04 · Strategy & governance
ICFR / COSO · ISO 27001 · SOC 2 · audit-readiness

Strategy & governance

Architecture authority, decision governance and audit-readiness for institutions where every material design call needs an evidence trail. Most recent measured outcome: −35% audit findings within 1 year at a UN OICT programme.

Mandate type

Decision-governance build-out for CIOs, CTOs and programme sponsors facing supervisors, internal audit or rating-agency review. Engagement window 6–18 months. Output: a governance system the institution can defend to its regulators after handover.

Anchor reference

UN OICT (2016–2019) — Zero Trust + security awareness programme reduced audit findings by 35% in 1 year across ISO 27001 / PCI DSS / GDPR / SOC 2. NATO / NCIA NDW (2023–2024) — Section-head accountability with SLA / OLA evidence discipline. Société Générale (BRD) — ICFR / COSO control alignment across 848-component portfolio.

What I do

Four offers recur on governance and audit-readiness work.

  • Architecture decision-record system. ADR template, exception governance, decision-authority matrix. Decision lead-time reduced by ~50% on multi-year programmes.
  • Control framework alignment. ISO 27001 / SOC 2 / ICFR-COSO / NIST CSF / GDPR mapped to platform controls. Evidence the supervisory function can read directly.
  • Audit-readiness build-out. Evidence discipline, control-mapping packs and CAB practice that turn audit cycles into business-as-usual.
  • Programme governance recovery. Reset of decision-rights, evidence trails and CAB practice for portfolios that have lost defensibility.

Frameworks and standards applied

Methods are scoped, not decorative. Each mandate runs against a defined framework stack so decisions remain defensible to internal audit, external supervisors and donors.

  • Architecture governance: TOGAF · COBIT · ArchiMate · ADRs · exception governance
  • Control frameworks: ICFR / COSO · NIST CSF · ISO 27001 · SOC 2 · ISO 22301 · COBIT 5
  • Data & supervisory: GDPR · BCBS 239 · DORA · EBA guidelines · PCI DSS
  • Service & change: ITIL v3 · CAB practice · CMF (Capability Management Framework)
  • Delivery: SAFe / Agile · PRINCE2 / PMI · MSP

[Infographic: institutional governance summary covering ADRs, standards, exception governance and evidence discipline.]

Scope detail
ADR + exception governance

Decision system the auditor can read

ADR template, exception logging, decision-authority matrix. The institution gets a system that captures every material design decision with its trade-offs.

Scope:
  • ADR template + exception governance
  • Decision-authority matrix (architect / sponsor / supervisor)
  • ~50% decision lead-time reduction on multi-year programmes
  • Used in production across UN, NATO, EEAS, Société Générale, IBM IC

Control framework alignment

ISO 27001 · SOC 2 · ICFR-COSO mapped to platforms

Map regulatory frameworks to actual platform controls. Audit-grade evidence the supervisory function can read.

Scope:
  • ISO 27001 · SOC 2 · ICFR / COSO · NIST CSF · GDPR · DORA
  • BCBS 239 (risk data governance) · PCI DSS · ISO 22301
  • Control mapping with named owners and evidence sources
  • Unified risk dashboard integrating SIEM + GRC metrics

Audit-readiness build-out

From annual fire-drill to business-as-usual

Evidence discipline, CAB practice and supervisor-facing reporting that turn audits into operational baseline.

Scope:
  • −35% audit findings within 1 year (UN OICT)
  • ~33% audit cycle reduction (where measured)
  • 100% evidence completeness on covered controls
  • Audit-ready compliance ahead of regulatory deadlines (Société Générale)

Programme governance recovery

Reset before the regulator asks

Decision-rights, evidence and CAB practice reset for portfolios that have lost defensibility. Re-establishes line of sight from supervisor to platform.

Scope:
  • Control reset and decision-authority restoration
  • Evidence backfill where artefacts went missing
  • CAB practice rebuilt with named approvers
  • Portfolio governance for 300+ application estates

Typical deliverables

Standard artefact set on a governance mandate.

