Since leaving university in 1993, I have excelled in a mix of technical and managerial roles, initially spanning IT but more recently specifically in InfoSec, with a specialisation in Attack Surface Reduction (Vulnerability Management, Application Security, Pentesting, Bug Bounty Management etc.). My successes in this field have led to numerous public and private speaking engagements, industry award nominations and public recognition from industry leaders.
Prior to my InfoSec career, I have been a Technical Project Manager responsible for platform integration of big brands and blue chip companies, a Director of a boutique software development studio which specialised in Payment Gateway integrations, and a freelance IT consultant, as well as spending 13 years with a leading vendor in the ITAM/SAM sector, working my way up from support technician to managing Customer Support & Training and IT Operations.
As well as having very strong technical skills, including strong problem-solving skills and an ability to pick up new skills very quickly, I have excelled in customer-facing roles, and have a natural talent for bridging the gap between technical and non-technical teams. I also have a proven track record of managing both teams and projects successfully.
- Expert knowledge of designing, implementing and delivering successful enterprise-scale Vulnerability Management (Scanning, Prioritisation and Remediation), Application Security (SAST, DAST, IAST), Pentesting & Pentest Scoping, Risk Assessment, Bug Bounty Management and Asset Management (CMDB).
- Designed and implemented a greenfield SOC for an MSSP and later provided support to Incident Response Teams as an SME and Threat Intel specialist.
- In-depth knowledge of wider InfoSec areas including Incident Management, Red & Blue teaming, Threat Modelling and Risk Evaluation, Management & Remediation Procedures, as well as logging, monitoring and alerting at scale.
- Very good understanding of enterprise-grade infrastructure.
- OSCP Qualified Pentester and successful CTF Platform & Challenge Builder.
- Responsibility for understanding, meeting and evidencing numerous compliance and regulatory standards (PCI, ISO27001, SOC 2, SOX, UKGCC etc.) in a large organisation.
- ITIL v3 qualified and experience of implementing many aspects of ITIL in a growing organisation.
- Competent at multiple software development languages (including Python & PowerShell).
- Co-Organiser of the DC151 InfoSec Community, BlueTeamHackers blog founder and contributor, regular InfoSec conference attendee and speaker, and CTF builder.
- NCSC Gambling and Lottery Trust Group member and NCSC CISP Member.
- 2 years managing a Vulnerability Management, AppSec, Pen Test and Bug Bounty team and acting as part of the InfoSec Leadership Team.
- 12 years managing an IT department, a customer & internal support team and an online presence team.
- 3 years as team lead for a team of in-house Cyber Security Specialists.
- Full responsibility for IT decision making including IT procurement, vendor negotiation, IT staff recruitment and training, as well as setting up the technical teams of offices in Australia, France and the USA.
- Speaker at numerous private and public functions on topics such as Vulnerability Management, AppSec, Shift Left, Bug Bounty Program Management, WordPress Security, 1990s UK Hacking Culture and Asset Management, including at events for organisations such as Qualys and HackerOne, and as a guest lecturer at universities.
- Delivered large-scale successful Vulnerability, AppSec and Asset Management projects by developing a “people first” approach, embedding security team members with devs, testers and Ops Managers to drive real value to end users, rather than simply imposing security.
- Conducted over 150 training sessions at customers’ premises on both software usage and ITAM / SAM best practice, with groups ranging from 1 to 50 people. More recently I conducted numerous types of staff development programs, from classroom training to mentoring, on both technical and non-technical topics, including defensive coding, offensive security, customer support and train the trainer.
- Filled numerous roles in SDLCs under both Agile and Waterfall (Prince2) frameworks, including dev, tester, customer stakeholder, project manager and release manager.
- Adept at developing procedures, processes, policies and standards to ensure efficiency, accuracy and consistency across a wide range of technical and non-technical disciplines.
- Finalist in the “Ethical Hacker and Pentester” category of Security Serious “Unsung Hero” awards.
- MP’s “Hero of our Community” Award for IT & Cyber voluntary work during lockdown.
- School Governor specialising in Finance and Resourcing.
2019 – 2022 Security Vulnerability Manager & InfoSec Leadership Team – SkyBet / Flutter UK&I
Initially reporting directly to the CISO and later to the Head of Cyber Security as part of the newly formed InfoSec Leadership Team, I managed a team responsible for Vulnerability Management, Application Security, Penetration Testing and general Attack Surface Reduction, as well as running the Bug Bounty program.
Our work designing and implementing a new approach to “shift-left” in AppSec was heralded as genuinely groundbreaking; our success with the Vulnerability Management program saw me invited to speak at Qualys’ flagship QSC conference; and our public Bug Bounty program was publicly highlighted by a world-renowned vulnerability researcher in his Top 10 Bug Bounty Programs list.
On top of delivering numerous VM & AppSec projects, I was also part of an initially small cross-department team that designed and implemented a Jira-based CMDB from the ground up, getting it successfully populated and maintained as well as integrated into numerous existing processes and procedures. My team then went on to build an entire Vulnerability Management platform on top of it, combining numerous data sources, which discovered, tracked and prioritised vulnerabilities based on environmentally specific risk factors and was relied upon by both engineers and leadership.
