Senior IT-Security Consultant
CISSP-ISSMP
PMP
Wilhelmshoeher Straße 74
60389 Frankfurt am Main
Germany
Tel.: +49-(0)170/57 29 31 0
thomas@hetschold.de
Professional Know-how
- Automotive - 7.5 years
Coordination of Business Information Security Officers (Daimler/Mercedes-Benz Group)
Support in implementing a cybersecurity management system (Daimler Truck)
Creation of security profiles as information security architect (Daimler)
Support in implementing a tool-based cloud risk process (Daimler)
Conducting spot checks of cloud projects (Daimler)
Support in governing the cloud risk process (Daimler)
Design of an IT security policy for the automotive field (BMW)
Definition, implementation and operation of the Center of Competence Automotive Security (BMW)
Creation of a threat and risk analysis for the vehicle security architecture (BMW)
Implementation of a secure SAP R/3 infrastructure (Volkswagen)
- Aviation - 10 years
Support of the internal IT security architects as part of the internal consulting and further development of security specifications (Lufthansa)
Implementation of the Payment Card Industry Data Security Standard (PCI DSS) (Lufthansa)
Supporting the implementation of IT-security processes (Lufthansa)
Risk analysis for IT systems that affect the aircraft (Lufthansa)
- Banking - 3 years
Development of security protocols for electronic business processes (Deutsche Bank, Dresdner Bank, Bank of America, ABN Amro)
Development of a security online banking protocol (Dresdner Bank)
- Public administration - 2.5 years
Development of a threat analysis for automated driving (State of Baden-Württemberg)
Design of IT security concepts for the deployment of the German electronic health card (several health insurance companies)
Development of a purchase system according to German signature law (Federal State of Lower Saxony)
Development of security protocols for the deployment of the German Health Professional Card (ABDA)
- Power - 1 year
Development of a system for the secure operation control in a nuclear power plant (RWE)
Implementation of a secure SAP R/3 infrastructure (RWE)
- IT and telecommunications - 8 years
Development of a product to secure SAP R/3 systems (SAP)
Development of security products (Secude, Fillmore Labs)
Development of access control in an OSI management platform according to X.741 (Deutsche Telekom)
- Media - 1.5 years
Development of a digital rights management system for a peer-to-peer file sharing service (DWS/Bertelsmann)
- Transport - 0.75 years
Development of an information security concept and a data privacy concept for a tolling platform (Kapsch)
- Trade - 0.5 years
Consulting on data protection and setup of a data protection management system and an information security management system (ISMS) (Lässig)
Professional Competence
- UNECE R155, ISO 21434
- Tolling processes
- Automotive processes
E/E development processes
Production processes
Service processes
Logistics processes
- Aviation processes
- IT processes
PCI DSS
ISO 2700x
OWASP
Documentation according to Common Criteria
Documentation according to ITSec
Specialization
- Setup of a CSMS according to ISO 21434
- General data protection directive (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- IT security processes
- IT risk management
- Process analysis and modelling
Languages
- German
- English (Certificate in Advanced English)
Education
- Diploma in Computer Science, J. W. Goethe-University, Frankfurt, Germany
- Project Management Professional
- Certified Information Systems Security Professional
- Cybersecurity Automotive Professional
- Information Security Architect (Daimler)
- ITIL Foundation
- PCI SSC Standards Training
- Project management of IT projects (CSC Ploenzke)
Employment History
- Since 2004: freelancer (senior security consultant, process design)
- 2003 - 2004 Secude GmbH (CTO)
- 2001 - 2003 Fillmore Labs GmbH (CEO)
- 1996 - 2001 Secude GmbH (CTO)
- 1993 - 1997 GMD - German national research center for information technology GmbH (scientific employee, project manager)
- 1990 - 1993 self-employed (IT consultant, software developer)
Leadership and Project Management Experience
- Daimler, sub-project management, 1.5 years
- Lufthansa, project management, 7 years
- CTO Secude GmbH, Management of Development and Consulting with 30 employees, 7 years
- CEO Fillmore Labs GmbH, 7 employees, 2 years
- Secude GmbH, program management, 7 years
- Fillmore Labs GmbH, project management, 2 years
- GMD (Fraunhofer Gesellschaft), 2 years
Miscellaneous
Projects (chronologically)
- Support of the internal IT security architects as part of the internal consulting and further development of security specifications
Project execution and/or consulting within the context of IT security based on defined goals and success criteria.
