Christophe - Security Manager, Cybersecurity, GRC, Audit, 27001, DORA, NIST

Ref : 121113B001
Currently available. Email verified.
Skills
Professional experience
More recent CV being updated
  • February 2009 – present: Strategy & Governance, Cyber Security Expert
    Paris, Luxembourg, Brussels


    Senior information systems security consultant


    Security consultant, Insurance & Banking (2014 – present)

    • Currently: CISO for a bank, and previously for a world-leading insurer.
      • Project support: supporting business projects, ensuring the security policy is taken into account in projects (security by design), tracking recommendations throughout the project life cycle.
      • Team support: assistance and advice to teams (internal and partners), staff awareness.
      • Security governance: assessing the security level, implementing and tracking action plans, reviewing governance bodies.
      • Risk analysis: improving the risk management approach, conducting risk analyses.
      • Operational continuity: review of the BCP, preparation of a crisis management exercise for the executive committee (COMEX).
      • Watch: monitoring cybersecurity news and new vulnerabilities.
    • AXA + Natixis Assets Management: leading a penetration testing programme (150 tests commissioned over 2.5 years), tracking remediation plans and strengthening security (80% reduction in the vulnerabilities of an information system of about a hundred applications over 2 years, 20% reduction of the attack surface).
    • Security awareness, expertise in building security into projects (development, redesign, RFP, etc.).
    • Securing the organisation's networks (wired, Wi-Fi) and workstations, hardening servers and, more broadly, the infrastructure.
    • Data Leakage Prevention, various support actions to counter intentional exfiltration of information.
    • Establishing and maintaining the map of personal data processing activities, data classification.
    • Monitoring proper application of the data protection principle in projects or services involving personal data processing, integrating these principles into risk analyses.
    • Numerous projects aligning the Group's security policies (PSSI), RACI and KPIs.

    Security consultant, Banking, Insurance, Finance & public sector (2009-2014)

    • Rollout of a COSO ERM, COBIT, 27001, associated security directives and control measures.
    • Production of several information security policies (PSSI), ISO 27001/2 assessments.
    • Definition and follow-up of the internal and external audit action plans of a bank in Luxembourg (150 measures).
    • Preparation of the file for accreditation of IS subsystems by the national regulator (CSSF) for e-banking activities.
    • Forensic engagement: establishing the evidence and the controls to put in place for a bank in Luxembourg following a fraud.
    • Control measures against cybercrime and internal fraud.
    • Implementation of a continuity plan for a Swiss private bank and in the USA.
    • Set-up of service provision through Managed Services on behalf of the European Commission.
    • Support to various CISOs (KBL, European Commission).



    Partner at Strategy and Governance, since 2009.
    Strategy and Governance (S&G) is a European company with headquarters located in Luxembourg providing services in the governance area, that I created in March 2009.
    Value is the heart of the vision that we share at S&G, especially by reviewing and aligning processes inside the organisation, and by implementing strong reporting for continual improvement, leading to elaborate a real value chain for the organisation.
    We deliver services in the following areas: project management, BPM, audit, risk management, continual improvement and BSC, strategic alignment between business and IT, outsourcing, staff support, value creation and retention, services portfolio and more … Customers are mainly large-scale organisations, sustainable companies and local financial entities.
    As Project Director and consultant, I am focused on project delivery on time and on budget; projects are highly complex, implying soft skills such as diplomacy, stress resilience, involving various stakeholders, requiring an open-minded and positive attitude, ethics, and honesty.

    Fujitsu, Stratiqo Consortium Luxembourg, Brussels (since 2011).
    Senior Consultant, expert for strategic alignment, new technology definition and adoption.
    Fujitsu Limited is a Japanese multinational information technology equipment and services company offering a diversity of products and services, Fujitsu has approximately 172,000 employees and its products and services are available in over 70 countries (world's third-largest IT services provider).

    Various projects with Fujitsu as consultant for Consilium and European Commission (DG Communication), both in Brussels and with a fixed-price approach.
    • Commercial offers and team building;
    • Kick-off, roles and responsibilities, tasks dispatching;
    • Project follow-up (meetings, meetings, deliverables, acceptances).

    Projects are related to strategic alignment between business and IT for General Secretariat of Consilium (350 on-site users) and business users requirements and organisation for the next web content management of the European commission (30,000 internal users), methodologies used are Prince2, ITIL, COBIT, VAST & COBIT Risk for risks management, SWOT analysis, critical success factors and balanced scorecard (BSC).
    I am also an auditor for Swiss private bankers in Luxembourg for BCP/DRP and continuous improvement.

    ATOS Consortium, Service Portfolio Management (2010-2011).
    Senior Consultant, expert for service catalogue and ITIL.

    ATOS is an international information technology services company with annual 2010 pro forma revenues of EUR 8.6 billion and 74,000 employees in 42 countries.

