Services

Strategy, oversight, execution—done right

I help organisations build resilient, compliant, and pragmatic security and privacy programmes.

vCISO • Security & GRC Consultant • Internal Auditor

Delivering pragmatic, standards-aligned security leadership—driving informed risk decisions, operational resilience, and compliance.

  1. Lead enterprise risk assessments, treatment, control design, and roadmap execution;
  2. Conduct internal audits and gap analyses (ISO/IEC 27001, DORA, BIO2, NEN 7510);
  3. Track legal and regulatory changes (NIS2, CRA) and update internal controls;
  4. Develop and review security policies, procedures, and baselines (CIS, NIST SP 800);
  5. Guide secure architecture, IAM strategy, and Zero Trust implementation;
  6. Advise on BCP/DR planning and vulnerability management (CVEs, OWASP Top 10, CVD);
  7. Support incident response, digital forensics, and regulator/crisis communications;
  8. Coordinate tabletop drills, phishing simulations, and red/blue/purple teaming;
  9. Assess cyber insurance coverage, policy conditions, and claims exposure;
  10. Drive OKRs, KPIs/KRIs, and report risk posture to executives and the board;
  11. Oversee strategic security hiring, budget planning, and resource alignment;
  12. Evaluate third-party risk, contractual controls, and supply chain control gaps;
  13. Assess and validate third-party assurance artefacts (SOC 2, BCRs, PCI-DSS);
  14. Conduct capability maturity assessments (CMMI) and support investor due diligence;
  15. Advise senior leadership on governance, risk appetite, and cross-functional alignment;
  16. Align ISMS operations with ISO/IEC 27001, 27017, and industry benchmarks.

vCPO • Privacy & Data Protection Consultant • vDPO • AI Risk Advisor

Leading enterprise-wide privacy governance—aligning data-driven innovation with regulatory compliance, ethical AI, and accountability.

  1. Conduct DPIAs, TIAs, LIAs, and AI risk assessments for high-risk processing;
  2. Maintain and optimise RoPAs, data retention schedules, and lawful bases under GDPR;
  3. Develop and review privacy policies, notices, and mechanisms aligned with FIPPs;
  4. Negotiate and review DPAs, cross-border data transfers, and joint controllerships;
  5. Support audits, breach response, and notifications to regulators and data subjects;
  6. Advise on transparency obligations, consent strategies, and cookie compliance;
  7. Drive fairness, explainability, and accountability under the EU AI Act;
  8. Guide implementation of privacy-by-design and privacy-enhancing technologies (PETs);
  9. Lead awareness and training programmes on data protection and responsible AI;
  10. Handle DSARs and engage with the Dutch DPA and other European regulators;
  11. Advance PIMS maturity with ISO/IEC 27701, 27018, EDPB guidance, and EU data strategy.

Technical Security Consultant • Ethical Hacker • DevSecOps Engineer

Advancing secure engineering—bridging software development, infrastructure hardening, and security operations to reduce systemic risk.

  1. Conduct code reviews to identify OWASP Top 10 issues, CWEs, and ASVS non-conformities;
  2. Perform penetration testing and vulnerability scanning with actionable PoCs;
  3. Assess API security, auth protocols (OAuth2, OIDC, JWT), and secrets management;
  4. Integrate and tune SAST, DAST, and IAST security gates in CI/CD pipelines;
  5. Secure software supply chains using SBOMs, SCA, and license compliance;
  6. Embed threat modelling (STRIDE, attack trees, abuse-case scenarios) into SDLC;
  7. Guide secure coding, IaC practices, cloud architecture, and OS/container hardening;
  8. Improve detection and response via logging, audit trails, and runtime monitoring;
  9. Harden deployments with secure defaults, rollback support, and DR automation;
  10. Champion shift-left practices and security-by-design across engineering teams.

Why work with me

15+ years of trust, impact, and execution

This isn’t just my profession—it’s my domain.

I bring nearly two decades of experience across security, data protection, software engineering, and relevant law. My hybrid expertise is rooted in hard-won execution, not just theory. I’ve built certified management systems, embedded privacy governance into complex data platforms, driven regulatory compliance, performed audits, and scaled SaaS platforms, among other things. I architect, implement, and deliver. I don’t just advise. I know what works—and what’s a waste of time.

