Ryan Brooks

Sheffield, UK (remote)

Also available: technical leadership CV.

I'm a pragmatic, hands-on leader with a focus on people, shared goals, figuring out what's most important, and making space to achieve it. My background spans operations, engineering and security, which makes a hands-on Chief Information Security Officer (CISO) role exciting.

My experience running JavaScript, Ruby and remote hack events and working with executive leadership in local authorities means I'm well placed to work with everyone from board level to end user, meeting them where they are to foster a collaborative, positive security posture. My time in central and local government has given me a good understanding of vast and aging technology stacks, and experience wrangling them to keep risk acceptable.

I'm an advocate of modern DevSecOps, empowering teams and risk owners to quantify risk and manage it effectively against other priorities, using established frameworks such as the NCSC Cyber Assessment Framework (CAF) and the CIS AWS Cloud Benchmark.

Key skills

Chief Information Security Officer (CISO) · Head of Cyber Security · Security strategy · Governance, Risk & Compliance (GRC) · ISO/IEC 27001 · Information Security Management System (ISMS) · Cyber Essentials · NCSC Cyber Assessment Framework (CAF) · CIS AWS Cloud Benchmark · ISO/IEC 17025 · Risk management · Threat modelling · OWASP Top 10 · DevSecOps · Dependency security (Dependabot) · Identity & Access Management (IAM) · AWS security · Google Workspace hardening · GDPR & data privacy · Information governance · Incident response · Disaster recovery & business impact analysis · Security training & culture · Security community of practice

Experience

ISO/IEC 27001 Lead Implementer & Cyber Security Lead

Goodbase Digital Ltd · contract · Remote

Mar 2026 – present

Goodbase build bespoke case management tooling for charities and local authorities. I was brought in to mature their security posture, introduce an Information Security Management System (ISMS) aligned to ISO/IEC 27001, and lead the infrastructure changes needed to meet the new standards.

  • Shipped the first phase of an ISO/IEC 27001-aligned ISMS, including formal risk management.
  • Introduced infrastructure as code (IaC), retrofitting it across operational systems and adopting it as the default for new deployments.
  • Hardened Google Workspace, AWS, GitHub and Slack against the new ISMS controls.
  • Improved Goodbase's GDPR and data privacy posture through contractual improvements and internal review.
  • Led cyber and information governance responses for sales conversations with prospective clients, including central government bodies.

Principal Architect

Public Group International Ltd · contract · Remote

Jan 2026 – Mar 2026

Engaged to lead a research engagement with a central government department exploring techniques for understanding extremely large codebases in restricted environments.

Interim Head of Cyber Security

London Borough of Hackney · contract · Remote

Apr 2025 – Oct 2025

Role expansion when Hackney's Head of Engineering left and the Council's security function scaled up ahead of a large external audit.

  • Introduced a structured NCSC Cyber Assessment Framework (CAF) to quantify security risk and prioritise improvements.
  • Devised and implemented a 5-year cyber strategy to mature cyber security and risk management within the Council's financial constraints.
  • Led a team of 4 early-career cyber security analysts, providing structured training, mentoring and line management.
  • Introduced Dependabot to quantify software dependency vulnerability risk and auto-update dependencies, training developers and tracking progress through governance sessions.
  • Discovered risk around unmanaged devices, and led work to manage personal device risk and roll out corporate devices for critical systems.

Lead Security Engineer & Technical Architect

London Borough of Hackney · contract · Remote

May 2023 – Apr 2025

Brought in to assess and improve Hackney's security posture for modern engineering projects. Worked closely with engineers and senior stakeholders to identify opportunities for change, getting buy-in from the wider business and enthusiasm from teams.

  • Led an initiative to map Hackney's attack surface and existing systems after discovering ICT wasn't aware of all the services it operated, with many small systems being built by agencies, deployed within AWS, and forgotten. Brokered agreement about ownership and maintenance with the engineering and cloud platform teams.
  • Introduced disaster recovery testing after discovering a lack of backups and testing across the estate. Raised awareness with senior leadership to agree priorities and introduced a way to assess system criticality which was adopted into the wider Council's business impact analysis processes. Tackled slow team response by creating lightweight templates and a runbook, and running in-person sessions covering theory and mob-recovery on problem systems. The work led to improvements in the central backup platform and processes, as well as upgrades to out-of-date systems to enable recovery.
  • Revived Hackney's engineering community of practice. Heavy apprentice/early-career representation and high turnover had left the Slack and CoP languishing. Led by example with talks on security and engineering practices, workshops to build skills, and lightweight decision records as a way to foster discussion. The shift was away from informal decision making to a more collaborative, consensus-driven model — and most engineers became comfortable asking for help.
  • Mentored junior security engineers, introducing learning sessions and pairing/swarming. The team began writing Python scripts to automate laborious manual checks.
  • Ran Community of Practice sessions and workshops with engineers to embed threat modelling, OWASP Top 10, and dependency security.

