Information Security and Privacy Professional
Professional with extensive experience and a proven ability to lead teams, solve problems, and prioritize tasks. Dedicated to helping others and leveraging my skills to achieve success.
SKILLS
Risk Management, Governance, Privacy (DPA, GDPR), Project Management, Quantitative Risk Assessment, Cyber Security, Cyber Resilience, Cloud Integration, Policy and Process Development/Improvement, Vulnerability Management, 3rd Party Risk Management, Threat Management, Awareness, Security Architecture and Engineering.
EXPERIENCE
Risk, Governance, Privacy, Cybersecurity Advisor Sep 2017 - Dec 2022
START-UP (CONFIDENTIAL)
Assisted in the development and launch of a secure and privacy-centric solution.
Responsibilities: provide technical and non-technical guidance on product features, privacy (DPA/GDPR), and governance. Assess 3rd party solution providers and their compliance. Support pre-sales activities. Drive SDLC implementation (OWASP SAMM).
· Risk management achievements: scope development (ISMS policy, RACI mapping, risk assessment methodology). Risk assessments, with a focus on 3rd parties (risk scenario portfolio/register, data collection, quantitative/qualitative risk and gap analysis, prioritisation, communication of risk estimates and mitigation options to management, etc.), utilising the MITRE ATT&CK matrix. Treatment plan and gap remediation via integration and adjustment of controls. Introduced monitoring capabilities via the implementation of KRIs, KPIs, dashboards, and reporting mechanisms. Performed vulnerability scanning and incident management. Cybersecurity culture enrichment (awareness). Led the ISO 27001 certification.
· Privacy achievements: Defined, developed, and implemented the privacy program (strategy / framework / governance). Performed data inventory and DPIA, including vendor assessment. Realigned policies (acceptable use, access control and data classification, vendors, data retention and destruction). Developed the privacy notice, consent mechanisms, and the data subject access request process. Reviewed information security controls (technical and non-technical), remediated gaps (e.g., data pseudonymisation, encryption), and introduced privacy by design/default. Created a privacy incident response plan. Provided visibility (monitoring) via privacy metrics.
Privacy, Risk and Compliance Specialist (consultant) May 2018 - Jun 2019
OPEL VAUXHALL FINANCE, HIGH WYCOMBE, UK
Helped the organization to achieve GDPR compliance.
Responsibilities: drive the IT stream of the execution phase of the GDPR program risk mitigation activities. Supported the organization's IT Risk and Compliance objectives.
Achievements:
· Successfully remediated all internal and 3rd party gaps identified in the 1st phase of the GDPR IT program.
· Performed and enhanced end user access reviews, and contributed to the cyber security awareness initiative.
Head of Enablement: Governance, Compliance, and Awareness; Security Data Architect (consultant) Feb 2016 - Mar 2017
DIRECT LINE GROUP (DLG), BROMLEY, UK
Member of the CISO leadership team, leading a team of three.
Responsibilities: streamline and strengthen business operations, provision regulatory compliance, and lead organisation-wide information security awareness activities.
Achievements:
· Developed a cyber-resilience-focused, FCA-approved policy framework improvement plan via gap analysis of ISMS controls against the NIST Cybersecurity Framework.
· Authored and revised multiple information security governance artefacts, such as cloud security requirements, the 3rd party assurance questionnaire, and unified responses to compliance assurance queries.
· Integrated 3rd party assurance processes.
· Collaborated with the data science team to safeguard sensitive customer information through benchmarking (CIS), hardening (OS, VM, applications, Docker), integration of security controls (Terraform/Vault) for on-premises and cloud (AWS/Azure) environments, revision of operational processes, and implementation of IT privacy controls (GDPR).
Information Security Analyst (consultant) Dec 2014 - Feb 2016
ING COMMERCIAL BANKING UK, LONDON, UK
Helped assure the smooth operation of the information security operations department by delivering the required technical and non-technical controls.
Responsibilities: Managed information security operations processes. Led the Proof of Concept (PoC) and Proof of Value (PoV) process for new technologies. Re-wrote the information security code of conduct (CoC).
Achievements:
· Assured delivery and performance of the technical controls, with a strong focus on DLP.
· Delivered effective governance by supervising compliance against standards, policies, and procedures.
· Coordinated process improvement and detailed business impact analysis initiatives.
· Shifted the focus of the information security CoC to data assets protection.
Information Security Officer Jul 2013 - Jul 2014
METRO BANK, LONDON, UK
Led information security risk management, focusing on regulatory obligations.
Responsibilities: Improve resilience, lead information security operations, assure appropriate governance, and provide cybersecurity awareness training to stakeholders across the bank.
Achievements:
· Established a C-level information security forum and developed KRI metrics.
· Performed gap analysis of the organisation's security posture against the CIS Controls best practices for effective cyber defence. Developed and implemented a risk mitigation plan to address the identified gaps. Tracked progress via KPIs.
· Developed and executed a migration plan for the information security related policies (ISMS) toward pre-accreditation to ISO 27001:2013.
· Led the selection of security services (SOC). Key contributor to the selection of the bank's new data centre and the 3rd party archiving services.
· Led security operations and PCI DSS compliance certification. Performed and coordinated information security policy reviews and penetration testing.
· Designed and delivered DDoS protection for the bank's customer-facing infrastructure.
· Performed root cause analysis of information security incidents.
· Integrated information security milestones into the IT project methodology, reducing the cost of repeated security testing and improving delivery time.
· Enhanced information security awareness among bank personnel through targeted training for C-level executives and employees.
EDUCATION
MSc in Information Security - Computer Science Sep 2019 - Sep 2023 (Expected)
Royal Holloway University of London
CERTIFICATIONS
Certified Information Security Manager (CISM)
ISACA
Certified Information Systems Security Professional (CISSP)
ISC2
Certified in Risk and Information Systems Control (CRISC)
ISACA