Services

Clarity, control, outcomes

I bring board-level clarity, rebuild operational control, and leave you measurably safer than before.

1. Enterprise & Digital Trust

Supporting boards and executives in defensible risk acceptance decisions that protect trust and enable sustainable growth.

Mandate
  1. Define enterprise risk posture, appetite, and tolerance across digital and operational risk;
  2. Integrate cyber, privacy, AI, third-party, and regulatory risk into a coherent risk model;
  3. Translate technical, legal, and operational exposure into decision-ready risk narratives;
  4. Frame decisions impacting reputation, investor confidence, and enterprise value;
  5. Advise on material risk exposure, trade-offs, residual risk, liability, and risk acceptance;
  6. Support oversight and supervisory engagement under EU digital regulation;
  7. Guide decision-making during incidents, investigations, and regulatory scrutiny;
  8. Provide independent risk challenge across core risk functions.

Domain knowledge

Enterprise risk governance; risk appetite calibration; digital and systemic risk integration; supervisory engagement; liability exposure and defensible risk acceptance.

2. Cybersecurity & Operational Resilience

Providing pragmatic security leadership that enables informed risk decisions, defensible assurance, and operational resilience.

Mandate
  1. Develop and drive the ISMS / cybersecurity strategy aligned with enterprise risk posture;
  2. Report risk, compliance, and resilience maturity to boards and executive leadership;
  3. Lead enterprise risk assessments, treatment, and control design to reduce exposure;
  4. Establish and enforce enterprise security policies, procedures, and baselines;
  5. Conduct audits, reviews, and gap analyses against international and sectoral standards;
  6. Monitor regulatory and threat landscape shifts and translate them into control updates;
  7. Guide secure architecture, identity governance, and modern security models;
  8. Lead business continuity, disaster recovery, and vulnerability management programmes;
  9. Build and oversee security operations centres and incident response capabilities;
  10. Manage security operations, budgets, workforce, and external providers;
  11. Direct incident response, digital forensics, and regulator/crisis communications;
  12. Oversee third-party security risk, cyber insurance exposure, and assurance artefacts;
  13. Advise senior leadership on cybersecurity governance and resilience trade-offs.

Domain knowledge

Cybersecurity governance and assurance; operational resilience; crisis leadership and incident command; control framework integration; EU digital and sectoral regulation.

3. Privacy & Data Protection

Leading privacy and data protection governance to enable innovation while meeting ethical, regulatory, and accountability expectations.

Mandate
  1. Develop and drive the PIMS / data protection strategy aligned with stakeholder needs;
  2. Report privacy risk, compliance posture, and maturity to boards and executive leadership;
  3. Lead enterprise risk assessments, treatment, and control design to reduce exposure;
  4. Monitor EU, UK, and international regulatory developments and supervisory guidance;
  5. Direct enterprise privacy, transfer, and AI risk assessments for high-risk activities;
  6. Oversee and govern RoPAs, data retention schedules, and lawful processing models;
  7. Establish enterprise privacy policies, notices, and accountability mechanisms;
  8. Negotiate and govern DPAs, cross-border data transfers, and joint controllerships;
  9. Embed privacy by design and by default, together with PETs, into systems and product development;
  10. Advise on transparency and consent models, cookies, and user rights implementation;
  11. Direct breach response and notifications to regulators and data subjects;
  12. Provide independent challenge on privacy, AI, and data governance decisions.

Domain knowledge

Privacy and data protection governance; FIPPs; accountability under GDPR and wider EU data law; cross-border data strategy; data subject rights enforcement; supervisory engagement; AI governance.

Why work with me

15+ years of delivery under pressure

I’m brought in when the cost of being wrong is high, whether legally, operationally, or reputationally.

I bring nearly two decades of senior experience across cybersecurity, data protection, security engineering, and regulatory compliance. My hybrid expertise is rooted in execution, not just theory. I’ve secured regulatory approvals, strengthened resilience through certified management systems, cut liability and risk exposure, and led organisations through audits and investor due diligence. I don’t just advise; I architect, implement, and deliver. I know what works and what wastes time.

  • Deep hands-on expertise · Hard-won knowledge of what actually works.
  • Fluency across domains · Connecting business, legal, and engineering.
  • Execution that builds resilience · Strengthened trust and reduced risk.
  • Independent and discreet · A neutral partner who cuts through politics.
  • Capability transfer · I upskill your people, not replace them.
  • No guesswork · Evidence-driven decisions, not assumptions.
  • No one-size-fits-all · Solutions tailored to your risk reality.
  • No lock-in · Autonomy delivered, dependency avoided.
  • No paper compliance · Controls that function in practice.
  • No fear tactics · I bring facts, clarity, and assurance.

Who I work with

Organisations needing clarity and assurance

If you need senior expertise across strategic, legal, and technical domains—you’re in the right place.
  • Boards & Executives

    Discreet advisory, risk oversight, governance, and leadership balancing strategy with hands-on execution.

