Valeri Milke

DORA Readiness – Gap Analysis and Implementation for Banks

Bonn, Germany

Experience

Nov 2024 - Present
9 months

DORA Readiness – Gap Analysis and Implementation for Banks

Forvis Mazars

  • DORA gap analyses: conducting comprehensive inventories and identifying deviations from DORA requirements in various areas.
  • Deriving action plans: developing detailed roadmaps and prioritizing security-relevant tasks considering operational resources.
  • Implementation support: assisting with the introduction of new processes and technologies, regular progress checks, and quality assurance.
  • General requirements (governance, organizational foundations).
  • ICT risk management.
  • ICT-related incident management, classification, and reporting.
  • Digital operational resilience testing.
  • Management of ICT third-party risks.
  • Information sharing (e.g., threat intelligence).
  • Reporting processes to competent authorities and supervisors (BaFin).
  • Document review: auditing and optimizing existing policies, procedures, and documentation to meet DORA and relevant standards (e.g., ISO 27001).
  • Policy and procedure development: creating new policies for risk management, incident response, third-party security, etc., involving internal stakeholders.
  • Coordination with business units: working closely with IT, compliance, legal, and management to ensure company-wide acceptance and sustainable implementation.
Jul 2024 - Jan 2025
7 months

External Expert for IT Security and Compliance

Pfalzwerke AG

  • Implemented an information security management system (ISMS) based on ISO 27001, ensuring systematic risk management and data protection across the organization.
  • NIS2 readiness: ensuring compliance with the Network and Information Security Directive (NIS2) through structured assessments and security controls.
  • Conducted comprehensive gap analyses to identify areas of non-compliance with ISO 27001 and NIS2, focusing on critical infrastructure protection.
  • Developed and executed a detailed action plan to close identified gaps, including prioritizing security measures and allocating resources.
  • Policy and procedure development: drafting key security policies, including incident management, risk assessment, data protection, and third-party security aligned with ISO 27001 and NIS2.
  • Led implementation projects to enhance organizational security, supervised cross-functional teams, and ensured timely delivery of security initiatives.
  • Achieved NIS2 readiness: ensuring all operational, technical, and governance measures were in place to meet NIS2 requirements, including reporting obligations, risk assessments, and incident response strategies.
Mar 2024 - Jun 2024
4 months

External Freelancer

Deloitte

  • Implemented data loss prevention (DLP).
  • Managed and supported the deployment of Microsoft Purview Data Loss Prevention based on BAIT and DORA standards.
  • Developed DLP policies in accordance with BAIT and DORA, focusing on protecting sensitive financial and customer data.
  • Cloud security: integrated Microsoft 365 and Azure environments using MS Purview to comply with BAIT and DORA, ensuring secure data processing and monitoring in cloud services.
  • Implemented endpoint DLP to control and prevent data loss through unauthorized channels, including devices, storage, and third-party applications.
  • Created and delivered a DLP awareness campaign to educate employees on legal requirements (BAIT and DORA), safe data handling, and best practices in data protection.
  • Established data protection controls for email, document sharing, and collaboration tools to ensure compliance with BAIT and DORA resilience standards.
  • Continuous monitoring and response to DLP incidents, ensuring compliance and operational resilience per DORA.
Apr 2023 - Present
2 years 4 months

External Freelancer

TÜV Rheinland Group

  • Security consulting.
  • Managed and supported the TISAX certification process.
  • Implemented a bug bounty program.
  • Cloud security: implemented CSPM/CNAPP and container security solutions (Wiz, Aqua & Trend Micro).
  • Supplier management setup: integrated into procurement, defined security requirements for SaaS solutions, hosting and operations, software, and hardware; created contract annexes with security commitments.
  • Supported pentest planning including red teaming and TIBER tests.
  • Created various ISMS policies such as supplier management, vulnerability and patch management, cloud security according to ISO 27001:2022.
Oct 2022 - Present
2 years 10 months

ISO 27001, TISAX and §8a KRITIS Auditor

Dekra

  • Conducted ISMS certification audits against ISO 27001 and TISAX.
  • §8a audits for critical infrastructures: hospitals, pharmaceuticals, energy sector.
  • Served as lead and co-auditor.
Jan 2021 - Dec 2023
2 years

