Security, Governance and Delivery — run as a unified role, driving Digital Trust...
Strategic Delivery Leader - Three Disciplines
18+ years building Information Security, ISO 27001/GDPR compliance, and Program & Service Delivery Management capability for global organisations — now extending that into AI Governance and AI Product Management.
Helping organisations adopt AI Responsibly — and deliver on time with quality.
Built calm, on purpose.
18+ years ago, I started in technical support — fixing other people's infrastructure at 2am. Today I architect the ISMS, govern the compliance, and run the program. Same instinct, bigger problems.
I've built ISO 27001 management systems from scratch, governed AWS Landing Zones across 150+ accounts, and led security integration through a company acquisition without a single incident — owning budget and vendor governance directly, and advising C- and D-level leadership on strategy, not just executing it.
The acquisition taught me the real lesson: governance only survives contact with change if it's been someone's daily habit for years — not a project plan for months.
When ISO 42001, the EU AI Act and the NIST AI RMF arrived, I wasn't starting from zero. I was pointing 18+ years of the same instinct at a newer problem.
"Progress doesn't need chaos. It needs someone willing to walk the new path calmly, while everyone else argues about the old one."
KERALA, INDIA · IST
Here's that record, year by year:
18+ years, one throughline.
Five roles, four companies, one instinct: closing the gap between new technology and the trust needed to run it safely.
Packaged App Development Manager
Mindcurv, part of Accenture Song
The role where security, governance and delivery formally became one job — not three responsibilities split across three different people.
Packaged App Development Manager · Mindcurv, part of Accenture Song
Architected the ISO 27001:2022 ISMS from the ground up; led Security and Client Data Protection integration through Accenture Song's acquisition of Mindcurv — zero incidents through the transition.
Senior Enterprise Solutions Specialist · UST Global
Directed the FogPanel cloud management platform program; cut provisioning time 30% and troubleshooting incidents 25% through automation.
Senior Cloud Consultant · AssistanZ Networks
Led a 30-engineer global managed-services team; service management and cloud consulting across AWS, Azure, Rackspace, OpenStack and CloudStack landscapes.
Team Leader, Infrastructure Managed Services · Velan Info Services
Responsible for a 20-member global managed-services and web-hosting support team, with SLA-accountable IT operations for SMBs, ISPs and data centres.
Technical Support Engineer · AssistanZ Networks
24/7 L1/L2 incident response across multi-platform hosting environments — where this started.
How I add value to your organisation.
Six ways this actually shows up, whichever pillar the work touches.
Risk becomes a roadmap
AI and security governance built so adoption moves at the speed of opportunity, not anxiety — ISO 42001, NIST AI RMF and the EU AI Act mapped from day one. That means a risk register exists before the first model goes live, not after a regulator asks for one.
Strategy survives contact with reality
Roadmaps built on Agile, SAFe, PRINCE2 and ITIL discipline — designed to hold up against real budgets, real teams, real deadlines. Milestones get tested against whatever actually breaks delivery, usually budget or people, rarely the technology.
Security stops being the brake
Multi-cloud architecture and GRC built on ISO 27001, Zero Trust and GDPR/DORA — protection that moves with the team, not against it. Controls get designed alongside the engineers who'll live with them, not handed down after the architecture's already built.
The room gets sharper
Practitioner credibility brought to the boardroom through workshops, coaching and advisory — not just theory. The frameworks discussed in a keynote are the same ones implemented on a Monday morning.
Compliance becomes a sales asset
GDPR and CDP certification managed so client trust converts into signed contracts, not just passed audits. The same governance discipline that protects data has measurably strengthened client trust and contract retention.
Teams stop depending on me
Every engagement includes structured knowledge transfer — 45+ sessions delivered to date — so capability stays with the team long after the engagement ends, not walking out the door with me.
Where I operate.
Eight areas. Each backed by a credential or a delivered number — not a claim. Translated once, not eight times: less risk exposure, faster certification and deal cycles, and delivery that doesn't depend on me being in the room.
Information Security Operations
Day-to-day security operations — IAM, EDR, VAPT and incident response — built into how the business runs, not bolted on after deployment.
KPI — Zero security incidents through a company acquisition
Cloud Security & Architecture
Multi-cloud security architecture across AWS, Azure and GCP — Zero Trust principles, CSPM, and OpenStack/CloudStack environments, built for operational resilience, not just a compliance checkbox. The B2B platform migration replaced on-premise infrastructure with a scalable AWS architecture, with monitoring and logging built in from day one — not bolted on after the first incident. A library of reusable cloud best-practice audit artefacts, built from that same work, now cuts governance and technical audit time by 30%.
KPI — Reusable cloud audit artefacts cut audit time 30%
ISO & Compliance
ISO 27001 Lead Auditor, TÜV Rheinland — running the external certification audit itself, not just preparing for one. The same governance discipline extends to SOC 2, NIST CSF and DORA control mapping where frameworks overlap. Built out a full set of GDPR and ISMS audit templates, registers, forms and checklists, then trained the teams who'd actually use them — not just filed them in a policy folder.
