25 years of enterprise security. Strong opinions. Proven results.
Certifications validate knowledge. Experience builds judgement. After 25 years working across financial services, government, manufacturing, maritime and global enterprise — including nearly 8 years leading identity security engagements at Microsoft — what I bring is not a list of qualifications. It is a precise, hard-won understanding of where security architectures succeed, where they fail, and why most organisations are solving the wrong problems in the wrong order.
Below is how I think about the discipline — and the credentials that underpin it.
Three convictions that shape every engagement
Not aspirations. Not methodology frameworks. Positions formed over 25 years of seeing what works, what fails and why.
CONVICTION 01 — ZERO TRUST
Most organisations implement Zero Trust completely backwards — and it is leaving them exposed.
The industry starts with network segmentation — micro-perimeters, firewall rules, VLAN architecture. That is the wrong starting point. In a cloud-first world, the network is not the control plane. Identity is. Every breach that matters today begins with a compromised credential, an over-privileged account or a service principal with standing access it should never have had. Zero Trust must start with identity — who is accessing what, under what conditions, with what level of verified trust — and build outward from there. Starting anywhere else is building on sand. I have seen both approaches in production environments. The network-first approach creates the illusion of Zero Trust while leaving the actual attack surface completely ungoverned.
CONVICTION 02 — SECURITY ARCHITECTURE
Reactive security costs ten times more than proactive architecture — and it still fails.
Most organisations build first and secure later. They deploy cloud workloads, grant access as needed, accumulate technical debt and call a security advisor when something breaks. By that point the remediation cost — in time, money, architectural rework and reputational risk — is an order of magnitude higher than building it correctly from day one. I have worked on both sides of this equation. The organisations that engage us before a project launches — before the first workload goes live, before the first privileged account is created — spend a fraction of what their peers spend on incident response and remediation. A well-designed security architecture is not overhead. It is the foundation that keeps projects on time, on budget and out of incident reports. Build for security from day one or pay significantly more to fix it later. There is no third option.
CONVICTION 03 — REGULATORY MINDSET
NIS2, DORA and ISO 27001 are not compliance exercises. They are your 2030 security architecture blueprint.
Too many organisations treat regulatory frameworks as bureaucratic obligations to be satisfied on paper and forgotten until the next audit. That mindset belongs to a different era. NIS2, DORA and ISO 27001 mandate a proactive, risk-based, continuously improving security posture — precisely because the threat landscape of 2030 will make today's attacks look unsophisticated. Organisations that implement these frameworks with genuine architectural intent are not just compliant. They are resilient. The ones treating it as a checkbox exercise will discover the difference at the worst possible moment — during an incident, in front of a regulator, or when a major client demands evidence of their security posture as a condition of doing business. I help organisations build for 2030, not document their way through 2025.
Nearly 8 years at Microsoft. What that experience actually means for you.
I have seen where enterprise identity architectures fail at scale — from the inside
Leading identity security engagements at Microsoft across Europe meant working in some of the largest, most complex and most heavily regulated environments on the continent — under real operational pressure, with real regulatory scrutiny. I have seen Conditional Access policies create authentication loops that locked out entire organisations. PIM deployments technically complete but operationally abandoned within months. Service accounts with permanent admin access nobody had thought to include in scope. That inside knowledge of how these systems fail in practice — not in theory — is what I bring to every engagement.
Deep Microsoft expertise. Zero commercial relationship with Microsoft.
Eight years working with Microsoft technology built deep platform expertise — and the independence to tell a client when Microsoft is not the right answer. I have no commercial relationship with any vendor. No referral incentive. No pressure to recommend a product that does not fit your architecture. I know precisely where the Microsoft identity and security stack excels and where it has genuine limitations. That combination — deep expertise plus full independence — is what makes the advice worth having.
Three things I have learned that most security frameworks will never tell you
The most dangerous privileged account is the one nobody knows about
The genuinely dangerous accounts are not the named domain admins — those are at least visible. They are the unowned service accounts running critical processes under permanent admin credentials that predate the current IT team, have no documented owner and have never been included in any access review. Every organisation has them. Almost none govern them. Attackers rely on exactly this.
A security architecture the team cannot maintain will fail within 12 months
I have seen technically brilliant security architectures abandoned within a year because nobody designed for the operational reality of the team maintaining them. PIM configurations generating so many approval requests the business bypassed them. Access reviews requiring manual effort nobody had capacity for. Operational sustainability is not a secondary concern. It is a primary design requirement.
Non-human identity is the fastest growing attack surface most organisations are not governing
AI, service accounts, managed identities, API credentials and CI/CD pipeline tokens now outnumber human identities in most enterprise environments — and they are almost universally ungoverned. No owner. No access reviews. Permanent credentials that never expire. Sophisticated attackers have understood for years that non-human identities are the path of least resistance. Most organisations are still treating identity governance as a human identity problem. It stopped being only that several years ago.
The credentials behind the convictions
Qualifications that validate the experience — not the other way around.
Industry Certifications
CISSP — Certified Information Systems Security Professional
CCSP — Certified Cloud Security Professional
Certified Identity and Access Manager
CRPO — Certified Ransomware Protection Officer
Certified AI Security Specialist
ISO 27001 Lead Implementer (in progress)
NIS2 Implementer (in progress)
Microsoft Expert Certifications
Microsoft Cybersecurity Architect Expert
Microsoft Identity and Access Administrator
Microsoft Azure Security Engineer Associate
Microsoft 365 Administrator Expert
Microsoft Azure Solutions Architect Expert
All certifications independently verifiable via Credly. Full badge portfolio available at credly.com/users/konstantinos-tsiolas
Seen enough to want a conversation?
If what you have read on this page resonates — the convictions, the experience, the way we think about identity and security — then we are probably worth talking to. Book a free Security Discovery Call and let's find out if there is a fit.
A focused conversation about your security situation. No commitment required. Available in English and Greek across Europe.