If you’re looking for a standard sort of profile, LinkedIn is probably the best place to start, but here’s my journey…

I’ve been doing IT things since leaving university. And while I was essentially looking after IT infrastructure and security I got into a long discussion with the company’s lawyer about what the data protection act said we had to do in respect of security. And that started my interest in how external regulation affected security, which led me to study law and eventually take an LLM (i.e. Masters of Law) in Information Rights Law and Practice (Data Protection).

I wanted to work at the intersection of information security and data protection. But back in 2010 there were not really many jobs in data protection (it was pre-GDPR). I accidentally fell into the world of PCI and payment card security and became a QSA because I was interested in seeing how a form of regulated security worked.

PCI things have continued to interrupt my career plans ever since since!

I spent around three years as Visa Europe’s representative on the technical working groups of the Payment Card Industry (PCI) Security Standards Council (SSC). In that time I contributed extensively to PCI DSS v3 and P2PE v2 and I also answered lots of questions about the standards and payment security.

I was the technical lead on a 2 year project to make a major European airline become compliant with PCI DSS.

I spent two years at Mastercard as their representative on the PCI SSC working groups, and largely concentrated on PCI DSS v4, particularly the e-commerce requirements and the customised approach.

In gaps I was interim Head of Information Security for a building society, the data protection specialist at the Open Banking Implementation Entity and also the subject matter lead on the airline’s GDPR programme.

Professional Qualifications

Professional: BCS Fellow, Chartered IT Professional

Information Security: CISSP, CISA, CRISC, CDPSE

Academic: LLM Information Rights Law and Practice


Get in touch via LinkedIn, @withoutfire or email to john@you_can _probably_guess_the_domain.