A bit about me.

I’m a cybersecurity and finance specialist, with a background in global financial services and the public sector.

You wanted more? Here goes then:

  • I worked as a financial auditor at KPMG, working with large tech firms

  • I worked as an internal auditor for education, health and local government, specialising in data analytics (IDEA) and computer forensics (EnCase).

  • I built an online application development business, with clients including the UK Government and retailers

  • I worked as a Computer Auditor for a major retail lender

  • I moved into Information Security, as CISO (Chief Information Security Officer) at Skipton Group (see profile in Infosecurity Magazine), then similar roles at State Street, Brevan Howard, and Willis Towers Watson (see profile in Wall St Journal, InformationAge).

  • I was elected to Bradford Council, serving for 10 years as a Councillor (local politician), chairing corporate services, scrutiny, and licensing - overseeing a £1bn+ budget process and implementing new legislation.

  • I served as Chair of the Audit Committee and a Director of Bradford Community Housing Trust Group (now incommunities) during a period of major renewal and investment in social housing stock.

  • I was one of the first Governors of NHS Foundation Trusts when they were brought in by the then Labour Government, serving on Bradford Teaching Hospitals NHS Foundation Trust, and also working to set up and serve on the board of the Foundation Trust Governors Association, seeking to improve the information that supports Governors' decision-making.

  • I advised the next Conservative Government on urban regeneration policy.

  • I stood for election to Parliament, unsuccessfully in 2010 (though looking back, it seems I did get the best swing in 20 years so it wasn’t a bad effort!).

  • I’ve worked with a range of fintech startups, from developing a new business line and software solutions to quantitatively model and advise on cyber risk at Willis Towers Watson, to supporting Appital as a cyber security advisor and NED.

  • I’ve set up and run a number of non-profits, most recently the Channel Islands Information Security Forum.

  • I’m currently Director of Jersey Cyber Security Centre and a Commissioner at the Jersey Financial Services Commission.

  • I don’t know what the future holds. I’m sure it will be a surprise.

Say hello.

If you’d like to chat, perhaps about something you or I are working on, or something on this website, please do get in touch.

(a quick note: if you just want to sell me something, there’s really no need - I value both your time and mine, so will not trouble you with a reply).

Ok, but what is this website for?

For most of the time since I left politics this site had no clear purpose. Now it does.

I have a particular interest in how we make good risk decisions.

Why? Firstly, because there’s a lot of evidence that we make bad decisions about risk. Secondly, because deciding how to use limited resources to get the best outcome (i.e. capital allocation) is what propels humanity forward, more so than anything else. And thirdly, because doing it well is hard, doing it well with cyber and technology is harder, and hard things are interesting. Particularly once you’ve had plenty of professional experience trying to do the hard things right (and not always succeeding).

That’s not the same as saying I have all the answers, but bear in mind that almost nobody actually talks about this at all outside the financial markets. Not boards, not executives, and definitely not cyber security leaders. Business decisions are mostly a lot more finger in the air. How many proposals for investment in capability have you seen that really explained what the return would be on outcomes and risk? Likely none.

Which has a bigger impact on earnings: investment in marketing, or in cyber security? We don’t know, because nobody asks.

As a result, companies have big, easily avoidable incidents that impact earnings and trust - sometimes critically.

Which leads to better clinical outcomes: more doctors, or a better patient records system? We don’t know, because nobody compares the benefits of each.

As a result, spending more on healthcare doesn’t always lead to better health.

Which policy is best for economic development: connecting regional cities to the Capital, or connecting regional cities to each other? Again, we don’t know.

For the consequences, just look at HS2 vs Northern Powerhouse Rail.

But it gets worse.

Very often, there can be vested interests that actively don’t want to know; after all there are no votes for politicians in calling for more hospital administrators, any more than there are business charts linking better internal control with sales growth. And that’s often true even when these investments are clearly what’s best for the patients or the shareholders!

Yet “I guessed” is neither a good defence when things go wrong, nor a good justification for spending people’s time and money.

So what’s holding us back from fixing this?

Deep-rooted dogma and assumptions; a need to replace qualitative risk assessments with quantitative risk management; a lack of time or skills; an assumption that what we do today is ‘good enough’; or the assumption that we never get fired for making the same mistake everyone else makes, even if we know better? Perhaps some or all of these.

I believe we can do better, but I don’t have a magic wand so I try to keep learning and keep sharing. This website is about sharing. If it helps others bridge the gap between executive leaders and their boards so they can have better conversations about risk and reward, and use resources more wisely as a result - well, that’s what it’s all about.

If you’d like to read it, check out the links below.