
Hi, I’m Demetri!
Enterprise risk professional specializing in cyber risk and governance.
I transform uncertainty into actionable insight by advancing how we think about, measure and report on risk and opportunity.
My professional interests
Risk based decision making
I’m a strong believer in making informed, data-driven decisions that fully consider key dimensions of uncertainty – risk and reward. I’m also appreciative of the role of biases and heuristics and how they can lead to suboptimal outcomes.
Risk governance and oversight
I enjoy tackling challenges related to the translation of complex risks into clear, actionable insights that align with and support business goals. This involves a focus on candid, transparent reporting and relationship building between the board and management.
Cyber risk quantification
I’m particularly interested in using data and analytical methods to quantify cyber risk. Exploring how quantification advances the objectives of prudential regulation through evidence-based decision-making was the central focus of my MSc dissertation.
Cyber performance metrics
I’m skeptical of cyber metrics that don’t help organizations effectively track security performance or make better decisions. This is an issue I’m passionate about solving with practical, actionable solutions.
My background
I’ve spent the greater part of the past fifteen years working in the fields of enterprise and technology risk management. During this time I’ve designed and implemented risk frameworks, worked on improving governance arrangements, and spent considerable time assisting first line colleagues in the improvement of processes and controls. Most of my recent experience has been within the financial services sector; however, underpinning this is extensive experience across multiple sectors earned from my time in the consulting field.
Professionally qualified, I hold multiple certifications including CISSP, CRISC and CISA. I’ve also obtained my MSc in Risk, Crisis & Resilience Management from the University of Portsmouth. My dissertation focused on the role of cyber risk quantification in supporting the prudential objectives of financial services regulators in the Caribbean region. I actively support the continued development of the risk profession, having volunteered time to furthering the work of the Institute of Risk Management and ISACA at both the local and international level.
If you’re interested in learning a bit more about my background, you can get in touch or visit my LinkedIn profile.
My recent writing
- Risk management stopped being about understanding how things fail somewhere around the time it became more important to demonstrate that a process was followed. We now have popular artefacts hiding shallow thinking.
- Most security programs have a number of controls. The hard question rarely asked though is whether those controls would hold against an adversary actually trying to get through. The gap isn’t primarily a technical problem. It’s what happens when the systems used to evaluate security are the same ones optimized to avoid uncomfortable truths about…
- The traditional idea of inherent risk rests on imaginary scenarios and binary assumptions about controls. This piece unpacks where the concept falls apart and why better tools already exist.
Projects & Professional Contributions

Expert Reviewer – ISACA Whitepapers and Risk Related Publications
I’ve reviewed multiple ISACA publications as a subject matter expert, ensuring ISACA’s publications are technically accurate, relevant and aligned with the needs of the profession.
Some of the publications I’ve reviewed: Risk IT Framework & Practitioner Guide, IT Audit Framework (5th Edition), Certified Data Privacy Solutions Engineer Review Manual, Conducting an IT Security Risk Assessment whitepaper and the IT Policy Template for Vulnerability Management.

Course Developer – IRM’s International Certificate in Financial Services Risk Management
I worked with the Institute of Risk Management (IRM) to redevelop the learning materials for their International Certificate in Financial Services Risk Management.
My updates to the “Regulation in Financial Services” and “Introducing Operational Risk in Financial Services” modules helped ensure the course remained current and aligned with industry standards. This redevelopment led to the qualification achieving OFQUAL Level 5 recognition for the first time.

Public Speaking & Presentations
I’ve had the privilege of presenting and contributing to various webinars, workshops, and panels on topics at the intersection of technology, risk, and governance.
Topics I’ve touched on include: the benefits and myths related to cyber risk quantification (ISACA TT), practical steps to enabling an effective risk management culture (ISACA TT), the opportunities and challenges of AI adoption in the Caribbean (ACCA/BCCI) and AI’s role in fraud prevention (ACCA/IIA TT).

Teaching and training – online & in-person
Working with industry associations and academic institutions, I have designed and delivered online courses for secondary school students, technical workshops for professionals, and master’s level modules for postgraduate students.
My areas of expertise include: cybersecurity fundamentals and data protection, technology governance and risk management, cloud computing audit and oversight, and the psychology of risk, its influence on risk culture and the benefit of behavior modification in IT environments.