Secure South West 12: Speakers

The twelfth Secure South West (SSW12) event was hosted by Plymouth City Council on the 22nd March 2019 and offered six presentations delivered by experts drawn from industry and academia, and a panel session. The event was sponsored by Securious Limited; and the south west branches of BCS - The Chartered Institute for IT and the Institute of Information Security Professionals.

A laypersons guide to the impact of quantum computers on secure communication today
Graham Bartlett (Cisco)

Download slides

Most methods of secure communication are based on the assumption that breaking the underlying mathematical method is too hard for classical computers. Quantum computing is a new way of computing, one that could provide the ability to perform computations that are practically impossible using today's computing technologies.

Quantum computers will result in many of the secure communication technologies used today to be easily broken. Experts are predicting such quantum computers could become a reality within the next 10 years.

For many organisations, moving to quantum computer resistant (QCR) solution is not going to be trivial. It has been dubbed the next "Y2K" problem. No one can predict if or when quantum computers will become a reality, unlike the "Y2K" problem the timeline for when a commoditised quantum computer is indefinable.


Graham is the lead consultant for Cisco’s Cyber Security Consultancy services; an NCSC certified Information Assurance Architect and Security and Information Risk Advisor.

He has a passion for applied cryptography; discovering a number of high severity zero-day vulnerabilities in addition to having intellectual property patented and published as prior art.

Graham is active in the creation of industry standards. Recent research areas includes software-defined WAN (SD-WAN) and the threat of quantum computers.

Graham is a published author, CiscoLive distinguished speaker and has developed Cisco security exam content. He holds a BSc (Hons) in Computer Systems and Networks from the University of Plymouth, Cisco Security Ninja black belt, CCIE and CISSP.

Graham Bartlett

Adopting Modern Security Practices on the Azure Platform
Tristan Edwards (Grey Matter)

Download slides

For many companies cloud security is at the top of the list when it comes to planning a migration and choosing a cloud platform. In this session, we will cover how you can adopt modern security best-practices in the cloud to keep your solution secure and enhance your cloud deployment, with a specific focus on Microsoft Azure.

We will cover and demo a selection of tools like Azure Security Centre, adopting web application firewalls, DDoS practices, Azure Active Directory and Enterprise Mobility & Security. By the end of the session you will have a better understanding of the collection of security tools available to you through Microsoft Azure. You’ll also have the knowledge needed to create secure solutions in a secure cloud environment.


Tristan Edwards is an experienced Cloud and Infrastructure Solutions Architect certified across a range of Cloud Platforms including Microsoft Azure, Amazon Web Services and Alibaba. Tristan has over 15 years of experience working in the IT industry. He is currently acting as Group Head of Services at Grey Matter, a Cloud Services and Software Licensing company based in the Devon town of Ashburton.

In his current role, Tristan manages a Team of 8 technical engineers and architects that work closely with Grey Matter’s customers to seamlessly deliver a range of IT solutions and services including, cloud and data migration and deployment, application re-architecture, dev/test environments, Cognitive and AI integration, and backup and disaster recovery. Tristan regularly provides technical sessions for workshops and Hacks at locations across the country.

Tristan Edwards

A whitebox approach to Red Teaming in industry
David Fergusson (Bank of England)

Download slides

Security Red Teaming provides a more realistic picture of the security readiness of an organisation against hackers. A whitebox approach seeks to deliver a wider set of results, at a lower cost and less risk to the business than a traditional blackbox test. Thus helping the organisations understand the kill chain and how the detect and react defences handle to a range of adversaries.


David Ferguson is a Senior Manager in the Technology Security Department at the Bank of England. Previously a University of Plymouth graduate in Computer Systems and Networking (CSN), who now has over a decade of experience in Information Security. Having worked for IBM, a security start-up and most recently the Bank of England, David has practical expertise in strategic leadership across multiple cyber security disciplines, including, risk management, cyber resilience, security architecture, SDLC, penetration testing and vulnerability management across multi-disciplined, global organisations.

David Fergusson

Engaging With The Bored – Overcoming Executive Apathy by Answering the Tough Questions!
Chris Hodson (Tanium)

Download slides

CISOs have the difficult job of delivering meaningful metrics to a Board of Directors that is not comprised of security professionals. In order for them to communicate security and risk effectively, the CISO needs to convey indicators of the company’s security posture in a manner which is informative and tailored to the audience. The c-suite require security metrics which align to business objectives, yet a percentage of security leaders continue to provide quantitative figures associated with malware outbreaks and esoteric security non-compliance. Other security leaders go down the ‘Red, Amber Green’ risk matrix route providing a lack of actionable data and a misunderstanding of their company’s exposure. If the security function wants a return seat at the executive table, the CISO needs to have answers to the difficult questions of visibility and business resilience. These are the same questions which have required answers for nearly two decades, made infinitely harder to answer in a world of endpoint heterogeneity, dynamic workloads, cloud computing and exponential growth in data creation. In this plenary session, Chris Hodson, Tanium’s EMEA CISO will give his opinion on some fundamental security questions which many CISOs deem ‘unanswerable’ - a position which leaves business executives wondering why they bothered investing in cybersecurity in the first place. Perhaps we cannot answer the age-old ‘when we will be secure?’, however, there are other questions that the security function should regularly be reporting to their executive community.


