Updated 31.12.2024

**** ******** ****
Premium customer
60 % partially available

Senior IT Consultant - Information Security / Compliance / Disaster Recovery

Keerbergen, Belgium
Worldwide
Certified ISO27001 Lead Implementer - Certified ISO22301 Lead Implementer - Certified ISO31000 Lead Risk Manager - Certified AWS Architect - CISSP - Certified Data Centre Professional

Profile attachments

CV DVB 20230902 IT CONS.pdf

Skills

Amazon Web Services, Electrical Engineering, Microsoft Azure, Civil Engineering, Business Continuity, Business Requirements, Certified Information Systems Security Professional, Cloud Computing, Information Security, IT Consulting, Data Centers, Distillation, Disaster Recovery, ITIL, Infrastructure, Mechanical Engineering, PRINCE2, Risk Analysis, Solution Architecture, Stakeholder Management, Google Cloud, Team Building, TOGAF, Security Regulations

PROFILE DESCRIPTION
Dick's current focus lies on projects related to Business Continuity, Information Security, IT Risk & Compliance and Datacenter Design and Implementation.
  • Dick is a data center expert with more than 25 years of experience in the IT industry.
  • After his engineering studies, he spent most of his career at IBM and PwC working on infrastructure-related projects in various technical and consulting roles before starting as an independent IT professional.
  • Based on his engineering roots, he was soon attracted by the technical complexity of datacenters combining many trades such as construction, electrical and mechanical engineering, connectivity, security as well as IT, in which he developed vast expertise.
  • Even before the digital age, Dick was fascinated by the link between technology and business, and how an IT environment can significantly influence business success through its flexibility, availability and security (or lack thereof).
  • His years of experience in the design, setup and operating of IT infrastructure, the management of technical projects and his dealings with business stakeholders and project teams make Dick a very versatile IT professional.

KEY STRENGTHS
Apart from his technical expertise, Dick is most appreciated for:
  • Leading technical IT projects
  • Managing stakeholder expectations
  • Connecting with people and building teams
  • Translating business requirements into technical specs
  • Distilling complex situations into concise reports with clear conclusions and actionable recommendations

FORMAL CERTIFICATIONS
  • Certified ISO22301 Lead Implementer
  • Certified ISO27001 Lead Implementer
  • Certified ISO31000 Lead Risk Manager
  • Certified Prince2 Practitioner
  • Certified Information Systems Security Professional (CISSP by (ISC)2)
  • Certified Data Centre Professional (CDCP by EPI)
  • Certified Google Cloud Engineer (by Google)
  • Certified Microsoft Azure Fundamentals (by Microsoft)
  • Certified AWS Cloud Practitioner (by Amazon)
  • Certified AWS Solution Architect Associate (by Amazon)
  • Certified ITIL Foundations V3
  • Certified Enterprise Architect TOGAF 9

CAREER OVERVIEW
  • 07/2020 - today: INTERNATIONAL IT CONSULTING bv (freelance)
  • 04/2017-06/2020: PwC Belgium
  • 01/2017-03/2017: IBM Belgium
  • 01/2012-12/2016: IBM UAE
  • 10/1994-12/2011: IBM Belgium

Languages

  • German: basic knowledge
  • English: business fluent
  • French: business fluent
  • Dutch: native language

Project history

See listed CV for more detailed project experience

Developing and implementing a Business Continuity Management System

Public sector

10-50 employees

An organisation working for the Dutch Notary Association wanted to become a Trust Service Provider to provide eID services. As part of this ambitious plan they needed to obtain ETSI-certification which required a sound business continuity management system.
Main project activities were (initial scope up to 04/2022):
  • Identification and review of existing documentation and driving a documentation update exercise
  • Capturing key business activities with their criticality and developing formal RTO/RPO
  • Interactions with internal and external stakeholders (management team, IT operations, IT architect, security officer, datacenter provider, network provider, HR) to drill down from the processes into the underlying IT infrastructure layers which was split into a colocation, an IaaS and a PaaS environment
  • Development of BCMS documentation such as Business Continuity Plan, Disaster Recovery Plan, Backup Policy, Backup Plan, Crisis Management Plan, Facilities Policy (as per ISO22301)

Project extended, estimated completion 03/2023:
  • With only a few weeks left before the external ISO27001 audit, the Security Officer was terminated and I was asked to step in as ad interim Security Officer with my first objective to successfully pass the audit (which we did)
  • Continuing in my temporary Security Officer role, I worked on further improving the ISMS, setting the priorities for the coming year, starting with a revamp of their Risk Treatment Plan and the development of a proper security information KPI dashboard
  • Once the new Security Officer was hired, I shifted back to my initial scope which was the implementation of the BCMS I developed earlier, and supporting the organization in their ambition of passing the ETSI stage 2 certification

Definition of an IT Operating Model for Oil & Gas

Industry and mechanical engineering

500-1000 employees

A boutique consulting firm needed expert advice in defining an operating model for a petrochemical company in Oman.