Development and implementation of IT domain security architecture(s) and development projects and/or product, service and provider management for business-critical applications in all Lufthansa Group business areas.
Development, evaluation and management of a group-wide information security architecture and strategy as well as a definition of group-wide guidelines.
Development of relevant attributes for the security architecture of the Deutsche Lufthansa Group (e.g. models, templates, standards).
Evaluation of the security solutions, services and tools offered on the market.
Group-wide security assessment of existing IT systems and security services.
- Consulting on data protection and setup of a data protection management system and an information security management system (ISMS)
Consulting on IT systems (e.g. internal IT infrastructure, online shops, applications) for data protection compliance and information security.
Consulting and support in implementing a deletion concept and in carrying out data protection impact assessments.
Advice and support in the review and implementation of technical and organizational measures (TOMs).
Creation of the necessary information security documentation.
- Coordination of the Business Information Security Officers (BISO)
Support in definition and development of appropriate target structures and processes which are valid group-wide for information security in the business units and central units.
Further development of the role, committee and collaboration models that apply group-wide within the highly complex information security environment.
Steering and further development of the new committee of the business units' information security officers.
- Support in implementing a Cybersecurity Management System (CSMS)
According to UN Regulation No. 155, OEMs will in future be required to implement a cybersecurity management system in order to obtain type approval. This requires them to comply with ISO 21434.
Determine the status quo of all affected vehicle types.
Extend the vehicle development process to meet the requirements of ISO 21434.
Create vehicle TARAs (Threat Analysis and Risk Assessment).
- Creation of security profiles as Information Security Architect (ISA)
Creation of a C4 model and a data flow model while analysing IT systems, in order to identify possible vulnerabilities and threats and to determine cloud-specific threats.
Evaluate threats and risks.
Develop appropriate countermeasures to mitigate risks to an acceptable level.
Discuss the results with the project team.
- Threat analysis of IT security and autonomous driving for the State of Baden-Württemberg
Analysis and identification of new threats arising from networked and automated driving
Proposal of preventive measures, of methods for detecting attacks, and of appropriate countermeasures
Special consideration of new ways to detect criminal offences, and of procedures for the traceability of decisions by automated driving systems that are based on machine learning
- Sub-project Management Development and Introduction of a tool-based Cloud Risk Process for Daimler AG
Create and implement a concept for support, including provider selection
Create and implement a concept to establish a world-wide multiplier structure to complement the support
Create and implement a concept for spot checks to validate that projects have complied with the process and have identified and mitigated risks correctly
Support the work package communication
- Support the Governance of the Cloud Risk Process for Daimler AG
Validate project documentation for cloud usage
Align risk assessments with IT and legal
Validate that mitigating measures have been implemented in a project (spot checks)
Propose process improvements for the cloud risk process and align with the responsible stakeholders
Deploy a tool for governing the cloud risk process
- Preparation of a Concept for Information Security and Data Privacy for Kapsch TrafficCom
Understand the enterprise architecture to be able to deliver an information security concept for the program
Align the security concept with the responsible business stakeholders
Ensure that the information security concept complies with the information security strategy as well as the existing ISMS
Develop an information security risk management approach
Derive from the security concept a security operations concept
- Project manager within the PCI DSS (Payment Card Industry Data Security Standard) project of German Lufthansa Airlines
Design and implementation of PCI DSS requirements. Budget planning
Successful certification according to PCI DSS as well as re-certification
Development of protection requirement profiles and risk analyses
Consulting services with regard to processes for the development of protection requirement profiles and risk analyses, and the implementation of identity management according to ISO 2700x
- Development of security concepts for the deployment of the German electronic health card
Development of security concepts according to ISO 2700x
Evaluation of several hardware security modules
- Operation of the Center of Competence Automotive Security
