Product and technology road mapping and alignment
Current State to Future State strategy and architecture
Policy and architecture framework development and integration
Solution and process analysis and recommendation
Bidding, Tender, and Sourcing strategies
Request For Information, Pricing and Response to tender offers
In/Outsourcing, Offshore/near-shore partnering
Managed Services offerings and enablement
Service Provider/Vendor utilization and management
Business Process Outsourcing/Management
Business process analysis and re-engineering
Integration into IT architecture and solutions methodologies
Setup of development, testing, operations, and support centers
Subject Matter Expertise
Project Management, Architecture, Modeling, Standards, and Methodologies
Certified Risk and Information Systems Security Professional (CRISC/CISSP), Prince2, ITIL, Rational Unified Process (RUP), SDLC, Event and Model Driven Architecture (EDA), Network Enabled Capabilities (NEC), System of Systems design, Zachman, Sherwood (SABSA), TOGAF, MODAF/DODAF, Service Orientated (SOA).
Identity Management, Access Control and Security Monitoring (SIEM)Systems
Biometrics (Fingerprint, Face, Voice, Handwriting), eID ICAO/EAC, Workflow, Provisioning, X.500/LDAP, Meta/Virtual Directories, Synchronization/Replication, Single Sign On, SAML/Web Services, Federation, Surveillance, Context, Role, Location Based Access Control, SIEM Correlation and Monitoring, Counter Fraud/Intelligence tracking, collection and data disambiguation, GRC Policies
Virtualization of Desktop and Server Infrastructure
Thin Client computing hardware and software, Connection brokers and session management middleware. Secure hypervisor and multi-classification compartmentalization. Logical partitioning and multi-level security implementations.
Satellite and Communications Systems
Location and Navigation Systems (Galileo/GPS), Voice over IP (VOIP), Network Design/Architecture (VLANs, Switches, Firewalls, DMZ), one-way traffic data diodes
Cryptography and Encryption Systems
Hardware Security Modules (HSM), Key Management, X.509 digital certificate and PKI, Smart Card Management Systems, Strong/Multi Factor Authentication, IPSec and SSL VPNs and network encryption for remote and wide area access
System and Component Accreditation
Target of Evaluation, Protection Profiles, Risk Management and Methodologies, Threat, and Vulnerability Assessment, Counter-measures, and Penetration testing
Feb 2010– Present
Client: T-Systems International (Deutsche Telekom Group), Brussels, Belgium
Position: Security Manager, Consulting Western Europe (UK, Belgium, France, Netherlands)
Project: International outsourcing and strategy consultancy
T-Systems is part of the Deutsche Telekom Group, one of the largest telecom groups in Europe and world leader in dynamic SAP outsourcing services. As part of my role I am leading teams of security consultants and architects currently with 5 direct reports (10+ in matrix on projects) across Europe cities on multiple projects as part of international outsourcing contracts ($100M-$1B). I am leading a team of security consultants, project managers, and architects on transition and transformation projects which involve datacenter design, though to hosting of services and data privacy policies. I am responsible for P&L activities and costing of solutions for proposals. I am also performing security pre-sales activities, with responses to tender and bid on security projects, and strategic partnership development. I travel 25-50% to UK, Germany, France, and Netherlands.
October 2009 – Feb 2010
Client: EUROControl, Central Flow Management Unit (CFMU), Brussels, Belgium
Position: Project Manager, Security Operations, delivery, architecture and consultancy
Project: Data Warehouse (DWH) and CFMU service design and management projects
Eurocontrol is the European organisation for safety and security incident and event monitoring for air navigation. I am leading a team of 7 people on a $20M euro contract to transition and outsource the DWH operations that collect, report, and monitor security and safety events of airlines and airports. I am managing a team of architects, engineers, and support people though transition of services, with response SLAs, supporting Eurocontrol and SESAR with security and architectures.
March 2009 – October 2009
Client: European Commission (EC), Directorate of IT (DIGIT), Brussels, Belgium
Position: Project Lead, Security Architect, Identity Management strategy
Project: EC Authentication Service (ECAS) & Secure Identity Linked Across Borders (STORK)
DIGIT are responsible for development and support of strategic IT and security infrastructure programmes for the EC. As part of this project, I have been leading 3 person team in an identity and access management project for DIGIT working with other EC directorates and EU member states. This work includes the business case, budget estimation, and committee approvals for the project to support the use of smart cards and identity cards for strong authentication. This project involves the development and integration of eID and ICAO identity cards to allow EU Member States and the EC to exchange identity information and authenticate citizens. I was leading a team of developers and managing the involvement with various EU member states in workshops to help develop standards for federation applications using eID identities.
