Information security officer
myToys / OTTO Group
Total years of experience: 21 years, 11 months
• Governed cybersecurity ISMS, PDCA, cybersecurity program optimizing costs.
• Liaise with executives to secure necessary cybersecurity resources and effective controls.
• Executives advised on data privacy, IT and cybersecurity ISO 27005 risk (Risk2Value GRC).
• Effective management of agile cross-functional team.
• 10+ mil. Euro safeguarded via timely fraud detection and response.
• Value added via professional IT-audits and cybersecurity assessments aligned with business.
• 100% of appropriate OTTO cybersecurity requirements delivered on time.
• Advocated cybersecurity awareness “tone from the top”, raising awareness by 35% in eight months.
• Vulnerability exposure mitigated by 65% and costs dropped by 26% through an effective patching strategy.
• Cybersecurity incident response managed, meeting OTTO Group KPIs.
• Business operations streamlined by effective BIA for BCP/BCM and business transformation.
• Cybersecurity and data privacy compliance addressed at IT infrastructure cloud transformation.
• Passed CISA, CISM, CRISC exams.
• Cloud security monitoring and response matured, preventing 2+ mln. USD monthly loss.
• Governed the Group ISMS across 10+ entities, delivering ISO 27001 and ISO 27017 compliant ISMS as per TÜV.
• Relevant ISO 27005 contexts identified and considered for effective ISMS cybersecurity program.
• Persuaded executives to allocate resources for cybersecurity program due diligence, effectively addressing cybersecurity business risk: vision, BIA, strategy, roadmap, architecture, budget.
• Executives advised on cybersecurity ISO 27005 risk. Risk appetite defined and followed.
• BIAs, audits, assessments and penetration tests overseen and guided. Findings accepted by risk owners.
• Disciplines coordinated via the Cybersecurity Steering Committee, keeping top-decision completion at 100%.
• 10+ FTE team performance managed for cybersecurity excellence (DLP, APT, zero-day, OSINT, ITM, web security, e-mail security, vulnerability and patch management, etc.).
• Data privacy compliance boosted by liaising with the DPO on the PII privacy program. Facilitated OneTrust GRC.
• Cybersecurity awareness peaked at 87% through updated policy, communications, trainings and tests.
• Launch and oversight of SOC operations: contracting, risk, quality, KPIs, SLAs, costs, added value.
• Corporate IT asset CMDB designed and piloted, contributing to timely vulnerability mitigation.
• Assigned responsibilities within incident framework: monitoring, detection, triage, remediation, restore.
• Insightful incident reports provided to CEO, COO and CSO, as per executives’ feedback.
• Internal controls transparency shared with the market, boosting sales.
• Executives advised on the preferable cybersecurity insurance approach, PoC and business case.
• Group ISMS governed across 5 entities, adding value through improved accountability and response.
• Implemented ISO 27001 compliant ISMS meeting the OTTO Group compliance KPI.
• Region and Group executives advised on IT and cybersecurity ISO 27005 risk (Risk2Value GRC).
• Implemented a robust cybersecurity environment, confirmed by OTTO Group CISO reviews.
• Cross-functional Agile teams guided in implementing the cybersecurity program, solutions and safeguards.
• Oversight of cybersecurity tools (IDS, ATP, zero-day security, etc.) and controls (PAW, segmentation, SoD, etc.).
• Cybersecurity assessments and penetration tests supervised and guided: findings accepted by risk owners.
• Advocated for cybersecurity awareness improvement. Cybersecurity awareness peaked at 96%.
• Advocated for vulnerability mitigation: 100% vulnerability scanner coverage, risk reduced by 44%.
• Supply chain cybersecurity compliance peaked at 100%, i.e. policies, contracts, “jump hosts”, MFA.
• Data loss risks mitigated via cloud security policy implemented and enforced.
• Cases of misuse, fraud and cybersecurity incidents prevented via improved monitoring and response.
In the CISO role, accountable for cybersecurity for a Sputnik company, a Rostelecom-dependent legal entity. I governed a team of five direct subordinates establishing and maintaining the ISMS within the entity. I was accountable for cybersecurity delivery projects for external private and public clients, including medical institutions (FDA, HIPAA) and telecoms. Participated in CISA/CISM activities of the ISACA chapter.
• Assurance and digital fraud department governed and inspired, delivering top 450 mil. USD annual savings.
• The department governed: vision and strategy, roadmap, architecture, budget, team. Revenue KPIs met.