Group CISO (External Freelancer)

Berner Group

  • Chief Information Security Officer for the Berner Group covering 42 subsidiaries.
  • Managed an internal 15-person security team and coordinated partners, MSPs, and freelancers.
  • ISMS program management: implemented ISMS for the Berner Group according to ISO 27001, NIS2, DORA, TISAX, and BSI IT-Grundschutz using the Intervalid ISMS tool.
  • TISAX certification support per VDA ISA 6.0 and certifications for multiple EU sites.
  • Managed and evaluated RFPs for DLP, SIEM+SOC, EDR, vulnerability management, ISMS, penetration testing, and security awareness platforms including phishing campaigns (SoSafe, KnowBe4, Proofpoint).
  • Supplier management: developed policies and processes for third-party risk management, questionnaires, risk assessments, and embedding security requirements in contracts.
  • Monitored legal and regulatory IT security requirements.
  • Governance and KPIs.
  • Implemented and operated SIEM/SOAR + SOC, EDR, NDR, and vulnerability management.
  • Implemented a zero-trust architecture.
  • Vulnerability scanning and patch management.
  • Security awareness: deployed a tool-based awareness program with SoSafe including phishing campaigns.
  • Penetration testing: coordinated requirements, analysis, and recommendations for tests across the application and infrastructure landscape.
  • Cloud security: posture management, risk assessment, threat modeling using STRIDE, security assessment, and hardening of Azure infrastructure during a migration project from on-prem to Azure.
  • Supplier security: defined information security requirements for suppliers, hosting, software, hardware, and outsourced software development.
  • Secure web applications, apps, IoT, infrastructure, cloud, WAF & DDoS protection.
  • Asset management: designed and implemented a CMDB in ServiceNow.
  • Supported whistleblower software implementation under the German Whistleblower Protection Act, including policy and process.
Jan 2020 - Jan 2025
5 years 1 month

Associate Partner – Information Security Consulting

Insentis GmbH

  • Enhanced the information security management system (ISMS) based on ISO 27001, NIS2, DORA, B3S, TISAX, and BSI IT-Grundschutz.
  • Conducted comprehensive gap analyses to identify gaps and derive action plans according to the above standards and regulations, with governance and KPIs.
  • Vulnerability and patch management, security monitoring.
  • Risk analysis & threat modeling using STRIDE.
  • Third-party and supply-chain risk management: developed vendor risk assessments, implemented risk classifications, conducted supplier assessments, and deployed technical monitoring solutions (e.g., SecurityScorecard).
  • Cloud security: secured cloud environments, especially AWS and Azure; expertise in CSPM/CNAPP (Wiz), cloud migration, secure CI/CD pipelines, container security, and best practices in AWS, Azure, and Office 365.
  • Application security: penetration testing, DevSecOps, OWASP, pre-commit hooks, key & secret management, IDE plugins, static code analysis, dependency checks, container scanning, vulnerability management, CIS benchmarks & compliance.
  • Cloud security: security assessment and hardening per CIS benchmarks and Cloud Conformity in AWS, Office 365, and Azure.
Jan 2020 - Dec 2021
2 years
Luxembourg

Head of IT Security (Freelancer)

Encevo Group

  • Improved the information security management system (ISMS) regarding B3S (industry-specific security standards).
  • Cloud security: risk assessment, threat modeling with STRIDE, security assessment, and hardening of AWS infrastructure during an on-prem to AWS migration.
  • GDPR program management (EU GDPR), governance and KPIs.
  • Introduced lifecycle management for product security per IEC 62443.
  • Vulnerability scanning and patch management.
  • Concept, RfP & implementation of a data loss prevention (DLP) solution.
  • Information security requirements for suppliers, products, and hosting.
  • Application security: SAST, DAST, IAST, DevSecOps, OWASP, CWE, pre-commit hooks, key & secret management, IDE plugins, static source code analysis, dependency checks, container scanning, vulnerability management, CIS benchmarks & compliance.
  • Cloud security: security support in the AWS cloud migration project.
  • Implemented & operated SIEM/SOAR + SOC, EDR, NDR.
Feb 2016 - Dec 2020
3 years 11 months

