
Project experience

Below is a short overview of the projects I supported as a project manager, subproject lead and as an information security consultant/subject matter expert. These projects were supported either as a freelancer (marked with a year and duration) starting in 2022, or during my professional career as an employed information security manager for the international DAX40 chemical company Henkel (2018-2021) and as an employed information security consultant for the information security consulting company Infodas (2017).

Implementing quantitative risk management in NIS2 affected IoT company

Roles: Project manager and subject matter expert - 2023-2024: 5 months
Supported a NIS2-affected IoT company in implementing a quantitative information security risk management program. The implementation involved close collaboration with the CISO and CIO. Since the client is part of an international corporation, the risk management process was also integrated into the group-wide information security risk management process.

Cyber risk assessment and ISMS implementation for IoT-manufacturer

Roles: Project manager and subject matter expert - 2023: 6 months
Performed a company-wide risk assessment for an international IoT manufacturer. Critical risks were highlighted, quantitatively assessed, discussed at board level and subsequently managed. A focus was on the cloud environment, using cloud security compliance recommendations such as the CIS Benchmarks, MITRE ATT&CK and the CSA CCM.
Additionally, the client was supported with an ISMS implementation.

Security concept for new building

Roles: Subject matter expert - 2023: 5 months
Advised a client on implementing physical security measures for a new building, from perimeter security to server-room security. Risks and the necessity of security measures were made transparent, discussed at board level and implemented where a cost-benefit analysis showed them to be reasonable.

Cyber Security Awareness Program

Roles: Consulting and Conducting - 2023: 2 months
An international client was supported in planning and conducting an employee cyber security awareness program whose success was measured.

Risk assessment in OT environment, aligning risk mitigations and BCM planning

Roles: Project manager and subject matter expert - 2022: 5 months

I performed a risk assessment in the OT environment, focusing on ISO 27001 and IEC 62443 best practices (especially Zero Trust). Relevant risks were highlighted, and mitigations for them were aligned with stakeholders from different business units. I also supported improving the business continuity planning in alignment with BSI 200-4 recommendations.

Agile Threat Management and Risk Management in a DevOps IoT environment

Role: Information security consultant - 2022: 6 months
I supported a client in improving its threat management process in a DevOps IoT environment, thereby enabling the responsible teams to understand and mitigate common threats and weaknesses (e.g. the OWASP Top 10). Furthermore, I helped the client improve its risk management process (guided by the NIST RMF), supported the in-depth analysis of relevant risks and guided the selection of mitigating controls.

Improving Incident Response Process

Role: Information security consultant - 2022: 2 months

The client had a very immature incident response process and wished to professionalize it. Recommendations from NIST 800-62r2 were discussed and implemented to raise maturity in several areas to predefined target levels.

Global production security project (OT security) and production security assessment (IEC 62443) in a KRITIS company

Roles: Subproject lead, information security consultant and PMO
We increased the security posture of several critical production facilities around the globe. During the project, I supported an OT security assessment of one production plant and was responsible for a subproject to implement several security controls (e.g. asset management, identity and access management, network segmentation, zero trust architecture and more) in several production lines, including managing external suppliers and communicating with senior stakeholders.

Implementing a new company-wide password policy

Role: Project manager and information security consultant
We implemented a new company-wide NIST-based password policy, affecting all 50,000+ employees, to the satisfaction of all stakeholders. The project included alignment with different stakeholders (CIO, AD team, SAP systems team, identity management team, SOC team, works council, corporate communications) to create a risk-based, business-supporting security policy. This policy was communicated and rolled out to all employees, including training for end users, IT administrators, the in-house security consulting team and the corporate audit team.
An external development team was managed to implement the necessary technical changes.

SAP system security improvement

Role: Project manager

After an external assessment identified several potential security risks, I was assigned to strengthen the security of the critical ERP system and mitigate these risks. The project involved the secure reconfiguration of connections for 19 internal and external warehouses while maintaining ongoing operations.

