I deliver clarity, control, and resilience—trusted by boards and executives to restore confidence and unlock business growth under pressure.

1. 15+ years protecting enterprises, infrastructure, and SaaS against operational, reputational, and legal risk;
2. Board-level partner to executives, regulators, and investors across scale-ups and global multinationals;
3. Executive leadership of security, privacy, and resilience programmes in highly regulated industries;
4. Proven record in converting board strategy into measurable outcomes across business, IT, and cloud;
5. Crisis-tested in restoring trust after compliance failures, investigations, breaches, and incidents;
6. Deep GRC and operational resilience expertise, bridging technical remediation with legal demands;
7. Track record delivering frameworks and certifications that withstand audits, regulators, and investors;
8. Offensive and defensive depth in penetration testing, application security, and infrastructure hardening;
9. Mastery of ISO 27K, SOC 2, GDPR, NIS2, DORA, AI Act, CRA, BIO2, and global frameworks;
10. Enabled M&A, investment, and market entry in finance, healthcare, telecommunications, and SaaS;
11. Trusted to resolve regulatory investigations and avert organisations from multimillion-euro penalties.

Delivering pragmatic, industry-aligned security leadership—enabling informed risk decisions, measurable assurance, and compliance.

1. Develop and drive the security strategy and roadmap in line with stakeholder needs;
2. Report on risks, compliance, and maturity to boards and executive leadership;
3. Lead enterprise risk assessments, treatment, and control design to reduce risk exposure;
4. Conduct reviews, audits, and gap analyses (ISO/IEC 27001, NIS2, DORA, BIO2, NEN 7510);
5. Track legal and regulatory changes (NIS2, CRA) and update internal controls;
6. Establish and enforce security policies, procedures, and baselines (CIS, NIST SP 800);
7. Deliver security awareness and training across departments and leadership;
8. Guide secure architecture, design principles, IAM strategy, and Zero Trust adoption;
9. Drive BCP/DR planning and vulnerability management (CVEs, OWASP Top 10, CVD);
10. Build security operations centres (SOC) and incident response teams (CSIRT);
11. Oversee security operations, workforce, budget, and resource alignment;
12. Direct incident response, digital forensics, and regulator/crisis communications;
13. Coordinate playbooks, tabletop exercises, simulations, and red/blue/purple teaming;
14. Manage cyber insurance coverage, policy conditions, and claims exposure;
15. Drive OKRs, KPIs/KRIs, and report risk posture to executives and the board;
16. Manage audits, third-party risk, contractual controls, and supply chain control gaps;
17. Maintain and validate assurance artefacts (ISO 27K, ISAE, SSAE, SOC 2, PCI-DSS, BCRs);
18. Conduct capability maturity assessments (CMMI) and support investor due diligence;
19. Align ISMS operations with ISO/IEC 27001, 27017, and industry benchmarks;
20. Advise senior leadership on governance, risk appetite, and cross-functional alignment.

Leading enterprise-wide privacy governance—balancing data-driven innovation with ethical AI, regulatory compliance, and accountability.

1. Develop and drive the data protection strategy in line with stakeholder needs;
2. Report on privacy risks, compliance, and maturity to boards and executive leadership;
3. Lead enterprise risk assessments, treatment, and control design to reduce risk exposure;
4. Conduct DPIAs, LIAs, TIAs, and AI risk assessments (FRIAs) for high-risk processing;
5. Monitor the evolving regulatory landscape, particularly in the EU, UK, and US;
6. Track regulatory guidance (EDPB, DPAs, ICO, FTC) and federal & international rulings;
7. Maintain and optimise RoPAs, data retention schedules, and lawful bases under GDPR;
8. Develop and review privacy policies, notices, and mechanisms aligned with FIPPs;
9. Negotiate and review DPAs, cross-border data transfers, and joint controllerships;
10. Maintain and validate assurance artefacts (BCRs, SCCs, ISO 27K, ISAE, SSAE, SOC 2);
11. Advance PIMS maturity with ISO/IEC 27701, 27018, EDPB guidance, and EU data strategy;
12. Direct audits, breach response, and notifications to regulators and data subjects;
13. Handle DSARs and engage with the Dutch DPA and other European regulators;
14. Advise on transparency obligations, consent strategies, and cookie compliance;
15. Drive fairness, explainability, and accountability under the EU AI Act;
16. Direct implementation of privacy-by-design and privacy-enhancing technologies (PETs);
17. Lead awareness and training programmes on data protection and responsible AI.