Senior Information Security Consultant – Team Lead, Key Account Manager

@-yet GmbH

  • Team size: >15.
  • Information security management system (ISMS) and governance.
  • Interim CISO at a critical infrastructure company.
  • Internal audit per BAIT and supported external BAIT audit.
  • PMO for multiple security projects.
  • Risk analysis and threat modeling with STRIDE.
  • Incident response and forensics.
  • DevSecOps: pre-commit hooks, key & secret management, IDE plugins, static code analysis, dependency checks, container scanning, vulnerability management & scanning, security monitoring, CIS benchmarks & compliance.
  • Penetration testing, application security, OWASP, CWE, ISO 27034, mobile device security.
  • Cloud security: cloud migration projects, AWS, Azure, Office 365, Google Cloud.
  • Security awareness: training and simulated phishing and attacks.
  • Implemented a data loss prevention (DLP) solution.
Jan 2009 - Jan 2016
6 years 1 month

Senior IT Security Consultant

softScheck GmbH

  • Led a team of 6; public speaking.
  • Key account management, client acquisition.
  • Threat modeling of BSI TR-03109 for SMGW using STRIDE for the BSI.
  • Application security and vulnerability management.
  • SSDLC, security development lifecycle, ISO 27034.
  • Penetration testing and fuzzing.
  • Static code analysis.
  • Web application security, OWASP, JavaEE.
  • Mobile security, iOS, Android, MSTG, MASVS, backend.
  • Threat modeling, security architecture, and infrastructure.
  • Hardening production deployment, security requirements.
Jan 2009 - Dec 2009
1 year

Research Associate

University of Applied Sciences Bonn-Rhein-Sieg

  • BMBF research project SoftSCheck.
  • Threat modeling.
  • Penetration testing.
  • Dynamic analysis and fuzzing.
  • Security tool evaluation.
Jan 2008 - Dec 2009
2 years
Bonn, Germany

Working Student

Hubwoo

  • SAP-based procurement solutions.
  • Penetration testing.
  • Threat modeling.
  • Technical security assessments.
  • Project coordination.
  • Level 2 customer support.
Jun 2007 - Sep 2008
1 year 4 months
Sankt Augustin, Germany

Internship

Fraunhofer IAIS

  • Framework for autonomous underwater vehicles.
  • Wire-frame modeling.
  • AI & physics engines.
  • Security evaluation.

Threat Analysis of JavaEE-Based Web Application

  • Conducted threat analysis of a JavaEE-based web application for global use and various scenarios using the STRIDE methodology. Developed technical and process-oriented countermeasures following the defense-in-depth principle.

Threat Analysis of Global Maintenance Platform for Machines

  • Threat modeling according to STRIDE, including threat assessment, risk mitigation measures, and prioritization based on risk and mitigation effort.

Threat Modeling of Smart Meter Gateway

  • As part of a BSI project, performed threat analysis of a smart meter gateway reference design using threat modeling and enhanced the security architecture with additional measures. Threat scenarios included Local Metrological Network (LMN), Home Area Network (HAN), and Wide Area Network (WAN).

Threat Modeling for Distributed Applications: Agenda – Broker Architecture

  • Reviewed and enhanced the architecture of a distributed remote support application serving >300,000 client devices.

Consulting on Security Development Lifecycle (SDL)

  • Advised on secure development processes, including threat analysis, architecture review, code review, pentests, and deployment hardening.

Evaluation of DLP Technology

  • Conducted in-depth evaluation of various DLP solutions, including Forcepoint and Symantec, for a mid-sized company.

Evaluation of UUID Generation Methods for Healthcare

  • Performed suitability assessment and evaluation of various UUID generation methods to ensure document uniqueness in healthcare using cryptographic and mathematical tools like the Laplace formula.

Blackbox App Security Assessment (iOS and Android)

  • Security assessment of a banking app for iOS and Android, including all interacting backend systems.

Blackbox Offsite Pentest & Spearphishing

  • Conducted a simulated spearphishing attack as an awareness and hardening measure. Executed extensive blackbox offsite penetration testing.

Cloud Forensics: Azure & Office 365

  • Analyzed an active security incident where an attacker gained access to privileged Azure accounts. Detected internal phishing emails sent via Office 365 and CEO fraud attempts. Reviewed Azure logs, cloud app security logs, alert rule configurations, and internal monitoring systems such as SIEM, Graylog, firewalls, Cylance, Proofpoint TAP, and onsite domain security checks with Voyeur.

