Thijs Verwaal

• • Designed and implemented an ISO 27001–compliant ISMS from greenfield, including continuous & automated control monitoring, enabling scalable governance for a growing SaaS organisation. Led and completed audits for ISO27001, ISAE3000 & SOC2 certifications, managing external auditors and internal stakeholders end-to-end.

• • Designed and led the AI transformation program, including roadmap, milestones, and operating model. Started with Implementing an AI governance, including AI risk assessment framework, AI technology register, and Acceptable AI Use policy.

• • Partnered with Engineering to enable secure AI experimentation and defined an AI adoption lifecycle for scaling successful use cases.

• • Defined and executed a security vision, multi-year strategy and roadmap, aligned with business growth objectives.

• • Directed security program management across IAM, vulnerability management, device hardening, security awareness, secure office IT.

• • Executed threat-led penetration testing of the SaaS platform to identify vulnerabilities and ensured remediation in a timely manner.

• • Completed customer security & privacy risk assessments as part of client due diligence, supporting sales & contract closure.

• • Led the Information Security function as 2nd Line of Defence, overseeing policy, control design and independent risk assessments.

• • Defined an AI governance including AI risk assessment framework, introduced Responsible AI Usage training to educate personnel.

• • Developed and executed an Information Security Strategy and Security Project Portfolio to remediate identified gaps.

• • Led the DORA Remediation program, coordinating several Security Projects to close operational resilience & control deficiencies.

• • Performed a Control Maturity Assessments against DNB Good Practice for Information Security, to measure and report control maturity from Second Line of Defence, ensuring audit-ready DORA compliance ahead of regulatory deadlines.

• • Supported Privacy Office with setting up similar maturity approach to privacy controls using the NOREA Privacy Control Framework.

• • Organised bi-weekly IT risk management sessions with the CTO & CFRO, delivered monthly board-level security reporting, and participated in the Business Risk & Compliance Committee.

• • Defined a Web3 cybersecurity strategy with Board approval, focused on Product Application Security risks.

• • Built & led a fully remote Global Security team, focused on Secure Product Development Lifecycle & Continuous Vulnerability Management.

• • Launched a Web3 Bug Bounty Program with $1 million bounty pool, increasing responsible disclosure & external security testing coverage.

• • Achieved CertiK Security Score of 95.18%, positioning GALA as world's most secure altcoin after Bitcoin & Ethereum.