Dave Somers
Summary
A senior information security manager, with rich experience of implementing
information security in large corporates. Many years' experience of managing
information policy, projects and operations in complex technical environments
and across cultures. Excellent communication skills plus experience of working
with business management at all levels.
Professional experience
General Manager North China, Hill & Associates PRC 2008 -
Summary: Joined Asia’s largest information security consultancy to lead the
north China team in winning and delivering their assignments.
- I manage delivery of a portfolio of consulting projects in information security
  / intellectual property protection. Examples include:
  - Information security risk assessment and mitigation plan creation
    for an extranet solution for a manufacturer.
  - Leading product evaluation for a client on security monitoring tools
    and on the subsequent integration of that into existing architecture.
  - Creating and delivering an information security training program for a
    software house’s own staff and their third-party suppliers’ staff.
  - Advised a client (chip-maker) on the establishment of their
    PCIDSS project.
  - Led an internal investigation into information theft and disclosure
    on behalf of a client whose designs appeared to be being copied by
    competing manufacturers.
- I manage the Hill & Associates Beijing office: P&L responsibility, staff
  matters, etc.
- I have re-organised the company’s service offerings for DR and BCP.
Information Security Consultant, Britannia Building Society 2007 - 2008
Summary: Contractor with the Information Security team at Britannia. Main
achievements:
- Internet programme security. Responsible for all information security
  aspects of new internet presence. This included:
  - Defining architecture and application level security requirements
    and project-managing their delivery (firewall, monitoring etc.)
  - Risk assessment and mitigation activities during the planning and
    development work.
  - Defining the control/governance model for the new internet
    environment – distinct from the rest of the technical estate.
  - Ensuring that compliance with Data Protection Act requirements
    was achieved by the systems and processes created by the project
    – for example by defining which data needed to be treated as highly
    secure, and creating the Subject Data Access process.
- PCIDSS. Initiated the Society’s PCIDSS compliance programme, identifying
  scope, goals, timeframes for the Society.
- Project engagement model. Created a project engagement model for
  information security, matching the policy and operational roles the team has
  with the Society’s project-management model (which uses CITI as a base).
Overall the role included project management aspects as well as provision of
information security expertise in privacy, privilege management, secure
collaboration with 3rd party developers. Used both ISO27001 and ISF as
references. Undertook considerable liaison and co-ordination within the Society,
advising colleagues on the need for and priorities of information security.
Information Security Director, Ericsson China 2004 - 2007
Summary: Promoted to new position, to create and run an information security
improvement program for five thousand staff in fifty locations in Greater China.
Goal was to make a step-change in the standard of information security, aligning
with ISO 27001. Main achievements:
Policy- and goal-setting
Executive sponsorship. Established Security Council with Greater China
executive team; used this as vehicle to get approval for projects and
changes.
Policies. Wrote and gained approval for local Ericsson China information
security policies (use of encryption in transmitting software, segregation of
duties, access control, abuse of internet etc.). Member of the drafting team
for global information security policies.
Information security
Information security consultancy to the business. Consulted with business
teams to ensure that policies were upheld in daily work and in new
solutions. Acted as the expert for information security challenges, such as
move of critical software to China, setup of new joint- venture companies,
secure connections to third parties.
Information security risk assessments. Created and taught information
security risk assessment method for software development teams. This is
now in use by over 1,000 staff in software/solutions development.
Technical improvement projects. Created and sponsored projects to
improve technical security e.g. HD encryption, standardize PC OS,
rebuild server rooms for business continuity reasons.
Network security. Decision-maker on connectivity security issues.
Program-managing improvements. Created an information security audit-
and-improvement program covering all fifty sites in Greater China. Used
ISO27001 as baseline.
Compliance. Led security compliance work for SOX, including much
access management/segregation of duties work on key applications.
Investigations. Undertook investigations into – for example – internet
abuse, confidential data reaching public domain, and data security failures.
Information security roadmaps. Created system/capability roadmaps and
ran change programmes in – for example – information classification.
Risk management, business continuity, incident handling
Risk management / DR / business continuity. Created and provided tools,
gave training for local staff, programme-managed the implementation of
technical risk assessments and DR / BC plans.
DR and BC plan-testing. Planned and led tests of DR and continuity plans.
Incident management. Created a standard process for incident handling
and reporting, with my role as focal point for investigation/resolution.
Other responsibilities
Organisation setup. Created and trained a network of 75 colleagues in
security, technical security, risk management and business continuity.
User training. Created and managed the rollout of a security training
program which reached all 7,000 staff and contractors in Ericsson China.
Awareness raising. Key task was to evangelise the concepts of
information security, particularly into the R&D community. Done via
structured workshops for management teams, facilitation of risk
assessments, and the delivery of many tailored training sessions.
Key relationships
Auditors and Risk Committee
CSO in Stockholm, Country Chief Officer and CFO
IT & Risk Manager, Ericsson Mobiles, Beijing 2001 – 2003
Summary: Promoted to lead the IT and risk management functions in Ericsson’s
largest factory in Asia.
Designed risk management strategy, including systems capacity and
disaster recovery. Led to replacement of ERP and manufacturing systems.
Project director for $7m implementation of Oracle ERP system and for
$5m replacement of manufacturing systems. Included negotiation of
contracts with Oracle, HP and software houses in the millions of dollars.
Led setup of crisis management team, preparations for crisis handling.
Created company’s DR plans and business continuity plans.
Directly managed 25 staff. Managed another 45 through matrix / project
management structures.
Improvement program for manufacturing systems suite, leading to
reduction in downtimes of one hour per day to below one hour per month.
IT Projects Group Leader, Ericsson Mobile, UK 1998 – 2001
Summary: Controlled all IT projects for Ericsson’s key UK site. Team of 11 staff
– programmers, analysts and project managers. We supported 2,000 staff
running 24x7 manufacturing operations (with downtimes costed at £2000 per
minute, risk management and incident control were our priorities!).
Portfolio management for all IT projects in the unit, with the project
managers reporting to me.
Implemented formal project management method to system development
and system implementation operations.
Project leader for transfer of the whole IT manufacturing systems suite to
a sister-factory in Romania.
Project Manager, UK Post Office IT Division 1988 – 1997
Summary: Rose from business analyst to project leader to project manager, with
successful experience in software development and implementation.
Co-produced Systems Project Management Handbook
Project manager for simultaneous implementation of PBX solutions at
eight regional HQ sites during a major reorganization.
Project manager for development and implementation of HR solution
across the business, and later for pilot SAP HR solution.
Education/Professional training
B.Sc. Honours degree from Europe’s largest undergraduate management school
– University of Aston, UK.
Member of the Association of Project Managers
Part-qualified Certified Accountant
Qualified project manager with both APMP and ISEB PM certificates. I am also a
PRINCE2 practitioner.
Top-scoring candidate in ITIL examinations in Asia 2005
Qualified Implementer and Lead Auditor for Information Security standard
BS17799 and have used ISO27001 in earnest in my last three roles.
Current study: CISM (taking this in June 2009. Confident of passing since I
scored 75% on the self-assessment).
Personal & contact details
Nationality: British
Family: Married, two children
Email: **.******@*****.***
Tel: +86-158********