About Steven
English: Native or bilingual
German: Conversational
Project and professional experience
- Augmetec Limited, Chief Information Security Officer & Data Protection Officer, March 2025 - Present (1 year and 3 months)
  Executive accountability for information security, data protection, and AI governance at an AI-native LegalTech building LEIAA — a high-risk AI system (EU AI Act Annex III) for workplace investigations. Direct report to the CEO; partner to the CSO on product and audit readiness.
  • Own the information security and data protection agenda at board level: ISMS, risk register, audit programme, vendor risk, and DPO obligations — reporting directly to the CEO.
  • Lead the SOC 2 Type II and ISO 27001 audit programmes (Q2 2026 target), owning the ISMS, risk treatment plan, Statement of Applicability, and a two-tier change management framework (CAB for technical changes, ISMS Council for governance changes).
  • Established the EU AI Act compliance framework for a high-risk AI system classified under Annex III (employment and justice contexts), including human-in-the-loop controls, transparency obligations, audit-trail design, and bias mitigation across the AI pipeline.
  • Built the third-party risk management process and data processor register from scratch; led security reviews across 14+ vendors, including DPA verification, SOC 2 / ISO 27001 evidence review, and sub-processor flow-down.
  • Architected the platform's security posture on GCP: multi-project customer isolation, JWT/JWKS namespace limiting, infrastructure-as-code via CDKTF, and an automated vulnerability lifecycle pipeline (Dependabot → Aikido → Jira) with defined SLA-backed remediation.
  • Drove secure-development discipline in partnership with the CTO and CSO: branch protection, PR review gates, staging-first promotion, and audit-ready change evidence satisfying SOC 2 CC8.1 and ISO 27001 Clause 8.1.
  • Embedded EU AI Act transparency obligations into a three-stage requirements-to-production workflow for AI features, ensuring auditability across all AI services.
- NomuPay (FinTech, scale-up — 8 merging entities), Chief Information Security Officer, Digital agencies & IT consulting, April 2022 - February 2025 (2 years and 10 months), Munich, Germany
  Group-wide information security governance across eight merging payment-services companies during rapid scale-up. Multi-cloud, multi-jurisdiction, PCI DSS regulated.
  • Stood up a unified ISO 27001-based ISMS across eight merging entities using Vanta for compliance automation, accelerating M&A integration and giving the group a single defensible security governance model.
  • Owned the multi-environment PCI DSS programme across merged entities, guiding payment processing environments through regulatory audits with zero non-conformities.
  • Led the group-wide IT risk assessment, developing the KRI framework and continuous monitoring across merged entities; regular reporting to executive leadership and the audit committee.
  • Orchestrated the secure development lifecycle across Azure, GCP, and AWS, partnering with engineering leadership on DevSecOps tooling (GitHub, Coralogix, Atlassian Cloud) and platform-wide control implementation.
  • Deployed MDM and DLP via Microsoft 365 across a distributed workforce, complementing a group-wide security awareness programme to address insider and supply-chain risk.
  • Established ITIL-aligned incident, problem, and change management across merged IT operations, delivering the group's first formal operational resilience reporting — framed against emerging DORA and NIS2 obligations for the group's regulated payment entities.
  Following the permanent role, retained on a six-month freelance basis to complete the handover: guided the business through two further PCI DSS audits and transitioned the remit to a newly hired IT Manager and Information Security Officer.
- Dangelmayer & Seemann GmbH / Innovationeers, Senior Security & Solution Architect, September 2020 - March 2022 (1 year and 6 months)
  Stood up the information security function from scratch and productised security architecture into a client-facing capability.
  • Built the ISO 27001 ISMS framework end-to-end, including risk methodology, policy suite, and 'operational security by design' principles for client process engagements.
  • Developed an information security capability map that supported client consultation, proposals, and new business development.
  • Implemented MDM, DLP, and a staff-wide security awareness programme on Microsoft 365.
Education and qualifications
- Certified Information Systems Security Professional (CISSP), 2023
- Palo Alto Networks Certified Expert (ACE), 2014
Certifications
- CISSP, ISC2, 2011