Code Review of Banking Software

  • Performed manual and automated code reviews of banking software using AppScan Source. Languages: Java, Perl, PHP, JavaScript; platforms: Vagrant, Maven, Gradle.

DLP Optimization and Fine-Tuning

  • Optimized an existing DLP infrastructure for a technology company to minimize false positives and maximize data protection control efficiency.

Development of Security Concept for iOS App including Backend and MDM Integration

  • Developed a security concept for deploying an iOS app in a rollout, including backend systems and integration with the AirWatch mobile device management solution.

Development of Security Concept for In-House iOS App with MDM Integration and Backend API

  • Created a security concept for an in-house iOS app with AirWatch MDM integration, corresponding backend web API, and administration web app. Defined MUST-have requirements for go-live and prioritized SHOULD-have requirements for future enhancement. Conducted security assessment of the iOS app, backend (REST API), and admin web app, and performed holistic threat modeling using STRIDE.
Hybrid

Development of Security Concept for Migration to Microsoft Cloud (Azure + Office 365)

  • Advised on migrating internal IT infrastructure to Microsoft Cloud (Azure + Office 365) as part of a hybrid architecture. Created a security concept and hardened environment per Microsoft best practices and CIS benchmarks. Conducted compliance check to verify implementation of security concept measures.

Design of Custom DLP Strategy

  • Developed a tailored DLP strategy for a healthcare company to protect patient data while enabling seamless data exchange within the organization.

Business Continuity Management System for KRITIS Company: B3S Pharma

  • Implemented a KRITIS-compliant BCMS including disaster recovery per ISO 22301 based on BSI IT-Grundschutz for a pharmaceutical company (B3S: industry-specific security standards pharma). Conducted current state assessment and gap analysis. Managed programs to achieve ISO 22301 and B3S Pharma compliance.

Creation of Secure Web Development Guide per OWASP, CWE/SANS and BSI

  • Created a secure web development guide following OWASP, CWE/SANS, and BSI principles for in-house development and outsourced projects.
Remote

Forensic Analysis of Security Incident: Cryptojacking

  • Analyzed an ongoing security incident where attackers used remote support solutions to infiltrate the network, moved laterally, and infected ~10,000 systems with cryptocurrency mining malware. Identified the attack path and event sequence, determined infected systems, and defined remediation and containment measures.

Fuzzing of Human-Machine Interface (HMI)

  • Fuzzed an HMI using SNMP, DNP3, and PROFINET protocols.

Fuzzing of a Siemens SIMATIC S7 PLC

  • Fuzzed a Siemens SIMATIC S7 PLC via the SNMP interface and developed a Metasploit fuzzing module and exploit module as a PoC for a discovered vulnerability.

Forensic Court Case: Windows and Android Client

  • Investigated suspected illegal activity on a workstation and an Android smartphone of a works council member, analyzing the devices for illicit behavior. Findings were used in court proceedings.

Hardening a Cloud-Based IT Infrastructure in Microsoft Azure

  • Security assessment of a cloud-based IT infrastructure with Azure AD, Dynamics, Office 365, custom VNets, and servers. Reviewed role and permission concepts, authentication methods (MFA), session management, SIEM, monitoring, and alerting.

ISMS Gap Analysis per ISO 27001

  • Conducted ISO 27001 gap analysis, identified quick wins, and derived measures to achieve ISO 27001 compliance.

Implementation of a KRITIS-Compliant ISMS per ISO 27001 and BSI IT-Grundschutz

  • Implemented a KRITIS-compliant ISMS per ISO 27001 and BSI IT-Grundschutz for an energy company (B3S: industry-specific security standards energy). Performed current state assessment and gap analysis. Managed programs to achieve BSI IT-Grundschutz 2019 compliance. Supported certification against ISO 27001 and BSI IT-Grundschutz 2019.

Interim CISO

  • Served as interim Chief Information Security Officer at a KRITIS subsidiary of a global corporation. Established an ISMS per ISO 27001 and B3S. Conducted risk analyses. Communicated with CISOs of other group subsidiaries.

Internal Audit per BAIT

  • Conducted internal audit per BAIT, identified quick wins, and derived measures to achieve BAIT compliance.

