Can three people keep a secret only if two of them are dead, as Benjamin Franklin suggested? If you'd prefer to keep your team, let's look at handling secrets in product development.
Our Practitioners

Toby Irvine
Product Security Specialist
Toby is the CEO and one of the co-founders of Secure Delivery. He has spent (well) over 20 years in secure software engineering, designing and building large scale on-premise and cloud systems across many industries. He’s established and managed secure engineering and security engineering functions in highly regulated organisations.
He’s trained technical and non-technical delivery roles across the Americas, EMEA and APAC in modern application security practices and founded Secure Delivery to bring both strategic advisory and proven training in modern application security thinking, practices and tooling to regulated organisations.
He’s the author of HSBC’s Secure Development Handbook—the “field guide” to secure application development at one of the largest banks in the world, in use by 30,000 software developers across 68 countries.
He has a deep passion for education and ensuring everyone involved in technology product and service delivery understands how to ensure things are as secure as they need to be. He believes that no one should have their personal data or money stolen or lose access to the vital services and products they depend upon from a security incident. As part of this mission he is project lead for the OWASP Open AppSec Curriculum, a joint industry and academia effort to define the essential security knowledge required for people involved in building software systems.
Expertise
- Digital Product Security
- Security Engineering
- Secure Product Management
- Secure Technology Leadership
- Training & Development
Industries
- Financial Services
- Banking
- Transport
- Telecoms
- Medical
- Retail
- Media
Skills & Certifications
- Enterprise Software Development
- Cloud Security & Architecture
- Technology Leadership
- Data Engineering
- Automation
Articles by Toby Irvine

Security, DevSecOps, DevOps
What is DevSecOps? (And DevOps)
The IT industry has a history of taking simple practices and turning them into monstrous delivery frameworks with little of the original left. We'll wind back to see what's really going on.


Security, Product, Quality
Securing the Digital Factory: Part 1
Analogies are terrible, but the factory one has shown some use in software engineering. Let's gird our analogous loins and take a look at how we secure this digital factory.


Security, Process
Chesterton's Fence, and Monkeys
It can be hard to know how to change your ways of working to be more secure. Here we look at the types of security controls and what monkeys have to teach us about processes.


Security, Organisations
How to Scale Product Security Across …
Your security team is overloaded. There are barely enough hours in the day to keep up with incoming requests, let alone improve ways of working. What's the cause of this?


Security, Networks
What is The Cloud? (it's Zero Trust)
The internet is a scary place. Thankfully we've got all our services on a private network and only accessible over a dedicated link. That's more secure, right? Right? Oh no...


Security, Process
The Chaos Butterfly of Security …
We specifically requested that things must be secure. It's detailed at length in our security policies and standards on Sharepoint. Why aren't things more secure?


Security, Delivery
The Biggest Misconception in …
Your instinct for safety isn't necessarily correct. Delivering slowly isn't more secure, it's fearful, and if you're afraid of changing a system then the system is not secure.


Security, Product, Organisations
Building a Culture of Quality, Not Just …
In this article we explore the concepts of quality and culture within an organisation. And, in a startling break with tradition, actually define what they are and how to change them.


Security, Product, Organisations
Number of Data Breaches is not a Good …
It's hard to manage product security if all you have is a lagging indicator of it. Reacting to data breaches is not planning ahead. How do you know that things are being built securely?
