 2007 - May 2015

      I was initially elected to my local council in May 2007, and was comfortably re-elected in May 2011 in a heavily contested public poll. Parish councils are the most local level of local government in England, and have tax-levying powers and a wide range of responsibilities for their communities. Being a councillor has given me experience of community politics, working alongside colleagues from very different backgrounds, as well as the operation of the various levels of local and national government, and the issues involved in running a small organisation, including employment and finance matters. As an independent councillor, I learnt to engage others in my views and 'sell' my proposals - gaining broad support being essential to have any matter adopted.

    • United Kingdom
    • Broadcast Media Production and Distribution
    • 700 & Above Employee
    • Information Risk Specialist
      • Jan 2014 - Sep 2014

      Created an OCTAVE-based risk assessment process to cover information security risks across the BBC and third-parties that handle BBC information. Conducted gap-analysis of current information security controls. Arranged workshops and gave presentations on information risk management to key stakeholders. Liaised with information asset owners, data custodians, and risk champions across the BBC. Designed, tested and implemented a manual process for undertaking 'user friendly' information risk management across the BBC - identifying, assessing, evaluating, responding to and monitoring risks for all sensitive and business critical information assets - and capturing the results.

    • Compliance Specialist
      • Oct 2013 - Dec 2013

      Conducted ISO 27001/27002 risk assessments for several key BBC broadcast systems. Produced treatment plans to address identified issues.

    • Information Risk Analyst
      • May 2013 - Oct 2013

      Engaged to interview senior managers and produce information asset registers including business impact assessments for all BBC divisions and departments outside London, including BBC Sport, BBC Scotland, BBC Northern Ireland and BBC Wales.
        • Explaining information risk to business leaders.
        • Obtaining buy-in and commitment to supporting the project.
        • Guiding business leaders through the process of business impact assessment.

    • Spectator Sports
    • 200 - 300 Employee
    • Information Security Operations Manager
      • Feb 2009 - Mar 2013

      Responsible for operational aspects of information security across ODA computer systems, including electronic security infrastructure for the Olympic Park. Extensive board-level engagement on security issues, and high-level engagement with external government security stakeholders. Responsibilities included:
        • Scoping, procurement and management of an extensive programme of penetration testing of networks, applications and hardware, including non-usual elements such as CCTV systems.
        • Ensuring policy was implemented correctly to build and maintain compliance with HMG (CESG) information assurance standards.
        • Determining resolutions to operational business issues and needs whilst avoiding unacceptable risk.
        • Scoping and procuring an organisation-wide security awareness programme.
        • Cascading of information security requirements into supply chain.
        • Physical security standards, policy and implementation for computer rooms across the Olympic Park.
        • Arranged and responded to physical security assessments of corporate offices.
        • Design and risk assessment of systems up to SECRET, work assured and approved by CESG technical leads.
        • Arranging and managing extensive assurance activities.
        • Liaising with managed service providers (Atos, Fujitsu and Honeywell) on operational security matters.
        • Supplier management.
        • Arranging and managing technical surveillance countermeasures ('bug sweeping') for London 2012 premises and venues.
        • Forward programme planning and business-case input.
        • Technical advice for Olympic-related intelligence activities.
        • Assessing communications security requirements and providing high-level protected communications for Olympic stakeholders.
        • Line management of system security officer for C3I/security systems on the Park.

    • Cyber Security Response
      • Jul 2012 - Sep 2012

      On standby for incident response, on a shift-basis, throughout the Olympic and Paralympic Games. The role included pro-active assurance of physical, technical and personnel controls for corporate and C3i (command, control, communications, and intelligence) systems across the Olympic Park. Present whilst on shift as the lead cyber security responder in the main Olympic Park control room, monitoring the situation and providing an interface to support government security agencies off Park, as well as any computer forensic first-response that was required. Monitored LOCOG TOC (technology operations centre) reporting for relevance to the Olympic Park systems. Sat on and provided direct 'cyber' situation reports and threat briefings for LOCOG Olympic Park security management meetings. Provided security situation reports for Olympic Delivery Authority daily senior executive meetings.

