INFORMATION SECURITY
AND RISK MANAGEMENT

I have held multiple roles in the field of information security, with expertise in policy and standards, practical applications, tools, projects, risk management, metrics,  investigations, stakeholder management and managing outsourced services. This included three years as head of Global Infrastructure Security for Shell, based in Malaysia, and two years leading the CyberSecurity Transformation Programme for the UN High Commissioner for Refugees (2018-20), after which I was appointed as their first CISO in September 2020.

in KL, I led a team of 30-60 managing directly or via contract the security, regulatory compliance and BCPs and DRPs for all Shell's infrastructure, both insourced and outsourced. We covered circa 120,000 PCs, 20,000 servers, a dozen data centres and global networks to hundreds of locations, and the common services which supported them. We worked collaboratively with teams from each of our three partners to deliver security in an outsourced model, to identify issues and get them fixed and to deliver sustainable improvement to Shell's security architecture. During this period I had to lead the response to more than one major incident relating to the security or operational integrity of the corporate infrastructure.

 Areas of personal experience and expertise include:
* Security metrics
* Sarbanes-Oxley controls
* Regulatory compliance for IT 
* Security project and programme delivery
* BCP and DRP in theory and practice
* Security risk identification and management
* CERT and incident investigation and response.

* Malware detection and response
* Advanced Persistent Threat (APT) response
* Vulnerability management and device hardening
* Rogue device detection and removal
* Intrusion detection and prevention (IDS and IPS)
* Multi-factor authentication
* Internet content filtering.