KRITIS Penetration Testing

  • Conducted internal and external penetration tests at an energy utility (KRITIS company).

Design and Implementation of Secure Development Lifecycle & Product Security per IEC 62443 including Certification Support

    1. Processes/Security: Implemented a practical secure development process aiming for IEC 62443-4-1 Level 3 certification by end of 2024.
    2. System Architecture/Product Security: Led security workshops and developed threat models to achieve IEC 62443-3-3 SL(C)2 certification for systems by mid-2026.
    3. Training and Awareness: Developed and delivered training programs to enhance internal security competencies.

Concept Review of File Service Web Platform

  • Assessed the design of a custom file-service web platform for data uploads/downloads using a client-based authorization concept.

Migration of a Fintech Application to a Kubernetes Container and Deployment in Amazon AWS Cloud

  • Provided architecture and DevSecOps consulting for secure migration of a fintech app to a Kubernetes container and deployment in AWS. Hardened per CIS benchmarks. Performed dynamic security testing post-migration. Implemented secure CI/CD pipeline, pre-commit hooks, key & secret management, IDE plugins, static code analysis, dependency checks, container scanning, vulnerability management & scanning, security monitoring, CIS benchmarks & compliance.

Migration to a Cloud-Based Virtual Firewall

  • Designed a migration to a cloud-based virtual firewall. Performed system and network forensics to identify compromised systems before the target architecture go-live within the cloud firewall. Post-migration, conducted penetration testing and compliance checks against the security concept.

Office 365 Migration & Licensing

  • Migrated Microsoft infrastructure to Office 365 and Azure AD. Selected appropriate heterogeneous licenses based on business and security requirements. Created security concept and conducted compliance audit.

Penetration Testing Energy Utility (KRITIS Company)

  • Assessed a test system of an energy utility with 8 networks, firewalls, multiple management interfaces, HTTP, RTU, ICCP, IEC 60870-5-104.

Penetration Testing Bank Software

  • Performed over 20 penetration tests on various banking applications for a major German bank. Conducted both blackbox and whitebox tests with provided credentials and test data on internal and customer-facing applications.

Pentest of Online Banking Web Platform

  • Conducted penetration test on an online banking web platform and a corresponding Android banking app built with Apache Cordova. Blackbox and whitebox testing per OWASP Testing Guide v4.

RFP Process and DLP Implementation

  • Developed a compelling proposal, conducted thorough vendor evaluations, and oversaw the successful deployment of a robust DLP solution for a multinational financial institution.

Incident Response: IT Fraud

  • Led incident response project for an IT fraud case involving email phishing. Investigations included email header analysis, log analysis, attacker IP analysis, and intelligence gathering. Remediation involved email server and system hardening and awareness measures via phishing campaign.

Crisis Awareness Campaign

  • Planned and supported a crisis awareness campaign and evaluated crisis communications. Developed BCM measures and optimized related processes.

Security Assessment of Cloud Single Sign-On Implementation in Online Banking Applications

  • Security evaluation of a cloud-based single sign-on implementation (Verimi) in an online banking web application and mobile apps (Android & iOS). Identified vulnerabilities and developed measures for secure implementation.

Security Assessment of Supplier Relationship Management

  • Full security assessment including architecture review, penetration testing, configuration review, and deployment hardening.

Security Assessment of Branch Banking App (iOS and Android)

  • Security assessment of a banking app for iOS and Android, including all backend interactions for in-branch use.

Security Assessment of Newly Developed iOS App for Insurers including Azure SSO Authentication

  • Provided architecture guidance and concept review for an iOS application for insurance agents. Conducted threat analysis using STRIDE, penetration testing, and configuration review of servers, Azure ADFS, and DenyAll-rWeb WAF.

Security Assessment per ISO 27001 and BSI IT-Grundschutz

  • Conducted a security assessment of enterprise IT including in-house software development at a financial service provider.

Security Testing of Mobile Device Management Solution

  • Security testing of an MDM solution, focusing on bypassing root detection and malware installation.

Security Testing of Robotic Operating System

  • Security testing of the ROS framework on an example robot (Trossen Robotics – PhantomX Reactor).