Interim Chief Technology Officer (CTO)

Bookwhen Ltd · contract · Remote

Jan 2023 – Apr 2023

Brought in to introduce modern software development delivery practices, improving focus, transparency and velocity.

Lead Technical Architect

Government Digital Service · full-time · Remote

Sep 2021 – Nov 2022

Established new teams to maintain and develop GOV.UK's publishing platform, building an API-first strategy to modernise and secure an extensive suite of legacy Ruby applications in preparation for GOV.UK's classification as Critical National Infrastructure (CNI).

  • Built an API-first strategy to modernise and secure an extensive suite of legacy Ruby applications ahead of GOV.UK's classification as Critical National Infrastructure (CNI).

Senior Technical Architect

Ministry of Justice · full-time · Hybrid, Sheffield

Jul 2019 – Aug 2021

Hands-on technical architect leading several software and infrastructure engineering teams, working with product owners, developers and non-technical stakeholders to define strategy, set priorities, and build technical systems.

  • Instigated and delivered the migration of the in-cell prisoner content hub from on-premise servers to a secure, cloud-based Kubernetes platform, refactoring the application architecture to enable the service to scale to all public prisons while remaining secure.
  • Responsible for the hosting and infrastructure for critical offender management, risk and operational reporting systems for HM Prison and Probation Service. Introduced continuous delivery to the legacy hosting team, building and deploying infrastructure with Terraform, Ansible and Packer. Set a vision for the operations team to escape their inherited technical debt and rebuild morale and delivery velocity.

Principal Consultant & Director

Slate Horse Ltd · director, interim & project-based consulting · Sheffield

Jan 2015 – Jan 2020

My consultancy vehicle for interim CTO and project-based contract development work, with a focus on software quality, testing, and empowering developers. Clients included the Department for Education, University of Oxford, Oxford University Hospitals NHS Trust, Bookwhen, Nimble Approach and Press Association.

Chief Technology Officer (CTO)

Kudos Innovations Ltd · full-time · Oxford

Sep 2014 – Apr 2017

Recruited and led a team of 5–6 engineers, taking a Ruby/Padrino proof-of-concept site and iteratively developing it into a stable, scalable product, expanding into two complementary product lines.

Senior Software Engineer

University of Oxford / Oxford University Hospitals NHS Trust · full-time · Oxford

Nov 2013 – Sep 2014

Collaboratively developed open-source metadata-registry tools for modelling patient treatment and outcomes within the NHS.

Chief Technology Officer (CTO)

NMi Metrology & Gaming Ltd · full-time · Bangor, Wales

Jan 2012 – Nov 2013

Responsible for the strategic development of systems and processes to support growth and operational activities, as well as the security and integrity of NMi UK's computing resources and data under ISO/IEC 17025.

  • Strategically developed systems, policies, procedures and training to allow the business to grow from 3 to 30 people.
  • Ran critical, short-term projects from inception to completion; visited clients across Europe providing gambling compliance testing services, on-site auditing and consultancy.
  • Operated as security and integrity owner for NMi UK's computing resources and data under ISO/IEC 17025.

Earlier career

  • Lead Developer, NMi Metrology & Gaming Ltd, Bangor, Wales (Mar 2009 – Dec 2011)
  • Test Engineer / Software Developer, Compliance Testing Laboratory, Bangor, Wales (Jan 2008 – Mar 2009)

Certifications

  • PECB ISO/IEC 27001 Lead Auditor, PECB — in progress (2026)
  • CISSP, (ISC)² — Dec 2012 (membership not maintained)
  • EC-Council Certified Ethical Hacker (CEH), EC-Council — Jun 2012
  • CMI Level 3 & 5 in Management & Leadership, Chartered Management Institute — 2012

Community & coaching

Education

  • Bangor University — Postgraduate research, AI and predictive modelling (2005 – 2010)
  • Bangor University — BSc (Hons) Computer Systems with Business Studies — 1st class (2002 – 2005)