Focusing on InfoSec Risk, Policy, Standards, PCI Compliance and awareness. Leading the migration from PCI 3 to PCI 4, through a strategy of scope reduction and working closely with the QSA. Leading the migration of ISO 27001:2013 to ISO27001:2022Creating a controls and evidence based continuous compliance regime that allows evidence to be reused across multiple audit frameworks.

Advising on the design and use cases of a ground breaking attack surface management product. Which has now been acquired by Rapid7 to enhance their portfolio of offerings.

Standing up a new multi skilled function within Covea. Accountable for defining and implementing Information Security and Risk best practices to support both regulatory compliance and contractual obligations.Leading 2 teams, Cyber Security Operations and Security Risk and Assurance. Cyber Security Operations is the operational side of the team and respond to security events and monitor the security controls for compliance. Risk and Assurance focus on the risk identification and control objective definition within project delivery and across the existing estate including Supplier security assurance reviews.Key achievements.• Defining and implementing a new Target Operating Model• Recruiting a complete team• Put in place a complete Information and IT Risk Management framework for both business as usual and project support.• Successfully achieving board approval of the IT Risk Appetite statements, Threats and Information types and classifications.• Put in place an IT Policy Governance framework to support the ISO27000 certification process.• Defining and implementing new ways of working across security, architecture and service teams• Successful implementation of a managed Security Operations centre to provide 24x7 monitoring and alerting.• Working with Service and Software Delivery/Engineering to successfully define new cloud secure operating support and development models in both an Agile and Waterfall methodology. • Providing an ISO27001 gap analysis and Security Maturity assessment that allowed me to develop a full IT Strategy.• Providing the board with a full Cyber Attack threat and Impact Assessment.

This is a new function within the technology office of the bank and am accountable for defining and integrating the Security Architecture capability into the wider architecture function within the bank.My role also included:• Definition and delivery of the Cyber Security Strategy including Cloud Adoption.• Definition and delivery of a Security Architectural Governance process.• Definition and management of the Enterprise Security Principles.• Liaison with the other Security Functions within the bank. • Definition of the security controls and key performance and risk indicators, o People – capabilities and the level of expertise required within the organisation.o Process – What processes and outcomes are required to effectively manage information security.o Technology – What enterprise technology will be used to effectively manage risks in line with the Enterprise and Security Principles.• Defining and maintaining the Enterprise Security Architecture.• Development of logical security patterns. • Development and maintenance of security question sets for use in RFQ, RFI.• Maintaining an understanding of the Security Threat landscape.• Maintaining an understanding of the Enterprise Security Posture.• Definition and maintenance of the Enterprise Security Landscape (Catalogue) and the Approved List of Enterprise Security Control Technologies.

Accountable for delivering world class information security solutions to Rolls Royce as part of the “EcoSystem Supplier Framework”, working with Rolls Royce senior stake holders (CTO, CISO and Head of Operations.) to advise and influence on emerging threats, counter measures and help define the global Rolls Royce Security Strategy.

Accountable for the all elements of the Enterprise Security Architecture, working closely with the other architects and key stakeholders to drive the delivery of a cohesive security capability. Deputising for both the CISO and the CTO at numerous business and stakeholder meetings.My role also includes:• Definition and delivery of the Cyber Security Strategy including Cloud Adoption.• Definition and management of the Enterprise Security Principles.• Liaison with the Chief Information Security Officer’s organisation. • Defining the security information that must be captured as part of any documentation produced by the Solution Architects.• Definition of the security controls and key performance and risk indicators, o People – capabilities and the level of expertise required within the organisation.o Process – What processes and outcomes are required to effectively manage information security.o Technology – What enterprise technology will be used to effectively manage risks in line with the Enterprise and Security Principles.• Defining and maintaining the Enterprise Security Architecture.• Development of logical security patterns. • Development and maintenance of security question sets for use in RFQ, RFI.• Maintaining an understanding of the Security Threat landscape.• Maintaining an understanding of the Enterprise Security Posture.• Definition and maintenance of the Enterprise Security Landscape (Catalogue) and the Approved List of Enterprise Security Control Technologies.

Responsible for all elements of Information Security across the group, including risk assessments, control identification and strategy development. Accountable for maintaining PCI-DSS accreditation and ISO27001 certification.

Having successfully implemented a Vulnerability Management Program, Security Event Management processes and Operational Security disciplines, implemented IDS/IPS and built a strong IT Security Governance Framework. Had the opportunity to develop a risk based security architecture that allowed a high level of control and re-use of components at all levels.

Whilst at the Commission I was responsible for developing security processes for the new computer system and took on the role of Security Architect working on the design of a Confidential network within a Restricted Datacentre.

Responsible for Threat, vulnerability and product exploitation