Specialisation
Threat modelling, secure architecture, and enterprise risk advisory at the highest level.
Cybersecurity is approached as a discipline that intersects technology, human behaviour, and organisational culture. The advisory practice is built on hands-on technical expertise combined with the strategic perspective gained through enterprise consulting at KPMG and years of building and securing production systems.
Effective cybersecurity begins with understanding what you are protecting, from whom, and under what constraints. Structured threat modelling engagements use established frameworks (STRIDE and PASTA for enumerating threats against a system's assets and data flows, MITRE ATT&CK for mapping those threats to documented adversary tactics and techniques) to systematically identify, prioritise, and communicate risk across complex technology environments.
The output is not a checkbox exercise but a genuine strategic assessment: a clear picture of the threat landscape facing the organisation, the controls currently in place, and the residual risk that requires attention. These assessments inform both technical security programmes and board-level governance decisions.
Security architecture is not an afterthought — it is a design discipline. Security thinking is brought into the earliest stages of system design, ensuring that confidentiality, integrity, and availability requirements are embedded in the architecture rather than bolted on after the fact.
The approach covers network segmentation, zero-trust architecture, secrets management, identity and access management, encryption at rest and in transit, and secure API design — applied across cloud-native environments, hybrid infrastructure, and on-premises enterprise systems.
With expertise in applied cryptography, advisory covers the selection and implementation of cryptographic primitives appropriate to specific use cases — symmetric and asymmetric encryption, hashing algorithms, digital signatures, public key infrastructure (PKI), and zero-knowledge proof systems.
Poor cryptographic implementation remains one of the most common and costly security failures, and it is rarely a broken algorithm: far more often it is a sound primitive misused, such as encryption without authentication, a reused nonce, or a key that is hard-coded or never rotated. Cryptographic decisions are therefore made with full understanding of their implications, including forward secrecy, key lifecycle management (generation, storage, rotation, and revocation), and post-quantum considerations.
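The following Go program is an added illustration of the kind of implementation failure described above; it is not code from this page or from the advisory practice. It contrasts unauthenticated AES-CTR, where an attacker who knows the plaintext layout can rewrite a field without the key, with AES-GCM, which rejects the same tampering. The all-zero demo key, the message format, the field offset and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a fixed all-zero AES-256 key, used only so the example is reproducible.
// Real keys come from a KMS or a KDF, never from source code.
var demoKey = make([]byte, 32)

const gcmNonceSize = 12 // cipher.NewGCM uses a 96-bit nonce

// encryptCTR is the weak pattern: AES-CTR with a random IV but no authentication tag.
// Output layout is iv || ciphertext.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCTR reverses encryptCTR. It cannot detect tampering: any ciphertext
// of sufficient length "decrypts" to something and is returned without error.
func decryptCTR(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(pt, data[aes.BlockSize:])
	return pt, nil
}

// sealGCM is the hardened pattern: AES-GCM (an AEAD) with a fresh random nonce per
// message and the tag appended by Seal. Output layout is nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM verifies the tag before returning any plaintext; a single flipped bit
// in the nonce, ciphertext, tag or associated data makes it return an error.
func openGCM(key, data, aad []byte) ([]byte, error) {
	if len(data) < gcmNonceSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, data[:gcmNonceSize], data[gcmNonceSize:], aad)
}

// flipKnownBytes is the attacker's move, performed without the key: in any stream
// mode ct[i] = pt[i] XOR keystream[i], so XORing (old XOR repl) into a ciphertext
// byte changes the decrypted byte from old to repl. prefix is the length of the
// IV or nonce that precedes the ciphertext.
func flipKnownBytes(data []byte, prefix, offset int, old, repl []byte) []byte {
	out := append([]byte(nil), data...)
	for i := range old {
		out[prefix+offset+i] ^= old[i] ^ repl[i]
	}
	return out
}

func forgeCTR(data []byte, offset int, old, repl []byte) []byte {
	return flipKnownBytes(data, aes.BlockSize, offset, old, repl)
}

func forgeGCM(data []byte, offset int, old, repl []byte) []byte {
	return flipKnownBytes(data, gcmNonceSize, offset, old, repl)
}

func main() {
	msg := []byte("amount=0010;to=alice") // constructed sample; "0010" starts at offset 7
	ct, _ := encryptCTR(demoKey, msg)
	pt, _ := decryptCTR(demoKey, forgeCTR(ct, 7, []byte("0010"), []byte("9999")))
	fmt.Printf("CTR, no tag: %q (accepted)\n", pt)

	sealed, _ := sealGCM(demoKey, msg, []byte("transfer/v1"))
	_, err := openGCM(demoKey, forgeGCM(sealed, 7, []byte("0010"), []byte("9999")), []byte("transfer/v1"))
	fmt.Printf("AES-GCM:     %v\n", err)
}
```

Run with `go run`: the first line prints the forged transfer accepted as valid plaintext, the second prints the authentication failure. The same malleability applies to CBC (by flipping bytes in the preceding block) and to any construction that omits a MAC or AEAD tag. GCM's guarantee in turn depends on never reusing a nonce under one key, so with random 96-bit nonces the key must be rotated well before the number of messages approaches the order of 2^32, which is where key lifecycle management enters.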
Board-level and C-suite cybersecurity advisory, drawing on KPMG experience, includes security programme maturity assessments, CISO advisory support, compliance strategy for regulations and standards (GDPR, NIS2, ISO 27001), and incident response preparedness.
Technical risk is translated into business language — enabling leadership teams to make informed decisions about security investment, risk acceptance, and programme prioritisation without requiring deep technical expertise.
Penetration testing, when properly scoped and conducted, provides invaluable assurance about the real-world security of systems and applications. Advisory covers testing programme design — defining scope, selecting testing methodologies, managing testing engagements, and interpreting and prioritising findings.
The aim is testing that delivers genuine value rather than compliance theatre: findings are connected to business risk, prioritised accordingly, and used to drive remediation that measurably improves the security posture.
Application security advisory draws on extensive experience integrating security into the software development lifecycle: DevSecOps practices, static and dynamic analysis (SAST and DAST) tooling, dependency and supply-chain vulnerability management, and secure code review. A hands-on software engineering background makes it possible to work alongside development teams, rather than across from them, to build security in from the ground up.