Services
Tim D Williams delivers expert, ethical advice in all aspects of security architecture, security engineering & security management based on over 30 years of real-world experience, backed by extensive relevant qualifications & ongoing cutting-edge research.
Services which Tim is highly competent to deliver include:
Security Team Leadership and Interim Management
Security Governance, Budgeting and Oversight (referencing ITIL, COBIT, COSO, Sarbanes-Oxley, UK Corporate Governance Code, EU Digital Operational Resilience Act (DORA) and other relevant authorities)
Security Operations and Continuous Service Improvement
Security Training, including Agile Security coaching, DevSecOps, Cloud Security Auditing and secure CI/CD enablement
Data Protection Training, including GDPR, UK Data Protection Act (DPA), US Health Insurance Portability and Accountability Act (HIPAA) and California Consumer Privacy Act (CCPA)
Security Threat Modelling
Security Risk Assessments
Security Requirements Analysis
Security Architecture Development (referencing SABSA, TOGAF, NIST, CIS, MODAF and other relevant authorities)
Cloud Security Architecture (including AWS, Azure and Google Cloud Platform)
Security Due Diligence (both on vendors and responding to customer audits)
Security Procurement Support (client-side) and Proposal/Bid Support (vendor-side)
Security Engineering Solution Development
Security Design Reviews
Security Code Reviews (fully manual and partly-automated: static/dynamic/ interactive, referencing OWASP, MITRE, SANS, WebAppSec, SafeCode, SEI-CMM and other relevant authorities)
Infrastructure Vulnerability Assessments and Mitigation Plans
Web Application Penetration Testing
Applied Cryptography spanning:
- Asymmetric Cryptography: Algorithms (RSA, Diffie-Helman, ECC etc.), PKI, Web of Trust, Digital Certificates & Signatures, Key Lifecycle Management, HSMs, Encryption at Rest & In Transit including IPSEC, SSL/TLS & threats & mitigations.
- Symmetric Cryptography: Algorithms (AES, DES, 3DES etc.), Assured Hardware Sources of Entropy, Key Encryption Key (KEK), Data Encryption Key (DEK) & Key Rotation methods.
- Keyless Cryptography & primitives: Hash Functions, Pseudo Random Number Generators & One Time Pads.
- Human & Social aspects of Cryptography: Certificate Authorities, Registration Authorities & crypto custodian duties.
- Assurance Schemes: Common Criteria, FIPS, eIDAS, PCI-DSS etc.
- Post Quantum Computing (PQC) readiness: current state inventory (manual & automated), vendor supply chain due diligence & contract reviews, objective assessments of potential vulnerabilities to Grover’s algorithm & Shor’s algorithm, technical & economic modelling of PQC transition options.
If you would like to engage Tim as a trusted security advisor, he is open to negotiation about all* aspects of the requested engagement including scope, work location, duration and rates.
* subject to requests not involving any actual or apparent conflicts of interest.
Approach
Tim’s approach to security architecture & engineering is guided by the truth that:
“Attacks always get better; they never get worse" (1)
The inescapable implication is that all security solutions absolutely need to be designed for continuous improvement, keeping in mind that when new exploits emerge anywhere in the world they will quickly be automated and become available at low cost to unskilled threat actors.
Simply being able to mitigate today’s known threats is not nearly enough. A sustainable and agile approach to security design is needed - one which allows for continuous, rapid and economical integration and exploitation of new security capabilities. That means constantly maintaining “big picture” awareness of where future flexibility will be needed, whilst never losing focus on the effectiveness and efficiency of current security operations.
A thorough and systematic understanding is needed both of what types of improved security capabilities are needed and when they need to be ready for live operations.
Holz, R., Sheffer, Y. and Saint-Andre, P., 2015. RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). Available at: https://tools.ietf.org/html/rfc7457#section-1
Testimonials
“Tim is an astute security professional who has a wealth of knowledge and experience in the security domain. He is helpful and always willing to go that extra step to provide results.”
“The team relied not only on his extensive technical skills but also on his “out-of-the-box” thinking that often challenged the team to consider better alternatives”
“Tim is an exceptional mentor and has the ability to break down issues into the core problems quickly and without complication. ”
“ You don’t realise it yet, but you want Tim on your team.”
“Tim goes the extra mile to research areas both directly and indirectly related to the projects he is working on.”
“Tim is a forward-looking, experienced & talented security thought leader who can effortlessly deep dive from strategy & architecture to implementation in no time”
“Tim .. is the first person I turn to for peer review, because not only will get a well considered and valuable opinion, but he will always spot the things I had either not considered or felt were of little consequence, but he has identified as critical to a successful outcome”
Resume
Tim D Williams is a motivated, versatile & well-qualified security consultant with broad business, technical & regulatory compliance skillset who quickly establishes good relationships, inspires trust & supports continuous, agile team learning.