Driving secure engineering—bridging software development, cloud infrastructure, and security operations to enable digital transformation.

1. Define and adopt secure architecture and design principles to enhance risk posture;
2. Embed threat modelling (STRIDE, attack trees, abuse-case scenarios) into SDLC;
3. Conduct code reviews to identify OWASP Top 10 issues, CWEs, and ASVS non-conformities;
4. Perform penetration testing and vulnerability scanning with actionable PoCs;
5. Assess API security, auth protocols (OAuth2, OIDC, JWT), and secrets management;
6. Integrate and tune SAST, DAST, and IAST security gates in CI/CD pipelines;
7. Secure software supply chains using SBOMs, SCA, and license compliance;
8. Guide secure coding, IaC practices, cloud architecture on AWS, Azure, and GCP;
9. Harden OS and containers on Linux, Docker, and Kubernetes with security baselines;
10. Improve detection and response via logging, audit trails, and runtime monitoring;
11. Harden deployments with secure defaults, rollback support, and DR automation;
12. Champion shift-left practices and security-by-design across engineering teams.

When you hire me, you’re not onboarding someone who needs training, hand-holding, or months to get up to speed. You’re getting nearly two decades of hard-won experience across security, privacy, engineering, and legal domains. I ask the right questions, extract what matters, and get to work. You get outcomes, not overhead.

Unlike full-time hires, I’m not caught up in office politics or role preservation. I bring clarity, challenge assumptions, and lead with transparency. You get facts, not theatre. I’ve seen how internal politics and noise can obscure risk, slow progress, and distort reality. I cut through that with facts and focus. No employer risk. No hidden agenda. Just discreet, senior execution, where and when you need it.

Flexible, independent, and outcome-driven.

Some clients retain me on a monthly basis for strategic oversight, risk advisory, or interim leadership. Others bring me in for tightly scoped projects, such as DPIAs, vendor assessments, internal ISO/IEC 27001 audits, or high-pressure remediation projects after incidents.

Scope, deliverables, and check-ins are defined up front—for focus, clarity, and accountability. I’m flexible, but lead decisively to protect outcomes and budgets. I’ve seen how some consultants inflate hours or let projects drift. That’s where I’m different: I keep scope tight, delivery sharp, and outcomes accountable.

I work independently on my own secured devices and drive execution while collaborating through your preferred tools, whether that’s email, Teams, Slack, or something else. This keeps things practical, efficient, and compliant with the Dutch Wet DBA—ensuring a clear, professional, and truly independent working relationship.

Both. Most assignments require a mix of strategic input and hands-on execution to deliver real results. I’ve seen teams left with abstract frameworks or stuck with vague recommendations that never land in practice. That’s not me. I make sure strategy translates into action, delivers outcomes, and holds up under scrutiny.

When you’re short on time, under pressure, or hitting roadblocks, I step in and help. Whether that means building registers, writing policies, conducting assessments, negotiating contracts, or managing crises, I roll up my sleeves and get it done. However, my goal isn’t to create dependence. Ultimately, I embed practices and transfer capabilities, leaving you stronger and more resilient than before.

While I’m sector-agnostic, I’ve supported clients across e-commerce, healthcare, fintech, education, digital media, and government—handling regulated data, sensitive workloads, and critical systems.

I’ve worked across high-risk environments and apply proven methods tailored to your risk, regulatory obligations, and growth stage. I know what regulators expect, what partners and clients demand, and what investors scrutinise most. I’m also keenly aware of conflicting risk appetites and interests, particularly in commercial environments.

Trust and discretion underpin everything I do. I routinely operate under NDA. If required, we can extend confidentiality to cover the fact of our engagement. You can expect strict independence, secure working practices, and absolute protection of sensitive information.

I’ve supported clients through regulatory investigations, breach response, and other situations where discretion was critical to survival. My role extends beyond safeguarding intellectual property, personal data, systems, and compliance posture: it’s also about protecting your reputation and trust.

Yes, I conduct independent, standards-based assessments in line with ISO 19011 across ISO/IEC 27001, 27701, 27017, 27018, and Dutch BIO2 and NEN 7510. Provided I haven’t designed the controls or processes being audited, of course.

As a Certified Information Systems Auditor (CISA) and a Certified ISO/IEC 27001 and 27701 Lead Implementer, I help clients strengthen posture, prepare for certification, and meet internal assurance goals without conflict of interest.

1. 
2. 
3.