02/27/2026 updated

**** ******** ****
verified
Premium member
100 % available

CISO, Security Architect, Security Assurance Consultant, Information Security Manager

Carlow, Ireland
Worldwide
MSc. Information Security Royal Holloway

Profile attachments

CV-Tony_Moran.docx

CISO, Security Architect, Security Auditor, Information Security management, Cloud Security, Information Security Risk Management, Information Security and Risk Governance, Azure, Information Protection, Microsoft Conditional Access, Microsoft AIP, Microsoft Entra, Microsoft Purview, COBIT, Qualys/Nessus, CVSS/CCSS, ATT&CK, Excel, IS & Cloud Architecture, PCI, ISO27001/5, ISO15504, OCTAVE, Azure, database, data management, Information Security, cloud, Security services, RSA, Algorithms, Vulnerability management, Qualys, SCAP, identity management, AWS, SAP services, penetration testing, ecommerce, IT Security, SP500-83 and 27002, Network Security, firewall, network design, IPS, SIEM, SCADA, encryption. CISM, CISSP, ISSAP, CCSP, CGEIT.

Languages

German: Good
English: Native speaker

Project history

Information Security Architect

Internet & IT

1000-5000 team members

Audit (CIS CSC, NIST CSF), Azure Security, Vulnerability Management

CISO

Serving as CISO for a University, building the Information Security Strategy and Program. I define individual projects in the three year program and define their work activities and create the Business Cases. I am building the information security management system. In conjunction with that I create policies, audit specific areas of the organisation and implement improvements or put into place absent elements. I manage the risk cadence, and develop Terms of Reference, ensure alignment with the Executive and chair the Information Steering Group. I have also for eirevo provided management and coordination for a customer Vulnerability Management service, and performed Tabletop Exercises and advised on travel, personal and cyber safety.

Security Architect

Internet & IT

500-1000 team members

Azure Information Protection (AIP) Design and Implementation within a National Bank. Audit,
Benchmark and Review of multiple customers using NIST CF, CIS-CSC, 27002. Scoping, definition and
creation of SoWs. Project definition, SoW and Implementation of 27001 ISMS and Risk Methodology &
Process. Audit, analysis and redesign of end to end Vulnerability and Patch Management cycle.

Information Security Manager

Advanced
Overall responsibility for the security service and the security of the services delivered. 27001
ISMS operation, remediation and audit preparation, leveraging ISO 33000, 27002. Measurement of
control effectiveness leveraging 27002/CSF, creation and implementation of a Risk Management
process. Oversight/challenge of operational controls effectiveness against internal IT and SecOps.
Coordination of risk remediation and coordination of remediating actions against their owners.
Coordination of risk communication and governance framework. Security metrics and report creation
and presentation, driving of monthly and fortnightly cadences and assignment of responsibilities.

Security Assurance Consultant

Contract rewrite for MSSP Service. Collation, assessment and consolidation of supplier service
information for MPS third party suppliers into a formal database and ongoing data management.
Vulnerability remediation data and performance analysis.

Security Architect

Azure tenancy solution design, architecture and implementation of NIST/CIS controls within tenant,
design of Azure AD Conditional Access.

Information Security Manager

Fujitsu UK
ISM responsible for and leading account security operations and customer security strategy. Overall
responsibility for the security service, with focus on service design, vulnerability management,
incident management, SecOps architecture and service, cloud migration and governance over delivery
of IT and Security services.

Cyber Risk Manager (2nd LoD oversight)

Lloyds Bank
Contract project to oversee and report on risks within IAM BAU and Programme, reviewing business
governance, transformation, control environment, architecture, change operating model, Programme to
Business communication, alignment of deliverables to risk reduction objectives, determination of
residual risk and the underlying rigour of the risk reduction journey. Secondly, to assess
effectiveness of Security Policy Roles within 1st Line Policy Management & Continuity Management to
identify and document risks and recommend remediations.

Information Security Officer

Deutsche Börse
Prokura Information Security Officer for Clearstream Banking AG reporting to Board and CISO.
Implementation/management of Transition of Corporate Security Risk Register to RSA Archer. Risk and
Control Assessment of Settlement & CSD systems, infrastructure projects. Development of Risk
Algorithms. Creation of Risk Reporting and KPIs, coordination of Risks, Issues, Audit Findings
between CISO, IT Operations and monthly reporting of same to Board. Development and provision of
Board Reporting and subsequent Board attendance. Communications responsibility between CISO Office
to Risk, Measure and Information Owners. Technical review of systems configurations (Build,
CyberArk, NACLs) and reporting, assessment and review of regulatory/BaFin audit findings and
responses.

