Simon Arnell

Experienced Chief Technologist with a demonstrated history of working in the information technology and security industries. Strong information security professional skilled in Security Architecture, Risk Management, Strategic Policy Decision Support and Research and Development (R&D).

Contact

Twitter simonarnell
LinkedIn simonarnell
Facebook simon.arnell
GitHub simonarnell
Crunchbase simon-arnell

Location

Fleet, Hampshire UK

Work

Configured Things

Founder and Non-Executive Director

2018-01-16 — Present

I am a co-founder and non-executive director at Configured Things, a member of the 2018 GCHQ/NCSC Cyber Accelerator.

DXC Technology

Chief Technologist

2017-04-01 — Present

Following HPE Enterprise Services' 2017 spin-merge with CSC, my employer changed once again; it became DXC Technology. I was initially responsible for mapping the various partnering relationships the legacy organisations maintained and understanding what was necessary for the new organisation. In this capacity I owned the New Technology Overview program, a horizon scanning service that reflected the shifting needs of the market and proposed partnerships that would allow DXC to capitalise on these changes, whilst match-making potential partners with salespeople with particular requirements. I have authored many papers and spoken at a number of conferences at DXC to build out our market presence and I am responsible for our annual cyber security predictions report, a risk management level perspective with suggested mitigations for how to safely navigate one's business through a changing threat landscape. In this role I am a frequent lecturer on the UK Ministry of Defence's Cyber Operations Awareness (Core) Course (COACC) taught at the Defence Academy in Shrivenham.

Hewlett Packard Enterprise

Chief Technologist

2015-11-01 — 2017-04-01

Due to the HP Inc. and Hewlett-Packard Enterprise split, my employer changed; however, I continued to commercialise the DNS Analytics intellectual property. I ran two customer proofs of concept to test the solution in the real world. I selected a Nordic telecoms equipment manufacturer and a Nordic nuclear power operator to pilot the technology and architect the solution around. This proved to be a great success as a detective control and was publicly unveiled at HP Protect '15. Having introduced a means of detection that could dramatically shift the mean time to detect an incident with the DNS analytics technology, I began to appreciate this was moot, as the response times were still dire; customers did not have the means to orchestrate and reconfigure their estates dynamically in response to a security incident. This is where my work on Software Defined Networking for Security and Network Security Function Virtualization began. I co-developed IP to rapidly respond to incidents with investigative and preventative measures from the network using OpenFlow; this was successfully prototyped on the HP Labs network to react to anomalous activity.

HP

Chief Technologist

2014-08-01 — 2015-11-01

I was responsible for presenting the company's strategy and services to customers who visited our London and Bristol Customer Engagement Centres. I began to sponsor the commercialisation of a research project that was monitoring HP's internal network for anomalous Domain Name System (DNS) traffic, identifying misconfigured and compromised devices. I expanded the monitoring from the internal network onto HP's public cloud allowing it to rapidly detect compromised tenants, personally porting the architecture from the original one gigabit per second based design and scaling to the ten gigabit per second requirement of our public cloud, requiring me to rewrite the C++ Field Programmable Gate Array-based software to cope with the dramatic hardware changes necessary to monitor a public cloud.

HP

Security Analytics Lead

2010-11-01 — 2014-08-01

Having developed intellectual property during my time in HP Labs, I transferred myself and the technology into the security business unit to understand how it could be applied to the business. Using corporate R&D funding I sponsored a project with our Brazil team to scale and build a management framework around the modelling tooling; this allowed our Managed Security Service to perform proofs of concept of collecting data from the customer estates and providing them with a proactive and benchmarked risk assessment with respect to their Identity and Access Management and Vulnerability and Threat Management processes. This role also allowed me to act as a conduit to identify and transfer technology developed in our corporate research labs into the security business. I also architected and piloted HP's Cloud Risk and Controls Assessment, a set of tools built around the Cloud Security Alliance's Cloud Control Matrix and an internal risk assessment to provide customers with an impact analysis of their planned cloud migrations.

