About
Hello, I'm Frank. Currently I'm working as the Head of Security Engineering for a German cyber-security consulting company. Show me your business processes and IT systems and I can show you how data can be stolen from your company, and how you can improve and protect the value stream and the information flow in your company.
With over 20 years of experience in the areas of SecOps, System Engineering, SRE, DevOps and classical system administration for Linux- and Unix-based server networks I understand what your server guys are doing.
For almost as many years I have used some of my free time to create software for my daily life. Code in Python, Scala, C/C++, Perl, Bash and other programming languages is familiar to me.
But for me, protecting information is not only IT security. I take a holistic view of information security. From server configurations through source code, vulnerability management, supply chain management and the way physical assets are managed, up to business processes and awareness training, I keep an eye on everything that is relevant for data privacy and information security in an organization.
With controlled risk management using proven methods and my knowledge of offensive security, I identify risks, assess their criticality and implement suitable measures to mitigate them. In this way, the company's information security is improved in a targeted manner and resources are deployed effectively where they have the greatest impact in protecting the assets of the company. A continuous improvement process ensures that new risks are also identified and dealt with promptly.
The rest of my free time I spend writing (blog) articles on my various blogs, building an ISMS toolkit to make my job a little bit easier, reading books, playing around with my Neocities website, enjoying analogue and digital photography and creating some digital art on my iPad.
Skills
These are only some of the skills I contribute to my professional activities.
General
- Information Security and Data Privacy Management; incl. planning and implementing ISMS or improving existing ones
- Risk Assessment and Risk Management
- DevOps / SecOps / DevSecOps
- Linux / Unix System Administration
- Security Auditing to prepare for certifications like ISO 27001
- Pentesting for web applications and networks
- Intrusion Detection
- Network Design
- AWS, Azure
- Containerization with Docker and Kubernetes
Security Frameworks that I'm familiar with
- BSI IT-Grundschutz
- ISO 27001 (and related ISO standards)
- CIS Controls
- ... and more
Some of my Softskills
- Explaining complex technical topics to non-technical people
- Remaining calm and relaxed while managing disaster recovery procedures
- Being paranoid enough to consider any risk, yet practical enough to mitigate it
- Teaching people how to better protect their data
- Showing business leaders why they should invest in information security by exposing vulnerabilities not only in IT systems
- Having supporter genes
Operating Systems that I know very well
- Linux - various distributions from Debian and Ubuntu through SuSE, Fedora and CentOS up to Linux From Scratch (LFS)
- macOS - my preferred desktop system
- RouterOS - I use it on my MikroTik devices
- KTSOS - a very basic core system, that I wrote in the past for some private projects like my C&C server from the "darker periods" of my life
- Solaris
- OpenIndiana
- FreeBSD
Operating Systems that I know the basics of
Programming and Scripting Languages that I like
- Python (my preferred language)
- JS
- Perl
- PHP
- C/C++
- Scala
- Bash
- Go
- and more
Servers and similar software that I've used and managed in my various engineering jobs
- Webservers
- Databases
  - MySQL / MariaDB / Percona
  - MongoDB
  - Apache Druid
- Mailserver technologies
  - Postfix
  - Dovecot
  - Courier
  - SpamAssassin
- CI / CD
- Others
  - Stream processing with Apache Kafka
  - Tomcat
  - ZooKeeper
  - GlusterFS
  - Varnish
  - Log monitoring with the ELK stack (Elasticsearch, Logstash, Kibana)
  - Redis
  - Beanstalkd
  - Various monitoring tools like New Relic, Nagios / Icinga, Prometheus or Palo Alto Networks' Prisma Cloud
  - iptables
  - Intrusion detection with OSSEC, Snort, Prisma, Wazuh and others
  - and more...
And of course I can work with common Linux/Unix CLI tools, IaC (Terraform, SaltStack, Ansible or Rex), version control with Git or Mercurial SCM and everything else required for modern configuration, logging and application management.
Experience
I have worked in very different companies and environments in the past. Here are some of the stations of recent years, beginning with the latest. The list would be too long if I tried to list all the companies I have worked for since I started working in IT.
Dr. Michael Gorski Consulting
I joined Michael's company as a Senior Security Consultant, but already 3 months later he promoted me to Head of Security Engineering. Looks like I'm good at what I'm doing. ;) And since it turned out that I have some talent for explaining our different consulting services well to customers and showing them why investments in cybersecurity are essential for every company, I also took over some areas in business development.
AppConceptionOne
I joined AppConceptionOne as the CISO. After I implemented a basic ISMS in the company, I also took a look at the management processes. Since I learned a lot about modern management from my former employer, Personio, and I'm interested in management methods and leading a business in general, I began to look at ACO from this perspective. We were a very small start-up with an outsourced software development team, and management processes were nearly non-existent. So I re-worked our management procedures and began to implement a lean management approach in our company. This led to my promotion to COO of the company, and I managed the complete day-to-day business.
Personio
I joined Personio in a very early startup phase. In the beginning I supported them as a freelancer in DevOps engineering and system administration. When the GDPR became mandatory, Personio offered me a permanent position as their Security Manager. In this role, I made the company GDPR-compliant, set up incident management, started implementing risk management and helped to build a security team that fit their fast-growing environment. When I left Personio a few years later to take up my first C-level position, the company had grown from a dozen employees in the beginning to over 1200 employees.
Bild Digital GmbH / bild.de
I worked for Bild Digital / bild.de as a Senior System Administrator. In this role I hardened the systems for "Bild deckt auf", an encrypted system for whistleblowers to contact the editorial team via a highly secured channel. Furthermore, I re-structured multiple "satellite systems" running on AWS and integrated them into the IaC environment.
Mokono / blog.de
For Mokono I worked twice. The first time, I helped to move their complete office network to a new office and got some first insights into their server network. A few months later, I left the company due to professional disagreements between their CTO at the time and myself about how to handle bugs in high-traffic web environments to prevent growing instability and performance issues. But a few years later, their Lead Developer brought me back to help them fix the problems in their server network that I had previously warned about. Together, we restored the stability of the platform and optimized the performance and security of the servers and the web applications running on them, so it could easily handle 3 million unique visitors per month on 2 webservers, 2 databases (master-slave replication) and a caching server.
I also took on the role of internal data protection officer in this company for the first time in my career and started to dive deep into the legal and organizational aspects of data protection and information security. As a result, I began to look at information security from more than just an IT perspective and, over the following years, developed ways of balancing business needs with protection requirements.
These are just a few stations of my career. I selected these stations because each one had a big impact on my personal development and gave me new knowledge and new experiences that have shaped me and helped me to become the all-rounder I am now.
I am a human being - A statement for more togetherness in our society
Contact
Email: frank at ff-sec.eu
Phone: +49 15678447860
Design based on Dracula UI from Dracula Theme.