
About Jörg

Profile
Experienced Information Security and IT Governance professional with 20+ years of international consulting and leadership in cybersecurity, risk management, regulatory compliance, and IT service management. Proven expertise in critical infrastructure (finance, insurance, telecom, energy) and extensive certifications in ISO, ITIL, COBIT, PRINCE2, CISA, SCRUM. Skilled at aligning IT strategies with business goals, managing complex projects, and ensuring compliance with EU and local regulations (DORA, NIS2, GDPR, AI Act, KRITIS).

Key Experience
• Certified Information Security Officer, Allianz Suisse AG (2024–present)
Supports CISO in compliance, risk assessments, IT security framework management, and regulatory alignment (EU & FinMa).
• Owner/Consultant, ICT Project & Governance Consulting (Estonia & Finland, 2011–present)
Delivered IT governance, compliance, and risk projects for major banks, insurers, and automotive clients across Europe. Conducted audits (ISO 27001, ISO 20000, GDPR, IEC 62443, TISAX).
• Managing Director, Marabu Information Technology (1996–2009)
Led IT consulting and outsourcing services for banks, insurers, and SMEs. Oversaw teams, budgets, ITIL-based process improvements, and IT security projects.

Certifications
• Certified ISO 27001 Auditor, ISO 20000 Auditor, ITIL Expert, PRINCE2 Practitioner, SCRUM Master/Product Owner, CISA, COBIT (Foundation & Practitioner).
• Ongoing advanced training in IT security, data privacy, and regulatory compliance (latest in 2024).

Languages
• German (native), English (C2), Italian (B2), Dutch (B2), French (B1–B2).

Core Skills
• IT Governance & Compliance (EU & international frameworks).
• Cybersecurity & Data Protection (ISO 27000, GDPR, DORA, NIS2, AI Act).
• Risk Management & Third-Party Risk Assessments.
• Project & Program Management (PRINCE2, SCRUM, SAFe, Kanban).
• Multicultural stakeholder management, leadership, and training.
  • German: Native or bilingual
  • English: Fluent
  • Italian: Conversational
  • French: Basic
  • Dutch: Basic

Can work on-site
Düsseldorf (up to 50km), Frankfurt am Main (up to 50km), Hamburg (up to 50km), Zaventem (up to 50km), Arnhem (up to 50km)

Experience

  • Allianz Suisse AG
    Certified Information Security Officer
    BANKING AND INSURANCE
    March 2024 - Today (2 years and 3 months)
    Zurich, Switzerland
    • Controlling the implementation of IT security controls in the Software Development Life Cycle (SDLC) in cooperation with the Data Protection Office, IT Architecture and the Project Management Organisation;
    • Controlling the implementation of IT security controls in IT Operations (Application and IT Service Operations, DevOps, Backup and Recovery, Disaster Recovery, Identity and Access Management (IAM), data encryption (data in transit/data at rest), key and certificate management, CA operation);
    • 3rd Party Risk Management;
    • Supporting CISO, Portfolio and Risk Management in aligning Portfolio, Project and Operational Risk Management processes within the SDLC according to ITIL/ISO 20000;
    • Implementation of new/additional IT Security Controls and Quality Gates required by regulatory bodies (FINMA (CH), BaFin (DE), DORA (EU), NIS2 (EU)) into the SDLC and CI/CD pipelines, such as STRIDE analysis, security design patterns, cloud design patterns, SAST/DAST testing;
    • Supporting CISO in adapting the IT Security and IT Risk Management Framework to new technical and organisational requirements (e.g. cloud strategy, Artificial Intelligence (AI));
    • Evaluation of possibilities for the use of AI in IT security (e.g. STRIDE threat modeling); review of documents related to the IT Security and Risk Management Framework (policies, security practices, work instructions);
    • Managing internal and regulatory audit findings (management and controlling of mitigation projects and measures).
    DORA, NIS-2, ISAE 3402, SOC1, GDPR, Swiss Data Protection Act, AI Act, KritisV, VAG, ITIL, ISO 20000, COBIT, ISO 27001, NIST, NIST Cybersecurity Framework, Business Continuity Management, Backup and Recovery, Disaster Recovery, Cloud IAM, AWS, MS Azure, OpenAI, Google Gemini
  • BNP Paribas Fortis
    IT Security Analyst / Project Manager
    BANKING AND INSURANCE
    March 2023 - February 2024 (11 months)
    Brussels, Belgium
    • Responsible for remediation of Audit Findings in the field of Application Vulnerability detection and management (Source Code Scan, DAST, SAST, SCA, Vulnerability Scanning):
    • Analysis of Audit Findings and requested/agreed remediations
    • Analysis and documentation of process chains, involved applications and interfaces, and exchanged information artefacts, as well as organisational topics across the IT organisation.
    • Development of improvement measures regarding the orchestration of applications and teams (squads).
    • Alignment of technical details with the involved IT teams and Internal Audit.
    • Technical and organisational definition of project plans and monitoring the implementation progress.

    • Contributing to the migration activities of the Fortis SAST/DAST tool-landscape towards the desired BNP Group tool landscape.
    • Involved in the development and roll-out of a software feature validation process (Quality Gates) regarding business related web-applications (Web Application Vulnerability Assessment) within the Release Management Processes.
    BMC Discovery, CMDB, Qualys, SAST, DAST, Titanium, Bitsight, Sysdig, Fortify, NexusIQ, Archer, SOC1, ISO 27000, SOX, EuroSox, ITIL, Scrum, Prince 2, SAFe, Continuous Development, Continuous Integration, CI/CD, SecDevOps
  • E.ON
    GDPR Auditor/Enterprise Architect
    ENERGY AND UTILITIES
    November 2018 - December 2019 (1 year and 1 month)
    Essen, Germany
    - Drafting a three-stage architecture of an audit programme to inspect group-internal and external GDPR-relevant data-processing activities:
    • Inventory and consolidation of sources dealing with contracts and processing activities;
    • Drafting a classification schema for processing activities;
    • Matching internal catalogues of technical and organisational measures (TOMs (Security/Data Privacy Instructions and Controls)) with the processing-activities classification schema.
    • Development of a procedure to determine appropriate sample sizes;
    • Working out a method, combining self-assessments and audits, to work through the identified audit sample;
    • Elaboration of a procedure for the selection of audit candidates;
    • Estimation of the required resources to implement and run the audit program.

    - Conducting IT/OT and data-protection audits to verify the feasibility of the proposed audit program and to determine the adequacy of the technical and organisational measures (TOMs):
    • Screening of framework contracts and individual orders, TOMs, process descriptions, work instructions regarding the particular concerned data-processing;
    • Checking internal and external processing registers;
    • Examination of documentation regarding the lawfulness of the processing activities;
    • Interviews and on-site visits;
    • Documentation of findings;
    • Development of follow-up measures;
    • Preparation of audit reports;
    • Implementation of the follow-up measures.
    - Participation in the technical specifications for the program's IT support.
    GDPR, ENWG, KritisV, ISO 27001, 27002, 27005, 27019, IEC 62443, ISO 20000, ITIL, Encryption, Anonymization, Data minimization, Rights of the Data Subject, Erasure Concepts, Access Concepts, Authorization Concept, Register of processing activities, Lawfulness of Processing Concepts, IT security instructions, IT security controls, Data privacy instructions and controls



Education

  • Mathematics and Computer science
    Free University of Berlin, Germany
    1995

Certifications

  • GDPR Auditor
    Quality Austria
    2019
  • ISO 27000 Auditor in IT Security Management Systems
    TÜV Akademie Germany
    2013
