Valeri M.

DORA Readiness – Gap Analysis and Implementation for Banks

Bonn, Germany

Experience

Oct 2022 - Present
3 years

ISO 27001, TISAX and §8a KRITIS Auditor

Dekra

  • ISMS certification audits according to ISO 27001 and TISAX.
  • §8a audits for KRITIS: hospitals, pharmaceuticals, energy sector.
  • Work as lead and co-auditor.
Jan 2020 - Jan 2025
5 years 1 month

Associate Partner - Information Security Consulting

Insentis GmbH

  • Improvement of the information security management system (ISMS) based on ISO 27001, NIS2, DORA, B3S, TISAX and BSI IT Baseline Protection.
  • Conducting comprehensive gap analyses to identify gaps and derive action plans according to the above standards and regulations, management and KPIs.
  • Vulnerability and patch management, security monitoring.
  • Risk analysis & threat modeling using STRIDE.
  • Third-party and supply-chain risk management: development of vendor risk assessments, implementation of risk classifications, supplier assessments and technical monitoring solutions (e.g., Security ScoreCard).
  • Cloud security: securing cloud environments, especially AWS and Azure. Expertise in CSPM/CNAPP (Wiz), cloud migration, secure CI/CD pipelines, container security and best practices in AWS, Azure and Office 365 environments.
  • Application security: penetration testing, DevSecOps, OWASP, pre-commit hooks, keys & secrets management, IDE plugins, static source code analysis, dependency checks, container scanning, vulnerability management, CIS benchmarks & compliance.
  • Cloud security: security assessment and hardening according to CIS benchmarks and Cloud Conformity in AWS, Office 365 and Azure.
Feb 2016 - Dec 2019
3 years 11 months

Lead Information Security Consultant - Team Lead, Key Account Manager

@-yet GmbH

  • Team size: >15.
  • Information security management system (ISMS) and governance.
  • Interim CISO at a KRITIS company.
  • Internal audit according to BAIT and support of external BAIT audit.
  • PMO for multiple security projects.
  • Risk analysis and threat modeling using STRIDE.
  • Incident response and forensics.
  • DevSecOps: pre-commit hooks, keys & secrets management, IDE plugins, static code analysis, dependency checks, container scanning, vulnerability management & scanning, security monitoring, CIS benchmarks & compliance.
  • Penetration testing, application security, OWASP, CWE, ISO 27034, mobile device security.
  • Cloud security: cloud migration projects, AWS, Azure, Office 365, Google Cloud Platform.
  • Security awareness: phishing and attack simulations.
  • Implementation of a data loss prevention (DLP) solution.
Jan 2010 - Jan 2016
6 years 1 month

Senior IT Security Consultant

softScheck GmbH

  • Team lead for 6 people, public speaking.
  • Key account management, client acquisition.
  • Threat modeling of the BSI TR-03109 for SMGW using STRIDE for the BSI.
  • Application security and vulnerability management.
  • SSDLC, security development lifecycle, ISO 27034.
  • Penetration testing and fuzzing.
  • Static source code analysis.
  • Web application security, OWASP, JavaEE.
  • Mobile security, iOS, Android, MSTG, MASVS, backend.
  • Threat modeling, security architecture and infrastructure.
  • Hardening of production implementation, security requirements.
Jan 2009 - Dec 2009
1 year

Research Associate

Hochschule BRS

  • BMBF research project SoftSCheck.
  • Threat modeling.
  • Penetration testing.
  • Dynamic analysis and fuzzing.
  • Evaluation of security tools.
Jan 2008 - Dec 2009
2 years
Bonn, Germany

Working Student

Hubwoo

  • SAP-based procurement solutions.
  • Penetration testing.
  • Threat modeling.
  • Technical security assessments.
  • Project management.
  • Level 2 customer support.
Jun 2007 - Sep 2008
1 year 4 months
Sankt Augustin, Germany

Internship

Fraunhofer IAIS

  • Framework for autonomous underwater vehicles.
  • Wire-frame modeling.
  • AI & physics engines.
  • Security evaluation.

Threat Analysis of JavaEE-based Web Application

  • Threat analysis of a JavaEE-based web application for global use and different scenarios using STRIDE. Developed technical and process measures for risk/threat mitigation following defense-in-depth principles.

Threat Analysis for Global Machine Maintenance Platform

  • Threat modeling using STRIDE, including threat assessment, risk mitigation measures and prioritization based on risk and effort.

