Nikolaus Betzler - ICT Risk Management and Information Security

Langenfeld, Germany

Experience

Oct 2024 - Present

10 months

Independently developing policies, specifications, and concepts for ICT risk management and information security
Advising business units on ICT risk management and information security issues
Advancing the ICT risk management framework governing identification, assessment, and control of ICT risks
Evaluating and adapting the information security management system (ISMS) to new challenges
Conducting risk analyses to identify and assess potential ICT risks and information security risks for the Metzler Group
Advising on the definition and implementation of measures to minimize risks and improve ICT systems resilience
Ensuring compliance with relevant internal and external regulatory requirements (e.g., MaRisk, DORA, BAIT, BSI IT-Grundschutz, ISMS, ISO 27001, ISO 42001, ISO 27005, BCM ISO 22301)
Consulting on internal and cross-departmental projects, including SAP DORA compliance and Target2 as well as §8a BSI Act

Apr 2024 - Sep 2024

6 months

Berlin, Germany

Aligning ISMS processes with the contractor (ISO 27001 & BSI IT-Grundschutz)
Verification and collaboration in creating the “Network Management Platform” security concept
Advisory and point of contact for motorway security-related topics
Reporting to executive and program management
Technical support for audit processes in the information/IT security and data protection departments
Aligning processes for information/IT security and data protection
Supporting the integration of SIEM systems between client and contractor
Designing and establishing the integration of emergency management systems
Advising and collaborating on implementing information, IT security, and data protection requirements
Participating in audits and reviews based on BSI IT-Grundschutz
Advising on the advancement of KRITIS measures
Preparing and supporting the §8a audit

Oct 2023 - Mar 2024

6 months

Neuss, Germany

Supporting the migration from HiScout to ForumSuite (e.g., IS risk management tool)
ISMS, risk management, business continuity management, emergency management
Revising and improving the ISMS and BCM and ensuring audit-proof adjustments
Defining and implementing measures to remediate deficiencies and emergency plans
Advising on audit preparation
Reporting to department heads and executive management
Advising on DORA RTS/IST/guidelines, gap analysis
Advising on BSI IT-Grundschutz requirements and KRITIS audit (§8a BSI Act)
Advising on ISO/IEC 27001/27002 and ISO/IEC 22301
Creating a bank-specific target action catalog (BASI) and other guides (e.g., compliance, IT regulatory foundations)
Advising on BAIT, KAIT, VAIT, ISO 9001, and industry-specific security standards (B3S)

Oct 2022 - Sep 2023

1 year

Düsseldorf, Germany

Identifying and documenting gaps in the existing secure software development lifecycle
Defining a governance framework for a modern secure software development lifecycle based on DevSecOps principles and identified gaps
Analyzing and documenting gaps in centralized tooling for DevSecOps activities
Defining and documenting selection criteria for tools to close identified gaps based on industry-wide security standards
Creating a company-wide policy for the secure development lifecycle based on ISO 27001/ISO 27002 and NIST
Enhancing Azure cloud infrastructure and tooling (SAST, DAST, IAST, IaC, OWASP, MITRE, CERT, CSA)
Advising on the advancement of KRITIS measures
Acting as a liaison for auditors

Jan 2021 - Sep 2022

9 months

Heidelberg, Germany

Developing and implementing a certifiable information security strategy according to ISO 27001
Preparing presentations and business cases as decision-making basis
Establishing a certifiable ISMS according to ISO 27001 (BSI IT-Grundschutz/§8a BSI Act)
Managing consulting firms (PwC, DIOX, BDX, TGS, CBRE)
Managing information security incidents with reporting to executive management
Communicating and coordinating with internal cross-functional teams
Developing and refining security concepts and policies
Maintaining external communication with stakeholders and authorities
Implementing, maintaining, and enhancing the enterprise-wide risk management system
Considering and assessing relevant legal and regulatory requirements
Managing information security audits
Raising awareness for information security requirements through training programs
Advising on information protection and IT security requirements
Continuously improving and monitoring the ISMS system