Chief Security Officer · Sweden

Elie Feghaly

22 Years Securing What Others Miss

Board-ready security leadership at the intersection of risk, engineering, and regulation. From zero-day to boardroom — turning cyber exposure into strategic advantage.

22+ Years in Cybersecurity
C-Suite Executive Track Record
EU Regulation: NIS2 · CRA · GDPR · DORA
Open to engagements
Chief Security Officer · Advisory
Stockholm, Sweden · EU Remote
22+ Years Experience · C-Suite Executive Level · vCISO Advisory Available · NED Board Mandate
Domains: Risk Strategy Advisory

Security Leadership as a Strategic Discipline

I am a Chief Security Officer with over 22 years in cybersecurity, currently based in Sweden and operating across the media, streaming, and technology sectors. My work sits at the intersection of security strategy, organisational transformation, and regulatory accountability — translating complex risk into decisions that boards can own and act on.

My career has been built on one principle: security must be measurable, defensible, and embedded in how an organisation operates — not a compliance checkbox. I have designed and led security programmes in complex, multi-vendor environments, built security functions and teams from the ground up, and developed the cultural and governance frameworks that make security sustainable at scale.

I am currently seeking Group CISO, Field CISO, vCISO, and Non-Executive Director opportunities where security is a board-level priority, and where the mandate includes shaping culture, not just managing controls.

Core Competencies
  • Security Programme Leadership & Ownership
  • Board & Executive Risk Advisory
  • Security Culture Transformation
  • Product Security Strategy & Programme Design
  • EU Regulatory Compliance: NIS2, CRA, GDPR, DORA
  • Strategic Vendor & Third-Party Governance
  • Incident Response Programme Ownership
  • Security Team Building & Organisational Design
  • Risk Quantification & Investment Prioritisation

Experience & Credentials

2020 – Present · Chief Security Officer
Media & Streaming Industry · Sweden
Owned the enterprise security function end to end — programme strategy, team leadership, regulatory accountability, and board reporting. Defined the security roadmap and drove cultural adoption across engineering and operations. Developed the organisation's first formal risk quantification framework for the audit committee and CFO. Designed the incident response programme from the ground up and led managed security partner selection and governance.
Tags: Programme Design · Board Reporting · Risk Governance · MSSP Oversight · Incident Response · Risk Quantification
2014 – 2020 · Senior Security Architect
Enterprise Technology · MENA / EU
Defined and enforced security architecture standards across complex multi-vendor outsourcing environments — setting the security baseline across multiple third-party delivery teams. Led the design of zero trust access programmes, drove compliance positioning across FDA, GMP, and regional data protection frameworks, and built the vendor security governance model that became the organisational standard.
Tags: Security Architecture · Zero Trust · FDA/GMP Compliance · Vendor Governance · Third-Party Risk
2008 – 2014 · Security Operations Lead
Managed Security Services · Regional
Operated and scaled SOC capabilities across enterprise clients. Established logging and monitoring baselines, vulnerability management workflows, and vendor security governance frameworks. First exposure to outsourcing security risk — now a specialist domain.
Tags: SOC Operations · SIEM · Vulnerability Mgmt · Governance
2002 – 2008 · Network & Security Engineer
Infrastructure & Telecoms · MENA
Built foundational expertise in network security, firewall architecture, VPN infrastructure, and secure access controls. Formative years in a high-pressure, low-margin-for-error telecoms environment that shaped a bias for operational precision over theoretical frameworks.
Tags: Firewall · VPN · Network Security · IAM

Credentials
  • CISSP (ISC²)
  • CISM (ISACA)
  • NED (Board Advisory)
  • AWS (Cloud Security)

What I Deliver

01 · Fractional CISO / vCISO
Embedded executive security leadership for organisations that need board-credible, operationally experienced security oversight without a full-time hire. Engagement scoped to 1–3 days per week. Covers programme design, team mentoring, board reporting, and regulatory positioning.
02 · Security Architecture Review
Structured assessment of cloud, application, and infrastructure security posture. Delivered as a prioritised risk register with remediation roadmap. Includes secure SDLC gaps, DevSecOps pipeline assessment, IAM review, and control coverage mapping against ISO 27001, NIS2, or SOC2.
03 · Board & Audit Committee Advisory
Translating technical risk into board-digestible reporting. Includes cyber risk quantification, metrics frameworks, regulatory exposure briefings (NIS2, GDPR), and pre-IPO or M&A security due diligence support. Designed for CFOs, audit chairs, and NEDs who need security accountability.
04 · Product Security Programme
Strategic ownership of security integration across the software delivery lifecycle. For engineering organisations that need security embedded from design to deployment — with clear accountability, measurable outcomes, and team capability transfer built in from day one.
05 · Incident Response & Readiness
Design and test of incident response programmes against realistic threat scenarios. Includes playbook development, tabletop exercises, MSSP integration review, and post-incident analysis. Benchmarked against NIST CSF and ENISA guidelines. Leaves the organisation with a durable, exercised capability.
06 · Vendor & Outsourcing Security
Security governance frameworks for organisations relying on third-party delivery. Covers vendor risk assessment methodology, contractual security requirements, audit rights, and ongoing monitoring. Specialist experience in regulated outsourcing environments with FDA, GMP, and EU data protection exposure.

Security Insights

Governance · NIS2 in Practice: What Swedish CISOs Are Getting Wrong
Transposition deadlines passed. Board accountability clauses are live. But most implementation efforts are still treating NIS2 as a documentation exercise rather than an operational shift.
Feb 2025 · 6 min read

AI & Detection · AI-Augmented Detection: Real Gains vs. Vendor Noise
After running AI Detection & Response in production, here is an honest assessment of signal-to-noise ratio, integration complexity, and where human analysts remain irreplaceable.
Jan 2025 · 5 min read

DevSecOps · Why Your CI/CD Pipeline Is Your Biggest Attack Surface in 2025
Most organisations have patched their perimeters. The new front line is the software delivery pipeline — where secrets leak, images ship unscanned, and IaC misconfigurations reach production at sprint velocity.
Dec 2024 · 7 min read

IAM · Temporary Privilege Escalation: Building Just-In-Time Access That Actually Works
Standing privilege is the enemy. JIT access sounds clean in theory — implementing it in GCP with a Slack-based approval workflow exposed every assumption we had about operational friction.
Nov 2024 · 9 min read

Let's Talk

I am selectively available for advisory mandates, board-level security oversight, and executive security leadership engagements across Sweden and the EU. Engagements are evaluated on strategic fit, not volume.

Available for new engagements — Q2 2026

"The right security conversation starts long before an incident."