In Andy's professional career, he's been asked to find solutions to plenty of sticky security problems across a range of different business sectors - from enterprise IT to retail to heavy industry - where there is no obviously right answer. He's also been tasked with securing emerging technologies - such as IoT, AI/ML, robotics and autonomous vehicles - where few established standards or guides exist. This has given Andy a wealth of real-world use cases to bring to life the complexities that exist in architecture & engineering, and to teach the thought processes that help students to arrive at the best possible outcome.
A big part of security architecture & engineering is making decisions, but rarely are those decisions obvious. There are always trade-offs to be made which are unique to each situation, so there's never going to be a flow chart to tell you the answer. So Andy encourages a mindset of teasing out the key deciding factors, making deliberate choices about what takes priority (and what doesn't), and pre-empting potential pitfalls in order to arrive at the best possible design - even if it's not perfect.
An added complexity is the pace of change in technology and the security threat landscape, with vendors making bold claims about how their product will solve all problems. Andy offers a critical look at these solutions, breaking them down into specific technical capabilities and applying them to specific well-defined use cases.
"I'm a big believer in hands-on practical skills and using real-world case studies as a way to bring theoretical topics to life. After all, the real world is messy, complicated & imperfect, so it's important to be able to architect and engineer solutions that reflect reality rather than an impossible ideal," Andy says.
Andy considers himself "unashamedly a nerd at heart" and loves exploring new technologies and figuring out how they work. He also loves to figure out how to break that technology, because then he can develop even better methods to defend against those kinds of attacks.
"For me, the thing about security architecture & engineering in particular which really appeals to me is the ability to effect positive change on a massive scale; to take the time to step back from the whack-a-mole of responding to incidents, and to put in place systemic changes that prevent incidents from ever occurring, or significantly reduce their impact," Andy says.
Andy sees teaching with SANS as an opportunity for him to help with the crucial task of educating the next generation of infosec professionals. Andy sees security architecture & engineering not as a prescriptive skill, but a discipline which needs practicing.
"I find it mentally stimulating to discuss the many shades of grey, the relative pros and cons of different approaches, and to develop this same mindset in students," Andy says.
Many in the community may recognize Andy from his video walkthroughs of the SANS Holiday Hack CTFs, for which he was awarded prizes in 2017, 2018, 2019, and 2020. Andy also started producing educational infosec videos on his YouTube channel when the Covid-19 pandemic hit as a productive way to use his time when unable to go outside.
Andy has a Bachelor's degree in Computers & Networks and a Master's in Security & Cryptography. His professional certifications include CISSP, CRISC, GDSA, and GDAT.
Outside of his professional life, Andy enjoys escaping his desk to undertake a variety of outdoor activities, including gliding, sailing, skiing, rock climbing, archery, and ultimate frisbee. He also enjoys a good board game and pub quiz. He loves to travel - preferably to far-away exotic places - and to capture those travels through photography.