Dr John Leach
Summary of my capability and experience
I am an acknowledged Information Risk and Security expert with over 25 years’ experience helping blue-chip clients address strategic risk management problems and build enterprise-wide security improvement programmes.
I have a deep technical background (including a science Ph.D.) plus a wealth of experience in the information security and risk management fields. This enables me to work closely with technical people whilst assisting top-level security and business management to address pressing security needs. I can communicate the value and benefits of improved security to C-level business management, design security programmes in response to governance and business objectives, and deliver improved security management systems and technical controls. I have helped clients in the areas of Security Governance, Security and Controls Frameworks, Identity Assurance, Privacy Protection, Risk Modelling, Risk Metrics and Dashboards, Security Monitoring, and the use of security data to create meaningful results and improve risk management decision making.
I continue to provide consultancy services across a wide range of topics in the risk management and security field. My mission is to provide innovative thought leadership and high-value consulting services, working with national and international clients, private and public sector organisations, assisting in strategic risk management and the meeting of security needs. I bring extensive and deep experience and skills to all the projects I undertake.
I have worked for clients in the UK, Europe, USA and Asia. I have delivered numerous training courses and workshops for clients, and presented at public conferences on a wide variety of subjects. I was an active member of the Management Committee for IAAC, the Information Assurance Advisory Council, from May 2002 until March 2011, and led their widely-acclaimed research programme for five years. I am a member of the International Board of Referees for Computers and Security, and a peer reviewer for IEEE Security and Privacy.
The work I undertake tends to fall into the following three broad categories.
♦ Helping clients use security data to create meaningful results that support risk management decision making. That data could be threat data, vulnerability data, countermeasure data, compliance data, incident data, staff data, almost any data that clients might gather from within their own systems and environments. I use my security experience and data analysis skills to help clients extract the insights buried within that data and build the risk or other indicators they need to support the risk management decisions they are trying to address.
♦ Creating innovative solutions to difficult problems, often taking on problems that other consultants who lack my analytical training would not be able to take on. This includes many leading-edge client projects as well as the research work I undertook for the IAAC.
♦ Strategic projects for clients who need the very best calibre skills and experience to ensure important projects are delivered correctly or to supplement the breadth, depth or specialist knowledge of their existing security teams.
The following are a few examples to illustrate the scope of my experience.
The use of security data
♦ Working with a High Street brand and with a leading trading firm to develop threat models and risk models that helped them get greater consistency and insights from their compliance assessments.
♦ Working with MessageLabs to calculate the security added-value that their hosted e-mail service provided and to compare that to a competitor's service. (To read the results from this very interesting work, please go to Articles and Papers.)
♦ Working with a Netherlands-based global medical devices company to show how TBSE could apply to a wide range of corporate security challenges.
♦ Working with a London-based international bank to develop a new way to assess and present system and operational risk.
Innovative solutions to difficult problems
♦ Directing IAAC's People-Centric Information Assurance research.
♦ Directing IAAC's Identity Assurance research.
♦ The research for, and full development of, Threat-Based Security Engineering (TBSE).
♦ The research for, and full development of, a Taxonomy of Threats, Attacks and Incidents.
♦ A thorough analysis of the security issues raised by breaking the original SET paradigm.
♦ The development of a policy framework and the complete suite of structured and standardised security policies contained within that framework.
♦ (In partnership with Colin Watson of Watson Hall Ltd.) articulating the business case for the protection of privacy, for the UK ICO. (This report was launched by the ICO at its Data Protection Officer conference in Manchester on the 3rd March 2010.)
♦ The assessment of a number of GRC products for an international bank.
♦ Devising a multi-million pound Security Improvement Programme for a global manufacturing company.
♦ The development of a security monitoring service model.
♦ Directing a multi-national team providing eCommerce assistance to an Oil major.
♦ Developing a Global Security Framework for a London-based international bank.
♦ The development of a Logical Access Control Framework for a London-based financial services provider.
♦ The definition of security frameworks and strategies for numerous clients.
♦ The development of PKI strategies for a number of clients.
♦ The review of a novel use of RSA techniques for remote authentication.
♦ The provision of a suite of Voice Security services.