Threat Modeling Smart Meter Gateway

  • For a BSI project, performed threat modeling on the reference design of a smart meter gateway and enriched the security architecture with additional controls. Threat scenarios included Local Metrological Network (LMN), Home Area Network (HAN) and Wide Area Network (WAN).

Threat Modeling for Distributed Apps: Agenda-Broker Architecture

  • Reviewed and enhanced the architecture of a distributed remote support application serving >300,000 client devices.

Consulting on Secure Development Lifecycle (SDL)

  • Advice on secure development processes, including threat analysis, architecture review, code review, pentests, deployment hardening.

Evaluation of DLP Technology

  • Performed a thorough evaluation of various DLP solutions, including Forcepoint and Symantec, for a mid-sized company.

Evaluation of UUID Generation Methods for Healthcare

  • Conducted suitability assessment and evaluation of various UUID generation approaches to ensure document uniqueness in healthcare. Evaluation based on cryptographic and mathematical methods such as the Laplace formula.

Blackbox App Security Assessment (iOS and Android)

  • Security assessment of a banking app for iOS and Android including all interacting backend systems.

Blackbox Offsite Pentest & Spearphishing

  • Simulated spearphishing attack as an awareness and hardening measure. Conducted extensive blackbox offsite penetration test.

Cloud Forensics: Azure & Office 365

  • Analysis of an active security incident where an attacker gained access to privileged Azure accounts. Office 365 was used to send internal phishing emails and launch CEO fraud attempts. Reviewed Azure logs, Cloud App Security logs, configured alert rules; analyzed internal monitoring systems like SIEM, Graylog, firewalls, Cylance, Proofpoint TAP and on-prem domain security checks with Voyeur.

Code Review of Banking Software

  • Manual and automated code review of banking software using AppScan Source. Languages: Java, Perl, PHP, JS and various build platforms like Vagrant, Maven, Gradle.

DLP Tuning and Optimization

  • Optimized an existing DLP infrastructure for a technology company to minimize false positives and maximize data protection efficiency.

Development of Security Concept for iOS App including Backend and MDM Integration

  • Developed a security concept for rolling out an iOS app, including backend systems and integration with AirWatch MDM solution.

Security Concept for In-house iOS App with MDM and Backend API

  • Created a security concept for a corporate iOS app with AirWatch MDM integration, backend web API and admin web portal. Defined MUST requirements for go-live and prioritized SHOULD requirements for future enhancements. Conducted security assessment of the iOS app, REST API and admin portal, and performed a holistic threat analysis using STRIDE.
Hybrid

Security Concept for Migration to Microsoft Cloud (Azure + Office 365)

  • Advised on migrating internal IT infrastructure to Microsoft Cloud as part of a hybrid architecture. Created security concept and hardened environment according to Microsoft best practices and CIS benchmarks. Conducted a compliance audit to verify implementation.

Design of Custom DLP Strategy

  • Developed a tailored DLP strategy for a healthcare organization to protect patient data while enabling seamless data exchange.

Business Continuity Management System for KRITIS Pharma Company

  • Implemented a KRITIS-compliant BCMS including disaster recovery according to ISO 22301 based on BSI IT Baseline Protection for a pharmaceutical company. Conducted status review and gap analysis. Managed programs to achieve compliance with ISO 22301 and B3S Pharma standards.

Security Guidelines for Secure Web Development

  • Created security guidelines for secure web development based on OWASP, CWE/SANS and BSI standards, covering in-house development and outsourced projects.
Remote

Forensic Analysis of Security Incident: Cryptojacking

  • Investigated an incident where attackers used remote support solutions to infiltrate the network, spread laterally and infect ~10,000 systems with crypto-mining malware. Determined the attack path and timeline, identified infected systems and defined cleanup and containment measures.

Fuzzing of Human-Machine Interface (HMI)

  • Fuzzed an HMI over SNMP, DNP3 and PROFINET protocols.

Fuzzing of Siemens Simatic S7 PLC

  • Fuzzed a Siemens SIMATIC S7 PLC via SNMP interface and developed a Metasploit fuzzing module and exploit PoC for an identified vulnerability.

Forensic Court Case: Windows and Android Client

  • Examined a workstation and Android smartphone of a works council member for suspected illegal activity. Findings were used in court.