September 2008 – March 2009
Client: NATO (North Atlantic Treaty Organisation), SHAPE, Mons, Belgium
Position: Project Lead and Security Architect, Identity Management and accreditation.
Project: Norwegian Joint Warfare Centre (JWC) and NATO Computer Incident Reponse (NCIRC)
I was lead architect of a 3 person team designing and assessing the security requirements of a new joint operations facility. This project involved identity management, access controls, and virtualisation of thin client (VDI) technologies for shared platform solutions. I was responsible for the integration of security solutions that provide multi-factor authentication (PKI, smart cards, tokens, role, context) to virtualised environments. I lead the project architecture recommendations on the vendor engagement, procurement, integration, costing and implementation the security solutions, as well as transition, transfer and operation of systems. I was working with NATO accreditation authorities to provide certification of the solution for member country use. As part of this role I was leading customer requirements workshops and meetings with travel between NATO sites and countries.
July 2008 – September 2008
Client: IBM and Atos Origin, London, UK
Position: Lead Security Architect, Identity Management Consultant
Project: National Identity Scheme Card/Passport (NIS) Consortium
I successfully lead the security architecture and design bid team of 5 people which won £265M tender for the UK NBIS (National Biometric Information Storage). I was responsible for the design and development of security aspects including use of Tivoli (TIM, TAM, TDI, Datapower), virtualised hosting platforms (pSeries, zSeries), enterprise service bus (ESB) integration and access management solutions (NISAM). Within the enterprise and security teams I lead the architecture recommendations on integration and implementation the security solutions, as well as transition, transfer and operation of systems. I have been part of all customer meetings, and submissions to the customer, including special projects, business development, security accreditation, and architecture for counter fraud.
May 2008 – July 2008
Client: Oracle/Sun Microsystems, London, UK
Position: Lead Security Architect, Identity Management Consultant
Project: Credit Agricole-Lyonais (CALYON) and UK Home Office Single Sign On (SSO)
I consulted on a number of projects related to identity management integration and security architecture, and working with Sun products, vendors, and partners. I lead engagements with various clients, and providing strategy, guidance, and recommendations to improve the SSO design and deployment within the enterprise, towards tactical solutions like Kerberos, and strategic solutions for SAML/WS* federation, EMV/Chip and Pin Two factor/Smart card authentication and access control systems with Microsoft Identity Lifecycle Manager (ILM).
December 2007 – May 2008
Client: Thales, Security Solutions & Services Division, London, UK
Position: Lead Security Architect, Authentication, Data Protection and Counter Fraud
Project: National Identity Scheme Card/Passport (NIS) Consortium
I successfully lead the security architecture and design bid team of 5 people which won £20M tender for the UK Critical Workers ID Card (CWIC), currently in use for UK resident foreign national. My role included selection and design of secure platforms, products, enrolment workflow, approval, and provisioning of users. I also lead selection of the identity card EMV/Chip and Pin solution chosen, and biometric data protection and matching, cryptographic, multi-factor authentication, counter fraud and intelligence solutions and services for the proposed National Identity Register (NIR). Within the enterprise and security teams I lead the architecture recommendations on the vendor engagement, procurement, integration, costing, and implementation the security solutions, as well as transition, transfer and operation of systems. I have been part of all customer meetings, and submissions to the customer, including special projects, business development, security accreditation, and architecture for counter fraud.
August 2007 – December 2007
Client: Symantec Corporation, London, UK
Position: Lead Security Architect/Consultant
Consulting to BT, Barclays, RBS/ABN AMRO, I was advising on the security architecture and organisational transition, compliance, and transformation projects, such as cryptographic remediation of applications, and infrastructure platforms such as mainframes and networks intrusion detection (HIDS/NIDS). As part of engagements with BT Chief and Enterprise Architecture teams I was working on infrastructure strategy. The BT London Service provider NHS project is the UK’s largest health care patient database and X.500/LDAP directory infrastructure implementation. I was involved with the synchronisation and expansion of the identity management and local SPINE directory services to increase the integration, availability and performance of the application’s use of Single Sign On. My current role has been to analyse GP applications security threats and risks associated and propose counter-measure and approaches for remediation. I was also working on the improvement the asset management, identity management and single sign on, web infrastructure, enterprise architecture design, product catalogues, virtualisation, service offerings, and technology road maps for platform consolidation. I meet with BT Chief Architects, stakeholders, vendors, and arrange workshops to discuss user requirements and functionality.
