# David Andersson

Director of Security Engineering

Sweden (remote) | info@davidandersson.se | https://www.davidandersson.se | https://www.linkedin.com/in/davidandersson-se | https://github.com/davand01


## Professional Summary

Information security leader with more than two decades of experience spanning enterprise architecture, compliance, and engineering leadership. Track record of building security programs from the ground up: from ISMS design and ISO 27001 certification to scaling product security teams at high-growth software companies. Equally comfortable shaping strategy at the executive table and diving into technical security reviews.

Security as a service function, not a gatekeeper. The shift from "no, you can't do that" to "yes, let's find a better way to do that" is the work. Best results come from addressing security early in the design phase and treating engineering teams as partners, not subjects of compliance.


## Core Competencies

**Application Security.** Security architecture, secure SDLC, threat modeling, security requirements engineering, and building security champion networks across development organizations. Keywords: Secure SDLC, Threat Modeling, CI/CD.

**Security & Compliance.** ISMS implementation and review, ISO 27001/27002, risk management, incident and continuity management, vendor governance, and security legislation. Keywords: ISO 27001, GRC, Compliance as code.

**Engineering Leadership.** Coaching and situational leadership, staff and budget responsibility, building and scaling security teams, and driving strategic improvement programs. Keywords: People Mgmt, Cultural awareness, Strategy.



## Professional Experience

### Director of Security Engineering, Grafana Labs AB

2024 - Present | Remote | SaaS observability, open source

**Scope:** Team of 10 across two sub-teams. Staff and budget responsibility.

The two sub-teams: one builds VulnO11y, an internal observability tool for vulnerability management across the Grafana ecosystem; the other acts as an internal security consultancy, providing architecture reviews, vulnerability remediation support, and hands-on AppSec advisory to engineering teams.

Key contributions:

- Built and operate VulnO11y, an observability tool that models the full vulnerability lifecycle as a state machine: detection, CVE publication, embargo handling, and SLO-driven remediation. It ingests findings from Trivy, Grype, and OSV across first-party and third-party scope, and tracks the point at which a vulnerability entered a repository, image, or artefact against the agreed time-to-fix.
- Co-presented at GrafanaCON 2026 on the April 2025 CI/CD incident response. The talk covered the full attack reconstruction, canary-token detection, and the open-source forensics tooling (Loki, Trufflehog, Zizmor, Gato-X) used to confirm that no customer or user data was affected.
- Evolving threat modeling practice. STRIDE remains the default, with the team building a custom model inspired by STRIDE and PASTA to cover AI-introduced threat surfaces where classic frameworks fall short.
- Own the AppSec testing toolchain across the organisation: SAST, SCA, external penetration testing, and the bug bounty and VDP programme.
- Operational and strategic improvements across incident management, secure SDLC, and vendor governance.
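As an added illustration of the lifecycle model described above (this is not VulnO11y's own code, which is internal to Grafana Labs), the sketch below models the vulnerability lifecycle as a state machine with legal transitions, deduplicates findings from several scanners into one record per vulnerability and artefact, and measures each record against a severity-based time-to-fix from the moment the vulnerability entered the artefact. The state names, the SLO windows in `SLO_DAYS`, the normalised finding shape, and the sample findings are assumptions constructed for the example; the `EXAMPLE-000x` identifiers are placeholders, not real advisories.

```python
"""Vulnerability lifecycle as a state machine with SLO tracking.

Added example, not VulnO11y's code. State names, SLO windows and the
normalised finding shape are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(str, Enum):
    DETECTED = "detected"        # a scanner reported it; not yet triaged
    EMBARGOED = "embargoed"      # known internally, public advisory/CVE pending
    PUBLISHED = "published"      # CVE or advisory is public
    REMEDIATING = "remediating"  # fix in progress against the SLO clock
    FIXED = "fixed"              # patch merged or image rebuilt
    VERIFIED = "verified"        # rescan no longer reports it


# Legal transitions; anything else is rejected so the record stays auditable.
TRANSITIONS = {
    State.DETECTED:    {State.EMBARGOED, State.PUBLISHED, State.REMEDIATING},
    State.EMBARGOED:   {State.PUBLISHED, State.REMEDIATING},
    State.PUBLISHED:   {State.REMEDIATING},
    State.REMEDIATING: {State.FIXED},
    State.FIXED:       {State.VERIFIED, State.REMEDIATING},  # a rescan may reopen
    State.VERIFIED:    set(),
}

# Assumed time-to-fix per severity, in days. Real values are a policy decision.
SLO_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


@dataclass
class Vuln:
    vuln_id: str
    artifact: str        # repository, image or other artefact the finding lives in
    package: str
    severity: str
    first_seen: datetime  # when it entered the artefact; this starts the SLO clock
    state: State = State.DETECTED
    sources: set[str] = field(default_factory=set)
    history: list[tuple[State, datetime]] = field(default_factory=list)

    def transition(self, new: State, at: datetime) -> None:
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.vuln_id}: illegal {self.state.value} -> {new.value}")
        self.history.append((new, at))
        self.state = new

    def deadline(self) -> datetime:
        return self.first_seen + timedelta(days=SLO_DAYS[self.severity])

    def fixed_at(self) -> datetime | None:
        return next((at for st, at in self.history if st is State.FIXED), None)

    def slo_status(self, now: datetime) -> str:
        """'met', 'breached' or 'open'. An embargo does not pause the clock:
        the fix is owed from the moment the vulnerability entered the artefact."""
        closed = self.fixed_at()
        if closed is not None:
            return "breached" if closed > self.deadline() else "met"
        return "breached" if now > self.deadline() else "open"


class Registry:
    """One record per (vuln_id, artifact, package) regardless of how many
    scanners report it; the earliest sighting wins as first_seen."""

    def __init__(self) -> None:
        self.vulns: dict[tuple[str, str, str], Vuln] = {}

    def ingest(self, finding: dict) -> Vuln:
        key = (finding["id"], finding["artifact"], finding["package"])
        seen = finding["seen_at"]
        v = self.vulns.get(key)
        if v is None:
            v = Vuln(*key, severity=finding["severity"], first_seen=seen)
            self.vulns[key] = v
        elif seen < v.first_seen:
            v.first_seen = seen  # an older sighting pulls the clock back, never forward
        v.sources.add(finding["source"])
        return v

    def report(self, now: datetime) -> dict[str, list[str]]:
        out: dict[str, list[str]] = {"open": [], "breached": [], "met": []}
        for v in self.vulns.values():
            out[v.slo_status(now)].append(f"{v.vuln_id}@{v.artifact}")
        return out


T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=20)


def demo() -> Registry:
    """Constructed sample findings in a normalised shape (not real scanner output)."""
    findings = [
        {"source": "trivy", "id": "EXAMPLE-0001", "artifact": "image:app:1.2",
         "package": "libexample", "severity": "CRITICAL", "seen_at": T0 + timedelta(days=3)},
        {"source": "grype", "id": "EXAMPLE-0001", "artifact": "image:app:1.2",
         "package": "libexample", "severity": "CRITICAL", "seen_at": T0},  # earlier sighting
        {"source": "osv", "id": "EXAMPLE-0002", "artifact": "repo:service",
         "package": "example-dep", "severity": "HIGH", "seen_at": T0 + timedelta(days=10)},
    ]
    reg = Registry()
    for f in findings:
        reg.ingest(f)
    crit = reg.vulns[("EXAMPLE-0001", "image:app:1.2", "libexample")]
    crit.transition(State.EMBARGOED, T0 + timedelta(days=1))
    crit.transition(State.REMEDIATING, T0 + timedelta(days=2))
    crit.transition(State.FIXED, T0 + timedelta(days=9))  # 7-day SLO from T0: late
    return reg


if __name__ == "__main__":
    print(demo().report(NOW))
```

The design choice worth noting is where the clock starts: it runs from the earliest sighting across all scanners, not from when a particular scanner first flagged the finding or from when the CVE was published, so an embargo period counts against the time-to-fix rather than hiding it.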


Skills and technologies: Vulnerability Management, VulnO11y, Vulnerability Lifecycle, CVE Coordination, Embargo Handling, Coordinated Disclosure, Open Source Security, Trivy, Grype, OSV, SAST, SCA, Penetration Testing, Bug Bounty, VDP, STRIDE, PASTA, Threat Modeling, Incident Response, CI/CD Security, Detection Engineering, AppSec, Architecture Review, Secure SDLC, Vendor Governance, Public Speaker.


### Director of Security Engineering, Snow Software / Flexera

2022 - 2024 | Remote | SaaS, software asset management

**Scope:** Grew from manager of 1 to leader of 15, including a reporting manager, through the Flexera acquisition.

Owned product security, application security, and cloud infrastructure security for the SaaS platform, an Azure-native, multi-tenant lift-and-shift of Snow Software's historic on-prem product.

Key contributions:

- Owned the full AppSec and cloud security toolchain on Azure: SAST, DAST, SCA, and CSPM, plus external penetration testing and the bug bounty programme.
- Platform security owner for ISO 27001 certification and the SOC 2 Type 2 attestation (Security Trust Services Criteria). Sat in audit interviews, collected evidence, and improved policies and SDLC controls across the platform. The wider GRC and CISO function orchestrated the certification programme overall.
- Led security engineering through the Flexera acquisition and team integration.
- Daily operational and strategic risk management across development and production.
- Held monthly CTO updates on security posture and progress.


Skills and technologies: Azure, Multi-tenant SaaS, Lift-and-Shift, Product Security, Cloud Security, SAST, DAST, SCA, CSPM, Penetration Testing, Bug Bounty, ISO 27001, SOC 2 Type 2, SOC 2 Security TSC, Audit Evidence, M&A Integration, DevSecOps, Application Security.


### Chief Information Security Officer, Swedish Defence Conscription and Assessment Agency

2017 - 2022 | Karlstad, Sweden | Swedish government agency, defence and protective security

**Scope:** Functional CISO, working closely with the protective security organisation (säkerhetsskyddsorganisationen) and the IT team (CIO and IT enterprise architect).

Acted as the functional CISO at the agency. Rebuilt the ISMS largely from scratch, establishing a clear separation between information governed by the Swedish Protective Security Act and ordinary information, two domains with fundamentally different handling requirements. Worked with development teams to embed security requirements into internal systems, many of which were to be accredited against KSF (Requirements on Security Functions) and had to uphold communications security.

Key contributions:

- Designed and implemented controls for both ISO 27001/27002 and protective security legislation.
- Served as acting unit manager and member of department leadership team.
- Established security requirements processes for in-house software development. Based the ISMS on ISO 27001 and 27002, and authored a requirements catalogue aligned with the information classification levels of systems.


Skills and technologies: CISO, Functional CISO, ISMS, ISO 27001, ISO 27002, Protective Security, Protective Security Act, KSF, Requirements on Security Functions, Communications Security, Information Classification, Security Requirements Engineering, Requirements Catalogue, Government Security, Defence Sector.


### Senior Consultant, Information Security, Versitile Consulting AB

2015 - Present | Remote | Independent consulting practice

**Scope:** Independent practice running alongside primary engagements.

Independent consulting practice delivering information security engagements that range from startup CISO and security advisor work to hands-on architecture, compliance, and security assessment.

Key contributions:

- Startup CISO for an AI startup. Took the company through alignment with SOC 2 and ISO 27001, maturing boilerplate ISMS content into tailored, company-specific policies. Built a GRC pipeline on Vanta and GitOps: policies authored as markdown in Git, rendered to PDF, and uploaded to Vanta through a GitHub Actions workflow. Delivered in-house OWASP Top 10 training and acted as IT security architect in feature development.
- Security advisor in the energy sector (ongoing engagement). Procurement support, policy writing and ISMS work, SIEM tuning, and applying GDPR and NIS2 to the operating context.
- Security assessment of a mid-sized SaaS product, including review of source control and the CI/CD environment.
- Senior security advisor for a web-based animal medical records system used by veterinarians to report deviations and violations (sheep diseases, for example) and to compile statistics. Advised on both data quality and security.
- Online doctor service: helped build its first ISMS and aligned operational procedures with legislation across multiple jurisdictions (Sweden, Germany, the UK, and the USA).


Skills and technologies: Startup CISO, Interim CISO, ISMS, ISO 27001, SOC 2, GDPR, NIS2, Vanta, GitOps, GitHub Actions, Policy as Code, OWASP Top 10, Security Architecture, SIEM Tuning, CI/CD Review, Source Control Review, Procurement Security, Energy Sector, Healthcare Security, Multi-jurisdiction Compliance.


### Senior Consultant & Business Area Manager, Bitsec AB

2015 - 2017 | Karlstad, Sweden | Cyber security consultancy

**Scope:** P&L responsibility for the IT and information security business area. Procurement, staffing, and delivery.

Led the IT and information security business area covering procurement, consultant assignments, and delivery. Key engagements included security architecture for a mainframe migration at the Swedish Transport Agency, developing Secure Development Lifecycle processes, and creating a cyber security strategy for a multinational corporation.

Skills and technologies: Business Area Management, Security Architecture, Secure SDLC, Cyber Security Strategy, Public Sector.


### Senior Information Security Consultant, ÅF Technology AB

2013 - 2015 | Karlstad, Sweden | Engineering and technology consultancy

**Scope:** Technical security consultant, primarily industrial control systems clients.

Technical information security for industrial control systems (ICS) covering security requirement profiling, SIEM implementation, and security reviews. Represented Sweden in SIS TK 318, the standardization committee for the ISO 27000 family.

Skills and technologies: ICS Security, OT Security, SIEM, ISO 27000 Standardization, SIS TK 318.


### Senior Information Security Consultant, Avan AS

2011 - 2013 | Oslo, Norway | Cyber security consultancy

**Scope:** Enterprise PKI specialist for large organizations.

Enterprise PKI covering design, implementation, and operations for large organizations. Also performed IT security reviews and assessments.

Skills and technologies: Enterprise PKI, Cryptography, Identity Management, Security Assessment.


### Information Security Consultant, Veriscan Security AB

2007 - 2011 | Karlstad, Sweden | Information security consultancy

**Scope:** Technical security specialist across enterprises, municipalities, and government agencies.

Technical security specialist across a broad client base including enterprises, municipalities, and government agencies. Led ISO 27001/27002 compliance assessments and served as security advisor for high-security ICS environments.

Skills and technologies: ISO 27001 Assessment, ICS Security, Public Sector, Compliance.




### Earlier Career

**Junior IT Security Consultant**, WM-data AB/LogicaCMG. 2005 - 2007 | Karlstad, Sweden.

Technical security delivery focused on penetration testing, network design, and operating system hardening for client engagements.

Skills and technologies: Penetration Testing, Network Design, OS Hardening, Infrastructure Security.


**Intern, Penetration Testing**, Validation AB. 2004 - 2005 | Karlstad, Sweden.

Supported penetration tests as a member of the penetration testing unit.

Skills and technologies: Penetration Testing, Security Testing.





## Certifications

- **CISSP** - Certified Information Systems Security Professional, ISC². Held since 2011.
- **CISM** - Certified Information Security Manager, ISACA. Valid 2018 to 2026.
- **SCF** - SABSA Chartered Security Architect, Foundation, SABSA Institute. Held since 2021.
- **27001 LI** - ISO 27001 Lead Implementer, IT Governance. Held since 2021.


## Education

- **B. Sc. Computer Science**, Karlstad University. 2012.
- **Information Security (30 ECTS)**, Luleå University of Technology. 2017.
- **Understanding Group & Leaders (UGL)**, Leadership Course. 2020.


---

Generated from https://www.davidandersson.se/resume.html. For the styled version with full context, visit the site.
