David - Consultant ISO 2700x

Ref : 190715L003
  • 78220 VIROFLAY

  • Consultant (51 years old)

  • Fully mobile
  • Corporate officer of his own freelance company (SARL, SAS, EURL, etc.)
Professional experience
  • Professional experience (independent consultant)

    Available for a new challenge from February 2021

    (July 2021 – September 2021) - Marseille, France
    An IT and engineering consulting firm, specializing in digital professions, wishes to embark on an ISO 27001 certification project.
    Main achievements:
    - Interviews with management (CEO, CFO, CTO, CIO, CISO, HR) to understand the stakes and needs of this project
    - Identify the assets and processes to protect
    - Carry out an initial assessment of exposure to major risks (risk analysis based on ISO 27005)
    - Provide a gap analysis against the 114 controls required for ISO 27001, making it possible to size the project and the workload for the client
    - Determine the scope for certification
    - Identify the internal and external resources to be allocated to the project

    Available for a new challenge, beginning of September 2021
    (March 2021 – September 2021 (6 months)) - Paris, France
    AXA Groupe Operations (GO) established in 2020 a risk indicator strategy (KRI) to measure the performance and effectiveness of its security controls (KPI).
    As AXA GO proceeds to the full deployment of the KPI / KRI strategy, it is essential to ensure the relevance and systematic repeatability of the measurement of indicators.
    Main achievements:
    - Analyse the adequacy and aggregation of defined KRIs to provide meaningful information on the extent of achievement of security objectives
    - Rationalize the number of measures to be monitored and maintained (only the KPIs that trigger management decisions are maintained)
    - Ensure that the Plan-Do-Check-Act (PDCA) cycle is taken into account
    - Deploy the KPI measurement process and associated reporting. KPI measurements must be validated during a committee meeting and communicated to all relevant stakeholders

    (October 2019 – January 2021 (16 months)) - Paris, France
    VERISURE is the No. 1 provider of remotely monitored alarms in Europe.
    Main achievements:
    - Interim management: CISO (Chief Information Security Officer). Management of a team of 3 security experts
    - Implementation of security projects to cover certain controls of the ISO / IEC 27001:2013 standard (access management, application security, Windows hardening, server management (EOL, patching), Identity & Access Management)
    - Increased workstation security as part of the move to remote working for staff during the Covid-19 crisis (USB blocking, hard disk encryption, user awareness)

    (January 2019 – October 2019 (10 months)) - Paris, France
    ADP is the world leader in Cloud-based solutions offering services for human resources management, time and activity management, payroll, and compliance.
    Main achievements:
    - Update of the ADP Information Security Management System (ISMS) to ensure that the ADP Global Enterprise Technology & Solutions organization maintains the confidentiality, integrity and availability of client information.
    - Analysis and update of the mapping between the ADP security policy and the ISO / IEC 27001:2013 security controls
    - Organization and steering of the external auditors' visit (5 days). Leading the interviews with the operational teams as part of the process of maintaining the ISO / IEC 27001:2013 certification (EMEA scope)

    Information Security Research Director
    (September 2016 - September 2018 (2 years 1 month))
    Paris, France
    CyberVadis operates the 1st collaborative platform, allowing companies to assess the Cybersecurity performance of their global suppliers.
    CyberVadis combines technology and expertise to deliver simple and reliable "Cybersecurity scorecards", covering 20 Cybersecurity indicators, 150 purchasing categories and 120 countries.
    My main achievements:
    - Creation of the reference model based on International standards and frameworks (NIST, ISO-27001, Shared Assessments, PCI-DSS, GDPR)
    - Conception of an evidence-based questionnaire tailored to a company's size and business sector
    - Implementation of GDPR-related questions to assess a company’s GDPR readiness
    - Conception of a rating model providing an objective assessment of a company's Information Security Management System (ISMS)
    - Development of an Excel-based tool to perform the assessments and automate the rating
    - Implementation of the processes to on-board and assess a company's Cybersecurity (ISMS) performance
    - Recruiting, building and training a team of (17) security experts in charge of assessing companies' Cybersecurity (ISMS) performance
    - Mapping of our questionnaire against ISO-27001, NIST, SIG (Shared Assessment)
    - Pre-sales engineering: presentation of the assessment model to prospects & clients