  • Deep hands-on expertise: I know what works, what scales, and what doesn’t.
  • Hybrid fluency: I speak engineering, law, and business. Effectively.
  • Execution that lands: You get outcomes—not process theatre or fluff.
  • Independent and discreet: Neutral, agenda-free, and trusted across silos.
  • Team enablement: I upskill your people—not replace them.
  • No guesswork: Experience-driven, evidence-backed decisions.
  • No one-size-fits-all: Tailored to your risk, scale, and context.
  • No lock-in: I build clarity and autonomy—not dependence.
  • No checkbox theatre: If it doesn’t work in practice, it doesn’t belong.
  • No scaremongering: Fear sells—I deliver facts, context, and execution.

Who I work with

For decision-makers, not spectators

If you need someone who operates across strategic, legal, and technical domains—you’re in the right place.

I support founders, general counsel, CTOs, and leadership teams who need senior, high-trust security and privacy expertise—without the overhead of a full-time hire. Typically, I work with:

  • Boards & Executives

    Discreet advisory, risk oversight, or interim CISO/CPO leadership.

  • Legal Teams

    TOMs, DPAs, international transfers, and AI governance—made actionable.

  • Engineering & IT

    Secure architecture, DevSecOps integration, and vulnerability triage.

  • Startups & Scaleups

    Preparing for audits, certifications, or investor due diligence.

  • Regulated Environments

    Handling high-risk, high-sensitivity data under scrutiny.

  • SaaS Providers

    Designing secure, compliant, and scalable multi-tenant platforms.

FAQ

Straight answers

I lead with transparency so you can make informed decisions, not comforting ones.

What’s the difference between hiring you and hiring a full-time employee?

When you hire me, you’re not onboarding someone who needs training, hand-holding, or three months to get up to speed. You’re getting nearly two decades of experience across security, privacy, engineering, and legal domains. I ask the right questions, extract what matters, and get to work. You get outcomes, not overhead.

Unlike full-time hires, I’m not caught up in office politics, role preservation, or internal noise. I bring clarity, challenge assumptions, and lead with transparency. You get facts, not theatre. I’ve seen how status games and team dynamics obscure risk, stall progress, and distort reality. I cut through that. No employer risk. No hidden agenda. Only discreet, senior execution, exactly where and when you need it.

How do engagements typically work?

Flexible, independent, and outcome-driven.

Some clients retain me on a monthly basis for strategic oversight, risk advisory, or interim leadership. Others bring me in for tightly scoped projects, such as DPIAs, vendor assessments, or internal ISO/IEC 27001 audits. Scope, deliverables, and check-ins are defined up front—for focus, clarity, and accountability. I’m flexible, but lead decisively to protect outcomes and budgets. I’ve seen consultants quietly inflate hours and drift off track. I don’t work that way.

I work independently on my own secured devices and drive execution while collaborating through your preferred tools, whether that’s email, Teams, Slack, or something else. This keeps things practical, efficient, and compliant with the Dutch Wet DBA—ensuring a clear, professional, and truly independent working relationship.

Are you hands-on, or do you just advise?

Both. Most assignments require a mix of strategic input and hands-on execution to deliver real results. I’ve seen teams left with abstract frameworks or stuck with vague recommendations that never land in practice. That’s not me. I translate strategy into action, drive implementation, and roll up my sleeves when it counts.

If you’re stuck, short on time, or hitting roadblocks, I step in to help. Whether it’s writing policies, conducting data protection impact assessments (DPIAs), building registers, triaging vulnerabilities, or something else, I get it done.

What industries do you work with?

I’m industry-agnostic, but I’ve worked across high-risk environments. I’ve supported clients in e-commerce, healthcare, fintech, education, digital media, and government sectors—handling regulated data, sensitive workloads, and critical systems.

Whether you’re scaling a SaaS platform, navigating international data transfers, securing healthcare systems, or preparing for certification, I apply proven methods tailored to your risk, regulatory obligations, and growth stage.

Do you perform internal ISO/IEC 27001 and 27701 audits?