Hardening of Cloud-based IT Infrastructure on Microsoft Azure

  • Security assessment of Azure AD, Dynamics, Office 365, custom VNets and servers. Reviewed role & permission model, MFA, session management, SIEM, monitoring and alerting.

ISMS Gap Analysis to ISO 27001

  • Conducted gap analysis according to ISO 27001 and identified quick wins and actions to achieve compliance.

Implementation of KRITIS-compliant ISMS to ISO 27001 based on BSI IT Baseline Protection

  • Implemented a KRITIS-compliant ISMS for an energy company (B3S Energy) per ISO 27001 and BSI IT Baseline Protection. Conducted status assessment, gap analysis and managed programs for compliance. Supported certification to ISO 27001 and BSI IT Baseline Protection 2019.

Interim CISO

  • Interim Chief Information Security Officer at a KRITIS subsidiary of a global corporation. Established an ISMS per ISO 27001 and B3S, conducted risk analyses and coordinated with CISOs of other subsidiaries.

Internal BAIT Audit

  • Conducted internal audit per BAIT, identified quick wins and actions to achieve compliance.

KRITIS Penetration Testing

  • Internal and external penetration tests at an energy utility (KRITIS company).

Design and Implementation of Secure Development Lifecycle & Product Security per IEC 62443

    1. Processes/Security: Implemented a practical secure development process aiming for IEC 62443-4-1 Level 3 certification by end of 2024.
    2. System Architecture/Product Security: Conducted workshops and threat modeling to target IEC 62443-3-3 SL(C)2 certification by mid-2026.
    3. Training & Awareness: Developed and delivered training programs to enhance internal security skills.

Review of File Service Web Platform Concept

  • Concept review of a custom file-service web platform for uploading/downloading data with client-based authorization.

Migration of Fintech App to Kubernetes on AWS

  • Architecture and DevSecOps consulting for migrating a fintech app to Kubernetes on AWS. Hardened per CIS benchmarks, performed dynamic security testing post-migration. Implemented secure CI/CD pipeline, pre-commit hooks, keys & secrets management, IDE plugins, static code analysis, dependency checks, container scanning, vulnerability management, security monitoring, CIS benchmarks & compliance.

Migration to Cloud-based Virtual Firewall

  • Designed migration to a cloud-based virtual firewall. Performed forensics on systems and network traffic to identify compromised hosts before go-live. After migration, conducted penetration test and compliance checks against the security concept.

Office 365 Migration & Licensing

  • Migrated Microsoft infrastructure to Office 365 and Azure AD. Selected heterogeneous licenses based on business and security needs. Created security concept and performed compliance audit.

Penetration Testing for Energy Provider (KRITIS)

  • Assessed test network of an energy utility with 8 networks, firewalls, multiple management interfaces, HTTP, RTU, ICCP, IEC 60870-5-104.

Penetration Testing of Banking Software

  • Performed over 20 penetration tests on various banking applications at a major German bank. Blackbox and whitebox with provided credentials and test data, covering internal and customer-facing applications.

Pentest of Online Banking Web Platform

  • Pentest of an online banking web platform and related Android banking app built with Apache Cordova. Blackbox and whitebox per OWASP Testing Guide v4.

RFP Process and DLP Implementation

  • Led RFP, vendor evaluations and oversaw deployment of a robust DLP solution for a multinational financial institution.

Incident Response: IT Fraud

  • Incident response for email phishing fraud. Analysis of email headers, log files, attacker IPs and intelligence gathering. Remediation through email server hardening, system hardening and awareness campaigns.

Crisis Awareness Campaign

  • Planned and supported a crisis awareness campaign, analyzed crisis communication and developed BCM measures and process improvements.

Security Assessment of Cloud Single Sign-On for Online Banking

  • Security assessment of a cloud-based SSO implementation (Verimi) in an online banking web application and mobile apps. Identified vulnerabilities and proposed security measures for safe deployment.

Security Assessment of Supplier Relationship Management

  • Full security assessment including architecture review, penetration test, configuration review and deployment hardening.

Security Assessment of Branch App (iOS and Android)

  • Security assessment of a banking branch app for iOS and Android, including all backend systems.

Security Assessment of New iOS App for Insurance with Azure SSO

  • Architecture consulting and concept review for an iOS app for insurance agents. Threat modeling with STRIDE, penetration test and configuration review of servers, Azure ADFS and DenyAll-rWeb WAF.

Security Assessment to ISO 27001 and BSI IT Baseline Protection

  • Security assessment of entire enterprise IT and internal software development at a financial services provider.

