C-level security & GRC leader

Niek J. Nigg

C-level security & GRC leader building systems that reduce real risk — not just audit anxiety.

I design threat-driven security programs, scale governance in complex organisations, and turn compliance into engineering. Currently building daVera and helping shape the future of GRC and Governance Engineering.

  • CEO & Co-Founder, daVera · GRC Engineering Advocate
  • Co-Founder, CtrlCon
  • Senior Lecturer, Johannes Kepler University Linz
  • Former Chief Security Risk Officer & Chief Information Security Officer, Klarna
  • Former United Nations
  • Seiterndorf, Austria

At a glance

Calm by nature. Opinionated by experience. Always hands-on.

What I Do

I work at the intersection of:

  • Information Security
  • Governance, Risk & Compliance
  • Organisational design
  • Automation & GenAI
  • Culture change at scale

My focus is simple:

Build security programs that actually reduce risk.

Not slide decks. Not checkbox factories.
Real controls. Real data. Real ownership.

I believe GRC is an engineering problem — and should be treated like one.

Current Work

daVera — Founder & CEO

AI-powered Governance Engineering platform

daVera is my current venture: a new kind of GRC platform that treats governance as infrastructure.

It’s built around three principles:

  • Threat-driven, not audit-driven
  • Controls as living systems, not static documents
  • Evidence and insight as data pipelines, not manual toil

The goal is to give organisations a way to build security programs instead of performing them.

CtrlCon — Side Project

Community-driven GRC events

CtrlCon is a global, practitioner-led event series for people who are done with compliance theatre.

It’s where security engineers, GRC practitioners, and builders meet to talk about:

  • Controls that actually work
  • Automation patterns
  • Threat-driven design
  • The messy reality of scaling security

No vendor theatre. No buzzword bingo. Just real conversations.

Experience

Klarna Group — Chief Security Risk Officer

2022–2025

  • Designed and implemented Klarna’s global security and GRC model
  • Built a unified, business-aligned ISMS across all markets
  • Repositioned the second line from “audit layer” to engineering partner
  • Shifted large parts of GRC to GenAI-powered automation
  • Reported directly to the Board on group-wide risk posture

Built during a period of extreme organisational change and downsizing.

Klarna Inc. — Chief Information Security Officer

2024–2025

  • Built the full U.S. security program from scratch
  • Delivered FFIEC, NYDFS, SOX, and NIST-aligned controls
  • Supported multi-state banking licences
  • Integrated GenAI into audit and control workflows
  • Bridged U.S. regulatory reality with global group strategy

University of Luxembourg — Chief Information Security Officer

2021–2022

  • Built the university’s first formal security program
  • Implemented Zero Trust in a decentralised academic environment
  • Created a university-wide security culture
  • Balanced academic freedom with modern security standards

International Atomic Energy Agency — Information Security Officer

2018–2021

  • Rolled out ISO27001 ISMS across a UN organisation
  • Reduced phishing susceptibility from 38% to 6%
  • Introduced data-driven security operations
  • Deployed ML-based threat classification

Earlier roles at IAEA, Accenture, and Maastricht University shaped my engineering mindset.

How I Think

A few principles that guide my work:

  • Compliance should be threat-driven, not audit-driven
  • GRC is a data and systems problem
  • Controls should be continuously observable
  • Evidence collection is infrastructure
  • Culture beats policy
  • Automation beats heroics
  • Security must fit how people actually work

I optimise for risk reduction, not audit performance.

Education & Credentials

  • Long-term PhD Candidate — Applied Informatics
  • CISSP
  • MSc in Information Systems & Economics
  • ISO27001 Lead Implementer

Languages

Fluent in Dutch, English, and German.
Professional working knowledge of French and Italian.

Contact

If you’re:

  • Building security at scale
  • Rethinking GRC
  • Designing risk as infrastructure
  • Or just tired of compliance theatre

I’m always happy to talk.