    The objective of the Corporate Infrastructure Solutions for Information Systems Service Catalogue is to provide stakeholders with structured information about the services offered by EU from a business point of view. During this project the following tasks were performed:
    • Project management and PID writing for Service Portfolio (goals, objectives, stakeholders, risk, …);
    • Regular meetings with key users to capture the actual service definition;
    • Definition of service portfolio template and dissemination mode towards 40 different units;
    • Portfolio metrics and interaction with service desk.
    Framework used was ITIL V3, Prince2, no specific tooling.

    2009-2010, Eurocontrol outsourcing project, Consortium Bull Tata Consulting Services, Brussels – Belgium.
    Senior Consultant, expert for change and transition management.
    Eurocontrol, the European organisation for the safety of air navigation, is an intergovernmental organisation made up of 39 Member States and the European Community. The goal for this RFP is to outsource all kinds of activities actually done by 18 different providers to a unique provider; activities include service desk, studies, coding, testing and maintenance. The business model is ruled on a fixed-price basis with service orders based on a service catalogue. Activities in this project were:
    • Initialisation and dispatch of activities in the bid team, based on 300 requirements;
    • Building the overall strategy to reach the goal, especially in terms of due-diligence, transition, tooling, knowledge and change management;
    • Drafting of due diligence description (goals, stakeholders, metrics, timeframe, approach);
    • Team leader for due diligence (team of 10 people), dispatch of final due diligence report to Eurocontrol;
    • Review of the transition phase and alignment with final due diligence;
    • Review of the original bid for the Best and Final Offer (BAFO).

    This bid submitted by the consortium was accepted by Eurocontrol in February 2011 for an amount of 43 million euros, for 5 years (with a possible 2-year extension).

    B-Trust Consortium (Bull, Unisys, Tata Consulting Services) Managed Services Provision (MSP) Project (2009-2010).
    Senior Consultant, expert for managed services provision.

    MSP comprises a set of related service elements aiming at providing hosting services to specific customers, relying on a common infrastructure, operated in a managed way.

    MSP is a 5-year contract estimated at 90 million euros for 50 people (Service Desk, DBA, Cold Fusion, Weblogic, BMC Patrol, Business Objects, GIS, LAMP, etc.).

    The number of users is estimated at 35,000, located worldwide and mostly concentrated in Europe; the number of servers in the main data centre is 1,500 and the number of buildings is 60.

    The ticketing system is Peregrine (customised by IBM for EU) for the management of 55,000 incidents yearly, for problem management and reporting (weekly, monthly and yearly).

    PMO, the prime contact for the customer (European Commission – DIGIT), has to set up the core services (PMO and service desk) then to initialise each new managed service (each MS can be viewed as a “work package”). The main goal is to move from a time and means mode to a fixed price under SLA; each new managed service shall be operated within a pre-defined delay with the customer during a preparation phase.

    The service is managed under service level objectives (SLO) then moves to service level agreement (SLA) mode; the preparation phase is a transition phase where metrics (KPIs) are measured and improvements are made, but no financial penalties can be applied by the customer to the consortium.

    In this MSP project, the following tasks were performed:
    • Kick-off with officials, set-up of regular internal and external meetings (steering and operational committees), reporting to the EU management;
    • Drafting of escalation procedure, with clear responsibilities for each side (RACI) for contractual aspects;
    • Establishment of project plan, project initialisation documents (PID) for each new managed service (and impact on service desk such as training or shadowing);
    • PID inception including requirements, objectives, stakeholders, artefact, deliverables, costs/budget, risks, timetables, …;
    • Allocation of resources to perform due-diligence and preparation;
    • Due-diligence and building of transition phase;
    • Incidents, problem, change processes definition;
    • Integration of MSP within current business continuity plan (BCP);
    • Set-up of quality framework (based on COBIT and ITIL);
    • Risk Management (COBIT Risk, Mehari);
    • Set-up and customisation of ECM mainly for knowledge management and internal workflows for day-to-day operations, the ECM was Support Central customised for this project;
    • Continual improvement based on balanced scorecard (BSC) approach.
    The core setup was delivered end 2009 after 9 months of (overall) preparation and went into production in February 2010; since then new services are managed under this mode (one new service every 3 months). Services are operated under SLA; cost reduction for the customer is, on average, 15%.

    Logica (Luxembourg) Cetrel 07/2008-12/2008
    Senior Consultant, Expert for Service Continuity Management.
    As the leading payment card processor in Luxembourg, CETREL is owned by Swiss SIX Group; with 3,600 employees and a presence in 23 countries, the company has a turnover of over 1.5 billion Swiss francs.
    • Alignment of Business Continuity Management with Business requirements and company strategy;
    • Critical Success Factors, Risk Analysis & Business Impact Analysis;
    • Advice & Guidance to support Business Continuity Plan;
    • Employees training, job profile updates (roles & responsibilities);
    • Alignment with COBIT, ITIL and good practices guidelines from Business Continuity Institute;
    • KPI & KGI for performance improvement;
    • Full BCP testing with Business Units, and;
    • Alignment of business with contracts, SLAs & OLAs.

