About
I have been working in security for over 25 years. Right now I am the CISO for Jonas Software, covering cyber security, information security, and AI governance across 35+ businesses in Australia, New Zealand, and Asia.
My job is to turn complex cyber, privacy, and AI risk into clear outcomes that executives and boards can act on. I focus on what is practical: enabling growth while keeping trust, resilience, and regulatory readiness in good shape.
Experience
2024 – Present
Chief Information Security Officer
Jonas Software Australia
CISO for Jonas Software, responsible for cyber security, information security, and AI governance across 35+ independent software businesses in Australia, New Zealand, and Asia.
- Built an AI use-case intake and risk assessment framework covering security, privacy, legal, and ethical risk. It is now the group standard.
- Automated the AI risk workflow using Power Automate and Microsoft Copilot. Faster assessments, full audit trail.
- Participated in the global Security and IT Steering Committee, contributing to cyber and AI governance strategy across the portfolio.
- Led cyber due diligence for acquisitions. Defined the post-acquisition security uplift process and minimum standards.
- Introduced tier-based cyber status reporting across business units so executives could see real posture, not just compliance ticks.
- Wrote group standards for AI governance, penetration testing, and incident response.
2023 – 2024
CISO / Head of Delivery / Head of IT
Corum Health (Jonas Group)
Continued as CISO after Jonas Group acquired Corum Health from Corum Group. Expanded into technology delivery and IT operations.
- Managed the security transition through the acquisition. Kept cybersecurity operations and compliance running without gaps.
- Took on product delivery teams. Improved development processes, tightened product security, and got releases moving faster.
2021 – 2023
CISO / Head of Delivery / Head of Cyber
Corum Group
Led cybersecurity across Corum Health, PharmX, and Corum E-commerce. Built a commercial cybersecurity product for the healthcare sector.
- Designed, built, and launched "Corum Cyber Defence", a cloud-native endpoint security product for Australian pharmacies using Microsoft Azure and Defender. Covered everything from architecture to marketing.
- Integrated a group-wide ISMS using ISO/IEC 27002:2022. Achieved formal certification.
- Ran the Security Operations Centre. The team stopped malware, phishing, and more complex incidents across client endpoints.
- Spoke at industry events and wrote security awareness content focused on healthcare cybersecurity and Essential 8 adoption.
- Promoted to Head of Delivery based on results. Took on product development, release management, and engineering quality.
2017 – 2021
Principal Security Consultant
Loop Secure
Led a team of GRC specialists delivering risk assessments, security strategy, and compliance advisory across Australian enterprises.
- Created cloud security risk assessment methods covering Microsoft 365, Azure, GCP, and AWS. Several of Australia's largest enterprises used them.
- Built enterprise security strategies for major organisations. Removed delivery inefficiencies and improved project outcomes and stakeholder satisfaction.
- Ran incident response engagements. Created playbooks and fixed communication processes between internal teams and external SOC/SIEM providers.
- Developed compliance services for APRA CPS 234 and US DOD CMMC (DFARS NIST 800-171). Turned new regulation into consulting revenue.
- Presented to boards on cyber risk, crisis management, disaster planning, and pandemic preparedness.
2013 – 2017
Regional Investigations Leader
Nokia
Directed fraud, bribery, and corruption investigations across APAC. Ran the global forensics strategy and incident response, covering Asia, Europe, and the Americas when needed.
- Led the APAC response to a nation-state APT across 8 countries and hundreds of endpoints. Stopped the data theft, and the findings shaped global security improvements.
- Internal investigations recovered over $5 million USD from suppliers and staff in a single year.
- Provided evidence to the US Department of Justice for large-scale fraud cases. The DOJ said no further compliance action was needed.
2007 – 2013
Regional Security Director
Alcatel-Lucent
Based in Shanghai. Provided security leadership across physical security, information security, ethics, compliance, investigations, and crisis management for the APAC region.
- Built a region-wide corporate security programme covering 17 APAC countries. Secured budget, hired teams, and rolled out badging, access controls, and visitor management.
- Led crisis response during the 2008 Sichuan Earthquake and 2011 Japan Tsunami. Kept facilities running and employees safe in both events.
- Ran a three-year programme that raised security awareness and maturity across the entire APAC region.
2004 – 2007
Regional Information Security Officer
Alcatel-Lucent
Based in Shanghai. Led a regional team of information security specialists managing infrastructure, projects, risk assessments, and monitoring across APAC.
- Planned and rolled out local, regional, and global ISMS. The work led to real improvements in anti-malware, patching, vulnerability management, and detection and response.
- Part of a global information security team that built the organisation-wide approach to reducing technology risk.
Certifications
ISO/IEC 27001 Lead Implementer
PECB
The ISO/IEC 27001 Lead Implementer certification demonstrates the ability to design, implement, and manage an Information Security Management System (ISMS) in compliance with the ISO 27001 standard. To achieve this certification, one needs a solid understanding of risk management, security controls, and compliance requirements, as well as practical experience in implementing security frameworks across organizations.
Certified Information Security Manager (CISM)
ISACA
The CISM certification is aimed at professionals who manage and oversee an enterprise's information security program. It requires strong skills in information risk management, incident response, governance, and program development. Passing the exam involves extensive knowledge of security strategy and a practical understanding of aligning security initiatives with business goals.
Certified Data Privacy Solutions Engineer (CDPSE)
ISACA
The CDPSE certification focuses on privacy engineering and helps professionals design and implement privacy solutions within technology and business environments. Candidates need a thorough understanding of data privacy laws, risk assessments, and privacy by design principles. Achieving this certification requires experience in implementing privacy practices into the development lifecycle of information systems.
Global Industrial Cyber Security Professional (GICSP)
GIAC
The GICSP certification is designed for those who protect industrial control systems (ICS). It bridges the gap between IT and operational technology (OT) security, requiring knowledge in ICS architecture, protocols, and cybersecurity measures. Candidates typically need experience in both ICS environments and cybersecurity to succeed in the exam.
Access Data Certified Engineer (ACE)
Access Data
The ACE certification is aimed at professionals who use Access Data tools for computer forensic investigations. Achieving this certification requires proficiency in using forensic software to collect, analyze, and interpret digital evidence. Candidates must demonstrate practical skills in handling digital evidence and conducting in-depth forensic analysis to pass the exam.