Governance, Risk & Compliance
Building and assessing security programs against ISO 27001, NIST CSF, and SOC 2 — mapped to how the business actually operates, not just how the framework reads.
- ISO 27001
- NIST CSF
- SOC 2
Financial-sector cybersecurity & GRC
A banker who codes — cybersecurity and governance, risk & compliance for financial institutions.
Two and a half years inside a retail bank, now formalizing the security side in Riga — heading toward cyber due diligence and security advisory for banks, fintechs, funds, and M&A.
About
Security in financial services fails at the seams — between the framework and the branch floor, between the control and the person applying it at 4:55 pm on a month-end Friday. I've stood on both sides of that seam.
For two and a half years at Sampath Bank in Sri Lanka, I worked teller, head teller, pawning, and branch IT support roles — cash controls, customer verification, dual authorization, and the systems a branch depends on. That's the business, risk, and regulatory reality most security professionals only ever read about.
I also build software — full-stack web applications in TypeScript, from interface to database. Now I'm formalizing the security side: a Professional Bachelor in Computer Science at EKA University of Applied Sciences in Riga, Latvia, focused on cybersecurity and governance, risk & compliance.
The combination — banking operations, working code, and security frameworks — is rare, and it's exactly what cyber due diligence and security advisory for banks, fintechs, funds, and M&A demand: the judgment to see risk the way the business runs it, and the technical depth to verify what's actually there.
Focus Areas
Building and assessing security programs against ISO 27001, NIST CSF, and SOC 2 — mapped to how the business actually operates, not just how the framework reads.
DORA, NIS2, and PCI DSS — read from the perspective of someone who has worked under bank compliance rather than only audited against it.
Assessing the vendors financial institutions depend on — access, concentration, and resilience risk across the supply chain.
Security posture assessment for acquisitions and investments — what a target's real cyber risk looks like beneath the data room.
Selected Work
Core GRC deliverables I'm currently building, anchored to a single model financial entity. Each is published here as it's completed.
Threat-driven risk register for a model retail bank — scored, owned, and mapped to ISO 27001 Annex A controls.
Full SoA for a model financial institution — control selection with business-grounded justifications.
Current-state and target profile with a prioritized, budget-aware improvement roadmap.
Assessment framework plus a completed evaluation of a critical banking vendor — access, data, and exit risk.
Article-by-article gap analysis of a model bank against DORA's ICT risk-management requirements.
Credentials
Google Cybersecurity Certificate
In progress · 2026
CompTIA Security+ (SY0-701)
CompTIA
Planned · 2026
Professional Bachelor in Computer Science
EKA University of Applied Sciences, Riga, Latvia
Commencing September 2026
A staged certification path, pursued alongside full-time banking work — updated as each stage completes.
Skills
Contact
For roles, projects, or conversations at the intersection of banking and security — email is the fastest way to reach me.
Location: Sri Lanka → Riga, Latvia (Sept 2026)