KPI — Externally certified, not self-assessed
KPI — Audit time down 35%, audit efficiency up 70%
GDPR & Data Protection
Client Data Protection Lead certified. GDPR compliance governed end-to-end across a full client portfolio — policy, technical controls and breach response owned by one accountable function. The same template-and-training discipline applied here too: reusable GDPR audit registers and checklists, not just a policy document nobody opens.
KPI — 100% of client portfolio CDP-compliant, on schedule
Program & Project Management
PRINCE2 Practitioner. AWS Landing Zone rollout, platform migrations and post-merger integration orchestrated as programmes — stage-gate discipline from business case to handover, not just the technical build. The Landing Zone rollout replaced account-by-account guesswork with a single-pane view across all 150+ accounts — surfacing non-compliant resources, abandoned cloud assets, and security risk that had been invisible one account at a time. Twenty-three programmes delivered this way to date.
KPI — 150+ AWS accounts governed in a single Landing Zone rollout
KPI — 23 distinct programmes delivered to date
KPI — B2B platform migrated on-premise → AWS, zero downtime, zero customer impact
Stakeholder Management
C- and D-level advisory on strategy and pricing, for enterprise clients across Europe, APAC and North America. Vendor and budget governance owned directly, not delegated to a project office.
KPI — C/D-level advisory across three continents
Service Management
ITIL 4 Specialist & Strategist certified. SLA-accountable delivery for a 30-engineer global managed-services team, with service improvement built into the operating model, not added after an outage. That team held 95% SLA compliance while cutting errors and complaints at the same time — not trading one for the other.
KPI — 30% faster provisioning, 25% fewer troubleshooting incidents
KPI — 95% SLA compliance
KPI — 15% CSAT improvement, 70% error reduction, 15% complaint reduction
AI Governance · Current focus
ISO 42001, EU AI Act and NIST AI RMF applied in practice — ahead of formal certification, the same operating discipline used for ISO 27001 a decade earlier.
KPI — Practitioner-applied, ahead of certification
Compliance is a quality metric, not a checkbox.
GDPR and ISO aren't separate from delivery quality — they're how it gets measured. Every control built in is a quality gate, not a hurdle bolted on after the fact.
Fewer defects, earlier
My ISO 27001 risk registers catch what QA alone misses, before it ships — a misconfigured access control rarely shows up in a functional test.
Audit-ready by default
GDPR controls built into delivery make certification a formality, not a fire drill — by the time an auditor asks, the evidence already exists.
One scorecard, not two
Security and compliance sit inside the same KPI set as delivery quality — not next to it. A missed control gets tracked as a defect, the same way a broken feature would be.
Assess
Map risk and regulatory exposure first — the real gaps, not just what a checklist asks for.
Architect
Design governance around how the business actually runs, not around a generic framework template.
Embed
Build controls into delivery itself, sprint by sprint — not a binder nobody opens again.
Operate
Hand over a system the team can run, measure and improve without me — that's the actual finish line.
Enabling teams to perform at their highest potential.
The best results come from teams that understand the "why" behind every decision — not just the instruction. Six principles, applied the same way regardless of which pillar the work touches.
Clarity at every level
Strategy means nothing to me until an engineer and an executive can both explain it the same way. I treat alignment as a daily practice, not a quarterly memo. On a 30-engineer team, that meant the same one-line answer to "what are we doing and why" whether you asked the newest hire or the client sponsor.
Technical meets business thinking
The conditions I try to create: technical specialists feel ownership over business outcomes, and business stakeholders develop genuine respect for technical constraints. Fewer silos, better solutions. It's the difference between a security function that says no, and one that says here's how, by Friday.
Capability over dependency
The measure of good leadership isn't how much a team needs me — it's how capable they become without me. Knowledge transfer is part of the deliverable, not an afterthought. Every engagement should end with someone else able to run what got built, not a support ticket with my name on it — 45+ internal training and knowledge-transfer sessions delivered, by count, not by accident.
Resilience by design
Whether it's an AI system, a security architecture, or a delivery programme, I build in resilience as a principle, not bolt it on as a feature. Anticipating failure modes is part of how I think about responsible strategy — the same instinct that got a company through an acquisition with zero security incidents. Not luck; a plan for what could go wrong before it did.
Governance without bureaucracy
Compliance and speed aren't opposites to me. I design frameworks that give a team the confidence to move fast — not a reason to wait for permission at every step. A 30% cut in provisioning time didn't come from removing controls; it came from automating the ones that were slowing everyone down.
Trust as the real deliverable
Every control, every architecture decision, every AI policy gets judged by one thing, as far as I'm concerned: did it make the organisation more trustworthy. That's the real deliverable — certifications and audits are just the paperwork that proves it.
What's certified. What's not. What it adds up to.
What it adds up to
Only 38% of organisations have a formal, comprehensive AI policy.
