Twenty-eight years inside the perimeter.
The home page is the elevator. This page is the corridor afterwards — what the hands have actually been doing, why I keep them on the keys when the title says I shouldn't, and what the chair in the boardroom is for.
Things I haven't delegated.
Most CEOs in this corner of the industry have politely stopped touching the consoles. Here is the short, honest list of what I still do myself — and why.
THE GAP — between the room where the kettle's on and the room where the chair's asking is where most cyber security goes wrong.
What fills the time the keyboard doesn't.
Each of these has taught me something I still use at work — but mostly I do them because I like them.
I race endurance GT in the Pro/Am class around the world. The 12- and 24-hour races combine endurance, strategy, trust and deep team working. The half-hour after the chequered flag, when the data download lands and you work out what actually happened versus what it felt like in the car, is the part I came for. Same shape as a post-incident review; better fun and catering.
Standard aerobatic rating · a Pitts S-2A out of Old Buckenham. Half the discipline is in the briefing room: knowing the recovery from every attitude before you go anywhere near the runway. The other half is doing precisely what you briefed. A lot of planning, a lot of practice and a reliance on the team both on the ground and in the air.
Yachtmaster offshore · short-handed racing and cruising out of the Solent and Gibraltar depending on the time of year. Everything I know about redundancy I was taught by the boat that ran out of it forty miles offshore in a force seven. Belt, braces, second belt.
Brisket, beef ribs, picanha. A ceramic kamado for clean smoke; a stone-built oven I made myself for the heavy lifting. The recipe is patience, an air probe, and the willingness to trust the cooker more than the clock. Multiple championships and reserves won over the years.
The letters after the name.
Listed in the order they're useful, not the order they were earned. Each one is here because the work asked for it, not the other way round.
Fellow of the British Computer Society, royal-chartered. The one credential that says "a body of peers thinks this person should be allowed to keep doing this." It travels well in rooms that distrust acronyms.
The ones you sit a lab for, not a multiple-choice. They're proof I can still find my way around someone else's network when nobody is helping. I keep them current because the day I can't is the day I should stop signing off pentests.
CISSP is necessary because clients ask for it; don't read too much into it on its own. CISM and GCIA are the ones I actually use — programme-level governance and packet-level analysis, which is most of what a CISO's week is.
The unglamorous half of the job. Not certifications — working familiarity, earned by writing the responses, sitting across from the regulator, and watching what gets accepted and what gets sent back.
Led from page-out to resolution. Some were quiet. A handful made the papers. The figure isn't a trophy — it's the reason a lot of the advice on this site is shorter than people expect.
If you've read this far, you probably have a specific question rather than a general one. Ask it directly — the contact channels on the home page are the same ones I read every morning.