It is common to have an about me page, so I should make one.
First things first
My Twitter, LinkedIn and blog posts and comments are my own opinions, do not represent any of my current or past employers and are not in any way related to my current or past job for these employers.
Where do you find me?
Besides this blog, you can also find me on LinkedIn and Twitter. I also used to be on Peerlyst until it shut down.
If you want to reach out to me, you may do so through my social media presence, or by email at my name dot surname at gmail.
What is this?
In the distant past I had a page, or a blog, or something like this. I don't even remember any more. Then I thought that my LinkedIn presence would be enough for me to express my thoughts and I got rid of that blog. More recent (2017) changes at LinkedIn though, as well as the need to write shorter thoughts and more personal, not professional stuff, led me to have my own blog again.
Unfortunately none of the old content - except for LinkedIn articles and some conference presentations - is here.
What do I do?
I have been a Linux / Unix sysadmin for years in the past, and my favorite language is Perl. When I was a sysadmin, security was "part of the job". Then it changed and I changed with it. I now consider myself to be an Information Security and Risk professional.
Or, as my LinkedIn profile says:
Experienced Information Security and Risk Strategist with in-depth technical knowledge, broad managerial skills and business acumen. My experience spans across several regulated industries and organizations with global presence. Skilled in building and leading multi-functional and international teams and projects. Experienced in developing the security strategy and establishing the function from scratch. Comfortable interacting with senior stakeholders and C-level executives.
I enjoy doing strategy, risk and governance. Team building and function structuring in multinational, multi-business organizations. Overall I like challenges.
But if you're familiar with how CVs are structured, you expect to see numbers and the ones above are not numbers. So, although as a security professional I cannot openly disclose dates and names, I'm happy to provide some of my measurable (i.e. not soft) achievements in some of the companies I have worked for (in random order, to maintain the anonymity of the company):
- One company had terrible audit results. Inefficient and inadequate, both internal audit and external audit. I developed and implemented a remediation plan that bumped the audit results from Inefficient to Effective (external) and Excellent (internal) in just 2 audit cycles.
- Once I had to lead a small existing team of engineers. Lacking leadership and guidance, the team was becoming the company's black hole due to inefficient response in ticket handling. In just eight months after I took over, the performance of the team was bumped by more than 65%. Same people, same tasks (not Helpdesk, we're talking about engineers. R&D, systems and networks setup, troubleshooting, POCs). From ~40 tickets per month to more than 70.
- At some point I had to replace an anti-malware solution in a company. Previous deployment was ~60.000 endpoints. During the replacement project I managed to deploy to more than 75.000 endpoints - covering more than 20% more endpoints and servers.
- I do remember when in one company we had a significant problem with stale accounts in some IT systems; mainly due to frequent turnover. Processes I set up and close coordination with the company's internal development department led to rolling out a custom built (but efficient and fully auditable) automated identity provisioning system that terminated accounts immediately upon HR's activities.
- At some point I had to take over a support department which was managing one (arithmetically: 1) application. When I left some years later, the department was roughly the same size and with 50% of the members being the same; it was managing seven (arithmetically: 7) applications, including the initial one.
- I do remember when some employees of one company I worked for found the opportunity to provide company services to customers, without registering them in internal accounting systems; so that they would keep the profits all by themselves. That was roughly 5% of the specific business unit's revenue, which I identified and deployed controls to stop that leak.
Now that I think about it, I might as well mention names; all the companies are better off after my tenure there, at least in my area of responsibility!
That's all for the time being...