May 2007 – August 2007
Client: UK Home Office, Identity and Passport Service, London, UK
Position: Lead Security Architect, Identity Management Specialist
Project: National Identity Scheme Card/Passport (NIS) Consortium
The National Identity Scheme involves the design and development of ID card including EMV/Chip and PIN, as well as systems used to integrate, manage, and synchronise biometric databases and matching of information about 60M citizens and foreign nations residing in the UK. As part of this project, my role is to provide specialist consultancy, architecture, design, integration, and implementation of the enterprise approaches to middleware integration and synchronisation of databases and PKI and X.500/LDAP directory systems. I was designing the solution and components used manage and issue cards, as well as store and synchronise biometric databases and cryptographic keys used to protect the identities of individuals with National ID cards and UK Passports. This role involves requirements gathering and analysis of systems, as well as the adherence to standards. I meet with stakeholders and organise workshops to discuss requirements and implementation of interfaces and propose use of the system with vendors, and other agencies.
September 2006 – May 2007
Client: EADS Astrium, Thales Land & Joint Division, London/Portsmouth, UK
Position: Lead Security Architect/Design Authority, Payload and Ground Systems
Project: Galileo Payload, Ground Engineering and Security Teams
The Galileo Project is part of the European Space Agency development of rival Global Positioning System (GPS) intended for use by the European Member states. My role is to help architect, design and engineer a secure payload and ground system communications (NAV/COMSEC), FPGA/ASIC development, key management systems, and access control solution capable of protecting the information contained and controlled onboard. This role includes management of the design; development, certification and accreditation (Common Criteria, FIPS) process to ensure secure communications, storage, authentication, and access control. This role involves risk management and assessment of threats and vulnerabilities (TEMPEST), counter measures, and scoping cost benefit, feasibility study, strategy and architecture. As part of this role, I was a security design authority for cryptography services, and X.500/LDAP directory services, identity management of ground station controls for shift and operation hand over. I managed vendors and security engagements, with reports to the senior project management. I meet with stakeholders and arrange workshops, requirements, certification and accreditation, frequent travel (25-50%) including Italy, France, Belgium, Germany, and Netherlands.
March 2006 – September 2006
Client: UK Ministry of Defence (MOD), Atlas Consortium, London, UK
Position: Lead Security Consultant/Architect
Project: MOD DII (Future) Common Access Smartcard & PKI Architecture Teams
As part of this project, I was the technical design authority and architect involved the implementation of the ActivIdentity EMV/Chip and PIN Two Factor/Smart Card management and workflow provisioning system for card issuance, and the PKI, X.500/LDAP directory synchronisation and integration, selection of certified and accredited products (Common Criteria, FIPS). In my role I was responsible for requirements and gap analysis, producing architectures, designs, arranging workshops, and the documentation of the deliverables and the statement of work. I meet with Atlas and MoD stakeholders and end users and arrange workshops to discuss requirements and functionality.
June 2005 – September 2006
Client: ABN AMRO Retail/Investment Bank, Amsterdam/London, UK
Position: Chief Security Architect (UK)
Project: Global IT Architecture Group, Security Strategy and Enterprise Architecture Teams
My role was to engage stakeholders and lead a project team of 10 people to remediate systems and ensure policy compliance though securing transactions, communications, and storage. I worked on initiatives including PKI, Strong/Two Factor Authentication tokens, EMV/Chip and PIN smart cards, and identity management solutions for SOX compliance. This role involved leading risk assessment and penetration testing activities and small teams identifying vulnerabilities and threats, penetration testing, and providing market research reports recommending counter measure solutions. I developed cost benefits, feasibility studies, future state strategy and architectures, as well as review of various projects, selection of certified and accredited products (Common Criteria, FIPS), and platforms that integrate and security infrastructure. As part of this role, I was the global design authority for cryptography, and working on all other key programmes with other global enterprise architects, across the regions to support business units. I managed outsourced vendors and security engagements, with reports to the chief information officers, security and enterprise architects. I meet with stakeholders including CIOs, regional security chiefs, arrange workshops, travel (25-50%) to countries including Netherlands, US, Brazil.
