Given my background in Information Security Risk Management, I place great emphasis on the fact that ultimately it's all about running a business.
I approach things with an understanding that it isn't about eliminating all risks, but that every risk also comes with a potential opportunity that needs to be weighed.
Compliance without governance becomes a paper exercise detached from the business, and thus ends up painting "red" lights "green", without any real value for the business and its employees. Therefore, my ambition is always to create value across the business, and to pull the Information Security discipline, regardless of whether it involves Cyber, Intellectual Property, Physical Security, or GDPR, out of IT and elevate it to a cross-organizational discipline.
I use various frameworks such as the ISO 27000 series, the NIST Cybersecurity Framework, and CIS Controls v8 to identify both challenges and areas where the client excels. Additionally, I bring practical experience from several different GRC platforms, and should the client need to select a platform, I advise impartially to find the best fit for their specific needs, taking into account factors such as corporate language, the ability to maintain the solution in-house, and organizational maturity.
As a trusted advisor within Cyber and Information Security, I work based on what I have chosen to call "ambitious pragmatism", which is to be understood as having an ambitious approach while taking the client's reality into account, so that unrealistic changes are not initiated, but the goals can still have the feel of "shooting for the stars."