A bit of a twist in the path...

2017 has seen me take a twist in my career path. Moving from 11 years working within Technical Infrastructure Architecture and Operations, to Information Security.

The inspiration for this career change came from a few serendipitous sources.

When I joined Moonpig.com in 2014 (having had a fantastic 8 years building my career at Sony Playstation as SysAdmin and Operations Manager) I was tasked with setting up a new in-house Technical Operations function that would help to see Moonpig attain PCI-DSS compliance (as a level 1 merchant with full SAQ-D) as well as further improve their TechOps practices.

Whilst building the new team and dealing with PCI I was fortunate to have the opportunity to work with the talented Luke Potter at Surecloud - who had been engaged as Moonpig's preferred ASV. Spending time with Luke and his team during the course of that year (and years to date in my subsequent roles within the Photobox Group) inspired both the technologist in me as well as the lateral thinker: the vulnerabilities they were seeking, impressive exploits they were able to PoC and deep technical knowledge through which they were able to do this essential work was truly something to behold. It was at this time that I got my first taste of true AppSec and InfoSec workings, and I sensed that I'd hit upon something that would re-stoke the technologist in me in a way that pure technology management was unable to.

As Moonpig achieved its PCI certification, the brand, and in fact the whole Photobox Group, soon underwent a rapid programme of security uplift and investment later in 2015. I was fortunate to now be leading the Group's Technical Operations capability across the UK and mainland Europe, and, working alongside the Group Risk team, was able to plan and deliver a wide-spectrum series of projects aimed at adding to and improving the Group's security working practices, processes and supporting technologies.

As a diverse team we tackled so much in so little time - DoS protection, WAF capabilities, SIEM adoption, DarkTrace, endpoint security enhancements, GRC reviews, SOC support built via 3rd parties - and had ethical hacking submissions thrown into the mix, as well as a few interesting discoveries by our own Engineers to deal with.

During the final stages of delivery of the program I was fortunate enough, in 2016, to enjoy a two month sabbatical from work with my young family.

We travelled across France, and whilst covering the miles between our stop-overs I began to reflect as to what my next career challenge needed to look like. It was especially important for me to maintain the promise I'd made myself upon leaving Uni that I will always 'get out of bed and go to work for something I care and believe in.' This became especially focused for me when I realised the simple pleasures of having time with my wife and children, and the sabbatical reinforced the fact that I needed a good reason to leave them back home each day if work was to be that draw.

Upon my return to Photobox everything was still ticking along nicely thanks to my Deputy and team keeping on top of things - Operations were operating - and so I offered my resignation as a means of giving myself the kick I needed to find that 'next challenge' and to ensure I was still useful to the business. Dominic Cameron - my truly brilliant and gifted boss and Group CTO at the time - smiled and reminded me there was still much to do, and later shared that the Group intended to further invest in Security through the hire of a new CISO.

I threw my hat into the ring instantly (over a HipChat conversation with Dominic from Valencia, if I recall) and what followed was a somewhat bumpy journey for me. Long story short, I didn't become the CISO. However, I did get offered the chance to become the Group's first Senior Director of Information Security, and deputy to the new-hire CISO.

The CISO they chose was Dinis Cruz, and when we first met we simply hit it off. He's a hardcore AppSec specialist, with razor-sharp engineering chops and an energy and work ethic that complements our Group perfectly. He's also an enthusiastic mentor, and I felt assured that staying at Photobox to support the Security initiative under his guidance would be a great next career move.

Dinis and I soon realised we could start to build a function for the Group that saw him focusing on being CISO and the 'AppSec' areas of what we aimed to create. I would focus more on the InfoSec/SecOps side of things - bringing my experiences from TechOps, PCI-DSS and more to the party.

And so here I am. 'Day 1' you could call it (I know those Amazonians out there might...). A new career path, brilliant support from the Group and learning opportunities I could only dream of.

This personal blog has come about through my wish to share my learnings, no-doubt naive discoveries, thoughts, proposals, achievements and reactions as I find my way along this new path.

Forgive the blunders, but better my views, comment on my thoughts and help me to open source my career as it steadily begins to unfold in front of me.

Even in the year since my decision to pursue this path, and the two months I've now officially held my new position, I've met some amazing new contacts - ethical hackers, black hats, hostage negotiators, CISOs from many walks of life and industries, social engineers, legendary founders and secret service operatives.

Without name dropping - they know who they are - I want to thank them all for encouraging me to take this step, and I hope to be able to repay the favour by contributing to the increasing pool of knowledge, debate and progress we all aim to make in this field.

Comments

  1. Great post! It's really brave to share your views like this :)

    I'm looking forward to reading the next 50 posts :)