    • United States
    • Motor Vehicle Manufacturing
    • 700 & Above Employee
    • CIRT Team Leader
      • Sep 2004 - Jan 2009

        • Responsible for leading a team responsible for security incident response and forensic investigations.
        • Team covered Ford's entire corporate operations in Europe, the Middle East, Africa, Asia, and the Pacific; encompassing the Volvo, Jaguar, and Land Rover brands with their distinct corporate cultures, and in total approximately 120,000 employees on one of the world's largest intranets.
        • Managed rapidly-developing IT security incidents, working quickly under pressure to understand the underlying problems, the technologies in use, and how technology and wider remedial actions could be utilised to resolve the problem.
        • Experienced in communicating security-related issues in non-technical terms for both senior management and the general employee population.
        • Coordinated all IT or communications technology aspects of internal investigations across EMEA and Asia Pacific.
        • Personally provided forensic support for a large number of investigations, in collaboration with law enforcement and government.
        • Experienced in the use of Guidance Software EnCase Forensic and EnCase Enterprise products, as well as Helix Live CD forensic toolkit.

    • IT Security Analyst
      • Apr 2002 - Sep 2004

        • Working as a member of the group-wide central IT security team with responsibility for IT control risk assessments for major infrastructure projects.
        • Providing consultancy on IT policy implementation to IT security teams within group companies.
        • Managed Europe-wide IT security awareness programme, producing materials deployed world-wide.
        • Working against ISACA COBIT control set.
        • Conducted Sarbanes-Oxley (SOX) reviews of key corporate systems.
        • Completed structured risk and vulnerability reviews for major systems, including Ford's central mainframes, third-party service providers, and the internal telephone and voicemail systems.
        • On own initiative, re-engineered mainframe security controls: six-month project, achieving efficiencies freeing up 30 FTP administrator positions at little project cost and with minimal disruption.

    • IT Analyst / Graduate Trainee
      • Oct 2000 - Apr 2002

        • Responsibility for third-level IT support at FCE Bank plc, a licensed financial institution.
        • Specific areas managed included senior executive support and project management of IT changes for building moves.

    • United States
    • Motor Vehicle Manufacturing
    • 700 & Above Employee
    • Sponsored Student - Year In Industry
      • Jun 1998 - Sep 1999

      My degree year in industry consisted of two placements within the Ford group: 1. Programmer within team responsible for pricing analysis software. 2. Working on assurance activities as part of the IT team supporting large-customer vehicle leasing in Ford Credit.

    • United States
    • Motor Vehicle Manufacturing
    • 700 & Above Employee
    • Sponsored Student - Summer Placement
      • Jun 1997 - Sep 1997

      A three-month placement within the team providing software for executive financial decision support, developing a data mining application using the Seagate 'Holos' development platform.

    • Financial Services
    • 100 - 200 Employee
    • Administrative Assistant (Agency Worker)
      • Mar 1997 - Apr 1997

      Temporary holiday work during university Easter break, updating customer records.

    • United Kingdom
    • Financial Services
    • 700 & Above Employee
    • Outward Remittances Clerk (Agency Worker)
      • Jul 1996 - Sep 1996

      Between leaving school and starting university I worked as a remittance clerk at Barclays foreign currency operation, making up despatches of foreign currency for dispatch to bank and Post Office branches across the country.

    • IT Services and IT Consulting
    • 100 - 200 Employee
    • Work Experience
      • Oct 1993 - Oct 1993

      Work experience for a week with ICL CSS (Client-Server Systems) Customer Care.

Education

  • Royal Holloway, University of London
    Master of Science (MSc), Information Security
    2016 - 2020
  • University of Warwick
    Bachelor of Science, Intercalated - BSc(Hons), Mathematics with Computing
    1996 - 2000