This was a brief engagement where I was brought in to provide IT expertise in the oil & gas industry.

Due diligence for a hyperscale DC operator acquisition

Banking and financial services

250-500 employees

A bank wanted to invest in a local datacenter provider in Europe. I was engaged in a datacenter and cloud expert role by the management consulting firm who was advising the bank with the due diligence analysis.
Main project activities:

  • Nordic cloud & datacenter market competitive analysis

  • Vendor due diligence reports analysis

  • Development of red flag report, providing a concise overview on the provider situation with regards to its infrastructure, staffing, competitive position, business strategy, growth and forecast

Datacenter/Cloud strategy

Public sector

50-250 employees

This client needed an answer to their question of where to host and run their 3 environments: in their own datacenters, in a private cloud, in the public cloud (IaaS/PaaS/SaaS) or using a combination of all these.

An interesting aspect was that, due to a recent company merger, their IT consisted of 3 distinct sub-environments, each having its own non-functional requirements. Main project activities:

  • Analysing application portfolio and IT environment and mapping these to the existing datacenter landscape and service delivery models

  • Capturing business requirements and definition of evaluation criteria

  • Identification of possible DC solutions and delivery models and combination into potential scenarios

  • Qualitative evaluation of scenarios

  • Quantitative evaluation of scenarios based on a high level financial analysis

  • Motivation and justification of scenario scoring and evaluation

  • Development of the recommended target datacenter landscape

  • Consolidation into a management report

  • Presentation to management team

Data center study

Public sector

A governmental agency wanted to evaluate the country as a data center location, compare the position of Iceland against Ireland and understand its specific strengths and weaknesses for attracting future data center investments. To meet client expectations, the content of the deliverable was defined jointly with representatives from the power, telco and data center industries.
The report includes:
  • Global trends and data center market drivers
  • Icelandic data center market today and ambitions going forward
  • Analysis of Ireland as a European data center growth region
  • Comparing data center value propositions
  • Financial benchmark Iceland vs. Ireland
  • Conclusions and actionable recommendations for the government to improve the position of Iceland in the market

Interim IT infrastructure manager

Industry and mechanical engineering

500-1000 employees

The recently appointed IT Director needed urgent help to manage his team and ongoing projects while facing significant challenges:
  • The company had been hit very hard by a ransomware attack which had brought down manufacturing for several weeks. After one full year of rebuilding, the IT team was still struggling to rebuild the complete IT and OT environments with manufacturing spread across 4 countries.
  • The attack happened during an acquisition by another company which was put on hold to allow an external audit ordered by the European Commission to look into competition aspects.
  • The auditor was performing an in-depth investigation into all systems looking for sensitive manufacturing, supplier and client data and required ring-fencing this data before any take-over could take place.
  • Under huge pressure from their internal clients who complained about the strictness of the newly applied security rules making it hardly workable for them to do their daily jobs.
  • Urged to reduce costs of the external consulting company that had been running large portions of the IT for more than a year since the attack. Many responsibilities had to be passed back to the already stressed IT team.
  • And then, in the midst of this all, the IT director had to lay off his IT infrastructure manager and his lead architect without any hand-over taking place.
This proved to be more of a people project than a technical project: rebuilding the IT infrastructure team (20 people) was one of my main objectives in order to help the IT director get things back on track. Next to this, I focused on setting the right priorities for the infrastructure to grow into a secure IT and OT environment while keeping the users satisfied.

Development of an IT Service Level Agreement

Public sector

Project focus:

The ministry was relying on another ministry for the provision of its IT services. Motivated by an initiative of the European Commission to improve the reliability of their IT services, clear agreements were required to manage the relationship between the ministries. A service level agreement had to be developed and agreed on between both parties, describing the service catalogue, both parties’ responsibilities, the service level objectives, the service level targets and the SLA governance approach.

Main tasks performed:
  • Identification of stakeholders and services being provided
  • Organisation of client workshops for information gathering
  • Definition of roles and responsibilities
  • Definition of SLA objectives
  • Definition of SLA measurement and monitoring
  • Development of draft SLA document
  • Organisation of client workshops to find consensus on draft SLA content
  • Iteration and development of final SLA document

Public cloud cost analysis

Facing unexpectedly high monthly cloud infrastructure charges, this client wanted to have an independent review done of their main cloud-based application and its underlying Azure infrastructure.

As the client and his supplier were bound by a multi-year contract, an agreement had to be found to improve the relationship which had become troubled since the costs got out of hand.