  • ADR system with exception logging and decision-authority matrix
  • Control-mapping packs to ISO 27001 / SOC 2 / ICFR-COSO / NIST CSF / DORA / GDPR
  • Audit-readiness pack: evidence sources, owners, refresh cadence
  • CAB practice handbook and change-impact templates
  • Portfolio-governance dashboard integrating SIEM + GRC metrics
  • Supervisory-facing reporting templates (regulator, board, rating agency)

Measurable outcomes

  • −35% audit findings within 1 year (UN OICT programme)
  • ~50% decision lead-time reduction (ADR / exception governance)
  • ~33% audit cycle reduction where measured
  • 100% evidence completeness on covered controls
  • 300+ applications under unified governance (UNFCU programme)
  • 848-component banking portfolio governed (Société Générale)
  • USD 3.2M OPEX savings via Smart-Outsourcing (UN OICT)

Governance holds at audit when decision-rights, evidence and control-mapping are designed as a system the institution owns — not as an annual fire-drill the architect leaves behind.

Relevant projects · 04 · Strategy, governance & innovation · 8 matching

Projects in this domain

Engagements filtered by primary domain from the full 270+ project record. Full detail and NDA-gated evidence packs available on request.

Public
InfoSec · Privacy · Awareness

InfoSec policy, phishing exercises & PII handling

NATO / NCIA · The Hague · 2023 – 2024

Oversaw all InfoSec policies tied to Content Collaboration lifecycle management. Designed and led phishing / social-engineering exercises and awareness training. Managed privacy complaints and internal risk registers. Conducted internal audits and served as escalation point for incidents affecting PII.

Frameworks: ISO 27001 · GDPR · NIST CSF · NATO information-handling directives

Cyber Crisis Management

Cyber Crisis Management programme

IBM · 2019 – 2024

Advise on, implement and manage the Cyber Crisis Management programme: strategic crisis decision-making and large-scale crisis response, as part of one of the largest and most respected teams of crisis and continuity management professionals.

Global SOC

Global Security Operations Center oversight

IBM · 2019 – 2024

Oversee Global SOC positions in daily tasks and projects; select technology (cloud, SOA, etc.), devices and software for the network and information-security infrastructure; manage cryptographic keys in support of the CIO function as Single Point of Authority.

UN Cyberspace · Single Point of Authority

UN cyberspace concept & member-state recognition

UN HQ · New York · 2016 – 2019

Defined UN cyberspace concept and influenced UN member states to recognise UN as Single Point of Authority for UN and member-state cyberspace. Stakeholder management with budget secured to develop the collective cyberspace, cyber-security programme planning, and cyber-risk implementation.

US$125M (2015) + US$124M (2016) member-state budgets

Public
Smart-Outsourcing

UN Smart-Outsourcing programme (SOC · infrastructure · DevSecOps)

UN OICT · 2016 – 2019

Smart-Outsourcing programme covering SOC, infrastructure and DevSecOps operations. Delivered USD 3.2M OPEX savings while maintaining PCI DSS Level 1 compliance.

Frameworks: ITIL v3 · PCI DSS · ISO 27001 · COBIT 5

USD 3.2M OPEX savings

Public
Enterprise agreements

UN enterprise agreements — Microsoft + AWS with security / performance KPIs

UN OICT · 2016 – 2019

Negotiated enterprise agreements with Microsoft and AWS embedding performance and security KPIs. Yielded ~20% annual cost optimisation across UN workloads.

Frameworks: Vendor governance · Microsoft Cloud Adoption Framework · AWS Well-Architected · ITIL v3

~20% annual cost optimisation

Public
Zero Trust · Awareness

UN Zero Trust + security-awareness enterprise programmes

UN OICT · 2016 – 2019

Enterprise-wide Zero Trust programme combined with security-awareness training, improving organisational resilience and compliance maturity. ISO 27001 / PCI DSS / GDPR / SOC 2 audit findings reduced by 35% within one year.

Frameworks: Zero Trust (NIST 800-207) · ISO 27001 · PCI DSS · GDPR · SOC 2

-35% audit findings within 1 year

ENISA · EU

ENISA — National Cyber Security Strategy framework

EU · Aug 2013 – Dec 2013 · 60 working days

Member of the expert advisory group defining the National Cyber Security Strategy (NCSS) framework and action plan to improve the security and resilience of EU national infrastructures and services. Part of the task force ensuring that national eIDs work for cross-border public-service access in the EU.