Development of an IT security policy for the automotive field
Monthly organization of the steering committee CoC Automotive Security
Preparation of decision memos for the board of heads of departments according to the guidelines of the client
Communication of automotive security know-how to all involved departments
Amendment of the BMW threat catalogue in collaboration with the administrative department for information protection
Definition of the base protection profile for automotive security in collaboration with the administrative department for information security according to ISO 2700x
Review of the existing security measures of the parties responsible for electronic control units
Requirements management for security measures of automotive security
- Definition and implementation of the Center of Competence Automotive Security
Identification and analysis of requirements of a CoC Automotive Security
Definition of the tasks and description of the roles and processes of the CoC Automotive Security
Coordination with all relevant contact persons of the involved departments
Preparation of an action plan to implement the CoC Automotive Security
Enforcement of the action plan and integration of the CoC Automotive Security in the process landscape of the client
Support of the project management to implement the CoC Automotive Security and coordination of all involved departments
- Threat and risk analysis of vehicle security
Design and development of a threat and risk analysis based on the CIA criteria (confidentiality, integrity, availability) for the security architecture of the newest vehicle model, covering both the vehicle side and the infrastructure side
Discussion and prioritisation of the risk profile with the relevant contact persons of the respective consumer and system functions (security requirements analysis)
Derive the overall risk for the vehicle from the single risks of the consumer and system functions
Derive the overall risk for the infrastructure from the single risks of the respective consumer functions
Definition of security components appropriate to secure the on-board network (Bordnetz) architecture
Determination of the remaining risk according to the specifications of BMW
- Digital Rights Management for Napster
Design and development of a high-performance PKI system for 50 million Napster users
Design and integration of novel obfuscation techniques into the Napster software to enforce digital rights management
- Identrus
Identrus was an initiative of major international banks to establish a business-to-business public key infrastructure in support of e-commerce
New security protocols for electronic business processes were designed together with Identrus
The software developed was being used as reference to test third party software for compliance to the protocols
Patent submissions:
20020165827: System and method for facilitating signing by buyers in electronic commerce
20020112156: System and method for secure smartcard issuance
- BaanERP Security
Design and development of a client/server system that uses signature-law-compliant hardware components for secure login to a Baan ERP system for the Federal State of Lower Saxony
It was not possible to integrate the security functionality directly into the Baan ERP system
The solution was therefore realised as middleware on both the client side and the server side
On the client side the Microsoft protocol stack was extended; on the server side the middleware acts as a proxy that allows a connection to the Baan ERP server only after successful user authentication
Signature-law-compliant smartcards from Deutsche Telekom were used as the hardware components
- Security for SAP R/3
Design and development of a product to secure the client/server communication of SAP R/3
Because of export restrictions, SAP needed an interface in the R/3 system through which third-party products could encrypt the communication channel, without SAP having to implement the security functionality itself
The protocol had to ensure strong authentication of the users and encryption of the communication channel
The use of hardware to enhance security had to be possible
- Secure Online Banking
Design and development of a secure online banking protocol for Dresdner Bank
At the time of the project common online banking implementations used only PIN/TAN techniques for authentication and transaction security
Digital signatures are still not very common in this area but they are ideally suited to provide this functionality
In co-operation with several companies an online banking protocol based on digital signatures was designed. This protocol models the entire process from certificate issuance to online transactions
- Security in OSI-Management
Design of specifications to integrate access control into an existing X.700 OSI management platform
Implementation of access control for OSI Management (X.741)
Authoring of a scientific publication on security policies and their representation
Design of specifications to integrate security policies into an existing OSI management platform
Implementation of security policies into an existing OSI management platform
Certificates and References