While at GSK I developed a career development framework based on the BCS Skills For the Information Age (SFIA) model.
I interviewed people in Security, Governance, Risk and Compliance (SGRC) roles to understand their career paths to date and the skills and competencies from the SFIA framework that they felt were most applicable to their role. This enabled me to propose role specifications for different levels of seniority, and development pathways for SGRC professionals to progress to more senior roles.
The concept was adopted by several of the business unit SGRC teams and used as their basis for performance and development planning.
Organisations are realising that they have too much information to be able to protect all of it to the same extent. I led a team identifying and advising on the protection of a FTSE 250 Oil company’s most critical information assets, tracing their “crown jewels” through their lifecycle and recommending targeted security controls for the points at which they were most vulnerable.
The Cyber Essentials Scheme, and Cyber Essentials Plus, is a security certification introduced by the UK Government to encourage businesses to protect themselves against common Internet threats.
The scheme is based around the National Cyber Security Centre’s Ten Steps to Cybersecurity.
Although it is predominantly aimed at small and medium-sized enterprises, organisations are also required to be certified in order to bid for public sector contracts. Consequently, it was a priority for EY to achieve certification and I managed an internal project to do so, achieving certification on the first attempt.
Subsequently I led a team to support a retail client in achieving Cyber Essentials.
I was deployed for nine months to one of the Big Six Energy Suppliers as the Security Architect on their Smart Metering Programme, which will bring intelligent Electricity and Gas metering to six million customers by 2019. As the Smart Metering Security Architect I was responsible for the high-level Security Strategy and Architecture and for ensuring that systems integrators met the functional and non-functional security requirements that I specified.
Following complaints from a key customer of a loss of service, I led a team assessing the resilience and capacity of the network architecture of a top-tier UK Internet hosting company. This involved understanding the as-was and to-be network architecture, the root cause of the outages and providing an assessment of the likelihood of future failures.
During a six-month engagement with a Mutual Insurance Company, I conducted an information assets audit. Interviewing stakeholders from the Life and General Insurance businesses, as well as core business functions such as HR and IT, I compiled a list of information assets and the systems that process them, and assessed the business impact of compromise of these. I then used the ISF’s IRAM2 risk assessment methodology to assess the potential threats and vulnerabilities that were applicable to each asset class.
Concurrently with this I provided subject matter expertise into an RFP process to source a Governance Risk and Compliance tool that would be capable of ingesting the IRAM2 worksheets and producing a holistic view of information risk across the organisation.
I led a team assessing the cyber programme maturity of a multinational group of companies in the Electrical Components and Equipment sector, covering 13 operating companies in Europe, the US and China. This involved rating a number of security domains against a maturity model, identifying gaps between current state and desired state and proposing a roadmap to improve maturity to the desired level.
My client provides real-time sports data feeds from matches around the world to bookmakers, enabling them to provide online in-match betting. The brief was to review the data flows, security controls and integrity checks and to produce a risk assessment considering how such data might be vulnerable to compromise.
To achieve this, I accompanied data scouts to UK football matches from non-league to Premiership to understand how data are captured, visited their two data processing centres in Europe to understand the integrity checks performed and interviewed staff from a range of roles involved in providing the service. I then wrote up the assessment and presented it to the board.