Information Security Architect

Fujitsu
Information Security Architect for the CRH plc account providing information security architecture
consultancy to the customer and account team. Vulnerability management, scanning and reporting with
Qualys and writing of incident management procedure.

Information Assurance Team Lead

Arqiva
I led the IA team ensuring the Smart Meter Data Solution complies with contractual security and ISMS
requirements, defining the security state targets for going live and ensuring controls are
implemented, operated and measured, and the extent of Compliance is captured, gaps are managed and
Supplier risks treated. I designed the integration of the Risk Governance Framework, working with
Business, Legal and Audit & InfoSec functions on ensuring the ISMS and Risk Management has an
effective framework and the ISMS processes and cadences are implemented, documented and operating
effectively. I assess and measure effectiveness of the IRMS, control flow down, Assured Engineering
Process and specify security assurance requirements to be met for gate to Live.

Information Risk Consultant

Burberry
I led the Information Risk team within the Cyber programme, implementing and developing a Risk
Assessment and Management process, assessing information risks to data, assessing access models and
identity management, DP Directive and Regulation controls gaps and maturity and developing the
methodology, Risk-Control-Matrices, Control process maturity assessment and Risk Register. I
instituted a business-level committee to manage and stakehold technology and cyber supplier risk and
aligning to the enterprise risk function, and recommend appropriate information security
architecture and function in relation to findings and observations. I design the utilisation of CSF,
27005, OCTAVE, COBIT and ISO15504 process assessment as bases. As part of the assessment work I
perform assurance interviews and workshops with business and technology functions and develop
outcome reporting, dashboards and RAGs. I set the direction of the approach, underlying metrics and
automation of findings and reporting, mostly through Excel. Areas within scope of assessment
included AWS, Cloud, SAP services, suppliers and security contractual provisions.

Smart Security Consultant

Centrica
I provided security penetration testing, auditing and risk consultancy in relation to Smart Grid
assurance, where I audited against 27002 and identified risk and control gaps and developed
structured remediation planning matrixing control deficiencies and gaps against standardised
controls, control processes and regulatory requirements. As part of this role I contextualised
business risk, identified risks and control gaps, developed the risks, contextualised risk impacts
to business objectives, analysed and prioritised risks and managed the risk register, coordinated
between different levels of risk committees, performed governance over risk management and
contributed to business unit technology risk governance. In relation to risk remediation I developed
and promoted risk controls options, remediation business cases and work packages, and then performed
remediation performance measurement, coordination and mentoring, controls operation consultancy. I
also provided corporate risk framework definition and interoperation and 27001 ISMS operation and
support and performed contract review to support and define supplier management and governance. For
the BU I also performed controls mapping and traceability to the AWS environment.

Security Risk Lead

I was contracted to become Risk lead, implementing an IT Risk governance framework, and performing
risk management and assessment as well as penetration testing internally against ecommerce systems.
I developed an IT Security Capability & Maturity framework, a Standardised Controls Framework
matrixed to the IT Operational Framework, and wrote/rewrote the Information Security Policy and
Document Control Procedure. The Risk methodology was a combination of COBIT and OCTAVE and the
Controls Framework was based around COBIT, SP500-83 and 27002, soliciting and gaining business
(Group) approval for use. Within the framework I created a grading and coverage system matrixed to
the internal functional security architecture in order to prioritise implementation of controls
based on risk, critical assets, mandatory requirements and gap and return. Penetration test findings
against Data Centre systems were related within the Excel system to actual documented risks to
demonstrate live instances of risk effects. I developed the IT Risk-Controls Matrix, identified
existing Controls and maturity & performance measured them using COBIT PAM/ISO 15504. I developed a
phased plan for refinement of Risk and Controls position assessment, socialising and recommending
the approach to peers and management. From these different areas I aggregated/summarised metrics
into monthly MI and RAG status. I performed Assurance interviews with Risk Area owners and managers
in order to collate, identify and rate existing controls, contextualising findings to
business terms and objectives in order to articulate the level of risk.

