Target-state design, TOGAF ADM, operating model definition, ARB governance and traceable architecture decisions across regulated institutions — banking, defence, DPI and multilateral.
ISO 27001, PCI DSS, NIST 800-53, GDPR, DORA — from control framework design through audit readiness. Zero Trust architecture, PAM/IAM governance, SIEM/SOAR for 23+ regulated institutions.
Threat modelling (STRIDE, PASTA, LINDDUN) embedded in cloud-native design — AWS, Azure, GCP, hybrid and classified environments. CSA CCM, CIS Controls, cloud-native SIEM, lateral movement containment, supply chain security and secure landing zone patterns.
Multi-cloud (AWS, Azure, GCP), sovereign and governmental cloud, hybrid and air-gapped designs. On-premise virtualisation: VMware ESXi / vSAN / NSX, Hyper-V, KVM, HCI. Mission-critical and classified environments — NATO Secret, EU restricted, DoD IL4/IL5 patterns. SDDC, IaC, policy-as-code, FinOps governance.
End-to-end delivery governance — from strategy, procurement and architecture through DevSecOps, cloud adoption (AWS · Azure · GCP) and transition to operations. NATO, UN, EEAS, national DPI.
Project Manager, Programme Manager and Service Delivery Manager across mission-critical engagements. PRINCE2, MSP, SAFe, Agile — matrix teams up to 39 direct and 80+ indirect reports. ITIL-governed service delivery, SLA/OLA ownership, CAB authority, transition-to-operations and steady-state handover. NATO, UN Secretariat, EEAS, PIR2-IT banking consortium.
Enterprise architecture authority
Target-state design, decision governance and reference patterns — from TOGAF-led enterprise architecture to Zero Trust and classified DPI systems.
Target architectures, operating models and traceable architecture decisions for regulated transformation.
↗Controls, standards, ARB/ADR frameworks and decision traceability across large-scale programmes.
↗TOGAF ADM, operating model design, capability mapping and governance for institutional transformation.
Cybersecurity, risk & data protection
Secure-by-design architecture, Zero Trust controls, GDPR/DORA compliance and audit-defensible information governance.
ISO 27001, PCI DSS, NIST 800-53, Zero Trust, SIEM/SOAR — 55% MTTR reduction across 23 regulated institutions.
↗Privacy-by-design, GDPR Article 25/32, DLP architecture, lifecycle controls and eDiscovery readiness.
↗Threat modelling, risk quantification, ISO 31000/27005 frameworks and control assurance for regulated environments.
Cloud adoption, governance & DevSecOps
Landing zone design, policy-as-code, DevSecOps pipelines and platform engineering — AWS, Azure, GCP, hybrid and classified environments.
Landing zones, CAF, Well-Architected, DevSecOps pipelines — NATO Secret, EU classified, DoD and commercial. 99.999% availability.
↗Hybrid backbone modernisation, Kubernetes, container orchestration, observability and operations-ready service foundations.
Industry & institutional expertise
25+ years across defence, DPI, banking, governance, innovation and programme delivery at institutional scale.
C4ISR, governmental cloud, classified platforms — NATO Secret, EEAS, DoD. Clearance valid Aug 2027.
↗National identity, ePassport, eHealth, eJustice and DPI programmes across 35+ states. eIDAS, WBG ID4D, EU structural frameworks.
↗Core banking architecture, cyber governance and regulatory compliance across 23 global institutions — ECB, HSBC, SocGen, EIB, UNFCU.
↗Decision governance, ARB authority, audit-readiness and compliance documentation — UN, NATO, EEAS, ECB, ENISA.
↗Transformation stabilisation, executive cadence and delivery governance — from strategy and procurement through transition to operations.
↗AI governance, blockchain, IoT and emerging tech architectures grounded in governance and mission-critical constraints.
Explainers, KPIs & institutional work
Ready to engage
Senior advisory — architecture, security & delivery
Send a brief — I'll assess scope and respond within 24 hours. Retained advisory, programme leadership or fixed-scope assessment.