Skip to main content


Introducing the Conosco Security Division

One thing you’ll notice is that I quite like to blog about what I’m up to at Conosco. As the CEO for a private company, this may be somewhat unusual, and it would certainly make other company Boards nervous. 
Thankfully not ours. 
We believe that being ‘open’ betters the understanding among our staff, future employees, clients and prospects of what Conosco does, how we do it, and what we strive for. It also follows an ethos that I believe has helped mature the Information Security community – sharing knowledge that adds insight and value to its members. This approach has allowed the Information Security community to build strong bonds,  improve its members’ collective defences and lower the barrier to knowledge proliferation as a result.
Conosco has a new and niche security offering for the SME market that has benefitted from such open thought, opinion sharing and an honest approach to solving our clients’ genuine security needs. The new Conosco Security Division provides our clients…
Recent posts

My first month as a numbers

It's been a busy few months as I moved from a wonderful few years spent with the Photobox Group to becoming Chief Executive for Conosco.

Playing to my 'purple' nature, here are some simple numbers to tell the tale of my first month as a CEO:
1 - organisational restructure0 - resulting redundancies4 - new members appointed to a newly-created Leadership Team spanning the UK and South Africa1 - tailored leadership skills course completed by the new Leadership Team20 - minutes that each leadership team member was asked by me to spend completing a self-analysis questionnaire~0 - the number of cynics asked to engage with the exercise1 professional lifetime - the time that the positive impact the individual questionnaire results that were presented to them will last on each of them (ask them, they agree.)62 minutes - the time it took us to escape from 'Escape Rooms' in London32 - the floor we ate lunch at in the Shard where we celebrated our offsite as a new Leadership te…

Designing a GDPR-compliant consent workflow for eCommerce

It's been quite a journey for me, to date, as I find my way along the twisty path that is understanding GDPR.

Through attempting to better understand what 'compliance' for the Photobox Group looks like, and in a renewed attempt to better understand its likely impact upon us, something I've found hard to find are good examples of 'GDPR compliant' user interfaces for eCommerce around the provision of user consent.

Ultimately we need to ensure that for each and every GDPR-relevant interaction our brands have with our customer's data, we have their appropriate consent.

The question is, how granular the explicit Opt-In requirements need to be?

The ICO does a good job of publishing high-level 'consent guidelines' as below:
Explicit consent requires a very clear and specific statement of consent. Keep your consent requests separate from other terms and conditions.Be specific and granular. Vague or blanket consent is not enough.Name any third parties who wi…

Cultural mugs

One of the main challenges that drew me to Information Security (and management in general) was that of helping to build a working culture that is genuine, sustainable and is aligned to support 'the vision'.

I've had the benefit to have learned directly, and from the experiences of past bosses, leaders and mentors how not to approach cultural change initiatives: Knowing what bad change-approaches looks like, usually without any real clarity around what perfect (or even good!) may be is a useful head-space to occupy.

At least in the absence of knowing what to do, knowing what not to do provides a useful reference point.

I find that this simple psychological tool helps me to sanity check if I'm falling into those past gotchas and traps as shared with me by the wise few who've been there, seen it, burnt that bridge, picked themselves up and started all over. Haven't we all?

The challenge of raising Information Security awareness through driving a working culture …

Preparing staff messaging around WannaCrypt/WCry

In the spirit of my ongoing InfoSec openness, here's the messaging I've prepared around our Group's education and call to action around WannaCrypt:
Many of you will have read about last week’s Global cyber attack that caused a number of organisations to be seriously impacted including the National Health Service in the UK and Telefonica in Spain. Over 70 countries were affected in total.
The attack took the form of ‘ransomware’ that caused computer-held files to be made unreadable (encrypted) unless a payment was made to the attackers via the 'Bitcoin' online currency.
Currently we have no reports of any impact to Group services or systems from this attack.
The attack relied upon a combination of malicious software being run, poor IT configuration practices, and the exploit of older, unpatched/out-of-support systems such as Windows XP and 2003.
The Group have a large and complex IT infrastructure that is continually being improved, strengthened and made more …

A SOC is cooking - with a sprinkle of Machine Learning and SRE

This week sees the start of an exciting new chapter in our ever-maturing InfoSec story, with our Group Security team forming a new Security Operations Centre (SOC).

It has been founded using key staff from our existing Network Information Security (NIS) and AppSec analyst capabilities and I believe we are taking an interesting approach to the its creation that sees us using our ASV (Surecloud) as our first internal SOC client:

The rationale is simple - Surecloud's consultants are tasked with poking and probing our applications, network and supporting infrastructure (all BAU as part of our PCI-DSS routines), and our SOC is challenged to be able to report back to the testers what it is they did.

To achieve this the new SOC team has been empowered (provided time, creative freedom, engineering resource access and budget) to architect whichever technical solution(s) they require to be gain the required insight, and so a Red/Blue team dynamic is born between 'them' and the '…

Security as 'Product'

One of the (many) challenges that attracted me to a role within Information Security was to seek a way of better integrating and aligning the benefits of both amazing products alongside amazing information security.

Now, 'amazing' security need not require multi-million $ appliance-level technology or investment, but should be sat close to the edge of the trail-blazing curve from both an AppSec and InfoSec standpoint both through practices, culture and attitude.

What do I mean?

Well, right now I'm not 100% certain, hence this blog post (I'm looking for ideas and validation/criticism) but here's the concept:

What if Security itself became a 'Product' for the business much like any other they produce?

Or perhaps - but I am shying away from the idea for a few reasons I'll explain - a set of features/requirements that are baked in to every product we release?

Sure, best practices and ISMS frameworks mandate/dictate what 'best practices' look like, …