Vulnerability & Patch Manager

ATLAS DII
In this role I delivered a vulnerability and patch management ISMS and technical capability service
to the MoD DII and was SPOC for vulnerabilities. I managed and governed across multiple service lines,
business units and component companies of the Consortium, integrating the disparate teams and
processes involved in the vulnerability management lifecycle for the national defence IT estate into
a single service. I coordinated the delivery of a £20m project to remediate vulnerabilities within
Data Centre systems. To deliver the service I worked on integration of Change with the VM
(Vulnerability Management) lifecycle, and developed performance measurement data into reportable
metrics and MI, improved accountability for performance. I championed VM as a key element within
technical risk management and as part of the set of risk framework functions. I was responsible for
governance of timely delivery of vulnerability risk assessment, mitigation and prioritising
remediation against competing business activities. I raised the profile of vulnerability remediation
(VM) by risk quantification and integration within the enterprise risk management framework.
Directly customer-facing, I successfully led VM in ATLAS from an immature process to a governed
framework of activities, processes, policies and committees with reliable MI reporting. Analysis and
interpretation of vulnerability scans.

Operational Information Security Manager

The role with C&W involved security management for our largest customer, Aviva as well as security
management for the MBDA and Barclays accounts. I developed a successful relationship with customer
information security management and C&WW operations and service management. Prior to my appointment
the contract was at risk due to a series of audit failures and I created and managed the risk,
compliance and governance structure and ISMS to turn the account around and successfully resolved
all audit points. I developed a professional set of MI for review relating to specific projects as
well as Information and IT Security PI, in order to bring the account to a professional standard and
provide risk status and performance reporting for account and identity management functions and
creating IAM procedures and processes. As part of those activities, I chaired a framework of
management and technical forums, and developed MI and metrics. I generated management reports on
delivery, identified gaps and trends and drove improvement of processes and policy. I managed the
ISMS and governance framework and created the terms of reference for the functions and committees
within the governance framework. I also created a risk management process for recording, assessing
risks and defining remediating/mitigating controls and residual risk and used the process for
tracking failing controls. A large component of my audit response was to audit and manage identity
and account management in AD in order to resolve an audit failure.

Network Security Specialist

Cable & Wireless, Centrica
I worked in the network team supporting change and proactive management of the Centrica network and
security Data Centre infrastructure systems, providing design, architecture and compliance
consultancy service. My responsibilities included architecture, design, implementation, delivery and
technical project management of network and network security related change in a large national
infrastructure for British Gas and related brands. I proactively managed the network security estate,
contributing to and implementing large projects relating to firewalls and network security. I
administrated the backend firewall logging and management systems and performed internal penetration
testing and scanning in order to minimize risks and attack surfaces both against backend systems,
remote network security devices and corporate assets. I was involved in a number of projects
requiring systems and network design, architecture and deployment of IPS and SIEM solutions and
assessment and definition of IS/IT risk within systems and network architectures related to SCADA
and Process Control Systems and network and disk encryption.

Key roles and accomplishments

*Integration and technical projects coordinating network security with www, middleware and backend
*Technical Project coordination and delivery for large Data Centre integration and migration projects
*Project Delivery of network security element of National Grid and other large projects
*Architecture, design and compliance consultancy and audit
*Penetration testing (Retina, Nessus, WiFi, netcat, Nmap + scripting on Solaris platform)
*ArcSight/log aggregation analysis and design
*Development, approval and design of firewall security policies and process
*Assessment and reporting of network security risks
*VPN administration
*Firewall admin
*Disk encryption
*Routes, ACLs & VLANs
*PCI & IT Controls Compliance assessment, gap analysis & reports

Senior Network Security Engineer

EMEA 3Com Corporation
Responsible for IT and information security in the EMEA region, in particular the architecture,
design, implementation and operation of network and systems security. I performed relationship
management across working groups, conducted pentesting and vulnerability scanning for EMEA
assets/systems. Full lifecycle ownership and responsibility for the firewall estate
(Checkpoint, Sun, IPFilter, Nokia) and IDS/SIEM (Snort/LogRhythm) infrastructure, having introduced IDS
to the company and deployed an EMEA-wide network of data collection and management points. I
operated the SOC for the EMEA region in regard to analysis, investigation & correlation of information and
network security events and incident data, packet analysis, source correlation, threat level
establishment (source, intent), definition & coordination of resolution.

Internet Services Team Lead 1999-2000, implementing BS7799 and CMU CERT controls.