Key Strengths
Business/IT alignment - quickly understanding the context & the required balance of people/process/technical change
Breadth of Experience - spanning architecture, management, finance, training, software, data & infrastructure
Extremely rapid learner - with proven ability to master the critical details of new industries, roles & technologies
Experience
Encryption Consultant
Global Law Firm
Jan 2020 to Jan 2022
Senior Digital Security Specialist
Government client
May 2019 to Aug 2019
Interim Head of Cybersecurity
Retail e-Commerce client
Feb 2018 to Jul 2018
Lead Security Architect
Government client
Jul 2016 to Sep 2016
Lead Security Architect
Government client
Apr 2016 to May 2016
Interim Head of Information Security
Private healthcare sector client
Mar 2015 to Jul 2015
Lead Penetration Tester
Energy Sector client
Oct 2013 to Jun 2014
Security Architect
Government sector supplier
Feb 2011 to Aug 2011
Principal Systems Engineer
Government sector supplier
Nov 2005 to May 2010
Enterprise Information Architect
Banking group
May 2002 to May 2005
Data Warehouse Manager
Chemicals manufacture & logistics
Aug 1997 to Aug 1999
Lead Security Architect
International Bank
Nov 2021 to present date
Security Consultant
Transport Sector Engineering client
Sep 2019 to present date
Lead Security Architect
Government client
Aug 2018 to Mar 2019
Enterprise Security Architect
Energy sector client
Sep 2016 to Feb 2018
Freelance Security Trainer
Public-sector & private sector clients
Jul 2016 to present date
Security Architect
Government client
Jul 2015 to Apr 2016
Security Architect
Government sector supplier
Sep 2014 to Jan 2015
Lead Security Architect
Government sector supplier
Sep 2011 to Oct 2013
Solutions Architect
International Bank
May 2010 to Jan 2011
Senior Systems Engineer
Enterprise Software Vendor
May 2005 to Nov 2005
Software Development Manager
Multinational e-Commerce vendor
Aug 1999 to Aug 2001
Professional Memberships and Qualifications
BCS
FBCS - Fellow of the British Computer Society
CITP - Chartered IT Professional
MBPsS - Graduate Member of the British Psychological Society
BPsS
MCIIS - Full Member of the Chartered Institute of Information Security
CIISec
GDPR (F) - General Data Protection Regulation Foundation
GDPR (P) - General Data Protection Regulation Practitioner
GASQ
IET
MIET - Member of the Institution of Engineering & Technology
(ISC)2
CISSP - Certified Information Systems Security Professional
ISSAP - Information Systems Security Architecture Professional
ISSEP - Information Systems Security Engineering Professional
ISSMP - Information Systems Security Management Professional
CSSLP - Certified Secure Software Lifecycle Professional
CCSP - Certified Cloud Security Professional
CGRC - Certified in Governance, Risk and Compliance
ISACA
CISA - Certified Information Systems Auditor
CISM - Certified Information Security Manager
CGEIT - Certified in the Governance of Enterprise IT
CRISC - Certified in Risk and Information Systems Control
The Open Group
TOGAF 9.1 Certified
Education
MBA Technology Management
The Open University (OU)
2022 to 2025 (Expected)
MBA Technology Management
Postgraduate Certificate in Business Administration
2022 to 2024
Postgraduate Certificate in Higher Education (PGCHE)
Falmouth University
2020 to 2021
BSc (Joint Honours) Psychology & Pharmacology
University of Manchester
1985 to 1995
Executive MBA
Quantic
2024 to 2025 (Expected)
Cambridge English Language Teaching Assessment (CELTA)
Cambridge Assessment
2021 to 2022
MSc Information Security Testing
Royal Holloway University of London
2012 to 2014
Professional Contributions
External Adviser
London Metropolitan University: MSc Artificial Intelligence & BSc Cyber Security & Digital Forensics
May 2019
Programme Committee Member
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRIC.org)
Sep 2017 to present date
Committee Member
British Computer Society Information Security Specialists Group (BCS-ISSG)
Sep 2016 to present date
Events Coordinator
(ISC)2 Thames Valley Chapter
Nov 2014 to Jan 2019
Secretary
(ISC)2 Thames Valley Chapter
Nov 2016 to Jan 2019
Member
CESG Listed Advisers Scheme (CLAS) Policy & Tools Working Group
Feb 2011 to Sep 2015
Contact
