Valeri Milke
Senior IT Security & Compliance CISO ISO 27001 TISAX NIS2 DORA AI Act CRA BSI IT-Grundschutz Penetration Testing ISMS BCM
Experience
IT Crisis Exercise Consultant
German Asset Management
- Annual IT crisis exercise execution
- Development of crisis scenario as multi-phase spear phishing attack
- Assessment of crisis management for IT crisis team, company-wide crisis communication and alerting and evaluation of initiated incident response measures
Vulnerability & Patch Management Consultant
Banking IT Service Provider
- Implementation of group-wide patch and vulnerability management through orchestration of various tool sets like Qualys, Secunia SVR, Palo Alto Container Scanning, Airwatch MDM, Snyk
- Development of reporting dashboard with KPIs and KRIs for board, CISO and operations
ISMS Implementation
VDA ISA
- Focus on organizational and procedural measures of Information Security Management System (ISMS): Information security, data protection, prototype protection, physical security, IT infrastructure, supplier relationship security, application security, business continuity management (BCM), identity and access management (IAM), data loss prevention (DLP), cloud services, logging and monitoring
Incident Response Consultant
Supermarket Chain
- Incident response support for multi-phase spear phishing attack
- Crisis management through organization and support of crisis team including company-wide crisis communication and alerting
- IT forensics on servers, clients, SIEM and network infrastructure logs
- Operational incident response & recovery measures
- Lessons Learned: Creation of optimization points for crisis management and quick wins
IT Crisis Exercise Consultant
Volkswagen AG
- Annual execution of group-wide IT crisis exercise
- Development of crisis scenario as multi-phase spear phishing attack
- Assessment of crisis management for IT crisis team, company-wide crisis communication and alerting
- Evaluation of initiated operative incident response measures
- Creation of optimization points for crisis management and quick wins
Vulnerability Management Consultant
Enovos
- Implementation of vulnerability management in OT infrastructure and AWS cloud
- Process establishment and implementation support for Tenable.io
- Comprehensive security assessment and creation/validation of implementation measures
- Conducted security assessment in Microsoft Cloud against CIS Microsoft 365 Foundations Benchmark v1.2.0
NIS2 and DORA Gap Analysis Consultant
DHL Group
- Conducted NIS2 & DORA gap analysis to identify deviations and vulnerabilities compared to NIS2 directive and DORA requirements
- Developed roadmap with prioritized measures to close identified security gaps
- Created detailed final report with tailored action plan summarizing analysis results and concrete steps to address vulnerabilities
- Presented results and action plan to DHL Group team members and decision makers
- Deep-dive into individual measures like establishing IT risk management and ensuring supply chain security
AWS WAF Implementation Consultant
Energy Provider (KRITIS)
- Evaluation of WAF solutions and effectiveness testing
- Application integration (manual and learning mode)
- Optimization of blacklist rules to increase block rate
- Optimization of input validation through WAF per application
- Configuration of bruteforce protection and IP blacklisting
- Connection to Kibana with ElasticSearch for monitoring and alerting
- Project management and implementation support
Office 365 DLP Consultant
Fintech Company
- Office 365 threat modeling regarding data loss threats
- Risk assessment and implementation of mitigations and hardening with Azure Information Protection (AIP) to prevent data loss in Office 365
- Prevention of shadow IT and cloud-based data loss (e.g. blocking Dropbox)
ISMS and DSMS Audit Consultant
Food Corporation (KRITIS)
- Internal audit of documented ISMS and DSMS processes
- Gap identification and measures to ensure compliance
- ISMS and DSMS process improvement based on ISO 27001 and BSI IT-Grundschutz
- Quick wins creation and implementation support
AWS Infrastructure Hardening Consultant
German Asset Management
- Check of AWS infrastructure for appropriate hardening according to international standards like CIS Benchmarks and Cloud Conformity
- Creation of detailed hardening measures
- Verification of hardening through adapted attacks
ISMS Implementation Consultant
German Enterprise eCommerce Company
- Gap analysis of ISMS according to ISO 27001 through document review, workshops and inspection
- Creation of optimized processes for risk assessment and management based on asset or process-based analyses considering individual organization
- Implementation management of quick wins and measures and certification support according to ISO 27001
Secure Development Process Consultant
IT Service Provider for Critical Infrastructure
- Maturity Assessment: Workshop to capture existing development processes and evaluate current maturity regarding security practices
- Threat Modeling: Application to identify and address potential security risks in software development early
- Web application penetration testing based on OWASP Web Security Testing Guide including authentication mechanisms, API review, fuzzing of files/folders, rights management control, web server configuration tests, SQL injection detection
- Security Concept: Development of tailored security concept integrated into software development process
Cloud Forensics Consultant
Industrial Company
- Analysis of ongoing security incident where attacker gained access to privileged Azure accounts
- Office 365 was used to send internal phishing emails and initiate CEO fraud attempts
Penetration Tester
Large German Bank
- Conducted penetration testing of online banking web application including bank API using automated and manual test procedures
- Application of OWASP ASVS and CWE to capture completeness of security controls like session management, HTTP security headers, input validation etc.