February 2005 – June 2005
Client: Cable and Wireless, London, UK
Position: Security/Infrastructure Architect
Project: UK National Health Service (NHS) Web Technology Group
The NHSmail project is the UK’s largest secure unified X.400/SMTP messaging and X.500/LDAP directory infrastructure implementation project. My role was to manage the migration, reliability of the platform, develop workflow processing, synchronisation, security for the messaging and directory systems for the 2M users. The project used IBM Tivoli and CA tools for provisioning. Web portals for user self-administration functionality were also developed to manage provisioning. I meet with stakeholders and arrange workshops to discuss user requirements.
December 2003 – February 2005
Client: Singapore Telecommunications (SingTel Optus), Sydney, Australia
Position: Enterprise Security/Infrastructure Architect
Project: Web Infrastructure, Security, and Enterprise Architecture Teams
SingTel Optus is the largest mobile carrier in Australia, with some 5M customers and some 1200 web sites providing online services. As part of this project I lead the security effort to assess the design and identify risks, threats, and vulnerabilities for online/web applications, and selection of certified and accredited products (Common Criteria, FIPS). As part of the rebuild/migration of the existing web infrastructure, I designed and implemented the workflow approvals, provisioning, and database synchronisation with PKI, and LDAP directory architecture, and the SAP Single Sign On integration with Siteminder and IdentityMinder for delegated user management. I also developed security policy and guidelines for identity management and information security. I meet with stakeholders such as the CIO and business units arrange workshops for user requirements and functionality.
August 2002 - December 2003
Client: Computer Science Corporation (CSC), Canberra/Sydney, Australia
Position: Security/Infrastructure Engineer
Project: e-Defence project Web Infrastructure and Security Architecture Teams
The Australian Dept. of Defence e-Defence project is part of the highly secure network. This deployment included database synchronisation with SAP, Peoplesoft and other PKI, Two Factor Authentication systems, digital certificates, smart cards to sign and encrypt email. As part of this project, I was involved in the design, implementation, and risk assessment of the X.500 directory and X.400 messaging systems, selection of certified and accredited products (Common Criteria, FIPS). I designed and implemented the corporate white pages and synchronisation of database and applications used to retrieve user details from the directories. I also developed documentation and guidelines on information security policy in line with Australian DOD standards. I met customers, stakeholders and arrange workshops.
February 2002 - August 2002
Client: Department of Workplace Relations, Canberra, Australia
Position: Security Analyst/Consultant
Project: JobNetwork Enterprise Application Services and Security Teams
The Australian Dept. of Workplace relations currently manages over a 1000 employment agencies as part of the JobNetwork for Australia’s 1M unemployed job seekers. I worked on synchronisation and integration of PKI and Active Directory for securing mainframe systems used to provide external access to job seekers details to the employment providers. As part of this project, I designed and implemented the Active Directory domains and trusts, certificate authorities and Two Factor Authentication with smart cards. As well as a number of workflow and web-based components, I also implemented corporate directory white pages which retrieved user details from the directory and synchronised it with existing data sources. I also developed documentation and guidelines on information security policy. I meet with stakeholders and CIO, arrange workshops to discuss user requirements and functionality.
March 1999 - February 2002
Client: DSTO, Dept. of Defence, Adelaide, Australia
Position: Systems Analyst/Programmer and Masters research student
Projects: Human Systems Integration, Electro-optic Threat Warning, and C3I teams
The Defence Science and Technology Organisation (DSTO) are responsible for the research and development of Australia’s defence-related technology. As part of my Masters thesis, I worked on a number of projects involved in development of applications for biometrics for handwriting, voice/speech recognition, text summarisation, and extraction. I also developed graphical modelling and simulations weapons platform engagement scenarios, as well as command and control structures. Lastly, I worked on secure communications and distributed information storage systems (X.500), and secure messaging systems (X.400), cryptography, PKI, and certification and accreditation (Common Criteria, FIPS). I wrote technical reports, also presented regularly to DoD, Military personnel, and academics.
