After discovering I could prank my high school friends using Visual Basic scripts, I developed a curiosity about what code can do. Interested in penetration testing in high school, I pursued an education from one of the only GCHQ-certified honours degrees in the UK at Edinburgh Napier University. During my time at university, I freelanced with several organisations including the Jesuit Refugee Service, one of the oldest and most prevalent NGOs in the world, where I worked in collaboration with teams in Rome, Switzerland, Afghanistan and Pakistan. This work set me on a path with a desire to deliver real change to people and organisations.
Since becoming a consultant, I have worked with a fantastic range of very talented people who have helped me develop my understanding of people, process and culture. Coupled with my technical knowledge, I have had great success in assisting teams through challenging problems and significant changes.
My considerable experience working with executive management and technical teams in Public Sector, Professional Services, Health and Defence is an asset to any team. I have active Security Clearance (SC) from the MoD, and I am willing to undergo Developed Vetting (DV) clearance.
Security and Risk Management
Security and Risk Management is one of my core competencies. I have successfully led framework-based gap analyses on several 1000+ employee enterprises, delivering pragmatic, prioritised control recommendations to align organisations with their risk appetite.
To deliver real value to clients, I use a multi-faceted approach to understanding a business. Working closely with senior management, I gain insight into the business's strategy, budget, appetite for risk, the core services that support the business, and the high-value assets that must be protected at all costs. This understanding not only helps me tie together all of the information I get from working with their technical teams, but most importantly allows me to provide genuinely pragmatic prioritised recommendations.
Where possible, I not only deliver a report filled with information that technical teams can act on but also provide a high-level framework that enables senior IT management to continuously prioritise, measure and communicate security performance data to C-level management.
By delivering this value directly to the buyer (in this case senior IT management) I have seen continuous repeat work from our clients and had the enviable position of watching them develop their capability through the years.
A large law firm recognised the growing importance of a secure underlying infrastructure to support the services it delivers to its clients. With this awareness, the firm wished to work with a trusted advisor to ensure that the organisation is secure and is designed to best practice to minimise security or availability issues. The firm identified a need for external support to assist in the introduction of a comprehensive security framework to support the continued growth and retention of clients across the organisation.
After business stakeholder meetings to understand the business, we worked with multi-disciplinary technical teams to assess the existing infrastructure, services, threats, controls and governance. We followed our assessment with an evaluation against the firm’s risk appetite, PCI-DSS requirements and Data Protection legislation. We developed a cyber security framework to allow the firm to prioritise, measure and articulate the firm’s position concerning cyber security to C-level management.
Our prioritised, cost-effective remedial controls allowed the firm to become compliant for less than it cost them in monthly regulatory fines. Our improved threat models changed the direction of the information security strategy to focus on internal controls as opposed to building a more robust edge.
Security Architecture and Engineering
My knowledge and experience in security architecture and engineering underpin my understanding of threats and risk. I have successfully led projects working in multi-disciplinary technical teams to design hybrid architectures that integrate physical, virtual, and cloud infrastructure. These designs were all delivered with the secondary aim of improving the security and visibility of the existing segregated infrastructure by utilising secure design principles and fundamental security concepts in line with business requirements.
Security architects frequently face the challenge of kickback from IT management and in-house development functions when trying to implement controls. In my experience, this can be overcome by first taking the time to understand the exact requirements of the service in question and working with development teams to understand the impact of your recommendations before making a decision.
Taking this approach to working in an organisation as a trusted advisor has allowed me to bridge the gap between security and development, even integrating the two where possible to implement security from the strategy and high-level design phase.
A Local Authority's IT services faced several business and technical requirements that impact how they deliver digital services, including a significant shift from on-premises to cloud and software-as-a-service computing and a lower risk appetite for digital services.
With this in mind, the local authority identified the requirement for external, independent advisors to assess their current virtualised DMZ security architecture with the view to developing a realistic high-level design to support their requirements and enable safe change within the organisation.
We held multiple in-depth requirements workshops to define exactly what the DMZ architecture would deliver. Once the requirements were defined, we assessed the existing infrastructure and technology to determine the current state. Where possible, we utilised existing technology in our recommendations to deliver the desired state whilst minimising spend.
Our pragmatic design allowed the local authority to implement the changes in their existing infrastructure, utilising existing technology to micro-segment the services and safely transit data from on-premises databases to the cloud.
Security architecture is only truly effective when supported by active monitoring and triage. I have experience leading the implementation of security operations processes in several public sector organisations, including overseeing the implementation of a security operations team.
My experience extends from operations such as vulnerability management, monitoring and logging to incident response procedures and secure software development lifecycles. Implementing these operational controls has allowed multiple organisations to gain certifications and accreditations in their desired standards whilst significantly reducing the risk posed to business operations.
When implementing security operations, it is all too easy for a consultant to follow best practice blindly. From my experience, this results in technologies and procedures that involve far too high an overhead for most organisations to reasonably practice. When recommending new processes and technologies, it is essential to consider how existing technologies can be leveraged, automating wherever possible.
With hundreds of thousands of citizens using their critical digital services each year, a large Government Agency identified the requirement to build a security operations team to monitor applications, infrastructure, and triage vulnerabilities continuously. With this requirement, the Agency approached FarrPoint to advise on how to create an effective security operations team.
FarrPoint worked closely with stakeholders in IT to define their appetite, budget and timescales for implementing a security operations team. Once a strategy was defined, we assisted in defining roles and recruitment interviews. FarrPoint worked with the initial members of the team to determine how continuous monitoring would be implemented, followed by a soft-market review to assess the capability and potential impact of tooling. Over the following months, we worked with the team to define their vulnerability management process, implementing the security operations team with the rest of the organisation. Finally, FarrPoint provided triage guidance when the organisation set out to reduce the vulnerabilities in their estate significantly. Due to some legacy technology, a significant number of alternate remediations were designed to protect from specific high-risk threats.
The outcome of this engagement was a small but proficient security operations team that significantly improved security capability and posture within the organisation, allowing them to gain certification with several standards.
Training and Awareness
Security architecture and operations will all fall short if an organisation’s users are not aware of the threats they face. One of the most effective ways to maintain a raised awareness of social engineering is to simulate attacks and provide appropriate training continuously.
I have implemented platforms for social engineering and led managed service social engineering engagements that have included spear phishing, mass phishing, voice phishing (vishing), and USB drop pretext attack simulations. I have designed and implemented virtual training and significantly improved reporting and pass rates in subsequent engagements.
When it comes to getting value from a social engineering engagement, the aim of the organisation must be taken into consideration. Targeting specific high-value users with highly-targeted spear-phishing campaigns can be significantly more effective in reducing the risk than generic mass phishing campaigns.
This case study is coming soon.
Thank you for taking the time to read about my skills. If you have any questions or comments I’d like to hear from you.
Outside the Office
I’m not all work and no play. Growing up as a country boy in the Highlands of Scotland, I feel most at home getting lost in the outdoors. Whether it’s struggling through five Munros in one day or canoeing 120km down the River Spey from source to sea, wild camping on river islands for five days, you’ll find me happiest outside of my comfort zone.
If you catch me in the city, then I’m likely out walking my dog Leo, or I’m on my way to the Scottish Malt Whisky Society for a dram and a catchup with some friends.