Senior IT Security & Compliance CISO ISO 27001 TISAX NIS2 DORA AI Act CRA BSI IT-Grundschutz Penetration Testing ISMS BCM

• Implementation of group-wide patch and vulnerability management through orchestration of various tool sets like Qualys, Secunia SVR, Palo Alto Container Scanning, Airwatch MDM, Snyk
• Development of reporting dashboard with KPIs and KRIs for board, CISO and operations

• Incident response support for multi-phase spear phishing attack
• Crisis management through organization and support of crisis team including company-wide crisis communication and alerting
• IT forensics on servers, clients, SIEM and network infrastructure logs
• Operational incident response & recovery measures
• Lessons Learned: Creation of optimization points for crisis management and quick wins

• Implementation of vulnerability management in OT infrastructure and AWS cloud
• Process establishment and implementation support for Tenable.io
• Comprehensive security assessment and creation/validation of implementation measures
• Conducted security assessment in Microsoft Cloud against CIS Microsoft 365 Foundations Benchmark v1.2.0

• Evaluation of WAF solutions and effectiveness testing
• Application integration (manual and learning mode)
• Optimization of blacklist rules to increase block rate
• Optimization of input validation through WAF per application
• Configuration of bruteforce protection and IP blacklisting
• Connection to Kibana with ElasticSearch for monitoring and alerting
• Project management and implementation support

• Internal audit of documented ISMS and DSMS processes
• Gap identification and measures to ensure compliance
• ISMS and DSMS process improvement based on ISO 27001 and BSI IT-Grundschutz
• Quick wins creation and implementation support

• Gap analysis of ISMS according to ISO 27001 through document review, workshops and inspection
• Creation of optimized processes for risk assessment and management based on asset or process-based analyses considering individual organization
• Implementation management of quick wins and measures and certification support according to ISO 27001

• Analysis of ongoing security incident where attacker gained access to privileged Azure accounts
• Office 365 was used to send internal phishing emails and initiate CEO fraud attempts

• Industry-specific security workshops: Alignment of development processes with industrial IoT security requirements in mechanical engineering considering STRIDE threat modeling
• Proactive IIoT risk management using STRIDE threat modeling for early detection of security risks from networked machines
• Integrative security strategies for IIoT: Creation of robust security architecture ensuring secure data communication while protecting integrity and availability of mechanical engineering systems

As Public Speaker, certified ISO 27001 Lead Auditor, TISAX-, NIS2-, DORA-, KRITIS-BSIG-§8a-Auditor and BSI IT-Grundschutz Practitioner with over 15 years of consulting experience in IT security, information security and business continuity & emergency management for large and internationally operating companies from the finance, insurance, automotive, food, KRITIS and public sector industries. His focus areas are Information Security Management Systems, Business Continuity and Emergency Management as well as Risk Management according to established standards such as ISO 27001, IEC 62443, ISO 22301 and BSI IT-Grundschutz. He also has in-depth knowledge in Secure Development Lifecycle, Application Security, Vulnerability Management, Threat Modeling (STRIDE), Secure CI/CD, Cloud Security (M365, Azure, AWS, GCP), Identity and Access Management, Data Loss Prevention and Incident Response & Forensics, which he implements from strategy development through program management to operational, procedural and organizational topics.