  • Legal & Compliance

    TOMs, DPAs, cross-border transfers, M&A due diligence, and AI governance—made practical and defensible.

  • IT & Engineering

    Secure architecture, DevSecOps, cloud resilience, and vulnerability triage embedded into delivery.

  • Start-ups & Scale-ups

    Audit-readiness, certifications, M&A preparation, and investor due diligence, building trust at every growth stage.

  • Regulated Industries

    Protecting high-risk and high-sensitivity data in finance, health, and other sectors under heavy scrutiny.

  • SaaS Providers

    Designing multi-tenant platforms that scale securely, comply globally, and earn lasting customer trust.

FAQ

Straight answers

I lead with transparency so you can make informed decisions, not just comforting ones.

What differentiates you from a full-time employee?

When you hire me, you’re not onboarding someone who needs training, hand-holding, or months to get up to speed. You’re getting nearly two decades of hard-won experience across security, privacy, engineering, and legal domains. I ask the right questions, extract what matters, and get to work. You get outcomes, not overhead.

Unlike full-time hires, I’m not caught up in office politics or role preservation. I bring clarity, challenge assumptions, and lead with transparency. You get facts, not theatre. I’ve seen how internal politics and noise can obscure risk, slow progress, and distort reality. I cut through that with facts and focus. No employer risk. No hidden agenda. Just discreet, senior execution, where and when you need it.

How do your engagements typically work?

Flexible, independent, and outcome-driven.

Some clients retain me on a monthly basis for strategic oversight, risk advisory, or interim leadership. Others bring me in for tightly scoped projects, such as DPIAs, vendor assessments, internal ISO/IEC 27001 audits, or high-pressure remediation projects after incidents.

Scope, deliverables, and check-ins are defined up front—for focus, clarity, and accountability. I’m flexible, but lead decisively to protect outcomes and budgets. I’ve seen how some consultants inflate hours or let projects drift. That’s where I’m different: I keep scope tight, delivery sharp, and outcomes accountable.

I work independently on my own secured devices and drive execution while collaborating through your preferred tools, whether that’s email, Teams, Slack, or something else. This keeps things practical, efficient, and compliant with the Dutch Wet DBA—ensuring a clear, professional, and truly independent working relationship.

Are you hands-on, or do you just advise?

Both. Most assignments require a mix of strategic input and hands-on execution to deliver real results. I’ve seen teams left with abstract frameworks or stuck with vague recommendations that never land in practice. That’s not me. I make sure strategy translates into action, delivers outcomes, and holds up under scrutiny.

When you’re short on time, under pressure, or hitting roadblocks, I step in and help. Whether that means building registers, writing policies, conducting assessments, negotiating contracts, or managing crises, I roll up my sleeves and get it done. However, my goal isn’t to create dependence. Ultimately, I embed practices and transfer capabilities, leaving you stronger and more resilient than before.

What industries do you have experience in?

While I’m sector-agnostic, I’ve supported clients across e-commerce, healthcare, fintech, education, digital media, and government—handling regulated data, sensitive workloads, and critical systems.

I’ve worked across high-risk environments and apply proven methods tailored to your risk, regulatory obligations, and growth stage. I know what regulators expect, what partners and clients demand, and what investors scrutinise most. I’m also keenly aware of conflicting risk appetites and interests, particularly in commercial environments.

How do you handle sensitive or confidential work?

Trust and discretion underpin everything I do. I routinely operate under NDA. If required, we can extend confidentiality to cover the fact of our engagement. You can expect strict independence, secure working practices, and absolute protection of sensitive information.

I’ve supported clients through regulatory investigations, breach response, and other situations where discretion was critical to survival. My role extends beyond safeguarding intellectual property, personal data, systems, and compliance posture: it’s also about protecting your reputation and trust.

Do you also perform internal ISO/IEC 27K audits?

Yes, I conduct independent, standards-based assessments in line with ISO 19011 across ISO/IEC 27001, 27701, 27017, 27018, and the Dutch BIO2 and NEN 7510, provided, of course, that I haven’t designed the controls or processes being audited.

As a Certified Information Systems Auditor (CISA) and a Certified ISO/IEC 27001 and 27701 Lead Implementer, I help clients strengthen posture, prepare for certification, and meet internal assurance goals without conflict of interest.

Case studies

Proven outcomes

I’ve led high-stakes engagements where discretion was essential and the stakes were regulatory, financial, and reputational. While most of my work is under NDA, these examples highlight the outcomes I deliver.

  1. ISO/IEC 27001 Certification Secured to Enable Regulated Market Growth

    A leading marketing and communications SaaS platform risked losing enterprise deals without a credible risk governance programme. Continued integration with major social platforms and the ability to serve banking and government clients demanded compliance and resilience under ISO/IEC 27001, BIO2, GDPR, DORA, and the AI Act.