ISACA AI Pulse Poll, 2026
The global average cost of a data breach is $4.44M — and 97% of AI-related breaches occurred where AI access controls were missing.
IBM Cost of a Data Breach Report, 2025
63% of breached organisations had no AI governance policy in place at all.
IBM / Ponemon Institute, 2025
Written, not just done.
Practitioner guides on AI governance, ISO compliance, cloud security and delivery management — many published from my experience, and counting...
ISO 42001 Explained: The Complete AI Management System Standard
Read the guide →
Compliance
EU AI Act vs ISO 42001 vs NIST AI RMF: Choosing Your Framework
Read the guide →
Cloud Security
Zero Trust Architecture in Multi-Cloud Environments
Read the guide →
Program Management
Building a High-Performance Delivery Framework for Complex IT Programs
Read the guide →
GDPR
GDPR in the Age of AI: What Every DPO Needs to Know
Read the guide →
AI & Cybersecurity
AI for Cybersecurity and Cybersecurity for AI
Read the guide →
Career
The AI GRC Career Guide: Roles, Skills and Certifications
Read the guide →
IT Strategy
How IT Service Integration Firms Must Evolve or Risk Obsolescence
Read the guide →
AI Security
Supply Chain Attacks on AI Tools: What Axios, LiteLLM & Claude Code Reveal
Read the guide →
Direct answers.
Am I ISO 27001 certified?
Yes. I'm an ISO 27001:2013 Lead Auditor, certified by TÜV Rheinland — and I've built an ISO 27001:2022 ISMS from the ground up at Mindcurv, part of Accenture Song.
Do I hold an AI governance certification like ISO 42001?
Not yet, by design — and I'll say so plainly: I'm applying ISO 42001, the EU AI Act and NIST AI RMF in practice, ahead of formal certification. My formal certifications are in ISO 27001, PRINCE2, ITIL 4, Accenture Client Data Protection, EXIN Agile Scrum Master, and IBM Enterprise Design Thinking.
What roles am I open to?
Three things, equally: Senior Manager / Associate Director full-time leadership roles in Information Security, GRC or Program Management; consulting and advisory engagements; and speaking or workshops.
What's the core area of expertise?
Information Security, Cloud Security & Architecture, ISO 27001/42001 and GDPR compliance, Program & Project Management, Stakeholder Management, Service Management (ITIL), and AI Governance — eight areas built on 18+ years across cloud security, compliance and delivery leadership.
Where am I based, and do I work with international teams?
Based in Ernakulam, Kerala, India, working globally across time zones. Yes, I do work with C- and D-level teams for enterprise clients across Europe, APAC and North America — not limited to local engagements.
Am I ITIL certified, and what's my Service Management experience?
Yes — I'm an ITIL 4 Specialist (High-Velocity IT) and ITIL 4 Strategist (Direct, Plan & Improve). I led SLA-accountable delivery for a 30-engineer global managed-services team, with a directed programme that cut provisioning time 30% and troubleshooting incidents 25%.
Do I hold a Program or Project Management certification?
Yes, I'm a PRINCE2 Practitioner. I've applied it orchestrating an AWS Landing Zone rollout across 150+ accounts, platform migrations, and post-merger integration, with stage-gate discipline from business case to handover.
What's my GDPR and data protection experience?
I hold the Accenture Client Data Protection Lead certification and have governed GDPR compliance end-to-end — policy, technical controls and breach response — across a full client portfolio, with 100% of that portfolio compliant on schedule.
What's the difference between hiring me full-time versus as a consultant?
Same expertise, different engagement shape. Full-time (Senior Manager / Associate Director) suits organisations that want my ongoing, embedded ownership. Consulting or advisory engagements suit a defined problem with a clear scope and timeline. I'm equally open to either, plus speaking and workshop engagements.
What's the best way to get in touch?
LinkedIn is the fastest way to start a conversation. A direct email option is also available on this page under the contact section.
Let's talk.
Open to three things, equally: full-time leadership roles, advisory engagements, and speaking. Based in Ernakulam, Kerala — working globally across time zones.
Discover
A conversation about the actual problem — security, compliance, delivery, or AI. Usually thirty minutes, no deck required.
Scope
A defined outcome and the right engagement shape — full-time, consulting, or advisory — matched to what's actually needed. If the honest answer is "you need someone full-time, not a consultant," that's what gets said.
Deliver
The relevant pillars applied hands-on, using the same Assess → Architect → Embed → Operate discipline every time — the same four steps, whether the work is a security audit or an AI policy.
Sustain
Capability left with the team — documented, demonstrated, and tested with them before anyone calls it done. The goal is to become unnecessary, not indispensable.
Connect on LinkedIn
The fastest way to start a conversation — about a project, a role, or a stage.
Connect on LinkedIn →
Email directly
For a detailed brief, a formal enquiry, or anything that needs more than a LinkedIn message.
Send an email →
Selecting a time sends an email request with that date and time filled in — I'll confirm by reply and send a calendar invite. It doesn't book the slot instantly.