Résumé
My career so far!

Collingwood College, University of Durham

October 1979 to June 1982

I was an undergraduate in Collingwood College , taking a B.Sc. in Physics . I graduated with an upper-second-class (2/i) honours degree in June 1982.

October 1982 to April 1986

I was a graduate student, still in Collingwood College, doing research for a Ph.D. in Theoretical Physics, in what’s now the Centre for Particle Theory . I encountered a few problems with my final piece of research that prolonged completing my thesis, “Signatures of new particles at high-energy colliders”. But I did in the end. On 1 April 1986. Well, I thought it was appropriate.

Most of my research involved computer simulation of high-energy collider events using the Monte Carlo method . The programs were written in FORTRAN, using CMS, and run on a VM  mainframe at the Rutherford Appleton Laboratory . I also learnt Rexx , a neat scripting language, handy for writing utilities.

And for fun, I learnt structured programming in BBC BASIC  on a BBC Micro .

GA Life

Applications Development

July 1986 to October 1987

The programming skills I’d developed during my postgraduate research led me to a career in information technology, starting as a programmer in applications development for General Accident Life Assurance Ltd. in York. My initial training was in COBOL, and it was quite a change, and something of a struggle, to be formally trained in a programming language, with video instruction, exercises, and so on. I also learned – in the less-structured, experiential way that I prefer! – SAS , SELCOPY , and S/370 assembler (now subsumed within High Level Assembler (HLASM) ).

IT Standards & Training

October 1987 to April 1991

In 1987, after 15 months in applications development, I moved to this newly formed team: it was the first time GA Life had had someone looking after the technical training of IT staff full time. By the time I left the team, there were two other technical trainers and one administrator reporting to me. (Subsequently the team was absorbed by the company’s training department.) I had some fun, but I realised that I was a techie who enjoyed training rather than a true trainer, and got itchy feet. A vacancy arose in the IT Security team (within the same department), but it was a year before my manager was able to recruit someone who he thought was a suitable replacement – which was something of a compliment, I guess.

Information Security Management (ISM)

April 1991 to July 1998

The IT Security team, as it was when I joined it, dealt primarily with security for GA Life’s mainframe systems, using both IBM’s RACF  and an in-house Access Management (AM) system. One of the major projects I worked on was migrating AM (and other legacy access control mechanisms) to RACF. One of the features of this migration was to let our personnel system “drive” RACF: when an employee started work, a RACF user profile was created automatically; when an employee left, their RACF user profile was deleted automatically; and so on. I wrote many of the programs that enabled this, in SAS and my old friend Rexx, recently available on MVS.

Over the years, the team’s responsibility grew beyond the mainframe and technical issues – and we lost our administrators to the IT Help Desk (not a change I was ever happy with). To reflect our changing role, and inspired by BS 7799:1995, we re-branded ourselves as Information Security Management. Nevetheless, however hard we tried to position ourselves as an “executive agency” that would promote and enable information security throughout the company, we always seemed to be dragged back to being mechanics fixing problems for the administrators and applications developers. This was often fun, but more often not, and certainly didn’t further our strategy!

One of the things that was fun was playing with our RACF administration and auditing solution: Consul/RACF+Audit (now part of the IBM Tivoli zSecure Suite ). In fact, at one time it seemed to be so much fun that I thought I’d like to do it full time. So I did… (nearly).

Software Europe

Security Solutions

July 1998 to August 2000

Here I was a Technical Consultant and product manager for security solutions from CONSUL Risk Management b.v. (now part of IBM Tivoli ) – the bulk of my time was spent playing with… sorry, providing first-line support for Consul/RACF+Audit, and promoting Consul/Enterprise Audit (later Consul/eAudit, Consul InSight Security Manager and now Tivoli Compliance Insight Manager ), a then-innovative consolidated audit trail data management and reporting solution – and others, including for a short while Schumann’s Security Administration Manager (SAM – later from SYSTOR Security Solutions Gmbh and now – since early 2003 – from Beta Systems Software AG).

See: Security Matters.

Gartner

Information Security, Risk Management, Privacy and Compliance (SRPCo)

August 2000 to present

I started with this company as a senior research analyst. In October 2001, I was promoted to research director, and, on 1 April 2005, to research vice president.

My research covers information security and risk issues, with a strong focus on identity and access management technologies, products, services, and program management issues. A large part of my time is given to writing reports on individual solutions and on broad areas of technology.

While I try to wear two hats, I have but one head: Please note my disclaimer!