Robert Hoffmann

CTO and Security Officer at ZealiD

Sweden

About

Information security and governance must be aligned with the way of working in the organization; otherwise it will cause friction and will be ineffective. I am a strong believer in security and governance automation. Checks and balances need to be implemented as code or LLM automation in all areas, from product delivery (DevSecOps) to the back office. Security and governance have to come "out of the box" for the user; tickboxes and manual checklists are a thing of the past. In order to build useful solutions, a solid understanding of information processing from management theory down to hardware implementation is needed. Solutions that consider only one layer will be circumvented on another. My area of expertise is a holistic approach to security, from governance and legal, along business processes, down to technical implementation. As a leader I motivate both technical and non-technical staff to uphold good security by establishing intrinsic values and understanding. Teams need to be able to move fast, using efficient tooling support, and with a reliable safety net under them.

  • BSI Grundschutz [DE], CIS Controls, CMMI, COBIT, Common Criteria, COSO, DMA, DORA, DSA, eIDAS, ETSI, GDPR, ISM - Industrisäkerhetsskyddsmanual [SE], ISAE 3000, ISAE 3402, KSF [SE], OCTAVE, SOC1, SOC2, ISO 9001, ISO 27001, ISO 27005, ISO 31000, ITIL, NIS, NIST, PCI DSS, SOX ITGC, Trust Service Criteria
  • Banking and payment industry regulations (BaFin [DE], EBA, FI [SE], SOX [US])
  • Various technical security standards (ETSI, NIST, OWASP)

Experience

  • ZealiD (Stockholm, Stockholm County, Sweden · Hybrid)
    • CTO
      Jun 2022 - Present · 4 yrs 1 mo

      Leading teams of security-aware engineers in developing an eIDAS-certified identification and signing platform. Migrating a Python-based monolithic application into an on-site service-based architecture following zero-trust and defense-in-depth principles. As the leader of direct reports as well as team leads, encouraging ownership of areas and systems as well as strong collaborations instead of hierarchies. People grow through their tasks and challenges, with a safety net under them.

      • Security-focused architecture and implementation
      • Designing for user experience as a market advantage
      • Agile development process
      • LLM-based development flows
      • Service-based architecture
      • Automated CI/CD pipeline
      • QA through automation and human expertise

    • Security Officer
      Mar 2021 - Present · 5 yrs 4 mos

      Manager for process and ICT security at an eIDAS-certified Qualified Trust Service Provider (QTSP), operating internationally. Ensuring that all staff understand security requirements and how they apply to them. Fostering intrinsic understanding of security and encouraging them to improve security in their area. When facing gaps, people grow by receiving feedback and recommendations, instead of accusations.

      • ISMS management
      • Implementing legal and regulatory requirements, based on eIDAS, ETSI and country-specific sources
      • ICT and process risk management
      • Internal and supplier security reviews
      • Managing external security reviews and supervisory audits
      • Interaction with security authorities
      • Sales support for customer compliance topics

  • Team Lead Information Security Governance at Klarna Bank AB
    Feb 2019 - Mar 2021 · 2 yrs 2 mos

    After working in the group as a consultant for 6 months, accepted the offer to lead and grow the in-house team of information security specialists. As the Accountable Lead and Competence Lead, expanded the team by recruiting and hiring several senior security specialists from various countries. Emphasis on a collaborative work style by being directly approachable to stakeholders in the organization and providing practical and real-world responses to their needs. The team handled all internal and external information security governance requests, ranging from security compliance to ICT risk assessments and technical security topics. Working with a diverse set of stakeholders, including Legal, Compliance, Contracting, Development, Architecture and Business Development. Part of the Merger & Acquisition group, performing fast and reliable security assessments of potential targets while upholding a high level of confidentiality. The team was also part of the global market expansion group, evaluating legal and compliance topics related to information security when entering a new country, and adjusting the internal ISMS accordingly.

    • Provide frictionless compliance to a fast-moving agile organization built on cloud services
    • Translate regulatory and legal requirements into information security controls and processes
    • Maintain the group-wide ISMS
    • Maintain the ICT risk register and related processes
    • Implement, operate and improve an automated compliance verification system
    • Provide security assurance to our business partners, including contract negotiations
    • Support internal legal teams on security topics
    • Design and execute the global ISAE 3000 (SOC2) and ISAE 3402 (SOC1) Type 2 audits
    • Recruit and mentor information security specialists for various internal positions

  • Senior Information Security Consultant at Nixu Corporation
    Sep 2016 - Feb 2019 · 2 yrs 6 mos

    Senior consultant for Information Security Governance. Supporting our customers in their security governance work by providing hands-on improvements and creating policies and routines from scratch where needed. Performing third-party security assessments of suppliers for enterprise customers. One long-term project has been to ensure initial GDPR compliance of a major Swedish retail company by creating the necessary routines and tools, and overseeing their implementation across the organization. This was done in close cooperation with the internal legal teams, the security group, and the development organization. In another major technical project, leading a team of engineers to implement a custom vulnerability scanning solution, integrated with ServiceNow. Scanning was performed based on metadata in ServiceNow and results were combined with existing risk information and reported back to system and platform owners. Together with senior colleagues, also developed internal security tools and frameworks, to be used in other customer projects.

    • ISO 27000 (ISMS - Information Security Management Systems, risk management and information classification)
    • EU data protection legislation (GDPR)
    • Secure information management and processing

  • Senior Security Consultant at atsec information security
    Jul 2011 - Aug 2016 · 5 yrs 2 mos

    As a senior evaluator for information security, performed certified security evaluations according to the Common Criteria standard. Such product evaluations include formalized assessment of all aspects of security, including development and organizational process security, IT security of the development environment and pipeline, physical security of the development offices, technical security of the application and supporting libraries including source code reviews, cryptographic analysis, and general assessment against security regulations. As a senior security consultant, advised our customers on secure development and design practices, and their reliable implementation. This included on-site assessments of existing situations. Also served as internal Quality Manager, responsible for the ISO 9001, ISO 17025 and ISO 27001 certification of the evaluation lab, the internal Information Security Management System, and the required audits related to the evaluation activities.

    • Common Criteria (Sweden, Germany, USA), performing evaluations up to EAL5
    • ISO 27001
    • Information and process security
    • Hardware and software security
    • Cryptography

  • Student Assistant at Stockholms universitet
    Mar 2011 - Jun 2011 · 4 mos

    Student assistant for:

    • OCTAVE method
    • Various research projects in the area of practical information security