    I designed and rolled out a tailored Information Security, Privacy, and Compliance Management System, supported by custom tooling for risk management, control tracking, and evidence collection. I also embedded continuous compliance to sustain platform integrations and meet rigorous financial and public-sector due diligence.

    The platform secured and sustained ISO/IEC 27001 certification, unlocking enterprise procurement and expansion into regulated markets while safeguarding critical integrations, assuring regulators, and strengthening long-term confidence among partners and shareholders.

  2. Crypto Trading Platform Licensed for EU AML Compliance and Acquisition

    A Dutch fintech startup preparing to launch a consumer cryptocurrency trading platform faced scrutiny from the Dutch Central Bank (DNB), the regulator responsible for licensing and supervising banks. At the time, major banks refused to provide services to crypto firms, deeming the sector too new and high-risk. This created an existential barrier to launch.

    I architected a security-led operating model to meet EU licensing requirements and withstand regulatory and banking due diligence. This included KYC processes, sanctions screening, transaction monitoring, and suspicious activity reporting, supported by enterprise-grade fraud detection and data protection controls to ensure resilience across EU jurisdictions.

    The company gained regulatory approval and secured integration with BNP Paribas, enabling licensed market entry in the Netherlands and across Europe. With compliance embedded, it scaled rapidly, established Dutch market leadership, and was ultimately acquired by global exchange Kraken.

  3. Global Child Abuse Network Exposed Through Cloud Security Assessment

    A global consumer transport and mobility platform operating across 100+ countries commissioned an independent white-box security assessment of its production environment. The project required senior secure engineering expertise and discretion, given the sensitivity of the findings.

    I uncovered a covertly reconfigured cloud component in the core infrastructure that let unauthorised traffic flow undetected. Evidence suggested an insider-driven change, exploited by Russian-based threat actors to host and distribute child sexual abuse material. Beyond discovery, I advised executive leadership on crisis management, coordinated with law enforcement, and provided technical evidence for a successful takedown.

    This intervention averted an existential risk to the business, enabling decisive action to protect users and cooperate with authorities. It avoided multi-million-euro penalties and reputational collapse, while preserving trust with regulators, partners, and investors.

  4. Travel Platform Rebuilt for Scale, Resilience, and Regulatory Compliance

    A fast-growing European travel platform was constrained by unstable infrastructure, performance bottlenecks, and scrutiny from consumer watchdogs, including the Dutch Authority for Consumers and Markets (ACM). Outages during high-profile television advertising campaigns further damaged reputation and drew threats of regulatory fines.

    I worked with engineering to re-architect the platform for scale and resilience, fixing systemic weaknesses and aligning the board and product teams with regulatory expectations. I also strengthened integrations with external platforms that had previously failed under load.

    The rebuild delivered 500x faster performance, zero downtime under peak load, regulatory compliance, and support for new partner integrations. This averted penalties and drove a measurable surge in bookings, enabling sustainable growth.

  5. Healthcare Platform Hardened to Achieve NEN 7510 Certification

    A Dutch healthcare provider required independent assurance that its new digital platform complied with sector-specific NEN 7510 standards after a failed certification attempt. The platform supported patient self-diagnosis, medical record tracking, and video consultations, making health data protection vital to operations and trust.

    My assessment exposed numerous application security flaws and systemic gaps in access control and data handling. I worked with engineering teams to remediate issues and embed secure and privacy engineering practices for sustained assurance. I deployed automated SAST and DAST tooling, trained engineers in threat modelling, and established security standards for the evolving platform.

    The platform achieved NEN 7510 certification, strengthening trust with medical partners, and ensuring reliable delivery of patient care while reinforcing confidence at board level.

Pricing

Responsibility priced accordingly

My work reflects a lifelong commitment to protecting people, systems, and data.

My services are tailored, not templated. Whether you need ongoing leadership, targeted delivery, or flexible access to expertise, we will structure our engagement to meet your specific needs.

  • Retainer model

    Fixed hours per month · Ongoing strategic and operational support. From acting as your vCISO, vCPO, or vDPO, to leading risk management, advising teams, or handling sensitive issues as they arise.

  • Project-based

    Fixed scope, defined outcomes · Scoped initiatives with clear goals. Including audits, DPIAs, security reviews, TOMs analysis, OSINT & vulnerability reports, as well as ISO/IEC 27001 preparation.

  • Prepaid model

    Prepaid hours, flexible use · Expertise on call without the monthly commitment. Buy a package of hours and use them as needed. For reviews, second opinions, or other quick interventions.

  • Interim placement

    On-demand interim coverage · For short-term placement or urgent assignments. When you need a CISO, CPO, or technical expert to step in quickly and focus on restoring clarity and control.

Contact

Straight answers, no sales pitch

Whether you’re scaling, raising funding, preparing for certification, facing regulatory scrutiny, or simply stuck, I help you get the controls and confidence you need.

Need clarity and hands-on expertise?

I’m currently limited in availability to take on new assignments. However, I’m always happy to connect and explore how I can assist at a later time.

Connect on LinkedIn