Chris Hodson is the CISO, EMEA at Tanium. Chris is an information security, data privacy and risk management leader with an SME background in strategy, architecture and design. He possesses 18 years' professional experience obtained across the financial, retail, energy and media industry sectors. In early 2016, Chris made the move from end-user into the vendor space with Zscaler, where he operated as CISO, EMEA and Data Protection Officer. As a CISO, Chris is a trusted advisor to executives, board members and other stakeholders, helping them define well-balanced strategies for managing risk and improving business outcomes. Chris holds an MSc in Cyber Security from Royal Holloway and retains an active role in the Infosec industry through directorship of the IISP and membership of CompTIA's Cyber Security Committee.

Chris Hodson

Quantitative risk assessment for cyber security
Simon Marvell (Acuity Risk Management)

Download slides

Acuity Risk Management is the developer of the STREAM cyber risk management platform - CIR Magazine’s Cyber Security Product of the Year for 2018. London based, Acuity provides its customers across 24 countries with exceptional business-oriented visibility of their cyber risk status with support for Enterprise-wide quantitative and qualitative risk assessment integrated with: threat and vulnerability management; incident and event management; and, action management, enabling business risk-based decision making.



Simon Marvell

Protecting your organisation from Cyber Crime
Sam Parsons (South West Regional Cyber Crime Unit)

Offering nationally recognised guidance on how to protect your organisation, we will analyse case studies from investigations our unit have been involved in, and outline the steps which could have prevented those organisations from becoming victims. We will also discuss current and future threats, and explain how to defend against them. Our advice is delivered in an easy to understand format and suitable for all business owners.


Sam is a Cyber Protect and Prepare Officer with the South West Regional Cyber Crime Unit (SWRCCU). Her role is to offer free, impartial advice to organisations from any sector across the South West and support organisations who have been a victim of a cyber attack. Sam also helps organisations to prepare for the event of a cyber-attack via interactive table top exercises and scenario-based workshops.

Sam Parsons

PANEL: Profiling, personalisation and prediction – what about principles, privacy and protection?

Data aggregation, user profiling, behaviour prediction … technology allows us to do all of these things to the benefit of enhancing services, personalising the user experience, and refining the things that businesses can offer to customers. In addition, similar core techniques can also be used in security monitoring and threat intelligence. However, as data collection and profiling technologies advance, are we losing track of the privacy and ethical issues involved, and is the data itself receiving sufficient provision in terms of security?


Steven FurnellSteven Furnell (Professor of IT Security, University of Plymouth)

Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at the University of Plymouth in the United Kingdom, an Adjunct Professor with Edith Cowan University in Western Australia, and an Honorary Professor with Nelson Mandela University in South Africa. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is the current chair of Technical Committee 11 (Information Security and Privacy) within the International Federation for Information Processing (IFIP), and a Board member and Fellow of the Institute of Information Security Professionals (IISP). He is the author of over 300 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society, and Computer Insecurity: Risking the System. He is also the editor-in-chief of Information & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).


John FinchJohn Finch (Information Governance Manager, Plymouth City Council)

John Finch is the Information governance manager for Plymouth City Council, responsible for Data protection, security policy development and management, managing the Information Asset Register, managing security incidents, providing security advice for the Council and partners, providing security awareness education for senior management. John is a current CISSP, and undertook an IT masters degree at Plymouth University in 2001, with a thesis in Approaches to establishing IT security culture.

Andy PhippenAndy Phippen (Professor of Social Responsibility in IT, University of Plymouth)

Andy Phippen is Professor of Social Responsibility in IT at the University of Plymouth. His research interest lies in the exploration of the use of technology in relationships, online safety and digital resilience and the ethical and professional practices in the IT sector.

Andy has worked with the ethical and social responsibility, and how technology impacts in the social world, with companies such as BT, Google and Facebook. In the last ten years he has specialised in the use of ICT by children and young people, carrying out grassroots research on issues such as sexting, pornography, cyberbullying and online harassment.

Andy's research contribution to online safety for young people is vast, as is his impact on policy. His book Children’s Online Behaviour and Safety: Policy and Rights Challenges was published in October 2017.

Pete WoodwardPete Woodward (Securious)

Pete Woodward is a co-founder of Securious, a Cyber Security Compliance Company based in the Science park in Exeter. He has a wealth of knowledge around cyber security, system architecture and networks. Pete is a CISSP and a Payment Card Industry (PCI) Qualified Security Assessor (QSA). He works with organisations to help them achieve PCI DSS compliance and assess them against the PCI Data Security Standard. Pete comes from a military background, and has worked on security projects in the public and private sectors for organisations including Devon and Cornwall Police, Met Office, Capita, BP, HP and some of the UKs largest retailers. He co-founded the South West Cyber Security Cluster, a not for profit collaboration working with the police to raise awareness in the region around current Cyber Security threats, and with the vision to establish a ‘Centre for Cyber Excellence’ in the South West.