About
Hello, I’m Frank. I work as the Information Security Officer at a large car service company with around 9,000 employees and over 500 locations in Germany.
With over 20 years of experience in Dev(Sec)Ops, system engineering, SRE, and system administration for Linux and Unix-based server networks, I have a deep understanding of IT departments.
Almost the same amount of years I used some of my free time to create software for my daily life. Code in Python, Scala, C/C++, Perl, Bash and other programming languages is familiar to me.
But protecting information is not only IT security for me. I take a holistic view of information security. From server configurations over source code, vulnerability management, supply chain management and how physical assets are managed up to business processes, and awareness training, I keep an eye on everything that is relevant for data privacy and information security in an organization.
With a controlled risk management using proven methods and my knowledge in offensive security, I identify risks, assess their criticality and implement suitable measures to mitigate them. In this way, the company's information security is improved in a targeted manner and resources are deployed effectively where they have the greatest impact in protecting the assets of the company. A continuous improvement process ensures that new risks are also identified and dealt with promptly.
The rest of my free time I spend with writing (blog) articles on my various blogs, building an ISMS toolkit to make my job a little bit easier, reading books, playing around with my Neocities website, enjoying analogue and digital photography and creating some digital art on my iPad.
Skills
These are only some of the skills I contribute to my professional activities.
General
- Information Security and Data Privacy Management; incl. planning and implementing ISMS or improving existing ones
- Risk Assessment and Risk Management
- DevOps / SecOps / DevSecOps
- Linux / Unix System Administration
- Security Auditing to prepare for certifications like ISO 27001
- Pentesting for web applications and networks
- Intrusion Detection
- Network Design
- AWS, Azure
- Containerization with Docker and Kubernetes
Security Frameworks that I'm familiar with
- BSI IT-Grundschutz
- ISO 27001 (and related ISO standards)
- CIS Controls
- ... and more
Some of my Softskills
- Explaining complex technical topics to non-technicals
- remaining calm and relaxed while managing disaster recovery procedures
- being paranoid enough to consider any risk, yet practical enough mitigatee them
- Teaching people how to better protect their data
- Showing business leaders why they should invest in information security by exposing vulnerabilities not only in IT systems
- having supporter genes
Operating Systems that I know very well
- Linux - various distributions from Debian and Ubuntu over SuSE, Fedora and Centos up to Linux From Scratch (LFS)
- MacOS - my preferred Desktop system
- RouterOS - I use it on my MikroTik devices
- KTSOS - a very basic core system, that I wrote in the past for some private projects like my C&C server from the "darker periods" of my life
- Solaris
- OpenIndiana
- FreeBSD
Operating Systems that I know basically
- MS Windows
- RISC OS
Programming and Scripting Languages that I like
- Python (my preferred language)
- JS
- Perl / Raku
- PHP
- C/C++
- Scala
- Bash
- Go
- and more
Servers and similar software that I've used and managed in my various engineering jobs
- Webservers
- Apache
- Nginx
- Databases
- MySQL / MariaDB / Percona
- MongoDB
- Apache Druid
- Email server technologies
- Postfix
- Dovecot
- Courier
- Spamassassin
- CI/CD
- Jenkins
- Gitlab
- Others
- Stream Processing with Apache Kafka
- Tomcat
- Zookeeper
- GlusterFS
- Varnish
- Log monitoring with ELK stack (Elasticsearch, Logstash, Kibana)
- Redis
- Beanstalkd
- various monitoring tools like NewRelic, Nagios / Icinga, Prometheus or Palo Alto Networks' Prisma Cloud
- IPtables, PF, IPFW and some other firewalls
- Intrusion Detection and traffic ananlysis with OSSEC, Snort, Prisma, Wazuh, Suricata, Zeek and other
- and more...
Experience
I worked in very different companies and environments in the past. Here are some of my stations from the last years, beginning with the latest. These are just a few stations of my career. I selected these stations because each one had a big impact on my personal development and gave me new knowledge and new experiences that have shaped me and helped me to become the allrounder I'm now.
Dr. Michael Gorski Consulting
I joined Michael's company as a Senior Security Consultant, but after just three months he promoted me to the Head of Security Engineering. Apparently, I'm good at what I do. 😉 And since I turned out to have a talent for explaining our various consulting services to our customers and showing them why investing in cybersecurity is important for every company, I also took on some tasks in business development. Even though Michael has unfortunately decided not to continue with the company, I'm grateful for the experience I gained working with him.
AppConceptionOne
I joined AppConceptionOne as the CISO. After I implemented a basic ISMS into the company I also took a look at the management processes. Since I learned a lot about modern management from my former employer, Personio, and I'm interested in management methods and leading a business in general, I began to look at ACO from this perspective. We were a very small start-up with an outsourced software development team and management processes were nearly non-existent. So I re-worked our management procedures and began to implement a lean management approach into our company. This led to my promotion to the COO of the company and I managed the complete day-to-day business.
Personio
I joined Personio in a very early startup phase. In the beginning I supported them as a freelancer in DevOps engineering and system administration. When the GDPR became mandatory, Personio offered me a permanent position as their Security Manager. In this role, I made the company GDPR-compliant, set up incident management, started implementing risk management and helped to build a security team that fits their fast growing environment. When I left Personio a few years later to take up my first C-level position, the company had grown from a dozen employees in the beginning to over 1200 employees.
Bild Digital GmbH / bild.de
I worked for Bild Digital / bild.de as a Senior System Administrator. In this role I hardened the systems for "Bild deckt auf", an encrypted system for whistleblowers to contact the editorial team via a highly-secured channel. Furthermore I re-structured multiple "satellite systems" running on AWS and integrated them into the IaC environment.
Mokono / blog.de
For Mokono I worked 2 times. At my first time with them I helped to move their complete office network to a new office and got some first insights into their server network. A few months later, I left the company due to professional disagreements between their CTO at the time and myself about how to handle bugs in high-traffic web environments to prevent growing instablity and performance issues. But a few years later, their Lead Developer brought me back to help them fix the problems in their server network that I had previously warned about. Together, we restored the stability of the platform and optimized the performance and security of the servers and the web applications running on them, so it could easily handle 3 million unique visitors per month on 2 webservers, 2 databases (master-slave replication) and a caching server.
I also took on the role as an internal data protection officer in this company for the first time in my career and started to dive deep into the legal and organizational aspects of data protection and information security. As a result, I began to look at information security from more than just an IT perspective and, over the following years, developed ways of balancing business needs with protection requirements.
Contact
Email: frank at ff-sec.euPhone: +49 15678447860