Mark Curphey joins Microsoft's ACE Team

Mark joined ACE as of Oct. 1st and we're very glad to have him aboard! The following is a note from Mark: 

As is the tradition around these parts I wanted to introduce myself as the newest member of the ACE Team. My name is Mark Curphey and I’ll be heading up ACE Services in Europe and product managing a security product codenamed the Oxygen Security Platform that we'll be building. You’ll be hearing a lot more from me in the future about what we are doing, software security in general and the Oxygen Security Platform. I am working on a blog series about Balanced Scorecards for information security programs and planning on posting some work on finding the security genome here soon. 

For a little bit of background, I graduated from Royal Holloway, University of London with a Master's degree in Information Security in the mid-nineties (as a mature student). Royal Holloway is recently famous as the cryptography school where the cryptographer Sophie Neveu was educated in the bestselling novel “The Da Vinci Code” and home of the very credible information security group that have won the Queen's Anniversary Prize (among many other accolades). After spending several years working at various investment banks in the City of London working on a variety of technical projects including PKI design, Windows NT security, policy development and single sign-on systems, I moved to Atlanta to run a consulting team performing security assessments at Internet Security Systems (now IBM). In late 2000 I took a job at Charles Schwab to create and manage the software security program. Long before SDL was a common term I was responsible for ensuring the security of all business applications protecting over a trillion dollars of customer investments. It was quite a learning experience and a lot of fun. During this period I started OWASP, the Open Web Application Project which now has over 10,000 members globally and is recommended reading by the Federal Trade Commission and the National Institute for Standards (NIST). In 2003 I joined a small startup called Foundstone to take the experience I learnt at Schwab to their clients and built the software security team. The company was sold to McAfee in October 2004 and I stayed on to run all of Foundstone consulting reporting directly to the President of McAfee. I was awarded the Microsoft MVP for Visual Developer Security in 2005. Last November I left Foundstone, moved back to Europe and took some time out to think seriously about an information security management platform that an increasing number of clients had been asking for.
It could best be described as ERP for Information Security, the security management equivalent of what Visual Studio Team System is to software development or in more general terms an information security specific Governance Risk and Compliance platform. We have started the work on our plans for the product (codenamed the Oxygen Security Platform) and I will certainly be posting more about that in the future.

At some point in the future I am hoping to work with the rest of the team here at ACE to release a book about building software security programs for line of business applications and I am certainly hoping to be able to do more public speaking. Feel free to drop me a mail if you would like me to speak at an event. I do plan to continue to keep up my personal blog on general security topics.

I genuinely can’t tell you how excited I am to be here. I sit with the MSFT IT folks in the UK and right now they are configuring my new SmartPhone so I can use Windows Communicator Mobile 2007 via Bluetooth and the unified messaging platform to look up people’s phone number in the corp. directory using voice recognition from my car! It’s a little bit like James Bond’s Q branch around here!