Security Architecture,
Engineering and Management

Services

Tim D Williams delivers expert, ethical advice in all aspects of security architecture, security engineering & security management based on over 30 years of real-world experience, backed by extensive relevant qualifications & ongoing cutting-edge research.

Services which Tim is highly competent to deliver include:

• Security Team Leadership and Interim Management

• Security Governance, Budgeting and Oversight (referencing ITIL, COBIT, COSO, Sarbanes-Oxley, UK Corporate Governance Code and other relevant authorities)

• Security Operations and Continuous Service Improvement

• Security Training, including Agile Security coaching, DevSecOps, Cloud Security Auditing and secure CI/CD enablement

• Data Protection Training, including GDPR, UK Data Protection Act (DPA), US Health Insurance Portability and Accountability Act (HIPAA) and California Consumer Privacy Act (CCPA)

• Security Threat Modelling

• Security Risk Assessments

• Security Requirements Analysis

• Security Architecture Development (referencing SABSA, TOGAF, NIST, CIS, MODAF and other relevant authorities)

• Cloud Security Architecture (including AWS, Azure and Google Cloud Platform)

• Security Due Diligence (both on vendors and responding to customer audits)

• Security Procurement Support (client-side) and Proposal/Bid Support (vendor-side)

• Security Engineering Solution Development

• Security Design Reviews

• Security Code Reviews (fully manual and partly-automated: static/dynamic/ interactive, referencing OWASP, MITRE, SANS, WebAppSec, SafeCode, SEI-CMM and other relevant authorities)

• Infrastructure Vulnerability Assessments and Mitigation Plans

• Web Application Penetration Testing

• Applied Cryptography spanning:

  - Asymmetric Cryptography: Algorithms (RSA, Diffie-Helman, ECC etc.), PKI, Web of Trust, Digital Certificates & Signatures, Key Lifecycle Management, HSMs, Encryption at Rest & In Transit including IPSEC, SSL/TLS & threats & mitigations.

  - Symmetric Cryptography: Algorithms (AES, DES, 3DES etc.), Assured Hardware Sources of Entropy, Key Encryption Key (KEK), Data Encryption Key (DEK) & Key Rotation methods.

  - Keyless Cryptography & primitives: Hash Functions, Pseudo Random Number Generators & One Time Pads.

  - Human & Social aspects of Cryptography: Certificate Authorities, Registration Authorities & crypto custodian duties.

  - Assurance Schemes: Common Criteria, FIPS, eIDAS, PCI-DSS etc.

If you would like to engage Tim as a trusted security advisor, he is open to negotiation about all* aspects of the requested engagement including scope, work location, duration and rates.

* subject to requests not involving any actual or apparent conflicts of interest.

Approach

Tim’s approach to security architecture & engineering is guided by the truth that: 

“Attacks always get better; they never get worse" (1) 

The inescapable implication is that all security solutions absolutely need to be designed for continuous improvement, keeping in mind that when new exploits emerge anywhere in the world they will quickly be automated and become available at low cost to unskilled threat actors.

Simply being able to mitigate today’s known threats is not nearly enough. A sustainable and agile approach to security design is needed - one which allows for continuous, rapid and economical integration and exploitation of new security capabilities. That means constantly maintaining “big picture” awareness of where future flexibility will be needed, whilst never losing focus on the effectiveness and efficiency of current security operations.

A thorough and systematic understanding is needed both of what types of improved security capabilities are needed and when they need to be ready for live operations.

1. Holz, R., Sheffer, Y. and Saint-Andre, P., 2015. RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). Available at: https://tools.ietf.org/html/rfc7457#section-1