    Logica (Luxembourg) 08/2004-05/2008
    Expert, Consultant
    Logica is a business and technology service company, employing 41,000 people in 36 countries with revenue at £3.7 billion.
    For the European Commission in a rich multicultural environment, consultant for various aspects covering different areas, such as:
    • ITIL implementation and continual improvements mainly for service support and service level management; this deployment includes all ITIL processes, service catalogue, producing better reporting, and performance improvements;
    • External audits follow-up using COBIT;
    • Risk Management (COBIT Risk, eBios, Mehari);
    • Policies dissemination to employees and third parties;
    • Processes design for various aspects including security (related to ISO 2700x);
    • Building the Business Continuity Plan based on the BIA & critical factors for a subset of 1,000 information systems, testing of the plan and maintenance;
    • Overall building of Service Management, Service Catalogue, SLAs;
    • General advisor and development of awareness amongst various stakeholders.
    These various activities produced positive effects within the organisation, better control on IT and finance, maturity increasing & alignment with the business.

    European Parliament (Luxembourg) 08/2003-08/2004
    Project Director
    Audit, pacification, risks assessment, organization of the migration of the production site to a hybrid and up-to-date, state of the art computer centre for the production of the official publication of the EP. Security audits & Business Continuity Management.

    Infeurope - Office for Harmonization in the Internal Market (Alicante, Spain) 06/2002-08/2003
    Project Director/Team Leader
    • Team Leader for the whole project both in Alicante and in Luxembourg on a fixed-price basis. The project contained 20 modules, for each module up to 4 iterations.
    • Team building, human resources allocations, management and coordination of 30 people in Alicante and 20 in Luxembourg (offshore development), budget of 4M€.
    • Performance evaluation of employees, trainings, career roadmap, self-evaluation framework.
    • Project management, reporting to the steering committee, agenda, global follow-up ...
    • The project followed ISO 9000 and, for some parts, ITIL.

    ******** (Geneva, Switzerland) 09/2000-06/2002
    Chief Technology Officer
    • Chief Technology Officer at ********, Swiss start-up company based in Geneva, first capital raised 2M€.
    • Responsibility to the general management for the entire IT strategy, its installation and maintenance, supervision of the technical team, production teams, graphic designers, freelancers and translators.
    • Definition of the IT team, staffing, IT architecture, equipment, servers, network, telephony and management of sub-contractors. Definition of the Business Continuity Plan & DRP.
    • Overseeing the outsourcing of the site, SLAs definitions and monitoring completion of contracts.
    • Definition and follow-up of the IT budget and IT staff.
    • Definition and implementation of strategies for referencing, positioning, affiliation and syndication of content and services.

    Logica (OPOCE, Luxembourg) 10/1994-09/2000
    Senior Consultant, Head of Operations
    • Project manager at the “Publication Office”, European Commission in Luxembourg.
    • Project management, supervision of contractors and sub-contractors.
    • Responsible for open systems, management of the UNIX environment, including 150 workstations and 20 servers, mainly SUN/SOLARIS.
    • Definition of system and software architectures, overseeing the budget distributed among purchases, maintenance and external staff.
    • Project leader for applications related to infrastructure, software distribution and centralisation of management.
    • Overseeing the integration of application software and maintaining relations with outside contractors.

Education and training
  • Education:

    2009 Executive Master in ICT Governance, Solvay Business School, Brussels, Belgium.

    2007 Master of Business Administration (MBA), Nancy France-Luxembourg, with honours (mention Bien), Cum Laude.

    1990-1994 CNAM DEST – Génie Informatique (Computer Engineering), Bordeaux (France).

    1981-1983 DEUG Economic Science Bordeaux (France) University.

    1981 Baccalauréat B “Economic Science”, Angoulême (France).
    Honours and Awards

    2008 National expert at ILNAS "Institut luxembourgeois de la normalisation, de l’accréditation, de la sécurité et qualité des produits et services", member of ISO (International Organisation for Standardisation).

    2008 Security expert for ISO/IEC JTC1 SC27 - IT Security Techniques

    2008 Certified Information Systems Auditor (CISA).

    2007 Certified Lead Auditor ISO 27001.

    2007 ITIL V3 certification.

    2005 ITIL Foundations certification.

    Key Qualifications
    General Management, Global Strategy, Corporate & IT Governance, Management of large scale & complex projects, Team building & leading, strong IT background, Business Continuity Management, Service Level Management, Audits, Risk Management, stakeholder management, very good knowledge of large & multicultural organisations.
    Former Vice-President of the Board of Directors of itSMF (IT Service Management Forum) Luxembourg, member of ISACA, expert reviewer for ISACA & ISO.
