Certified Information Security Manager, Certified Information Systems Auditor
Nov 1986 - Apr 1992
University of Augsburg
University degree in Business Administration and Economics from the University of Augsburg. Focus areas were Organisational Management and Leadership, and Controlling and Auditing; the third focus area was Sociology.
Completed the Controlling and Auditing topic as one of the top ten students of the year.
Sep 2006 - Present
Owner, Management Consultant
- Definition of a communication concept for the global roll-out of a completely revamped product development process of a manufacturing business. Development of a target-group-specific communication plan as well as various communication means, which are based on the training concept. Close collaboration with the HR unit of the company.
- Development of an integrated Process, Risk and Business Continuity Management approach for a telecommunications provider in Germany. Definition of milestones and facilitation of the process to identify mission-critical activities. Roll-out of the risk management approach throughout the company and coaching of the management board with regard to Risk Management and Business Continuity Strategy. Part of this assignment was dedicated to the company's process model definition.
- Implementation of a global HR Award System as part of a cultural change project during the post-merger integration phase.
- Subject matter expert and functional head of the Human Capital Management and Corporate Governance Community within a freelance consultant network during the setup phase of the network. Topics covered were Change Management, Training System Management and Human Capital Management, Compliance, Risk Management Processes, Internal Audit Support, Business Continuity Management and Social Responsibility.
- Project Management and major content provider on the development of a business process control framework interlinking with the company's risk management system in a life insurance company (MaRisk – regulatory requirements project). Exemplary use of the framework on behalf of the customer for one business process, providing the customer with in-depth documentation on existing processes, related controls and process-inherent risks as well as recommendations to reduce the risks where appropriate and in line with the business strategy.
- Program Manager for a Biotechnology company on their business process efficiency and compliance project throughout the Eurasian region. Objective of this project was the design and implementation of efficient business processes and control measures throughout the regional country offices. Topics addressed in this environment were e.g. Human Capital Management, Financial Processes, Marketing Processes, Business Development, Human Resources, Data Privacy, Customer Relations Management. Development and implementation of a scorecard model for key performance indicators as well as applicable training modules for above business processes. Management advisor to the regional division head with regard to any governance and efficiency related topic including preparation of executive summaries for the global board of directors. Development, delivery and facilitation of training modules and workshops to support business process owners in their training efforts. Initiated and drafted a training system for further use by the HR function to monitor training needs, define responsibilities and track training requirement execution.
- Advice to Telefonica Germany (o2 Germany GmbH & Co OHG), focussing on supporting the new setup of the Security Unit as well as knowledge transfer.
Jul 2002 - Sep 2006
Vice President Corporate Security
o2 Germany GmbH & Co OHG
- Vice President Corporate Security O2 Germany, covering all strategic aspects of security including Disaster Recovery, IT Security, Physical Security, Network and Mobile Security, Health and Safety, Business Continuity Management and Lawful Intercept. The area of Lawful Intercept operations was managed by my team.
- Data Privacy Officer for O2 Germany and as such main link to the Data Privacy authorities within Germany
- Security Officer as required by the German Telecommunications Act and the Chief Security Officer according to SOX
- Ensuring redundancy of critical systems
- Implementation of a crisis management function and a Business Continuity Management Programme within the company
- Improvement of assessment results from external insurance auditors (operational risk reviews) in all relevant areas and thus keeping insurance fees stable for the company.
- Implementation of a security risk management system, using actual financials to assess risks
- Establishment of a risk acceptance process to ensure progress of projects within critical timelines with clearly defined deadlines to mitigate the security risks.
- Development of a security policy set based on ISO 17799 (27001)
- Management of company crisis, avoiding penalties from the authorities and establishment of formal communication channels with relevant authorities thus avoiding any regulatory penalties in the security area
- Introduction of an automated system for legal intercept measures and thus significantly reducing the increase of headcount while authority measures were increasing
- Data Privacy Trainer - focussing on Call Centre employees
- Speaker at international conferences
- Development of a security strategy in line with the company strategy to outline security into the future
- Management of the unit including cost centre responsibility and member of the top 50 senior management team
- Growing the business unit from 8 to 32 staff with 4 departments in the unit and a significant extension of responsibility
- Significantly improving the relationships of the security business unit with relevant other business units resulting in the involvement of the security function in core projects, thus reducing the risks to the company
May 2001 - Jun 2002
- Security Director at Interxion, a European Colocation Company. The areas of responsibility included physical security for all European Data Centers, Information Security for the internal as well as for the management network, security responsibility for product development, especially in the area of managed services.
- Achieved Suntone certification for Interxion together with a dedicated team within a few months
- Development of a security policy in line with ISO 17999 (27001) binding for all daughter companies throughout Europe.
Sep 1992 - Apr 2001
Senior Manager Information Risk Management
KPMG, Germany, South Africa, Austria
Senior Manager, Regional Information Security Coach, International Headquarters, Amsterdam, The Netherlands (1999 - 2001)
- Secondment from KPMG Austria to KPMG International Headquarters, Amsterdam as Regional Information Security Coach for Europe, Middle East and Africa with responsibility for the implementation of the KPMG security standards within the region (main security contact for 86 countries within the region). Position held was member of the office of the Global Chief Information Officer.
- Member of the core team defining the global information security management system policy and standards for deployment throughout the company
- Project Coach within the region, actively working in over 40 countries around the globe
- Trainer for security awareness programs and business process control related topics
Manager Information Risk Management, Vienna, Austria (1998 - 1999)
- Manager at KPMG Consulting, Vienna in the Information Risk Management Department consulting to clients on information security management topics, either as part of financial audits or as standalone projects, such as the Y2K topic or the Euro introduction in Austria
- Trainer for business process control management systems and involved in the roll out of the KPMG methodology relating to this topic
- Preparation of the company for passing the security section of the Suntone™ certification
Manager Information Risk Management, Cape Town/ Johannesburg, South Africa (1995 – 1998)
- Information risk management projects involved computer assisted audit techniques, process control design during the set up of major companies, process definition during e.g. SAP/R3 implementations, IT audits, definition of security management systems. Major focus was in the area of business process control and facilitation between IT and business requirements.
- First leadership role and second in charge in the Information Risk Management assignment in Cape Town
- Trainer for business process control management systems.
Audit Assistant, Munich, Germany (1992 – 1995)
- Audits of financial statements and special (fraud) investigation assignments