Skip to main content

A bit of a twist in the path...

2017 has seen me take a twist in my career path. Moving from 11 years working within Technical Infrastructure Architecture and Operations, to Information Security.

The inspiration for this career change came from a few serendipitous sources.

When I joined in 2014 (having had a fantastic 8 years building my career at Sony Playstation as SysAdmin and Operations Manager) I was tasked with setting up a new in-house Technical Operations function that would help to see Moonpig attain PCI-DSS compliance (as a level 1 merchant with full SAQ-D) as well as further improve their TechOps practices.

Whilst building the new team and dealing with PCI I was fortunate to have the opportunity to work with the talented Luke Potter at Surecloud - who had been engaged as Moonpig's preferred ASV. Spending time with Luke and his team during the course of that year (and years to date in my subsequent roles within the Photobox Group) inspired both the technologist in me as well as the lateral thinker: the vulnerabilities they were seeking, impressive exploits they were able to PoC and deep technical knowledge through which they were able to do this essential work was truly something to behold. It was at this time that I got my first taste of true AppSec and InfoSec workings, and I sensed that I'd hit upon something that would re-stoke the technologist in me in a way that pure technology management was unable to.

As Moonpig achieved its PCI certification, the brand, and in fact whole Photobox Group soon underwent a rapid program of security uplift and investment later in 2015. I was fortunate to now be leading the Group's Technical Operations capability across the UK and mainland Europe, and working alongside the Group Risk team was able to plan and deliver a wide-spectrum series of projects aimed at adding to, and improving the Group's Security working practices, processes and supporting technologies.

As a diverse team we tackled so much in so little time - DOS protection, WAF capabilities, SIEM adoption, DarkTrace, end-point security enhancements, GRC reviews, built SOC support via 3rd parties - and had ethical hacking submissions thrown into the mix as well as a few interesting discoveries by our own Engineers to deal with.

During the final stages of delivery of the program I was fortunate enough, in 2016, to enjoy a two month sabbatical from work with my young family.

We travelled across France, and whilst covering the miles between our stop-overs I began to reflect as to what my next career challenge needed to look like. It was especially important for me to maintain the promise I'd made myself upon leaving Uni that I will always 'get out of bed and go to work for something I care and believe in.' This became especially focused for me when I realised the simple pleasures of having time with my wife and children, and the sabbatical reinforced the fact that I needed a good reason to leave them back home each day if work was to be that draw.

Upon my return to Photobox everything was will ticking along nicely still thanks to my Deputy and team keeping on top of things - Operations were operating - and so I offered my resignation as means of giving myself the kick I needed to find that 'next challenge' and to ensure I was still useful to the business. Dominic Cameron - my truly brilliant and gifted boss and Group CTO at the time - smiled and reminded me there was still much to do, and later shared that the Group intended to further invest in Security through hire of a new CISO.

I threw my hat into the ring instantly (over a HipChat conversation with Dominic from Valencia if I recall) and what followed was a somewhat bumpy journey for me. Long story short,  I didn't become the CISO. However, I did get offered the chance to become the Group's first Senior Director of Information Security, and deputy to the new-hire CISO.

The CISO they chose was Dinis Cruz, and when we first met we simply hit it off. He's a hardcore AppSec specialist, with razor sharp engineering chops and an energy and work ethic that compliments our Group perfectly. He's also an enthusiastic mentor, and I felt assured that staying at Photobox to support the Security initiative under his guidance would be a great next career move.

Dinis and I soon realised we could start to build a function for the Group that saw him focusing on being CISO and the 'AppSec' areas of what we aimed to create. I would focus more on the InfoSec/SecOps side of things - bringing my experiences from TechOps, PCI-DSS and more to the party.

And so here I am. 'Day 1' you could call it (I know those Amazonions out there might...). A new career path, brilliant support from the Group and learning opportunities I could only dream of.

This personal blog has come about through my wish to share my learnings, no-doubt naive discoveries, thoughts, proposals, achievements and reactions as I find my way along this new path.

Forgive the blunders, but better my views, comment on my thoughts and help me to open source my career as it steadily begins to unfold in front of me.

Even in the year since my decision to pursue this path, and the two months I've now officially held my new position I've met some amazing new contacts - ethical hackers, black hats, hostage negotiators, CISOs from many walks of life and industries, social engineers, legendary founders and secret service operatives.

Without name dropping - they know who they are - I want to thank them all for encouraging me to take this step, and I hope to be able to repay the favour by contributing to the increasing pool of knowledge, debate and progress we all aim to make in this field.


  1. Great post! It's really brave to share your views like this :)

    I'm looking forward to reading the next 50 posts :)


Post a Comment

Popular posts from this blog

Designing a GDPR-compliant consent workflow for eCommerce

It's been quite a journey for me, to date, as I find my way along the twisty path that is understanding GDPR.

Through attempting to better understand what 'compliance' for the Photobox Group looks like, and in a renewed attempt to better understand its likely impact upon us, something I've found hard to find are good examples of 'GDPR compliant' user interfaces for eCommerce around the provision of user consent.

Ultimately we need to ensure that for each and every GDPR-relevant interaction our brands have with our customer's data, we have their appropriate consent.

The question is, how granular the explicit Opt-In requirements need to be?

The ICO does a good job of publishing high-level 'consent guidelines' as below:
Explicit consent requires a very clear and specific statement of consent. Keep your consent requests separate from other terms and conditions.Be specific and granular. Vague or blanket consent is not enough.Name any third parties who wi…

The 'Big Five' behaviours - Building and maintaining a values-led business culture

Business culture is a topic that I frequently see popping up on my LinkedIn feed, and something I'm deeply passionate about.

Many of us have read the famous Netflix slide deck that describes their own business culture, and even last night whilst digesting the day's technology news I read an analysis of Bezos' meeting culture in a digital broadsheet.

For my business - Conosco - the culture I joined and the culture I knew that I would be proud to lead and be associated with, have maintained a high position in my everyday thoughts whether on my morning drive to work, walking through the streets of London at lunchtime or sitting with my young children as they fall asleep at night after their bedtime story.

Having just spent a week with our teams based in South Africa, it's become ever more apparent to me that a relatively small number of leadership values and habits can help to drive what I feel are the most valuable team member behaviours to support our business culture.

Introducing the Conosco Security Division

One thing you’ll notice is that I quite like to blog about what I’m up to at Conosco. As the CEO for a private company, this may be somewhat unusual, and it would certainly make other company Boards nervous. 
Thankfully not ours. 
We believe that being ‘open’ betters the understanding among our staff, future employees, clients and prospects of what Conosco does, how we do it, and what we strive for. It also follows an ethos that I believe has helped mature the Information Security community – sharing knowledge that adds insight and value to its members. This approach has allowed the Information Security community to build strong bonds,  improve its members’ collective defences and lower the barrier to knowledge proliferation as a result.
Conosco has a new and niche security offering for the SME market that has benefitted from such open thought, opinion sharing and an honest approach to solving our clients’ genuine security needs. The new Conosco Security Division provides our clients…