Security Testing of Mobile Device Management Solution

  • Security testing of an MDM solution, including bypassing root detection and malware installation.

Security Testing of Robot Operating System

  • Security testing of the ROS framework on a Trossen Robotics PhantomX Reactor robot.

Security Testing of Industrial VPN Gateway IGW/922 by SSV

  • Verified VPN gateway protections with penetration tests and fuzzing; reviewed management interface.

Airlock WAF Security Test (Ergon Informatik AG)

  • Tested WAF filter rules (blacklist & whitelist) against current web threats and assessed WAF itself for vulnerabilities.

Security Test of Gaming App (Android and iOS) 10–50M Downloads

  • Whitebox test of a gaming app for Android, iOS, backend server and internal admin interface over VPN.

Web Application Firewall Security Tests

  • Reviewed WAF for vulnerabilities and rule coverage against current web attacks per OWASP Web Application Testing Guide using WebGoat, DVWA, Hackazon, Vulnerawa, Mutillidae.

Cloud Security Strategy

  • Implemented cloud security strategy as a control per BSI C5. Conducted risk analysis for cloud assets. Target platforms: Azure, Office 365, AWS, Google Cloud.

Symantec DLP Implementation

  • Successfully deployed Symantec Data Loss Prevention at a global financial institution to protect sensitive data and meet compliance.

VoIP Infrastructure Testing (Cisco)

  • Blackbox penetration test of a new Cisco VoIP system.

Threat Modeling of BSI TR-03109 for SMGW using STRIDE for BSI

Comprehensive DLP Implementation and Training

  • Deployed McAfee DLP at a Fortune 500 company and trained staff to ensure understanding and compliance with new security policies.

Support and Lead External BAIT Audits

  • Supported and led external BAIT audits as lead auditor, identifying quick wins and actions to achieve compliance.

WAF Hardening and Rule Review

  • Reviewed a web application firewall for bank software, tested blacklisting & whitelisting with fuzzing and current attack strings, optimized for brute force and DoS protection.

Whitebox Pentest and Code Review of Messenger App (iOS and Android)

  • Whitebox pentest and code review of an iOS/Android messenger app, its HTTP API backend and admin portal.

Workshop: ISO 27034-Compliant Secure Development

  • Two-day workshop on secure development per ISO 27034 and Microsoft SDL.

Workshop: Web Application Security Testing

  • Two-day workshop on web app security testing, including exercises with Burp Suite and WebGoat.

Architecture Review and Threat Modeling of Banking Software

  • Reviewed technical architecture and performed risk analysis using STRIDE for banking software.
  • Standard: MaRisk.

Summary

Valeri Milke is the Managing Director of VamiSec GmbH, specializing in advising and certifying companies in information security and compliance. His work has always focused on integrating IT security and compliance. He is dedicated to establishing an ISMS and IT security measures according to the latest standards, reducing actual cyber risk, and thereby not only protecting assets but also ensuring compliance while fostering companies’ ability to innovate. His expertise includes ISMS and securing cloud and on-premise environments according to ISO 27001, TISAX and BSI IT Baseline Protection, as well as developing comprehensive strategies for risk management, third-party risk management and incident response. He has a special focus on complying with new regulations such as DORA, NIS2, CRA and the AI Act.

Languages

English: Advanced
German: Intermediate

Education

Oct 2006 - Jun 2010

Bonn-Rhein-Sieg University of Applied Sciences

Bachelor of Science · Computer Science · Germany · 1.3

Certifications & licenses

BSI IT Baseline Protection Practitioner

BSI IT Baseline Protection

Company Data Protection Officer

IHK

Cloud Security Expert

CeLS

NIS2 Directive Expert

TÜV Nord

ISMS Lead Auditor to ISO 27001

TÜV Rheinland AG

AI Officer (EU AI Act)

BEN DIGITAL

Communication Management

WPC

Penetration Testing (IP Networks)

CeLS

Penetration Tester (Web)

CeLS

Project Management

Project Management Institute (PMI)

QS Day - Non-Functional Testing

QS-Tag

Certified Auditor according to BSIG §8a (KRITIS - Critical Infrastructures)

Certified Data Protection Officer according to EU-GDPR

IHK

Certified Whistleblower Officer according to Whistleblower Protection Act

Ifb Whistleblower Protection Act

Additional Audit Procedure Competence for § 8a (3) BSIG
