Security practitioner and risk thinker with 8+ years in cybersecurity and IT risk management. Writing about security, compliance, and the risks hidden in today’s interconnected business ecosystems.
I work at the intersection of cybersecurity, third-party risk, and supply chain resilience, helping organizations understand, assess, and manage the risks that come with relying on vendors, partners, and complex ecosystems. Whether it’s a gap analysis against NIS2, a compliance assessment under DORA, or building a practical Identity and Access Management (IAM) framework, my focus is always the same: making security work in the real world, not just on paper.
This site is where I think out loud. You’ll find writing on risk management, third-party security, compliance, and the tools and ideas that help turn complex requirements into practical programs.
When I’m not focused on security and risk, I’m probably tending the garden, training for my next Ironman, or spending quality time with my family.
Most TPRM programs are built to pass audits, not to manage actual risk. Here's what changes when you treat it as an intelligence function instead.
Open-source dependencies, build pipelines, and the uncomfortable truth about software you didn't write but fully own.
Led a NIS2 gap analysis, mapping regulatory requirements alongside ISO 27001, ISAE3402, and SOC2 to the organization's internal control environment — a critical step in understanding supply chain exposure.
Assessed DORA compliance for a cryptocurrency and digital finance company, focusing on operational resilience in a space where third-party dependencies are evolving faster than regulations.
Performed a combined NIS2 and NIST gap analysis, advising on practical strategies to close compliance gaps across vendor-dependent infrastructure.
Oversaw the IT components of external financial statement audits, digging into access management, incident response, and change management processes — all areas where third-party risk often hides in plain sight.
Conducted IT and SWIFT audits, revising internal policies that directly impact how third-party transactions and communications are secured.
Developed and formalized IAM policies, strengthening the security posture across a supply chain that depends heavily on external partners and systems.
Guided the implementation and certification of ISO 27001:2022, building a security management system designed to scale with third-party growth.
Working on something in the risk space?
Let's talk.