Security Testing of Industrial VPN Gateway IGW/922 by SSV

  • Verified protection mechanisms of a VPN gateway via penetration testing and fuzzing; reviewed management interface.

Security Testing of Airlock WAF at Ergon Informatik AG

  • Reviewed filter rules for completeness (blacklisting & whitelisting) against current web application threats and tested Airlock WAF for vulnerabilities.

Security Testing of a Game App (Android and iOS) with 10–50M Downloads

  • Whitebox testing of a game app for Android, iOS, backend server, and internal admin interface accessible via VPN.

Security Testing of Web Application Firewalls

  • Reviewed a WAF for vulnerabilities and completeness of protections against current web attacks per OWASP Web Application Testing Guide. Used various target apps: custom, WebGoat, DVWA, Hackazon, Vulnerawa, Mutillidae.

Cloud Security Strategy

  • Implemented a cloud security strategy as a security control per BSI C5. Conducted risk analysis to inventory cloud assets. Target platforms: Azure, Office 365, AWS, GCP.

Symantec DLP Implementation

  • Successfully deployed Symantec DLP for a global financial institution to protect confidential data and meet compliance requirements.

VoIP Infrastructure Testing (Cisco)

  • Blackbox penetration test for a newly introduced Cisco VoIP system.

Threat Modeling of BSI TR-03109 for SMGW using STRIDE for the BSI

Comprehensive DLP Implementation and Training

  • Deployed a comprehensive McAfee DLP solution for a Fortune 500 company and trained employees to ensure understanding and adherence to new security policies.

Support and Lead External Audits per BAIT

  • Supported and led external BAIT audit as lead auditor, identified quick wins, and derived compliance measures for BAIT.

WAF Hardening and Rule Review

  • Reviewed a web application firewall protecting banking software for sufficient hardening and black/whitelisting rules using fuzzing and current attack strings; optimized for brute-force and DoS protection.

Whitebox Penetration Test and Code Review of Messenger App (iOS and Android)

  • Conducted whitebox pentests and code review of a messenger app for iOS and Android, its backend HTTP API, and web-based admin portal.

Workshop: Secure Development per ISO 27034

  • Delivered a two-day workshop on secure development per ISO 27034 and Microsoft SDL.

Workshop: Web Application Security Testing

  • Provided two-day workshops on web application security testing, including hands-on exercises with Burp Suite and WebGoat.

Architecture Review and Risk Analysis via Threat Modeling for Banking Software

  • Reviewed technical architecture and performed risk analysis using STRIDE threat modeling for banking software.
  • Standard: MaRisk.

Summary

Valeri Milke is Managing Director of VamiSec GmbH, which specializes in consulting and certifying companies in information security and compliance. His focus has always been on integrating IT security and compliance. He advocates establishing an ISMS and IT security measures according to the state of the art to reduce actual cyber risk, protecting assets, ensuring compliance, and fostering innovation. His expertise includes ISMS and securing cloud and on-premise environments according to ISO 27001, TISAX, and BSI IT-Grundschutz, as well as developing comprehensive strategies for risk management, third-party risk management, and incident response. He has a special focus on compliance with new regulations such as DORA, NIS2, CRA, and the AI Act.

Languages

English
Advanced
German
Intermediate

Education

Oct 2006 - Jun 2010

University of Applied Sciences Bonn-Rhein-Sieg

Bachelor of Science · Computer Science · Germany · 1.3

Certifications & licenses

BSI IT-Grundschutz Practitioner

BSI IT-Grundschutz

Company Data Protection Officer

IHK

Cloud Security Expert

CeLS

NIS2 Directive Expert

TÜV Nord

ISMS Lead Auditor per ISO 27001

TÜV Rheinland AG

AI Officer (EU AI Act)

BEN DIGITAL

Communication Management

WPC

Penetration Testing (IP Networks)

CeLS

Penetration Tester (Web)

CeLS

Project Management

Project Management Institute (PMI)

QS Day – Non-Functional Testing

QS Tag

Certified Auditor per BSIG §8a (KRITIS – Critical Infrastructures)

Certified Data Protection Officer per EU GDPR

IHK

Certified Whistleblowing Officer per German Whistleblower Protection Act

Ifb Hinweisgeberschutz-Gesetz

Additional Audit Procedure Competence for §8a (3) BSIG