Main tasks performed:
  • Understand client (user) position with regards to excessive costs
  • Capture the supplier’s position and assess their arguments justifying excessive costs
  • Review tendering and contractual documents with regards to requirements and infrastructure estimates
  • Gap analysis to identify differences between the initially requested solution and the deployed solution (functional and non-functional requirements)
  • Analyse the deployed Azure infrastructure and services and the corresponding monthly invoices
  • Review application architecture in terms of resource efficiency and future-proofness
  • Development of independent report listing observations with regards to recurrent cost of the deployed solution as well as recommendations for cost optimisation
  • Presentation of report highlights to both client and supplier management teams

Performing a DR maturity assessment

Energy, water and environment

Triggered by an IT audit, the board of directors asked to assess the state of the disaster recovery capabilities in the company. Given the criticality of the infrastructure managed by the organization, the recoverability of its ICT environment was of the utmost importance and the client wanted to have an independent review done.

Main tasks performed:
  • Tailor assessment approach and questionnaires to client situation and needs
  • Organise data gathering activities such as workshops, interviews and site visits
  • Assess the maturity of multiple DR aspects such as overall readiness, people, applications, infrastructure and data centers
  • Prepare management report including key findings, recommendations for improvement and feedback towards audit committee

Developing a new end-user device policy

Public sector

This government entity had to manage 71 different types of end-user devices for its staff. While clearly in need of a more consistent end-user device policy with reduced types and models on one hand, they also wanted to take advantage of the new policy to introduce more flexibility. This would allow the users to spend ‘their’ budget as per their own needs and preferences, and would in turn help the organisation to be more attractive as an employer in the battle for talent. A delicate balancing act was required to increase flexibility while reducing the number of devices.

Main tasks performed:
  • Assess current end-user device policy and inventory
  • Define policy guiding principles based on organisation requirements and ambitions
  • Develop multiple draft alternatives for the policy with varying levels of flexibility based on market best practices
  • Compare alternatives based on their user-friendliness and operational manageability
  • Develop a shortlist of three alternative end-user device policies for presentation to the management team, including indicative device list and budgetary impact

Data center outage analysis and DR review

Banking and financial services

This top-3 South-African bank was hit by a major outage in one of its production data centers. The disaster recovery operations didn’t go as smoothly as expected and different stories of what had happened circulated in the bank (by facilities, IT, business).

They hired external consultancy to provide a consolidated view on what happened (root cause analysis), to understand what went wrong during the DR and to define what could be done to avoid this from happening again in the future (recommendations).

Main tasks performed:
  • Understand client’s IT and data center landscape
  • Interview stakeholders (business, IT, Facilities) and capture their view on the incident
  • Data center visit and documentation review
  • Consolidate various internal reports into one consolidated view
  • Participate in review of resiliency and DR documents
  • Provide recommendations for improvement

IT asset inventory and optimisation

Banking and financial services

The bank was going through a transformation shifting more responsibilities from the Infrastructure team to the Application teams. They wanted to improve agility as well as reduce infrastructure cost and planned for the Application teams to own and manage their own infrastructure stack.

The client project sponsor was located abroad but insisted that the team be local in order to match the local culture, to help reduce resistance to the upcoming change and to overcome the ‘stickyness’ (sic) of the local organisation.

Main tasks performed:
  • Understand client’s IT organisation and analyse the platform landscape (Windows, Linux, AIX, Solaris and storage)
  • Develop an approach and build a communication plan to engage with the application teams spread across 25 different application areas
  • Initially organize bulk data gathering sessions and gradually switch to a more personalized approach to ensure reaching 100% server ownership of the 6000 identified servers
  • For the different platforms initiate the capturing of resource usage data
  • Provide monthly management status updates

Cloud transition for an investment company

Banking and financial services

This established investment holding company wanted to move away from its on-premise IT which no longer met their requirements in terms of availability and recoverability. They needed help to define a new cloud-based target architecture and to find the most suitable partner for the implementation.

Main tasks performed:
  • Define acceptable target cloud solutions meeting requirements in terms of availability, recoverability and security
  • Develop tender documents including technical specifications for the target architecture and evaluation criteria
  • Identify list of companies to be invited to the tender and answer bidder questions
  • Initial bidder proposal review and creation of shortlist
  • Attending shortlisted bidder presentations, in-depth solution evaluation and data center site visit
  • Recommendation for partner selection
  • Prepare documentation and argumentation to help the project sponsor convince stakeholders throughout the company about the security of the selected cloud solution

Data center construction supervision

Banking and financial services

This bank in Kuwait lacked in-house data center expertise during the construction of their new main production data center. They needed a trusted advisor to protect their interests throughout the data center detailed design and implementation.