2017 – 2019 (Senior) Technical Vulnerability Analyst / Senior Cyber Security Specialist – SkyBet
As the first hire of the newly appointed Vulnerability Manager, I rapidly became a subject matter expert for the Qualys vulnerability scanner. As well as producing weekly management reports on our vulnerability position, I also became the main point of contact within the company for vulnerability remediation advice.
In my time as a Senior Technical Vulnerability Analyst, I performed almost all the tasks that were the responsibility of the Vulnerability Manager, either as part of my normal role or as holiday cover. Tasks included Vulnerability Reporting, Vulnerability Remediation SME, Pentest Management (assessing the need for them, booking and chaperoning testers and analysing & processing findings), Risk Assessment, Secure Coding Training, Firewall Rule Review etc.
Within Vulnerability Management, I developed a particular specialism for Bug Bounty Programme Management, taking the lead running the company programme, organising 3 charity hack days, speaking on the subject at Universities, Security Conferences & Vendor Events and attracting some of the world’s leading Hackers to our programme.
As the company’s needs changed, I transitioned from being a general company-wide vulnerability specialist to being the lead of a growing Cyber Security Specialist team. Whilst my direct involvement with Vulnerability Management lessened, I retained some relevant responsibilities such as producing vulnerability reporting, acting as the vulnerability SME within my assigned tribes and managing pentests and some aspects of the bug bounty programme.
2017 – Senior SOC Analyst – Maintel Communications
I was hired as a Senior Security Operations Centre Analyst, but the initial role was as the sole Security Specialist in a small team tasked with creating Maintel’s greenfield MSSP and SOC from scratch. I quickly augmented my existing skills with expertise in areas such as the McAfee ESM SIEM, the Fortinet border protection and analysis devices and Cisco IOS devices, as well as preparing a team for incident management and investigation.
2016 – 2017 – InfoSec Manager – Crisp Thinking
After several years of being an unofficial security champion, I became the company’s first dedicated InfoSec employee; as such, I devised and implemented numerous new procedures and policies, as well as building on both my personal skills and our in-house expertise to build a SIEM system on an ELK stack. I also developed the company’s InfoSec Risk Register, performed internal InfoSec audits and CIA and breach risk analysis, developed procedures for InfoSec Risk Management & Reporting and Incident Risk & Reporting, and conducted external host pentests.
2011 – 2016 – Technical Project Manager – Crisp Thinking
My primary role was to project manage the integration of customers’ games, chat systems, forums and social media feeds into Crisp’s Platform. I successfully managed projects to integrate dozens of leading brands from every sector into Crisp’s platform, managing every step of the process and working closely with both the management and technical teams of numerous leading brands in the entertainment, gaming, health care, social media, fashion and travel sectors. I also spent most of my first 3 years with Crisp simultaneously acting as the account manager for 50+ customers and running the Customer Support team, alongside project managing customer integrations.
2011 – Director – Coding Futures
Coding Futures was a small startup which offered me a Director role after a successful period freelancing for them. I was responsible for numerous different areas and projects, often performing customer liaison and project management work rather than technical tasks.
Whilst the projects we undertook were varied, the company specialised in both WordPress plugin development and custom payment gateways, giving me a unique insight not just into developing secure applications on a challenging platform, but also PCI compliance and the Data Protection Act.
2009 – 2011 – Consultant / Project Manager – Pegden.Com IT Management
Taking advantage of the wide range of skills I’d gained over the previous 13 years, I set up as a self-employed IT Consultant/Project Manager specialising in small businesses. This saw me deliver a wide range of projects, often building teams of freelancers to meet project requirements.
1996 – 2009 – Multiple Positions – Visionsoft Limited
In my time at Visionsoft, my role and responsibilities changed as the company grew.
- Technician – Acting as the sole technical support representative in a fledgling company.
- Technical Services Manager – Building and managing a customer support team to meet the growing demands of the company and expanding into customer training, internal support and system administration. Liaising with the development team to ensure both customer feedback and testing results were fed back into the development and release cycles.
- Technical Manager / IT Manager – Taking charge of all technical decision making in the company excluding software development. I managed the technical and customer service teams in the UK. I was also responsible for the company’s online presence (including significant input into online marketing) and headed up our customer training team. I also helped set up support channels in the USA, Australia, France and Germany.
1994 – 1996 – Support Technician and Maintenance Developer – CAL Limited
Whilst hired in a technical role to work mainly on VAX/VMS servers, testing and maintaining DIBOL code as well as specialising in PC desktop support, my customer facing skills saw me most commonly utilised in on-site face to face support, where I rapidly gained a reputation for being a great problem solver and firefighter who can work well under pressure.
As well as being a Dad and husband, a lot of my spare time is spent on InfoSec community projects, such as attending, speaking at and helping to run regional InfoSec conferences, running a charity sticker stall at conferences, co-organising DC151 (a monthly InfoSec meetup in Leeds), and maintaining a Blue Teamers blog. I’m also in the process of researching and writing a book on the 90s UK Hacking Scene.
Outside of InfoSec, I am also a school governor, a collector and restorer of 1980s arcade and gaming machines, a lapsed runner and a Blackburn Rovers supporter, and have also built several online communities, the most notable being based around a football website with over 6000 members which has been running since 1996.