Yes. As long as I haven’t designed the controls or processes being audited, I deliver objective, standards-based assessments in line with ISO 19011 across ISO/IEC 27001, 27701, 27017, 27018, and the Dutch BIO2 and NEN 7510.

As a Certified Information Systems Auditor (CISA) and a Certified ISO/IEC 27001 and 27701 Lead Implementer, I help clients strengthen posture, prepare for certification, and meet internal assurance goals without conflict of interest.


Case studies

Expertise meets execution

I’ve led sensitive engagements where discretion was key and failure wasn’t an option. While most assignments remain under NDA, the following examples offer a glimpse into the kind of outcomes I deliver.

  1. ISO/IEC 27001 Certification Secured to Win Enterprise Trust

    A leading social media marketing and communications SaaS platform required an effective security, privacy, and compliance programme. A tailored Information Security, Privacy, and Compliance Management System was designed and implemented, supported by custom-built governance tooling for streamlined risk management, control tracking, and evidence collection.

    This led to ISO/IEC 27001 certification, including successful recertification and revisions, while meeting regulatory compliance and enterprise procurement demands.

  2. Covert Distribution of Child Sexual Abuse Material Revealed

    A global consumer transport and mobility platform operating across 100+ countries commissioned a white-box security assessment of its production environment. This review uncovered a covertly reconfigured component that allowed unauthorised traffic to flow through the company’s infrastructure.

    Further investigation revealed exploitation by Russian-based threat actors to host and distribute illegal content, including child sexual abuse material.

  3. EU Anti-Money Laundering Compliance For Crypto Trading

    A Dutch fintech startup aiming to launch a consumer cryptocurrency trading platform required a security-led architecture and workflows to operate under increasing regulatory scrutiny. A secure architecture was delivered, featuring robust KYC/AML workflows, advanced fraud detection engines, and data protection controls.

    The platform was able to meet banking partner requirements, onboard users within Europe, and scale rapidly—resulting in Dutch market leadership and international acquisition.

  4. Travel Platform Rebuilt for Scale and Regulatory Compliance

    A fast-growing European travel platform was under pressure from unstable infrastructure, performance bottlenecks, and consumer watchdogs—including the Dutch Authority for Consumers and Markets (ACM). The platform was re-architected to strengthen resilience, eliminate failure points, and align with consumer protection requirements.

    The result was 500x (!) faster performance, zero downtime under peak load, regulatory compliance, and a measurable increase in booking volume.

  5. Healthcare Platform Hardened To Meet NEN 7510 Standards

    A Dutch healthcare provider required third-party assurance of its new digital platform meeting secure engineering practices and sector-specific NEN 7510 controls. The white-box assessment yielded several improvements related to access control and handling of sensitive personal and medical data.

    The platform successfully attained its NEN 7510 certification, strengthened trust with medical partners, and enabled continued secure delivery of digital care services.

Pricing

Flexible models for serious work

My work reflects a lifelong commitment to protecting people, systems, and data.

My services are tailored, not templated. Whether you need ongoing leadership, targeted delivery, or flexible access to expertise, we will structure our engagement to meet your specific needs.

  • Retainer model

    Fixed hours per month · Ongoing strategic and operational support. From acting as your vCISO, vCPO, or vDPO, to leading risk management, advising teams, or handling sensitive issues as they arise.

  • Project-based

    Fixed scope, defined outcomes · Scoped initiatives with clear goals. Including audits, DPIAs, security reviews, TOMs analysis, OSINT & vulnerability reports, as well as ISO/IEC 27001 preparation.

  • Prepaid model

    Prepaid hours, flexible use · Expertise on call without the monthly commitment. Buy a block of hours and use them as needed. For reviews, second opinions, or other quick interventions.

  • Interim placement

    On-demand interim coverage · For short-term placement or urgent assignments. When you need a CISO, DPO, or technical expert to step in quickly and focus on restoring clarity and control.

Contact

No pitch, just clarity

Whether you’re scaling, raising funding, preparing for certification, facing regulatory scrutiny, or simply stuck, I help you get the controls and confidence you need.

We are ONE in cyber ✨

I’m currently limited in availability to take on new clients. However, I’m always happy to connect and explore how I can assist at a later time.

Connect on LinkedIn