National Grid

Information Security Researcher

2010-01-01 — 2010-10-01

I was seconded to National Grid to understand the threats in the Operational Technology environments, exploring the potential mitigations of virtual machines on trusted platforms to improve overall systems security with respect to security and staff productivity; in addition, the impact of password policies was assessed and reported on. I was based at the National Electricity Control site and performed extensive field work with University College London consisting of staff interviews at the National Gas Control site, UK Headquarters and US Headquarters.

Bank of America Merrill Lynch

Technology Risk Management Research Officer

2008-11-01 — 2009-12-01

I was seconded to Merrill Lynch to research the applicability and potential impact of Digital Rights Management to the bank's security, costs and productivity. As part of this project I also facilitated and conducted interviews with the bank's staff and University College London to understand the socio-technical issues of the science of security. Beyond the Trust Economics project, I also assisted the bank with governance, risk and compliance exercises such as performing a policy gap analysis during its merger of Merrill Lynch with Bank of America, developing a Secure Development Lifecycle and consulting the line of business' technical teams to assist with security concerns.

Hewlett-Packard Laboratories

Researcher

2008-11-01 — 2010-10-01

I worked in the Systems Security Lab in HP Labs Bristol as a post-doc researcher. As part of the UK government-funded Trust Economics project, the role saw me seconded to Bank of America Merrill Lynch and National Grid, developing discrete event simulations of stochastic systems' security models to statistically analyse the impact of threats, people, process and technology on an organisation's security to improve strategic decision-making.

Yospace, a Bauer company

Quality Assurance Engineer

2007-05-01 — 2008-10-01

A summer internship at a user-generated content startup as a Quality Assurance Engineer that became a part-time role during my post-graduate studies. I was the sole quality assurance resource, responsible for ensuring quality of the user-generated content platform provided to major operators such as Three, O2, Vodafone. Yospace adopted agile methods and so I would attend the daily scrum meetings to understand project direction and escalate bugs. To improve efficiency I implemented Bugzilla for issue tracking and CruiseControl for continuous integration. I devised an application of an AI classifier to reduce the cost to the business of moderating users' comments on other users' content.

Collingwood College

IT Support Technician

2004-05-01 — 2006-09-01

A part-time role during my undergraduate studies. I supported a small campus network of approximately one thousand endpoints and two and a half thousand users. Due to a new college building being built a data centre migration was performed alongside transitions of Windows Server and Exchange 2000 to 2003. I was responsible for architecting and buildout of the desktop OS deployment solution, architecting a proposed 802.11g Wi-Fi deployment using 802.1x authentication of endpoints, and a Windows Active Directory consolidation project to support and manage the local feeder schools' IT.

Volunteer

Education

Royal Holloway, University of London

2007-01-01 — 2008-01-01
Information Security, MSc
Courses
  • Security Management
  • Introduction to Cryptography and Security Mechanisms
  • Network Security
  • Computer Security (Operating Systems)
  • Advanced Cryptography
  • Smart Cards/Tokens Security and Applications
  • Software Security
  • Trusted Computing

Royal Holloway, University of London

2004-01-01 — 2007-01-01
Computer Science, BSc
Courses
  • Logical Foundation for Computer Science and Artificial Intelligence
  • Introduction to Programming and Professional Issues
  • Computer Engineering
  • Web and Internet Technologies
  • Theory of Computer Languages and Infinite Structures
  • C++ for Java Programmers
  • Graphics and Human Computer Interface
  • Algorithms and Complexity
  • Bioinformatics
  • Operating Systems
  • Compilers and Code Generation
  • Advanced Data Communications
  • Information Security
  • Computational Finance
  • Software Engineering Group Project
  • Database Theory
  • Object Orientated Software Engineering

Publications

How to overcome the security questions facing blockchain technology

2018-04-01
Published by DXC Technology

Overcoming security questions about blockchain ecosystems will help ensure that blockchain continues to evolve in the financial services industry and matures into a disruptor in other businesses. This paper identifies security implications and potential threats, and offers 10 recommendations for embedding security into blockchain transactions.