• Executives and management regularly updated on revenue, fraud related losses and amounts recovered.
• Inspired and encouraged the company toward assurance-aware, accountable and due business conduct by leading implementation of revenue safeguard and recovery, fraud and cybersecurity internal controls.
• 18 FTE team performance managed for excellence: audit, fraud analysts, cyber managers, SOC.
• Oversight of business-impacting protection tools meeting agreed SLAs (DPI, SS7 firewall, SIEM, FMS, data lake).
• Pioneered matured SOC: feasibility, business case, hiring, trainings, go live, maturing. BEP in 10 months.
• Oversaw and guided teams doing walkthroughs, BIAs, CAATs and substantive procedures to identify revenue, cost and fraud losses.
• Acted as product owner of safeguards and protection tools (PoC, requirements, roll-out, UAT, backlog).
• Coordinated with technical and business teams to pioneer detective, preventive and corrective safeguards.
• Improved business continuity plan and BCM. Paper tests success peaked 94%, walkthroughs peaked 78%.
• Effective crisis and emergency mitigation in person and with the team, acting as the “fast response” team.
• Cybersecurity, assurance and fraud consulting services provided, recovering 10+ mln. USD annual revenue.
• Risk-based revenue, fraud, cybersecurity reviews contracted, planned, accomplished.
• Oversight and guidance of audit scope, time, budget, material findings and escalations.
• Provided added value by sharing relevant business insights and adopting GSMA and ISO 27002 guidelines.
• Findings delivered and accepted by risk owners and executives.
• Effective strategies to mitigate findings and improve revenues determined and accepted by executives.
• Engagement results delivered to Vivacom Audit Committee. Follow-up agreed.
• Follow-up assessment confirmed 100% of top findings fixed.
• Shareholders and executives updated on strategic and top operational risk via the Control Committee.
• Business added value achieved by implemented risk-based internal audit, PDCA cycle mitigating risks.
• 4 FTE team performance managed.
• Oversight of creation and update of the corporate risk universe and risk and control matrix.
• Govern risk and compliance: identification, assessment, assignment, mitigation, progress control.
• Owning top-risk activities: IT migrations, cost benchmarking, continuous auditing, AML/KYC, interconnect inflation, artificial sales, business continuity.
• Acting as a product owner for risk detection and mitigation tools (PoC, tech. requirements, UAT).
• Managing external vendors and contractors (contracting, SLA monitoring, settlement).
• Carrying out forensic investigations of M&A upon Control Committee requests.
• Conduct BIAs, assessments, audits, internal investigations as planned and per request.
• Deliver risk mitigation, IT-audit, fraud prevention projects.
• Developing corporate operational risk governance policies and procedures.
• Corporate risk universe maintained. Assets, threats, probability, exposure identified.
• Impact assessment (root-cause, exposure) reviews, statistical analytics.
• Risk management continuous audit, carrying out mitigating projects/controls.
• Risk Committee (CEO and shareholders) non-compliance reporting.
• ISACA and CIA member. Participated in CISA/CISM activities.
• Hiring, onboarding, training, assessing and feedback on performance for team members, up to an 11 FTE team.
• Led cybersecurity, revenue assurance and BCP/DRP consulting assignments.
• Led audit projects: IT audit, financial audit support, compliance audit, SOX.
• Overseeing and performing hands-on audit field work (ELC, ITGC, ALC, CAATs, substantive and analytical procedures, MLP) to provide reasonable assurance on internal controls effectiveness.
• Engagements progress reported to executives: contracting, scoping, budgeting, planning, staffing, training.
• Liaise with client’s executives on audit progress, findings, escalations.
• Acting as a team member of cybersecurity audits and consulting teams.
• Audit BSI Part 1 and BSI Part 2 etc. compliance.
• Advise on ISMS effective operations and overall level of cyber-resilience improvement.
• Implementing high-performance clustering calculations (MPI, Beowulf).
• Delivering lectures and classes: networks, operating systems, C/C++.
• Administrating network perimeter: RHEL ipchains/iptables, DMZ, IDS, MS ISA, S2S and RA VPNs.
• Administrating application proxies: Apache, Postfix, Squid.
• AD Domain administration.
• Rolling out and maintaining PKI.
• Virus and Spam border control.
• Maintaining ISP contracts and DNS.
• Running regular cybersecurity penetration tests.
Master of Cybersecurity Management.
Bachelor in IT management.