Main tasks performed:
  • Review the contractor proposal for gaps with the bank’s requirements
  • Attend detailed design workshops on layout, electrical, cooling, connectivity and security
  • Review design submittals and provide recommendations for acceptance or rejection
  • Review contractor project planning and monitor progress
  • Advise on adherence to applicable industry standards and best practices
  • Perform construction site visits
  • Facilitate resolution of technical challenges and issues during the construction
  • Review contractor invoicing and advise on the release of payments
  • Protect against scope creep
  • Advise on acceptance during testing and commissioning
  • Provide monthly management status updates

IT security operations audit

Internet and information technology

This client relied on multiple external data center providers for the housing of their business critical IT infrastructure. To gain insight into the level of security at the providers, the client decided to audit the data centers and, more specifically, to evaluate how the providers managed security during their daily operations. The outcome of the study was also intended to be used as a guideline for a possible future ISO 27001 certification.

Main tasks performed:
  • Analysis of the corporate security policies and procedures
  • Audit of the data centers with regards to physical security, looking at infrastructure as well as operations
  • Workshops with stakeholders such as CISO, Security operations manager, IT operations
  • Identification of risks
  • Evaluation of risk levels using the client’s security risk scales
  • Development of report with findings and recommendations
  • Presentation of results and conclusions

HQ physical security audit

Banking and financial services

The world’s leading provider of secure financial messaging services decided to conduct an audit of the physical security processes and controls for selected global locations. The client aimed to provide a safe and secure environment for its production activities by implementing appropriate protection for staff and company assets against internal and external threats to their physical security or integrity.

Main tasks performed:
  • Preparation of security audit controls table
  • Physical security policy and site-specific security requirements document review
  • HQ location site risk assessment (Brussels)
  • Workshops with site security stakeholders
  • Listing of identified issues and risks as part of global report

ISO27001 readiness assessment

Internet and information technology

This IT service provider wanted to improve its information security management and obtain an ISO27001 certificate for the data center services they are providing to public organisations and communes. We helped them take the first steps by assessing their current situation with regards to ISO27001 compliance, performing a maturity scan of the ISO27002 domains and developing the recommendations and next steps towards the implementation of an ISMS, including ISO27001 certification.

Main tasks performed:
  • ISO27001 audit dry-run to establish the baseline in terms of actual compliance with the standard (requirements are either: not met, partially met, met to a large extent, met)
  • Organising workshops covering the 14 ISO27002 domains
  • Maturity assessment of all domains using CMMI maturity levels
  • Developing assessment report
  • Presenting report highlights to the management team

Data center strategy and design

Banking and financial services

The bank needed to rethink its data center landscape now that the company’s main data center no longer meets the requirements of the Central Bank of Kuwait.

Main tasks performed:
  • Organisation of project workshops including:
    • Business and IT strategy
    • IT environment
    • Security policy
    • Building existing infrastructure systems
    • Monitoring and management
  • Data center target location site visit and assessment
  • Development of formal statement of requirements with regards to reliability, capacity, scalability and security
  • Development of new data center concept solution design including architectural, electrical system, cooling, racks, data cabling, security systems and monitoring & management systems
  • Development of technical specifications for tendering
  • DR site evaluation
  • Production of data center strategy report
  • Management presentations
  • Procurement guidance

IT strategy

Public sector

A governmental holding company in Dubai wanted to create a department acting as shared IT service provider for all its subsidiaries. This required the consolidation of several existing IT environments from different group companies spread across multiple data centers.

Main tasks performed:
  • Data gathering workshops
  • Data center site visits and assessment
  • Development of new data center landscape
  • Definition of new data center requirements
  • Data center provider evaluation

Design of a flexible data center

Banking and financial services

The bank wanted to build a new future-proof data center to support its IT department which was growing towards becoming a service provider for different group entities.

Main tasks performed:
  • Validation of the company’s IT strategy
  • Review of new building design documents
  • Alignment of data center scope with general building contractor
  • Data center solution design (architectural, electrical, cooling, racks, datacabling, security, monitoring)

Building a bank’s new main data center and disaster recovery site

Banking and financial services

This bank invested in a new main production data center while at the same time implementing a small remote disaster recovery site for its critical applications. The new infrastructure was implemented in less than a year, vastly improving the reliability of the IT systems supporting their 193 branches serving their clients.

Main tasks performed:
  • Detailed solution design for main data center as well as disaster recovery server room
  • Data centers construction (turnkey solution including civil works, electrical, cooling, security, racks, monitoring and cabling)
  • Testing and commissioning

Certificates

NIS2 Lead Implementer

PECB

2024

ISO27001 Lead Implementer

PECB

2023

ISO31000 Lead Risk Manager

PECB

2023

ISO22301 Lead Implementer

PECB

2021

Prince2 Practitioner

Axelos

2021

AWS Certified Solutions Architect

AWS

2021

EPI Certified Data Centre Professional

EXIN

2018

CISSP

ISC2

2017