The project’s success required effective leadership of an international team of internal and external specialists, as well as securing senior management's support to modify connections for these business-critical warehouses during live operations. The project was completed on time, within budget, without any significant operational disruptions, and to the full satisfaction of all stakeholders.

Implementing a global security awareness program in the production environment

Role: Project manager and information security consultant
We created a company-wide information security awareness program for production employees. We identified which security controls to communicate to the target audience and aligned with different stakeholders (plant managers, blue-collar workers, works council) on target-group-specific requirements. Agile methodology helped in testing assumptions, and managing external suppliers was essential for the project.

Warehouse security assessment and control implementation

Role: Project manager and information security consultant
Together with an external party, we performed an information security assessment of a critical warehouse and afterwards implemented controls to mitigate the relevant risks. Understanding business needs and communicating with senior stakeholders was essential for project success.

Introduction of an ISMS and preparing for an ISO 27001 audit

Role: Information security consultant
A client from the banking sector was supported in establishing an ISMS, creating various policies, and developing information security, risk, and data protection processes, and was guided through a successful ISO 27001 certification audit. The approach was aligned with the requirements of the BSI IT-Grundschutz to ensure a robust and practical security architecture. Existing processes were analyzed, optimized, and aligned with the standards of the BSI IT-Grundschutz Compendium. Additionally, targeted training sessions were conducted to raise awareness of information security and data protection.

Implementing a business-supporting asset risk classification tool

Role: Project manager and information security consultant
We implemented a company-wide risk classification tool to support colleagues from the in-house information security project consulting team and the business owners in matching systems and the information they process to categories of business-critical risks, which had already been pre-aligned with senior management.

In-house information security consulting for several projects

During my 4 years at Henkel I consulted on many projects covering all aspects of information security to ensure that the projects were secure according to Henkel's expectations. I performed risk-based consultation covering the following aspects:

  • asset management

  • identity and access management

  • change management and secure software development, including static code analysis and penetration testing

  • system hardening

  • management of cryptographic controls

  • logging management

  • physical security

  • risk management

  • incident management

  • business continuity and disaster recovery management

  • data privacy compliance (e.g. GDPR)

  • provider management, including

    • checking certifications and security maturity level

    • ensuring contractual information security requirements

Developing a new information security strategy

Role: Project manager and information security consultant
We analysed the current and expected future threat landscape and used risk analysis tools to define controls to mitigate the relevant risks.

Recommendations

Here you can find verified recommendations from authentic people I worked with.

A LinkedIn account is necessary to access the recommendations. I recommend using a one-time email address if you do not want to share your personal details with LinkedIn.

Certifications and trainings

CISSP & CCSP

CISSP (Certified Information Systems Security Professional) is the gold standard of information security certifications and covers all aspects of information security and risk management.

CCSP (Certified Cloud Security Professional) certifies a deeper specialisation in all topics related to cloud security.

Both certifications also require the highest ethical standards.

Code of Ethics Canons:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.

  • Act honorably, honestly, justly, responsibly, and legally.

  • Provide diligent and competent service to principals.

  • Advance and protect the profession.


PMP

The Project Management Professional (PMP) certification is a globally recognized credential offered by the Project Management Institute (PMI) that validates an individual's expertise in project management practices. It demonstrates proficiency in managing projects across various industries, including planning, executing, and overseeing projects to meet goals within constraints like scope, time, and budget.


Some other recent trainings:

Google Project Management Certification for waterfall and agile projects

MITRE ATT&CK Framework - SOC Assessment, Framework Application, Adversary Emulation

OWASP Top 10: 1,2,3,4,5,6,7,8,9,10

Industrial IoT - on Google Cloud / on AWS

Communication & Leadership by Wertfreunde GmbH

Foundational Business Management Skills by Thunderbird School of Global Management

IT-Security Officer (TÜV) - (certipedia:6511)

Data Protection Officer (TÜV) - (certipedia:26192)
