David Andersson
Information security leader with more than two decades of experience spanning enterprise architecture, compliance, and engineering leadership. Track record of building security programs from the ground up: from ISMS design and ISO 27001 certification to scaling product security teams at high-growth software companies. Equally comfortable shaping strategy at the executive table and diving into technical security reviews.
Security as a service function, not a gatekeeper. The shift from "no, you can't do that" to "yes, let's find a better way to do that" is the work. Best results come from addressing security early in the design phase and treating engineering teams as partners, not subjects of compliance.
Technical Competencies
Application Security
Security architecture, secure SDLC, threat modeling, security requirements engineering, and building security champion networks across development organizations.
Security & Compliance
ISMS implementation and review, ISO 27001/27002, risk management, incident and continuity management, vendor governance, and security legislation.
Engineering Leadership
Coaching and situational leadership, staff and budget responsibility, building and scaling security teams, and driving strategic improvement programs.
Professional Experience
Remote
SaaS observability, open source
Director of Security Engineering
Grafana Labs AB
Team of 10 across two sub-teams. Staff and budget responsibility.
Leading a team of 10 across two sub-teams: one building VulnO11y, an internal observability tool for vulnerability management across the Grafana ecosystem, and one serving as internal security consultants providing architecture reviews, vulnerability remediation support, and hands-on AppSec advisory across engineering teams.
- Built and operate VulnO11y, an observability tool that models the full vulnerability lifecycle as a state machine, from detection through CVE publication, embargo handling, and SLO-driven remediation. Ingests from Trivy, Grype, and OSV across first-party and third-party scope, and tracks the point a vulnerability entered a repository, image, or artefact against the agreed time-to-fix.
- Co-presented at GrafanaCON 2026 on the April 2025 CI/CD incident response. Full attack reconstruction, canary-token detection, and open-source forensics (Loki, Trufflehog, Zizmor, Gato-X) that confirmed no customer or user data was affected.
- Evolving threat modeling practice. STRIDE remains the default, with the team building a custom model inspired by STRIDE and PASTA to cover AI-introduced threat surfaces where classic frameworks fall short.
- Own the AppSec testing toolchain across the organisation: SAST, SCA, external penetration testing, and the bug bounty and VDP programme.
- Internal advisory function providing architecture reviews and remediation support to product teams.
- Staff and budget ownership, operational and strategic improvements across incident management, secure SDLC, and vendor governance.
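The lifecycle modelling described in the VulnO11y bullet above, shown here as an added example rather than VulnO11y's own code: a finding moves through an explicit state machine, a rescan can never move it backwards, an embargoed finding is tracked privately until an advisory is public, and the time-to-fix clock starts when the vulnerable component entered the artefact, not when a scanner noticed it. The state names, the transition table, the SLO windows and the scanner-neutral record format are assumptions made for this illustration, and the sample findings are constructed.

```python
"""Vulnerability lifecycle as a state machine with SLO tracking.

Added illustration of the approach described above; not VulnO11y's code.
The state names, legal transitions, SLO windows and the scanner-neutral
record format are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    DETECTED = "detected"        # raised by a scanner, not yet triaged
    EMBARGOED = "embargoed"      # known privately before disclosure, no public advisory yet
    PUBLISHED = "published"      # CVE/advisory is public
    REMEDIATING = "remediating"  # fix or mitigation in progress
    ACCEPTED = "accepted"        # risk accepted; the finding stays tracked
    FIXED = "fixed"              # terminal: fixed version shipped / artefact rebuilt


# Legal transitions. Anything else raises, so a noisy rescan can never move a
# finding backwards (FIXED -> DETECTED) or skip triage.
TRANSITIONS: dict[State, set[State]] = {
    State.DETECTED:    {State.EMBARGOED, State.PUBLISHED, State.REMEDIATING, State.ACCEPTED},
    State.EMBARGOED:   {State.PUBLISHED, State.REMEDIATING},
    State.PUBLISHED:   {State.REMEDIATING, State.ACCEPTED},
    State.REMEDIATING: {State.FIXED, State.ACCEPTED},
    State.ACCEPTED:    {State.REMEDIATING, State.PUBLISHED},
    State.FIXED:       set(),
}

# Assumed time-to-fix SLOs in days, keyed by severity; substitute the agreed values.
SLO_DAYS: dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    vuln_id: str               # CVE/GHSA id, or a private id while embargoed
    artefact: str              # repository, image or other artefact it was found in
    severity: str
    introduced_at: datetime    # when the vulnerable component entered the artefact; the SLO clock starts here
    state: State = State.DETECTED
    history: list[tuple[datetime, State]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.history.append((self.introduced_at, self.state))

    def transition(self, new_state: State, at: datetime) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.vuln_id}@{self.artefact}: illegal transition "
                             f"{self.state.value} -> {new_state.value}")
        if at < self.history[-1][0]:
            raise ValueError("transitions must be recorded in chronological order")
        self.state = new_state
        self.history.append((at, new_state))

    @property
    def deadline(self) -> datetime:
        return self.introduced_at + timedelta(days=SLO_DAYS[self.severity])

    def fixed_at(self) -> datetime | None:
        return next((at for at, st in self.history if st is State.FIXED), None)

    def slo_status(self, now: datetime) -> str:
        """One of: met, breached, accepted, at_risk, on_track."""
        if self.state is State.FIXED:
            return "met" if self.fixed_at() <= self.deadline else "breached"
        if self.state is State.ACCEPTED:
            return "accepted"
        remaining = self.deadline - now
        if remaining < timedelta(0):
            return "breached"
        if remaining < timedelta(days=SLO_DAYS[self.severity]) * 0.25:  # last quarter of the window
            return "at_risk"
        return "on_track"


def ingest(store: dict[tuple[str, str], Finding], record: dict, now: datetime) -> Finding:
    """Merge one scanner record into the store.

    `record` is a constructed, scanner-neutral dict; normalising real Trivy,
    Grype or OSV output into this shape is outside this example:
      {"id", "artefact", "severity", "introduced_at", "published": bool}
    A rescan of a known finding never restarts its clock; a private (embargoed)
    finding is promoted to PUBLISHED the first time a scanner reports it as public.
    """
    key = (record["id"], record["artefact"])
    finding = store.get(key)
    if finding is None:
        finding = Finding(record["id"], record["artefact"], record["severity"], record["introduced_at"])
        store[key] = finding
        if not record.get("published", True):
            finding.transition(State.EMBARGOED, now)
    elif finding.state is State.EMBARGOED and record.get("published", True):
        finding.transition(State.PUBLISHED, now)
    return finding


def status_counts(store: dict[tuple[str, str], Finding], now: datetime) -> dict[str, int]:
    """The numbers a dashboard would plot: findings per SLO status."""
    counts: dict[str, int] = {}
    for finding in store.values():
        status = finding.slo_status(now)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample data, not real findings.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store: dict[tuple[str, str], Finding] = {}
    a = ingest(store, {"id": "EXAMPLE-1", "artefact": "img/api:1.2", "severity": "critical",
                       "introduced_at": t0}, t0 + timedelta(days=2))
    a.transition(State.REMEDIATING, t0 + timedelta(days=3))
    a.transition(State.FIXED, t0 + timedelta(days=5))
    ingest(store, {"id": "EXAMPLE-2", "artefact": "repo/web", "severity": "high",
                   "introduced_at": t0}, t0 + timedelta(days=2))
    print(status_counts(store, t0 + timedelta(days=35)))
```

Two design points carry the weight here: the transition table is the only way a finding changes state, so an ingest bug surfaces as an exception rather than as a silently reset clock, and the deadline is derived from `introduced_at`, which is why the SLO view can differ from a scanner's own "first seen" timestamp.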
Remote
SaaS, software asset management
Director of Security Engineering
Snow Software / Flexera
Grew from manager of 1 to leader of 15, including a reporting manager, through the Flexera acquisition.
Owned product security, application security, and cloud infrastructure security for the SaaS platform. The platform was an Azure-native, multi-tenant lift-and-shift of Snow Software's historic on-prem product. Started as a single manager with one report, grew the function, and through the Flexera acquisition scaled to leading a team of 15 including a reporting manager.
- Owned the full AppSec and cloud security toolchain on Azure: SAST, DAST, SCA, and CSPM, plus external penetration testing and the bug bounty programme.
- Platform security owner for ISO 27001 certification and the SOC 2 Type 2 attestation (Security Trust Services Criteria). Sat in audit interviews, collected evidence, and improved policies and SDLC controls across the platform; the wider GRC and CISO function orchestrated the certification programme overall.
- Led security engineering through the Flexera acquisition and team integration.
- Daily operational and strategic risk management across development and production.
- Held monthly CTO updates on security posture and progress.
Karlstad, Sweden
Swedish government agency, defence and protective security
Chief Information Security Officer
Swedish Defence Conscription and Assessment Agency
Functional CISO, working closely with the protective security organisation (säkerhetsskyddsorganisation) and the IT team (CIO and IT enterprise architect).
Acted as the functional CISO at the agency. Rebuilt the ISMS largely from scratch, establishing a clear separation between information governed by the Swedish Protective Security Act and standard information, two domains with fundamentally different handling requirements. Worked closely with the protective security organisation and the IT team, including the CIO and the IT enterprise architect, and with development teams to embed security requirements into internal systems. Much of the work supported systems being accredited against KSF (Krav på säkerhetsfunktioner, the Swedish Armed Forces' Requirements on Security Functions) and upholding communications security.
- Designed and implemented controls for both ISO 27001/27002 and protective security legislation.
- Served as acting unit manager and member of department leadership team.
- Established security requirements processes for in-house software development. Based the ISMS on ISO 27001 and 27002, and authored a requirements catalogue aligned with the information classification level of each system.
Remote
Independent consulting practice
Senior Consultant, Information Security
Versitile Consulting AB
Independent practice running alongside primary engagements. Startup CISO and security advisor work through to hands-on architecture, compliance, and assessment.
Independent consulting practice delivering information security engagements that range from startup CISO and security advisor work to hands-on architecture, compliance, and security assessment.
- Startup CISO for an AI startup. Took the company through alignment with SOC 2 and ISO 27001, maturing boilerplate ISMS content into tailored, company-specific policies. Built a GRC pipeline on Vanta and GitOps: policies authored as markdown in Git, rendered to PDF, and uploaded to Vanta through a GitHub Actions workflow. Delivered in-house OWASP Top 10 training and acted as IT security architect in feature development.
- Security advisor in the energy sector (ongoing engagement). Procurement support, policy writing and ISMS work, SIEM tuning, and applying GDPR and NIS2 to the operating context.
- Security assessment of a mid-sized SaaS product, including review of source control and the CI/CD environment.
- Senior security advisor for a web-based animal medical records system used by veterinarians to report deviations and violations (for example, sheep diseases) and compile statistics. Supported both data quality and security.
- Online doctor service. Helped form their first ISMS and aligned operational procedures with legislation across multiple jurisdictions: Sweden, Germany, UK, and USA.
Karlstad, Sweden
Cyber security consultancy
Senior Consultant & Business Area Manager
Bitsec AB
P&L responsibility for the IT and information security business area. Procurement, staffing, and delivery.
Led the IT and information security business area covering procurement, consultant assignments, and delivery. Key engagements included security architecture for a mainframe migration at the Swedish Transport Agency, developing Secure Development Lifecycle processes, and creating a cyber security strategy for a multinational corporation.
Karlstad, Sweden
Engineering and technology consultancy
Senior Information Security Consultant
ÅF Technology AB
Technical security consultant, primarily industrial control systems clients.
Technical information security for industrial control systems (ICS) covering security requirement profiling, SIEM implementation, and security reviews. Represented Sweden in SIS TK 318, the standardization committee for the ISO 27000 family.
Oslo, Norway
Cyber security consultancy
Senior Information Security Consultant
Avan AS
Enterprise PKI specialist for large organizations.
Enterprise PKI covering design, implementation, and operations for large organizations. Also performed IT security reviews and assessments.
Karlstad, Sweden
Information security consultancy
Information Security Consultant
Veriscan Security AB
Technical security specialist across enterprises, municipalities, and government agencies.
Technical security specialist across a broad client base including enterprises, municipalities, and government agencies. Led ISO 27001/27002 compliance assessments and served as security advisor for high-security ICS environments.
Certifications
Certified Information Systems Security Professional
ISC²
Since 2011
Certified Information Security Manager
ISACA
2018 - 2026
SABSA Chartered Security Architect, Foundation
SABSA Institute
Since 2021
ISO 27001 Lead Implementer
IT Governance
Since 2021
Education & Courses
B. Sc. Computer Science
Karlstad University
Graduated 2012
Information Security (30 ECTS)
Luleå University of Technology
2017
Understanding Group & Leaders (UGL)
Leadership Course
2020