About Steven
- English: Native or bilingual
- German: Conversational
Experience
- Augmetec Limited — Chief Information Security Officer & Data Protection Officer, March 2025 - Today (1 year and 3 months)
  Executive accountability for information security, data protection, and AI governance at an AI-native LegalTech building LEIAA — a high-risk AI system (EU AI Act Annex III) for workplace investigations. Direct report to CEO; partner to CSO on product and audit readiness.
  • Own the information security and data protection agenda at board level: ISMS, risk register, audit programme, vendor risk, and DPO obligations — reporting directly to the CEO.
  • Lead the SOC 2 Type II and ISO 27001 audit programmes (Q2 2026 target), owning the ISMS, risk treatment plan, Statement of Applicability, and two-tier change management framework (CAB for technical, ISMS Council for governance).
  • Established the EU AI Act compliance framework for a high-risk AI system classified under Annex III (employment and justice contexts), including human-in-the-loop controls, transparency obligations, audit-trail design, and bias mitigation across the AI pipeline.
  • Built the third-party risk management process and data processor register from scratch; led security reviews across 14+ vendors including DPA verification, SOC 2 / ISO 27001 evidence review, and sub-processor flow-down.
  • Architected the platform's security posture on GCP: multi-project customer isolation, JWT/JWKS namespace limiting, infrastructure-as-code via CDKTF, and an automated vulnerability lifecycle pipeline (Dependabot → Aikido → Jira) with defined SLA-backed remediation.
  • Drove secure-development discipline in partnership with CTO and CSO: branch protection, PR review gates, staging-first promotion, and audit-ready change evidence satisfying SOC 2 CC8.1 and ISO 27001 Clause 8.1.
  • Embedded EU AI Act transparency obligations into a three-stage requirements-to-production workflow for AI features, ensuring auditability across all AI services.
- NomuPay (FinTech, Scale-up — 8 merging entities) — Chief Information Security Officer, Digital and IT, April 2022 - February 2025 (2 years and 10 months), Munich, Germany
  Group-wide information security governance across eight merging payment-services companies during rapid scale-up. Multi-cloud, multi-jurisdiction, PCI DSS regulated.
  • Stood up a unified ISO 27001-based ISMS across eight merging entities using Vanta for compliance automation, accelerating M&A integration and giving the group a single defensible security governance model.
  • Owned the multi-environment PCI DSS programme across merged entities, guiding payment processing environments through regulatory audits with zero non-conformities.
  • Led group-wide IT risk assessment, developing the KRI framework and continuous monitoring across merged entities; regular reporting to executive leadership and audit committee.
  • Orchestrated the secure development lifecycle across Azure, GCP, and AWS, partnering with engineering leadership on DevSecOps tooling (GitHub, Coralogix, Atlassian Cloud) and platform-wide control implementation.
  • Deployed MDM and DLP via Microsoft 365 across a distributed workforce, complementing a group-wide security awareness programme to address insider and supply-chain risk.
  • Established ITIL-aligned incident, problem, and change management across merged IT operations, delivering the group's first formal operational resilience reporting — framed against emerging DORA and NIS2 obligations for the group's regulated payment entities.
  Following the permanent role, retained on a six-month freelance basis to complete the handover — guided the business through two further PCI DSS audits and transitioned the remit to a newly hired IT Manager and Information Security Officer.
- Dangelmayer & Seemann GmbH / Innovationeers — Senior Security & Solution Architect, September 2020 - March 2022 (1 year and 6 months)
  Stood up the information security function from scratch and productised security architecture into a client-facing capability.
  • Built the ISO 27001 ISMS framework end-to-end, including risk methodology, policy suite, and 'operational security by design' principles for client process engagements.
  • Developed an information security capability map that supported client consultation, proposals, and new business development.
  • Implemented MDM, DLP, and a staff-wide security awareness programme on Microsoft 365.
Education
- Certified Information Systems Security Professional (CISSP), 2023
- Palo Alto Networks Certified Expert (ACE), 2014
Certifications
- CISSP, ISC2, 2011