    - Evangelism / Speaker at events:
    * Third Party and Supply Chain Cyber Security Summit (June 2017)

    * General Data Protection Regulation (GDPR) by Partech Ventures (Sept. 2017)

    * GDPR at Les Universités des Achats du CNA (May 2018)

    Société Générale Corporate and Investment Banking
    Operational Risk Manager (May 2009 - August 2016 (7 years 4 months))
    Paris, France
    Perimeter: IT
    • In charge of a team of 7 and responsible for all the topics related to IT operational risk management (ORM) and IT security management worldwide (~1000 staff)
    • Monthly presentation of a Risk Management dashboard to the IT Board of Directors
    Topics include:
    - Following-up on audit recommendations and helping the IT teams implement the necessary actions (+300 audit recommendations processed)
    - Following-up on operational losses (declaration in the tools & leading post-mortem meetings)
    - Implementing and following-up on permanent supervision controls (+200 controls implemented)
    - Organizing and preparing the IT team to cope with disaster recovery events and the management of business continuity
    - Following-up on the outsourcing of essential services (leading +80 risk assessments with the experts involved)
    - Providing guidance and support to the IT teams in the implementation of security topics (IAM, application security, account management, workstation security, data management)
    I tackle Risk management and Information Security subjects in a cost-effective and communication-oriented way.
    Stakes can be very high on day-to-day processes people may be used to.
    It is therefore important to be able to convince that an active investment can reduce the risk of a potential loss (production incidents, data leakage, rogue trading, etc.).
    My assets:
    Ability to take a global view; Observe and analyse; Evidence-based communication (using indicators); Pragmatic view and common sense.

    Société Générale Corporate and Investment Banking
    TEAM MANAGEMENT (June 2007 - August 2016 (9 years 3 months))
    As a manager, I always try to do my best to solve the following equation:
    Performance = Skills x Motivations x Wishes (aspirations)
    My style of management is a mix of participative and delegative style.
    If required, I will deal with a situation in a direct and decision-making mode.
    I have set up the following initiatives or processes in order to:
    - Welcome new joiners, help them on-board and follow their development
    - Implement self-evaluation of their skills in order to build a skill matrix and identify where progress is needed
    - Anticipate difficult situations (conflicts) by performing regular individual and collective meetings to enhance communication

    Société Générale Corporate and Investment Banking
    PROJECT MANAGER (June 2007 - May 2009 (2 years))
    Each project is a challenge to lead a team to success: the sponsors' satisfaction thanks to deliverables meeting the expectations, in a timely manner and while keeping to the budget.

    My assets:
    Acute sense to organise and anticipate; Good management of priorities; Ability to unite and take decisions; Targeted and convincing communication; Service and result oriented; Source of proposals.
    My main achievements:

    • 2001-2003 -- Management of a strategic project within the French Lottery (LFDJ - La Française des Jeux): design and deployment of a digital screen terminal (making 98% of the turnover).
    I led the design and development of a new user interface (GUI) offering many new functionalities on a touch-sensitive based screen.
    I coordinated the large-scale deployment of the terminal on 19.000+ POS

    • 2007-2009 -- Management of a project portfolio designed to enhance a major Loan Management software (Loan-IQ)
    - Follow-up of the quality of IT projects within the scope of my Risk Management responsibilities

    La Française des Jeux (French Lottery)
    Internal Auditor (December 2003 - May 2007 (3 years 6 months))
    • Internal Auditing (processes, projects, systems and applications)
    • Internal Control (implementing self-assessment processes)

    KPMG Peat Marwick (CSC)
    Senior Consultant (October 1997 - April 2001 (3 years 7 months))
    • Management and IS consulting assignments:
    - Business process re-engineering
    - SAP implementation (FI - CO - AA - IM)
    - IS change management
    - Management of junior consultants

Education and training
  • Education
    ESCP Europe
    Master’s Degree, Marketing & IT (1994 - 1997)

    Top Skills
    ISO 27001 / ISO 27005
    Vendor Risk Management
    Information Security
    Project Management
    GDPR

    Languages
    English (Full Professional)
    German (Professional Working)
