Cybersecurity · Governance, Risk & Compliance
Governance, Risk & Compliance Professional
Industrial engineer turned cybersecurity professional with 8+ years of experience
in governance, operational compliance, data protection, and security awareness — bridging
continuous-improvement methodologies with regulatory frameworks to build resilient,
auditable security programs.
approach
Compliance as a system, not a checklist.
Eight years across governance, operational compliance, SOX ITGC support, data protection, DLP,
insider-threat analysis, and ISO/NIS2/Swift CSCF alignment. I translate cybersecurity
requirements into structured workflows that cross-functional teams can actually run.
Coming from industrial engineering, I treat GRC less as paperwork and more as a problem of
designing resilient processes — ones that survive audits, turnover, and the messy reality
of real organizations.
career path
Professional experience
Dec 2024 — Present
IT GRC Specialist
Industrial sector — EU operations · Remote
- Lead the EU-wide NIS2 Directive compliance program across multi-country operations.
- Support ISO 27001, NIS2, and Swift CSCF 2025 operational requirements — documentation review and audit-evidence collection.
- Manage 7+ concurrent audits and assessments: penetration tests, investor due diligence, cyber insurance, maturity assessments, ESG cyber audits.
- Lead the ISO 27001:2022 certification roadmap across 92 applicable controls and four domains.
- Execute phishing simulation campaigns with reporting and retraining via Proofpoint PSAT.
- Develop awareness content using EasyGenerator, PowerPoint, and HeyGen; manage learning modules in SAP SuccessFactors LMS.
- Member of the internal AI adoption pilot group; automate recurring manual processes in GRC operations.
- Reestablished GRC operating procedures and documentation following significant team transition.
Jun — Aug 2024
SOC Engineer
Softtek · Client engagement (retail sector)
- Analyzed malware and suspicious activity using Trellix.
- Validated remediation steps and documented incident actions.
Jan — Jun 2024
Insider Threat Analyst
Softtek · Client engagement (healthcare)
- Investigated USB, email, and cloud alerts using Splunk and Securonix.
- Classified events on behavioral indicators; escalated high-risk cases.
Apr — Dec 2023
Project Manager — GRC Office
Softtek · Industrial conglomerate, corporate separation program
- Coordinated access remediation during a corporate separation.
- Created structured weekly reports surfacing progress and blockers.
- Consolidated ownership mapping for applications, servers, and databases.
Jun 2022 — Dec 2023
Program Manager — GRC Office
Softtek · Industrial conglomerate
- Tracked GRC initiatives across IAM, remediation, and SOX support.
- Built dashboards, templates, and workbooks to standardize documentation.
Oct 2021 — Jun 2022
IAM Analyst
Softtek · Industrial conglomerate
- Analyzed non-compliant Windows/Unix local accounts for SOX ITGC requirements.
- Coordinated remediation and documented operational procedures.
- Supported integration of accounts into credential-management solutions.
Aug 2016 — Jan 2021
DLP Analyst
Softtek · Industrial conglomerate (power division)
- Reviewed DLP alerts for offboarding employees to identify potential data leakage.
- Classified alerts by intent and escalated high-risk cases.
- Supported workflow coordination and small automation improvements.
2019 — 2020
Educator
Cecytea
- Taught English, Physics, and industrial tools at the high-school level.
key initiatives
Featured projects
NIS2 Directive compliance
Leading EU-wide implementation of NIS2 across multi-country operations: regulatory alignment, gap assessments, and remediation planning.
Tags: NIS2 · EU regulation · multi-country
ISO 27001:2022 certification
Driving the certification roadmap across 92 applicable controls and four domains — gap analysis, control owners, and evidence management.
Tags: ISO 27001 · audit evidence · controls
Phishing metrics dashboard
Power BI executive dashboard integrating Proofpoint PSAT data via paginated API, Power Query, and DAX — visualizing click rates and awareness trends.
Tags: Power BI · DAX · Proofpoint
AI integration in GRC
Internal framework — adapted from Lean VSM and Scrum — to identify, prioritize, and implement AI augmentation in business processes. Used to automate recurring manual GRC work.
Tags: AI · process design · automation
SME cybersecurity consultancy
Independent project providing awareness training and phishing simulations to small and medium enterprises — packaging enterprise-grade practices into accessible models.
Tags: consulting · awareness · SME
competencies
Skills & expertise
GRC & compliance
- ISO 27001:2022
- NIS2 Directive
- SOX ITGC
- Swift CSCF 2025
- Audit management
- DLP
- Risk assessment
Tools & platforms
- Proofpoint TAP / PSAT
- SharePoint / M365
- Splunk
- Trellix / Digital Guardian
- SAP SuccessFactors
- Power BI / DAX / Power Query
- EasyGenerator / HeyGen
Method & soft skills
- Lean / VSM
- Scrum / Agile
- Process automation
- Continuous improvement
- AI integration
- Bilingual EN / ES
- Stakeholder translation
academic background
Education & certifications
M.Sc. Cybersecurity
CEUPE European Business School — Madrid, Spain
Graduated with distinction.
B.Sc. Industrial Engineering
Tecnológico de Aguascalientes — Mexico
2010 – 2015
Certifications in progress
TÜV NORD — Internal Auditor ISO/IEC 27001
TÜV NORD — Internal Auditor ISO 22301
CISSP — in preparation
Languages
Spanish — native
English — advanced (business communication)
beyond the terminal
Personal interests
Hi-Fi audio
Fine-tuning a high-fidelity setup — Tidal via Questyle M15C DAC and Sennheiser HD 400S.
Philosophy
Exploring the deeper mechanics of systems like Alchemy and Kabbalah.
Sci-Fi
High-concept science fiction that challenges perception.
Deportivo Toluca
Because even in a zero-trust architecture, you still have to trust the process.
The goal is never just to check a compliance box; it is to build resilient systems that protect real people and real assets.
Ramón Castañeda