About

Welcome. I’m John Elliott and this is my small bit of the Internet. I’m a payments / privacy / cyber security / risk specialist. I work as a consultant and interim manager and I help organisations balance risk and regulation with business needs. I started this blog sometime in 2010 and then ended up in jobs where it wasn’t really appropriate to write publicly about the things I also worked with, which is why there’s always gap between posts.

Research

I’m a part-time doctoral student at the University of Warwick Cyber Security Centre looking at principal-agent relationships in respect of cyber security. Specifically how regulators and companies validate the security claims of third-party entities to support regulatory or contractual compliance.

PCI DSS and payment security

I was fortunate to spend around three years as Visa Europe’s representative on the technical working groups of the Payment Card Industry (PCI) Security Standards Council (SSC); before that I worked as a Qualified Security Assessor. In that time I contributed extensively to DSS v3 and P2PE v2 and I also answered lots of questions about the standards and payment security.

Work

Currently I’m looking after payment security and a PCI DSS programme at an airline and helping a Building Society with its cyber / information security strategy.

Privacy

Since I studied Data Protection law I’ve been fascinated by the intersection between privacy law and information security practice. I moved into payment security in 2009 to understand how mandatory security regulation works, because I predicted then that there will be technical information security standards when the General Data Protection Regulation comes into effect (we’ll find out soon!). I’m a CIPP/E and have an LLM in Information Rights Law and Practice.

Open Rights Group

I’m an elected board member of the Open Rights Group, which works to protect digital rights through campaigning, research and education.

Professionally

I’m a Fellow of the British Computer Society and Chartered IT Professional. I hold the CISSP, CRISC and CISA qualifications.

What is it with (out) fire?

There’s a reason that flames do not engulf whole cities when one building (or bakery) catches fire. And it’s not just because of prevention.

I use the metaphors of fire prevention and control, along with stories about the great fires of the world, to explain the world of cyber security to senior management and company boards.

Contact

Get in touch via LinkedIn, @withoutfire or email to john@you_can _probably_guess_the_domain.