Cybersecurity training and consulting that builds real security instinct

EXPOSURE: The board game that builds security instincts in management

Turn a 60-minute session into a lasting shift in how your leadership team thinks about security risk. No technical knowledge required. Built around NIS2 Article 21(2)(g).

I can help you with a different take on your cyber security marketing

You want to do it differently. But how? I have a simple suggestion: address the cyber security community; a powerful but often overlooked marketing channel. Doing so both requires understanding of the target group and the ability to get ideas no one else does. I can assist you with both.

NIS2, DORA and the CRA make security a board problem

The new EU rules do not ask you to be aware of cyber risk. They ask your board and your team to make the decisions, test the plan, and prove it. I run games that build exactly that, mapped to NIS2, DORA and the CRA.

Explore the powers of game-based learning

People do not build security instinct by being lectured at. They build it by making decisions and living with what happens next. That is what a game does. It turns a topic people would normally sit through into something they actually do, argue about, and remember afterwards. The engagement is nice. The part that matters is that it sticks.

Contact me if you need my help in any of the following areas:

Community Marketing

The infosec community decides who is worth working for and worth buying from. Show up with something of real value instead of another campaign, and it talks about you. I help you do that in a language the community actually respects.

&

Gamified Incident Response training

Most incident response plans have never met a room full of people under pressure. I run the incident as a game, so your team makes the calls, finds the gaps, and learns how each other actually behaves before a real incident does it for them.

&

Talk: Living with AD(H)D in infosec

I can be engaged to do a talk or join a panel on neurodiversity, inclusion and ADHD built on my own journey from being diagnosed at the age of 44 after a long career in infosec.

The talk will focus on my journey and my learnings, I can talk about being an employee and which challenges neurodiverse people usually have in the workplace, what employers should focus on to be more inclusive or whatever is important to you.

In my experience neurodiversity is very widespread in infosec and IT in general so when I do my talk in front of these audiences, it always sparks a lot of talks and personal stories. To me it’s important to educate and inspire. I’ve been so lucky to do this at several conferences around Europe and US where I’ve been invited to talk about this, a subject very dear to me.

Reach out if you’re interested in continuing the conversation.

 

Two decades as an Infosec Professional

I have spent two decades in infosec, and the same thing keeps proving true: security is a people problem long before it is a technical one. So I teach it the way people actually learn, through stories and games they take part in, not slides they sit through. Pragmatic, a little contrarian, and built on what works in the room.

How I Work

5

Incident response training: I run your team through a real incident as a game, ransomware and worse, so they practise the hard calls before they have to make them for real.

5

Community-centric marketing: I help you reach the infosec community by giving it real value, not by pointing another campaign at it.

5

Public speaking and workshops: I speak at conferences across Europe and the US, and I run workshops that get a room talking instead of nodding along.

Work Experience

Where I’ve Worked

Strategic security work across enterprises including Deloitte, KPMG, NCC Group, Pandora, NNIT and others.

What I’ve Built

5

Designed Malware & Monsters, a TTRPG-based incident response training game used at BSides conferences.

5

Co-founded KbhSEC, Copenhagen’s independent infosec practitioner community.

5

Security awareness programme at Pandora, multi-channel, risk-based, global workforce.

5

Co-founder and organiser of BSides København since 2019.

5

Bridged marketing, technology, and community as Head of Community at CrowdSec.

From the blog

CUI protection is about to stop being a defense-only problem.

CUI protection is about to stop being a defense-only problem.

For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who's on the hook. It would extend NIST SP 800-171 to...

CMMC does not just want an IR plan. It wants you to test it.

CMMC does not just want an IR plan. It wants you to test it.

CMMC certification is how a company stays eligible for US Department of Defense contracts, and it asks for more than a binder of policies. To reach Level 2 you have to meet the practices in NIST SP 800-171, and two of them are about your people, not your paperwork....

DORA says test your resilience. A document is not a test.

DORA says test your resilience. A document is not a test.

DORA made operational resilience testing a legal duty for financial entities across the EU, not an internal best practice. It expects a real testing programme and business-continuity arrangements that actually work. Plenty of firms are handling that with a documented...

NIS2 says train your board. A slide deck will not do it.

NIS2 says train your board. A slide deck will not do it.

NIS2 turned board-level security training into a legal obligation, not a nice-to-have. Article 20 puts accountability for cyber risk on the management body itself, and Article 20(2) requires those same people to be trained. Most organisations are dealing with that by...

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.