• Risk Management
  • Crisis Management
  • Business Continuity
  • Cyber Security
  • IT Governance

Risk Management

Securing your business from operational risks is a first priority for any management team. Losses of life, intellectual property, physical assets and reputation can have a devastating impact on a business. We need to make sure we manage risks so that we minimise such threats and maximise their potential.

Risk management involves understanding, analysing and addressing risk to make sure companies achieve their objectives. Furthermore, it must be proportionate to the complexity and type of organisation involved, and there must be a joined up approach to managing risk across an organisation and its extended networks in order to be effective.

Common Standards Are:

  • ISO/IEC 27001:2013 - Information Security Standard and is Specifically Risk-Based
  • ISO 31000:2009 – Risk Management Principles and Guidelines
  • ISO/IEC 31010:2009 - Risk Management (Risk Assessment Techniques)

From strategic advice to practical, on-the-ground services, I provide integrated solutions to meet all of my clients security risk management challenges. Initially I review, audit and benchmark existing arrangements to identify gaps or misaligned resources. I subsequently create strategies, policies and solutions to protect assets and reduce the likelihood of losses from operational risks.

All of these solutions are delivered to an international best practice standard.

Crisis Management

The first step in effective crisis management is to understand the specific and unique threats and risks to your organisation. I have specialist knowledge across a wide range of issues and using a business impact analysis, help clients understand their vulnerability. I equip them to answer questions such as "What are the processes, people and systems that we could not survive without"? and "what can we do to protect them"?

With a detailed understanding of my clients, I am able to plan and implement a crisis management system. I help integrate the crisis plans into management structures, incorporating any response and recovery plans that may exist or may need to be created.

Where clients already have plans in place, I am able to review the plans and make recommendations for improvements. I also work with clients to test their crisis management preparedness, allowing plans to be modified to take account of changes. This enables the team as a whole to maintain familiarity with the systems in place and also to run through scenarios involving current threats.

Business Continuity

It is essential your business remains operational when unexpected, disruptive events occur. Have you wondered what might happen if your offices were flooded, or an extended power outage occurred? Research shows that 36% of businesses are keen to implement disaster recovery but believe they cannot afford even a basic service, whilst 95% of businesses experience outages for reasons unrelated to natural disasters. With the advent of Cloud computing, DR and BCP is now becoming more feasible for smaller businesses to implement.

DR Design and Testing

I have expertise in disaster recovery technologies helping you ensure your business is resilient to failure but, should the worst happen, systems can be swiftly recovered. I work with companies of all sizes and am able to design and implement robust solutions, or audit existing infrastructures to ensure your systems remain adequately protected.

Business Continuity Management

BCM traditionally centres on planning for hazards like fires, floods, etc. but doesn't account for challenges such as crisis management, cyber attacks and risk management. I have a high level of expertise in this area and regularly lecture at the University of Portsmouth’s MSc Risk & Crisis Management course.

I work with your business to create the plan, which will be allocated to necessary staff members and thoroughly tested, without causing any disruption to working users on your live systems. I provide a full report identifying areas where training and support will ensure your staff know, and can confidently implement your continuity plan in the future. Post implementation, I can re-test your Business Continuity Plan on an agreed schedule helping you ensure your technical systems and business processes are always meeting the changing needs of your company.

Cyber Security

Protection of information is a complex and ever changing issue; company data requires the highest levels of protection from theft or attack. Information is the lynch pin of your business. Whether it’s order ledgers, accounts, sales pipelines, emails or personnel records – can your business afford to lose any of this critical information? In the modern world it is increasingly important to ensure that anti-spam and malware protection is effectively managed and up-to-date, helping you to avoid falling foul of malicious attacks such as CryptoWall.

I have experience with a number of security vendors ensuring your staff and technical infrastructure remains protected. By harnessing systems such as off-load scanning, deep packet inspection, latest generation anti-virus and firewall technologies, I work with companies to ensure their data is effectively safeguarded.

Border Security

I have significant experience deploying devices capable of providing intelligent packet inspection, web security filtering, anti-spam, email protection, VPNs and much, much more. All of these features help to keep your corporate data within the confines of your business, whilst keeping intruders and potentially malicious users firmly out.

DDoS Protection

Distributed Denial-of-service (DDoS) attacks are designed to prevent staff and clients from accessing your Internet based services. They are on the rise and have evolved into overwhelming, complex security challenges for companies of all sizes. Whilst DDoS attacks are not considered a recent phenomenon, the methods and resources available to conduct and mask such attacks have dramatically evolved. The complexities of many attacks cannot simply be addressed by traditional on-premise solutions.

I am experienced with anti-DDoS protection from a variety of vendors ensuring that all attack traffic which would normally affect your server infrastructure is either dealt with locally or automatically routed to a dispersed network of datacenters.

Two Factor Authentication

Whilst allowing remote access to parts of your network for staff or trusted clients can be extremely beneficial, it can also increase the risk of accidental or malicious data loss. I am experienced in providing simple but effective solutions that incorporate either token or smartphone based solutions, ensuring the external security of your data relies on more than just a password.

Integrated Anti-Virus and Anti-Malware

Malicious software or "Malware" is a harmful type of program intended to secretly access a device without the user's knowledge. There are many types of malware including spyware, adware, viruses, trojan horses, worms, rootkits, ransomware and browser hijackers.

The majority of malware victims are people who don't install updates to fix security holes, not just in Windows but also in Microsoft Office products, Java, Adobe Flash, Adobe Reader, and other widely-used programs. They're people who either don't run anti-virus software and firewalls, or don't keep virus signatures up to date. However, the rise of Ransomeware infections has demonstrated that in some instances, anti-virus programs and firewalls are not enough.