- WAF rules optimization to increase security level
- Creation of detailed remediation measures
- Static code analysis of frontends and dynamic testing including backend fuzzing
IIoT Security Consultant
Mechanical Engineering Company
- Industry-specific security workshops: Alignment of development processes with industrial IoT security requirements in mechanical engineering considering STRIDE threat modeling
- Proactive IIoT risk management using STRIDE threat modeling for early detection of security risks from networked machines
- Integrative security strategies for IIoT: Creation of robust security architecture ensuring secure data communication while protecting integrity and availability of mechanical engineering systems
VoIP Security Consultant
State Authority
- Conducted maturity level assessment workshop for detailed concept with relevant stakeholders from IT service provider and state authority customer
- Threat analysis of VoIP landscape using STRIDE threat modeling
- Development of security concept according to BSI IT-Grundschutz Compendium Edition 2022, TLSTK II and TL-02103 for securing VoIP solution
Founder & CEO
VamiSec GmbH
As Public Speaker, certified ISO 27001 Lead Auditor, TISAX-, NIS2-, DORA-, KRITIS-BSIG-§8a-Auditor and BSI IT-Grundschutz Practitioner with over 15 years of consulting experience in IT security, information security and business continuity & emergency management for large and internationally operating companies from the finance, insurance, automotive, food, KRITIS and public sector industries. His focus areas are Information Security Management Systems, Business Continuity and Emergency Management as well as Risk Management according to established standards such as ISO 27001, IEC 62443, ISO 22301 and BSI IT-Grundschutz. He also has in-depth knowledge in Secure Development Lifecycle, Application Security, Vulnerability Management, Threat Modeling (STRIDE), Secure CI/CD, Cloud Security (M365, Azure, AWS, GCP), Identity and Access Management, Data Loss Prevention and Incident Response & Forensics, which he implements from strategy development through program management to operational, procedural and organizational topics.
Summary
ISO 27001 zertifizierter Lead Auditor fokussiere ich mich auf die Beratung und Zertifizierung von Unternehmen im Bereich der Informationssicherheit.
Mit über 100 erfolgreich abgeschlossenen Projekten und über 15 Jahre professionelle Beratungserfahrung, erstreckt sich meine Expertise über verschiedene Branchen, wobei der Schwerpunkt auf der Implementierung von ISMS nach ISO 27001 liegt. Ich setze mich dafür ein, ein ISMS und IT-Sicherheitsmaßnahmen nach Stand der Technik zu etablieren, die nicht nur Vermögenswerte schützen, sondern auch die Widerstandsfähigkeit und Innovation von Unternehmen fördern.
Meine Expertise umfasst das ISMS und die Sicherung von Cloud- und On-Premise-Umgebungen nach den Standards ISO 27001, TISAX und BSI IT-Grundschutz sowie die Entwicklung umfassender Strategien für Risikomanagement und Incident Response. Ich bin zertifizierter ISO 27001 Lead Auditor, BSI IT-Grundschutz-Praktiker und Datenschutzbeauftragter (DSGVO) mit einem speziellen Fokus auf die Einhaltung neuer Regulierungen wie dem AI Act, DORA und NIS2.
Zu meinen Kernkompetenzen zählen:
- Informationssicherheitsmanagement und Compliance: Spezialisiert auf IS Governance, externe CISO-Dienstleistungen, Implementierung von ISMS nach ISO 27001 und BSI IT-Grundschutz. Erfahrung in der Einhaltung von gesetzlichen Anforderungen wie NIS2, DORA, TISAX, CRA, AI Act und KRITIS
- Cloud-Sicherheit: Tiefgreifende Kenntnisse in der Absicherung von Cloud-Umgebungen, insbesondere AWS und Azure. Expertise in CSPM/CNAPP (Wiz), Identitätsschutz und Lizenzierungsstrategien
- Risikomanagement und Bedrohungsmodellierung: Erfahrung in der Durchführung von Risikoanalysen, Bedrohungsmodellierungen (z. B. STRIDE) und der Entwicklung von Risikobewältigungsstrategien
- Business Continuity und Disaster Recovery: Kompetenz in der Entwicklung und Implementierung von BCMS und DR-Plänen gemäß ISO 22301. Durchführung von Geschäftsim-pactanalysen und Krisenmanagement
- Anwendungs- & RZ- und Cloud-Sicherheit: Expertise in RZ, Cloud-Migration, sicheren CI/CD-Pipelines, Bedrohungsmodellierung (STRIDE), Container-Sicherheit und Best Practices in AWS-, Azure- und Office 365-Umgebungen
- Incident Response & Forensik: Erfahrung in der Leitung kritischer Incident Response-Projekte, forensischer Untersuchungen und proaktivem Threat Hunting in Cloud- und On-Prem-Umgebungen
- KI-gestützte Sicherheit: Einsatz von KI zur Stärkung der Verteidigungs- und Compliance-Maßnahmen, um Unternehmen in einem dynamischen regulatorischen Umfeld einen Schritt voraus zu halten
Ob Sie Ihre Compliance stärken, Ihre Rechenzentren, hybride IT-Infrastruktur absichern oder die Resilienz Ihres Unternehmens durch KI erhöhen möchten – meine Mission ist es, komplexe Sicherheitsanforderungen in klare, strategische Lösungen zu verwandeln.
Languages
Education
Bonn-Rhein-Sieg University of Applied Sciences
Bachelor of Science · Computer Science · Bonn, Germany · 1.3
Rheinische Akademie Köln
Information Technology Training · Cologne, Germany
Certifications & licenses
AI Officer According AI Act
BEN Digital
Bsi It-Grundschutz Practitioner
Cels Cloud Security Expert
CeLS
Cels Penetration Tester (Web)
CeLS
Certified Auditor According Bsig $8a
Certified Data Protection Officer According Eu-Gdpr
IHK
Certified Whistleblowing Officer According Hinschg
ifb
Nis2 Directive Expert
TÜV Nord
Project Management
Project Management Institute (PMI®)
ISMS Lead Auditor Nach ISO 27001
TÜV Rheinland AG
Similar Freelancers
Discover other experts with similar qualifications and experience