Cybersecurity training and consulting that builds real security instinct
Explore the powers of game-based learning
People do not build security instinct by being lectured at. They build it by making decisions and living with what happens next. That is what a game does. It turns a topic people would normally sit through into something they actually do, argue about, and remember afterwards. The engagement is nice. The part that matters is that it sticks.
Contact me if you need my help in any of the following areas:
Community Marketing
The infosec community decides who is worth working for and worth buying from. Show up with something of real value instead of another campaign, and it talks about you. I help you do that in a language the community actually respects.
Talk: Living with AD(H)D in infosec
I can be engaged to do a talk or join a panel on neurodiversity, inclusion and ADHD built on my own journey from being diagnosed at the age of 44 after a long career in infosec.
The talk will focus on my journey and my learnings, I can talk about being an employee and which challenges neurodiverse people usually have in the workplace, what employers should focus on to be more inclusive or whatever is important to you.
In my experience neurodiversity is very widespread in infosec and IT in general so when I do my talk in front of these audiences, it always sparks a lot of talks and personal stories. To me it’s important to educate and inspire. I’ve been so lucky to do this at several conferences around Europe and US where I’ve been invited to talk about this, a subject very dear to me.
Reach out if you’re interested in continuing the conversation.
Two decades as an Infosec Professional
I have spent two decades in infosec, and the same thing keeps proving true: security is a people problem long before it is a technical one. So I teach it the way people actually learn, through stories and games they take part in, not slides they sit through. Pragmatic, a little contrarian, and built on what works in the room.
How I Work
Incident response training: I run your team through a real incident as a game, ransomware and worse, so they practise the hard calls before they have to make them for real.
Community-centric marketing: I help you reach the infosec community by giving it real value, not by pointing another campaign at it.
Public speaking and workshops: I speak at conferences across Europe and the US, and I run workshops that get a room talking instead of nodding along.
Work Experience
Where I’ve Worked
Strategic security work across enterprises including Deloitte, KPMG, NCC Group, Pandora, NNIT and others.
What I’ve Built
Designed Malware & Monsters, a TTRPG-based incident response training game used at BSides conferences.
Co-founded KbhSEC, Copenhagen’s independent infosec practitioner community.
Security awareness programme at Pandora, multi-channel, risk-based, global workforce.
Co-founder and organiser of BSides København since 2019.
Bridged marketing, technology, and community as Head of Community at CrowdSec.
From the blog
CUI protection is about to stop being a defense-only problem.
For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who's on the hook. It would extend NIST SP 800-171 to...
CMMC does not just want an IR plan. It wants you to test it.
CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork....
DORA says test your resilience. A document is not a test.
DORA made operational resilience testing a legal duty for financial entities across the EU, not an internal best practice. It expects a real testing programme and business-continuity arrangements that actually work. Plenty of firms are handling that with a documented...
NIS2 says train your board. A slide deck will not do it.
NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by...