There are many approaches to Risk Assessment and Risk Management, but most are an iterative process where risk scenarios are identified, assessed, treated with controls, and the residual risk accepted, transferred or treated to reduce it further.

Some risk management methodologies create exhaustive lists of information assets, the business impact if they are compromised, and the threats and vulnerabilities that may result in a compromise. Other methodologies are more scenario based and lend themselves to a more strategic approach that aligns information risk management to other risk disciplines, such as operational risk or holistic enterprise risk.

My risk management experience includes eleven years in the Global IT Risk Management team of a FTSE 10 pharmaceutical company, four years in the IT Risk Advisory function of a Big Four management consultancy and a year as a contract risk manager providing information assurance to a mutual insurance company.

Examples of my Governance, Risk and Compliance expertise include:

• Information Lifecycle Risk Assessment
• GRC tool selection and procurement
• Information Security Forum’s Information Risk Assessment Methodology (IRAM2)
• Supplier and Third Party Risk Assessment (SOC2, SSAE16)
• Cloud Computing Risk Assessment
• Risk of Mergers, Acquisitions and Divestments

CRISC (retired) I was Certified in Risk and Information System Controls, having scored in the top 5% of the December 2016 exam. I allowed this certification to lapse in 2022 when I retired.

Wikipedia defines Security Management as “… the identification of an organization’s assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.” The problem is, this sounds a lot like Information Risk Management.

I would suggest that the difference between the two is that Security Management implies a coherent Information Security Management System (ISMS) to ensure that all aspects of security have been considered and appropriately controlled.

Security Management projects that I have been involved with are generally a combination of:

• Assessing security maturity against a framework, such as ISO27001 or Cyber Essentials.
• Producing a gap analysis between current maturity and desired maturity.
• Creating a programme plan or roadmap to reach the desired maturity.
• Managing projects to deliver aspects of the roadmap
• Conducting interim maturity assessments to gain assurance that the programme is on course to reach its goals
• Supporting certification exercises to demonstrate that the maturity goals have been met.

CISM (retired) I was a Certified Information Security Manager and achieved an ISACA geographic excellence award for being the highest scoring candidate EMEA in the December 2015 exams. I allowed this certification to lapse in 2022 when I retired.

CISSP I have been a Certified Information Systems Security Professional for seventeen years, meeting the required Continuing Professional Education requirements for five three year recertification cycles.

“Security Architecture” can be interpreted in many different ways. Some definitions focus on the high level building blocks by which security systems are put together, other definitions apply a security context to Enterprise Architecture, others focus on delivering artifacts such as non-Functional Security Requirements,  ensuring that security is considered throughout a Software or System Development Lifecycle.

My preferred approach is to combine elements of the Sherwood Applied Business Security Architecture (SABSA) and The Open Group Architecture Framework (TOGAF) as described by the TOGAF-SABSA Integration Working Group.

This approach ensures that security is considered at every point in the TOGAF Architecture Development Method and is the basis of the Security Architecture course I developed and delivered as part of EY’s internal IT Advisory Architecture training.

I have been TOGAF 9.1 Level 1 and 2 certified since 2013.

Senior-Level Information Risk & CyberSecurity Professional

I am now retired although still available for projects on a part time basis. For example, I supported a client with their CyberSecurity reorganisation three days a week, working remotely, from July 2021 to March 2022.

My Core Skills and Experience
* CISO * Security & Risk Management * Policy Development * Audit *
* IT Governance * Compliance * Cloud Security * Vendor Management *
* Strategic Planning * Offshoring and Outsourcing * Consultancy *
* Mergers, Acquisitions & Divestments * Incident Management *
* Leading Virtual Teams * Security Technology & Architecture *
* ISO27001 * PCI-DSS * Data Protection *

My extensive Risk and Security expertise spans a broad range of business functions and industry sectors including Pharmaceuticals, Financial Services, Travel & Leisure, Outsourcing, Power and Utilities, Oil and Gas and Retail.

GlaxoSmithKline sponsored me to undertake a Master’s degree in Information Security, with Royal Holloway College, University of London, where I graduated with distinction.