Andrew is a Director, Cyber Risk in the Brisbane office with extensive experience in cyber security, privacy and risk management. He is a well-known expert in the governance, risk and compliance space and has advised multiple companies, including some of the largest in Financial and Insurance Services in Asia Pacific.
Andrew’s practice focuses on strengthening clients’ readiness for, response to and recovery from cyber incidents. He works closely with clients to offer information and operational technology risk assessments, cyber security strategy development, privacy and data protection compliance, operational cyber resilience and related advisory services.
Having started his career as an intelligence operator and security analyst in the British Army, Andrew has been involved in cyber security and has held senior positions in global specialist cyber security firms. Prior to joining Clyde & Co, Andrew was the GRC Director and a Senior Advisor for NCC Group, managing a team of consultants providing professional services across Asia Pacific.
Experience
Senior risk advisor: for one of Asia’s largest international banks, providing expertise and external assurance for a multi-year programme to reduce the risk of payment card data loss to the bank.
Cyber security strategy and roadmap: assisted an ANZ based financial services provider to understand its cyber security maturity and to develop a cyber security strategy and roadmap based on cyber risk analysis.
Cyber simulation: facilitated a multiple day cyber simulation for a financial services provider testing its capability to respond to and recover from a cyber incident, advising on remediation requirements for areas of concern.
Vendor risk management: managed a program for one of Australia’s largest international banks, developing and refining the process to assess supply chain risk from thousands of vendors globally.
Security policy development: developed bespoke cyber security policies for both IT and OT environments for a state transportation agency, advising them of the appropriate level of control implementation based on risk.
Information classification: developed an information classification framework for one of Australia’s largest health fund providers, including awareness sessions to ensure to information was adequately protected across its multiple business units.
OT risk assessments: conducted multiple ISA 62443 based risk assessments of OT environments for a state transportation agency to identify and remediate risk to critical national infrastructure.
Information security management systems: implemented an effective information security management system and associated governance functions for a large state government agency, including performing a trusted advisor role for all information security related projects.
Privacy and data mapping: part of a team that mapped data and assessed compliance to the GDPR for an international travel agency which required several months of engagements across multiple jurisdictions in Europe.
Qualifications
Certified Information Privacy Manager
Certified Information Systems Security Professional