Take a risk-based approach to DevSecOps

2018-03-01
Published by DXC Technology

Companies embracing digital transformation are looking to DevOps and agile development methods to accelerate the release of new applications. Unfortunately, in this need for speed, security is often left behind. This paper introduces process and language bridges to address the gulf between risk management, development and system operations teams.

Cyber Security Predictions for 2018

2018-01-01
Published by DXC Technology

A report authored with the help of colleagues at DXC, discussing what security risks and technology changes may feature in the year ahead and how to manage their impact to the enterprise.

SDN4S: Software Defined Networking for Security

2017-01-23
Published by Hewlett Packard Labs

Security Operations Centers (SOCs) rely on analysts to perform largely manual processes to carry out the various stages of the incident management lifecycle. These processes are time-intensive and typically require much context switching and hand-off between monitoring and operations analysts, introducing considerable delays into the resolution of incidents. With enterprise networks facing malware threats of increasing complexity and volume, this approach becomes unsustainable. It is crucial, therefore, to develop solutions that dependably automate and accelerate incident management tasks and only involve the limited pool of highly-trained and experienced analysts an organization can have at its disposal when truly necessary, where it matters. In this report we introduce SDN4S: a system and solution to minimize the time between incident detection and resolution by using automated countermeasures based on Software-Defined Networking (SDN). SDN4S creates incident-specific response workflows orchestrating actions and network-based countermeasures automatically upon receiving an alert, leading to faster and more predictable incident response. We describe the architecture and implementation of SDN4S, and report on the test deployment of the system on our research network.

Protecting the Enterprise using Network Function Virtualisation-based Security Analytics and Remediation

2017-01-23
Published by Hewlett Packard Labs

The threat landscape is constantly evolving, creating new challenges for organizations and the need for continuous investments in security controls and incident management capabilities. A key problem organisations face is how to reduce the incident remediation time, once security issues have been detected, in order to minimize risks, disruption and losses. Central to this challenge is the heavy reliance on proprietary hardware for advanced detection and remediation, which results in high upfront capital expenditure and long lead times in an area where rapid response is critical. We present our vision and technical approach to address this issue, consisting of a Network Function Virtualisation (NFV)-based Security Analytics and Remediation solution, motivated from real-world experiences gathered while working with a large enterprise customer.

Awareness is only the first step - A framework for progressive engagement of staff in cyber security

2015-12-16
Published by Hewlett Packard Enterprise, University College London (RISCS) and CESG

The business white paper “Awareness is only the first step: A framework for progressive engagement of staff in cyber security” is the product of collaboration between RISCS researchers and security awareness experts at Hewlett Packard Enterprise (HPE), with oversight by the UK government’s National Technical Authority for Information Assurance (CESG). Security communication, education, and training (CET) is meant to align employee behavior with the security goals of the organization, but it is not always designed in a way that can achieve this. The purpose of this paper is to set out a framework for security awareness that employees will actually engage with, and empower them to become the strongest link—rather than a vulnerability—in defending the organization. A set of steps, required to deliver effective security CET as a natural part of an organization’s engagement with employees at all levels, is outlined. Depending on different needs, many vehicles are available from security games, quizzes, and brainteasers—and possibly prizes—to encourage employees to test their knowledge and explore in a playful manner. The most important output is that different approaches are needed for routine security tasks, and those tasks require application of existing security skills to new situations. There are many creative ways to improve security behaviors and culture, but it is essential to engage people in the right way. Then they can convert learning into tangible action and new behavior. Security CET needs to be properly resourced and regularly reviewed and updated to achieve lasting behavior change.

Legal

Hewlett-Packard Enterprise Development Company 2016-04-21
Hewlett-Packard Development Company 2015-08-31
Hewlett-Packard Development Company 2015-11-17
Hewlett-Packard Development Company 2015-04-10
Hewlett-Packard Development Company 2015-03-11
Hewlett-Packard Development Company 2014-07-31
Hewlett-Packard Development Company 2014-07-31

Languages

English

Native or bilingual proficiency

Finnish

Elementary proficiency