I am experienced with a comprehensive suite of products, providing a layered approach to the security of desktop, laptop and server environments. I combine different technologies in order to minimise potential exposure and even reverse infections and recover data if necessary.

Security Policies and Procedures

Policies and procedures form part of the information security management framework (see IT Governance) for implementing a set of best practice controls that can be applied based on the risks your organisation faces, in order to improve your security posture.

I have undertaken a number of projects requiring the creation of secure frameworks (predominantly ISO 27001 and PCI-DSS), that have subsequently passed stringent audit requirements in order to achieve compliance.

Incident Response

It is inevitable that some organisations may unfortunately be affected by unforeseen circumstances such as natural and manmade disasters or malicious activities, namely hacking or malware attacks. Whilst prevention is always the best course of action, it is important to respond in the correct manner when lapses occur to ensure any issues are not compounded with further problems.

I have worked with a variety consultancy companies during the last 15 years and have led a number of incident response teams. This experience has proven invaluable and resulted in a number of successful outcomes including the recovery of lost data following a significant ransomware attack and the prosecution of five separate hacking incidence.

Whilst all incident are unique, recommendations from the SANS Institute (together with NIST 800-61) form the basis of my work, namely Preparation, Identification, Containment, Eradication, Recovery and Follow Up.

IT Governance

The primary goals for IT governance are to assure that the use of information and technology generate business value, oversee management's performance and mitigate the risks associated with using information and technology.

I have been involved with security and governance since 2006 and undertaken a number of projects, ranging from a PCI-DSS audit for a national high street retailer to ISO 27001 implementations for energy companies, law firms and financial institutions. Engagements may comprise of gap analysis for 3rd party consultancy firms through to complete ISMS implementations.

ISO 27001:2013

ISO 27001:2013 is the international standard that describes best practice for an information security management system (ISMS) which is "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives".

This is specific to the organisation that implements it so no two projects are the same, and it can take anything from three months to a year for certification, depending on the scope. I assist companies by conducting a gap analysis and risk assessment, together with Management System documentation, policies and procedures, training requirements and an internal audit prior to certification.


The Payment Card Industry Data Security Standard is designed to increase payment card data security and decrease payment card fraud across the Internet. Companies that accept, store, transmit or process cardholder data must comply with the PCI DSS. Recent changes help organisations make the PCI DSS part of their business-as-usual activities by introducing more flexibility, and increasing focus on education, awareness and security.

Gap Analysis
The gap analysis compares where your organisation currently stands with where it needs to be in order to meet the full requirements of the Standard. I help identify where cardholder data is stored, processed or transmitted within your environment, and determine your cardholder data environment (CDE) – your ‘scope’ for PCI DSS compliance. Once the CDE has been established, I work with companies to reduce the scope, ultimately resulting in reduced resources and expenditure.

Cyber Essentials (Plus)

There are two types of certification: Cyber Essentials, which relies on self-assessment and an external verification by a certification body, and Cyber Essentials Plus, which relies on a more rigorous onsite assessment and internal scan by a certification body.

Cyber Essentials Implementation
Many organisations are able to conduct the self assessment questionnaire prior to the verification phase and vulnerability scan. However, there are instances where some companies are not comfortable answering security questions or unsure whether the infrastructure meets the required standard. I can implement the necessary security measures, compile the required documentation and even undertake an external scan prior to the assessment, meaning you can be confident in gaining the accreditation first time.

Cyber Essentials Plus - Gap Analysis
Cyber Essentials Plus is a more rigorous process involving all of the requirements for the 'base' Essentials certification but also includes internal vulnerability scans and a more detailed review of processes. I aim to find out whether the Cyber Essentials controls have been correctly implemented and to check whether known vulnerabilities have been addressed.

Frequently Asked Questions

Are independent audits really necessary?

I believe that companies of any size can benefit from and independent review since it can either confirm the client's current security position, or highlight issues they were unaware of.

In addition, the review can be undertaken in isolation or to underpin a planned technical engagement or business change.

What geographic areas do you cover?

Whilst my availability is national, the majority of work is undertaken in London and southern England (Dorset, Wiltshire, Berkshire, Hampshire, West Sussex, East Sussex, Surrey and Buckinghamshire). For short engagements, I am also available for international work as well.

Isn't Business Continuity the same as Disaster Recovery?

No. Whilst both topics are closely related (and often combined), there are fundamental differences.

Disaster Recovery refers to specific steps taken to resume operations in the aftermath of a catastrophic natural disaster or national emergency. Business Continuity describes the processes and procedures an organisation must put in place to ensure that mission-critical functions can continue during and after a disaster.

My company has had a security breach - can you help?

Absolutely! I have worked on numerous security related projects during the last 15 years and have assisted companies with all manner of security related matters, from data recovery and DDoS attacks to disgruntled employee issues.

Furthermore, I have worked with a number of police forces and prepared reports resulting in successful prosecutions for security related matters.

Providing a helping hand when required

  1. Discussion

    Actually, I'll start by listening to you about potential problems and requirements enabling us to agree a way forward.

  2. Audit

    Depending upon your requirements, this phase isn't always necessary. However, when a company is looking to improve security or achieve compliance, it is important to fully understand where the start point is. I discuss the scope with all stakeholders prior to starting the project in order to ensure all of the deliverables are achieved.

  3. Assess

    The findings of the audit are assessed and a gap analysis (if applicable) is undertaken. The results and subsequent recommendations are compiled into a report for review and agreement prior to the next phase of the project.

  4. Implement

    Following the assessment, there are a number of ways I can help implement the recommendations; either work with existing teams providing guidance and an extra pair of hands or undertake all the work on an outsourced basis.