Markus K.

Cybersecurity & Data Privacy

Switzerland

About

Seasoned Cyber Security & Data Privacy Professional for Start-Ups and Corporations

I help organizations to evolve their Cybersecurity, Data Privacy and Legal capabilities to meet and surpass international benchmarks - whether it is starting a cybersecurity function from scratch, the successful execution of cyber defense strategies or raising the bar in existing structures. My professional career started in the Legal domain, before branching over into Data Privacy and ultimately Cyber Security as my core competencies.

Examples of challenges that I help organizations to solve:
- establishing a new cyber security department in an organization and driving intracompany culture change towards more security awareness
- security architecture
- GDPR / CCPA-compliant privacy programs
- obtaining a security certification (e.g. ISO 27001, BSI Grundschutz)
- establishing web3 & crypto security protocols (smart contract assurances, cloud infrastructure hardening)
- ramping up and running bug bounty programs (managed programs with 6-figure payouts)
- designing a customized & effective application security flow to build and release secure code (SDLC tollgates, CI/CD audits, threat modeling and security architecture review)
- ramping up a Security Operations Center with 24/7 real-time monitoring capabilities, SIEM and MSSP selection
- designing audit-resilient and automated internal control systems (e.g. SOX, SOC2, PCI-DSS)
- protection strategies for Intellectual Property (source code licensing)
- Low-Code & Artificial Intelligence policies, enabling secure usage

My profile in a nutshell:
- Senior Level Professional with 8+ years of hands-on experience as Head of Cyber Security and Data Privacy Officer in multinational corporations and startups - I lived the challenges of both worlds.
- Successful in delivering results in high-pressure work environments (e.g. scaling security controls while experiencing a 400% YoY employee growth, obtaining ISO 27001 certification within 6 months)
- Built and grew diverse, international engineering teams of up to 25 members
- Precise and empathic communicator in 3 languages: German, English, Portuguese
- Holder of relevant, internationally recognized certifications (CISSP, PMP, CIPP/E) and academic titles (LLM)

What I am not:
- a software developer. Manual code review or Advanced Scripting are not among my skills (yet)
- a SOC analyst
- a web application penetration tester

I speak fluent: German, English, Portuguese

Experience

  • Head of Security at Rocket.Chat
    Feb 2019 - Mar 2022 · 3 yrs 2 mos

    Rocket.Chat is the most secure open-source enterprise communications platform with (as of 2022) 200 employees and received $20 million new venture capital in Series A funding at the beginning of 2021. Since 2019 and the start-up days I was responsible for information security, data protection and legal topics in a multicultural, international environment.

    Achievements:
    - Initial security certification under ISO 27001 as well as annual recertification; completely internal and without external consulting or tool expenses
    - Development of the information security organization from the ground up with a focus on efficiency, agility and business compatibility. The first 2 years with sole responsibility, then building and hiring a team of 5 FTEs
    - Expansion of vulnerability management and responsible disclosure process (Hackerone, CVE assignment) to meet a publicly visible SLA
    - Secured 6-figure deals as pre-sales contact for customers on all topics related to security and data protection (RFQs, RFPs, negotiation, creation of marketing material, webinar speaker)
    - Introduction of SecDevOps elements in CI/CD pipeline to identify and reduce vulnerable steps in the software release process (SAST, DAST, dependency scanning, container image scanning)
    - Internal penetration testing (OWASP ZAP) as well as coordination of external testing and remediation
    - Complete structuring of the data protection organization (GDPR, LGPD, etc.) and acting as data protection officer
    - Legal support for contractual and licensing matters with customers, partners, employees (IP, copyright, open source licensing, data protection agreements) as well as contact for law enforcement and antitrust inquiries
    - Primary contact on security and privacy for the 1000+ developers of the open source contributors
    - Product manager for product security features: specification of features based on industry standards and customer requirements, e.g. released an improved Off-the-Record messaging feature

  • Global Privacy Program Manager at Rakuten
    Apr 2018 - Dec 2018 · 9 mos

    Rakuten is the leading Japanese E-commerce company with more than 15.000 employees and among the worldwide Top 15 largest Internet companies.

    My responsibilities: I started as a project firefighter, meaning my task was to rescue and stabilize important privacy projects utilizing my previous experience. Afterwards, I developed the privacy program management team (6 full time members) of the global privacy office.

    Responsibilities:
    • Project Portfolio Management & Policy Deployment
    • Business Processes Design and Transitioning to Operations
    • Continual Improvement of Operations in accordance with ITIL
    • Unified Privacy Control Framework to increase overall project efficiency and allow for transparency of requirements

    Achievements:
    • Establishing the privacy office's program management team with 6 FTEs. Taking over responsibilities from various subteams and consolidating them into one high-performant structure. Leading and growing the team and liaising with other departmental managers, such as Security Operations and Security Audit.
    • Transition to Operations for critical privacy compliance processes, such as vendor management, data inventory updates and incident management. Starting from service design up until hand-over.
    • Creation of a scalable, unified framework combining controls of existing or new data protection laws (GDPR, California, Japan and more) and internal company regulations based on ISO 27k standards, effectively removing the need for double work on similar control sets
    • Planning and execution of a roadmap to consolidate and stabilize the privacy program, which included a complete overhaul of the compliance assessments of a GRC tool
    • Performing onsite information security audits on local entities outside of Japan, including controls for ISO 27002 and PCI-DSS
    • Establishing an AI-powered GDPR compliance Chatbot which answers common user questions 24/7 and both in English and Japanese

  • Chief Privacy Officer at Autoliv
    Dec 2014 - Mar 2018 · 3 yrs 4 mos

    Autoliv, headquartered in Stockholm and listed on the New York Stock Exchange, is a global Fortune 500 company with more than 70.000 employees and the world market leader in vehicle safety systems. As head of the global data privacy office and with direct reporting line to the Group CISO, I was responsible for designing and implementing the global data privacy program as well as leading particular information security initiatives.
    • Leading and concluding the GDPR implementation program
    • Setting and executing strategy of the global privacy office
    • ISO 27002-based security control implementation
    • Privacy by design in product development for connected cars and IT system development

    Achievements:
    - Building a team of more than 25 individuals for the global privacy office, consisting of dedicated full-time staff and part-time coordinators in each country of operations
    - Training and mentoring of 2 junior employees into highly qualified subject matter experts
    - Developing a risk management approach to identify, consolidate and visualize risks of the privacy and cybersecurity domains
    - Training members of the Security Operations Center (SOC) in data protection and incident management
    - First deployment and implementation of a global data privacy policy in the organization
    - Establishing the first SLA-based Cloud Vendor Security Evaluation process to support the CIO's Enterprise Cloud Strategy
    - Onsite information security audits of new facilities (incl. physical security)
    - In-house development of a tailored GRC solution based on MS SharePoint, with significant cost benefits over comparable commercial tools
    - Designing a global data privacy framework to cover legislative requirements of more than 25 legislations