Core Team
The team behind Open Security Architecture.
OSA was co-founded in 2008 by Tobias Christen and Russell Wing, who saw the need for open, vendor-neutral security architecture patterns. What started as a collaboration between practitioners working in financial services has grown into a resource used by thousands of security professionals worldwide.
Tobias Christen
Aurelius
Tobias was the visionary behind applying design patterns to security architecture — an idea ahead of its time when he first developed it as IT Risk Strategist at Zurich Insurance in the mid-2000s, where he designed and rolled out a modular, pattern-based security architecture. He co-founded OSA with Russell in 2008 to make this approach openly available. He holds a doctorate from ETH Zurich in Information Science and has built his career at the intersection of security and product leadership — from R&D Manager through CTO and SVP Product Management at Stonesoft, to co-founding and leading DSwiss AG as CTO and later CEO, building the SecureSafe high-security platform. Now Head of Enterprise Security Architecture at Migros, he is returning to help drive the next chapter of OSA.
Key patterns
SOA Security, Network Security, Identity Management
Focus areas
- Enterprise security architecture and design patterns
- Secure product development and SaaS platforms
- Trust boundary analysis and threat modelling
- Security governance and risk strategy
Chris Lethaby
Vinylwasp
Chris joined OSA a few years after its founding and quickly became integral to its development — earning co-founder status through sheer commitment to keeping the project alive and moving forward, particularly through the Joomla years. An information security specialist with over 25 years of experience across telco, banking, payments, exchange, and government verticals in the UK, New Zealand, and Australia, he is a CISSP and SABSA Chartered Practitioner with an impressive collection of SANS/GIAC certifications (GCIA with Honours, GCFW, GSNA, GAWN, GSPA). His career includes Principal Cybersecurity Architect at the London Metal Exchange — where he led a three-year transformation programme based on CIS Controls for Bank of England CBEST STAR testing — and Head of Information GRC at Al-Futtaim. He did much of the heavy lifting on the Advanced Persistent Threat pattern.
Key patterns
Advanced Persistent Threat, Vulnerability Management
Focus areas
- Threat analysis, APT defence, and CBEST testing
- Security architecture and CIS Controls transformation
- Governance, risk, and compliance
- Community stewardship and continuity
Russell Wing
Spinoza
Russell co-founded OSA in 2008 with Tobias while leading IT Risk Strategy at Zurich Insurance, where he headed a global team of IT Risk strategists and security architects. A CISSP and CISA with an MSc in Engineering from the University of Manchester, his career spans Chief Information Security Architect and Head of IT Risk Strategy at Zurich, Information Security Governance at Visa Europe — where he established their internal PCI-DSS compliance programme — and over a decade as Head of Information Security at the London Metal Exchange, a systemically important financial institution. This breadth of experience across insurance, payments, and exchange & clearing drove the conviction that security architecture needed open, reusable patterns rather than proprietary frameworks.
Key patterns
Cloud Security, Industrial Automation (with James Pearce), PCI Full Environment, Secure AI Integration
Focus areas
- Security pattern design and NIST 800-53 control mappings
- Platform architecture and modernisation
- Compliance framework integration (ISO 27001, PCI DSS, NIST CSF)
- Assessment and benchmarking methodology
Contributors
OSA is a community effort. Beyond the core team, these contributors have shaped the pattern library.
Vitruvius
AI Architecture Partner
Claude-powered technical partner for the 2026 modernisation. Vitruvius has contributed to the enrichment and modernisation of all 35+ patterns, NIST 800-53 Rev 5 control mappings, compliance framework integration, and the platform rewrite.
Oliver Jaeschke
Contributor
Information Security and Data Privacy specialist with deep experience in security strategy, governance, risk management, and supplier security across finance and telecoms. Oliver contributed the original data loss prevention work that formed the basis of SP-013 Data Security during the Zurich Insurance era, where he worked as an IT Risk Strategist alongside the founding team. His career spans Head of Security Governance & Services and Product Owner Security Assurance at Swisscom, Information Security Officer at Avaloq, and senior consulting roles. A CISA with CAS qualifications in Integrated Risk Management and Leadership from ZHAW.
Mary Keung
Contributor
Security Risk Manager and former Head of GRC with extensive expertise in aligning IT and business controls with industry standards across financial services, airlines, and entertainment. Mary has championed multi-year initiatives to elevate security maturity, leading third-party assessments and managing GRC teams to develop first and second-line IT risk and governance practices. With global roles across the UK, Europe, the US, and Hong Kong, she brings invaluable cross-jurisdictional perspective to compliance framework mappings. Mary was instrumental in building and reviewing several of OSA's international framework mappings.
James Pearce
Contributor
Chartered Engineer (CEng) and Head of Electrical & Controls Engineering at Texkimp Ltd. James holds a PhD in Combined Heat & Power and a BSc in Electrical and Electronics Engineering, both from the University of Manchester. A long-standing IET member with deep expertise in industrial automation, control systems, and functional safety (IEC 62061/ISO 13849), he co-developed the Industrial Automation security pattern with Russell.
Krzysztof Samplawski
Contributor
Technology leader and entrepreneur with over 25 years of experience across software engineering, AI, and product development. Founder of TachyonX Ltd and creator of CharacterSphere.ai. Holds an Executive MBA from Imperial College Business School. Krzysztof identified the critical gap between security control frameworks and practical developer implementation — the insight that drove the creation of SP-041 Secure Application Baseline for Developers. His developer-first perspective is shaping how OSA makes security controls actionable for engineering teams.
Panos Zarkadakis
Contributor
Senior Manager at Detecon Schweiz and Cybersecurity Advisor with deep roots in security architecture. Panos spent nine years at Swisscom, including nearly seven as Head of Security Architecture & Business Owner IAM within the CISO organisation. He co-founded SEC Consult (Schweiz) AG, served as COO/CIO a.i. at saltech AG, and is a member and investor at Cyber Club London. He holds an M.Sc. in Information Security Management (with distinction) from Universität für Weiterbildung Krems, an Executive Certificate from MIT Sloan, and a CSA Certificate of Competence in Zero Trust (CCZT). Panos started his security architecture journey using OSA and is now contributing back — new patterns, enterprise use cases, and meta-model improvements.
The Story
OSA grew out of practical necessity. In the mid-2000s, Tobias Christen was working as IT Risk Strategist at Zurich Insurance when he had the visionary idea of applying software design patterns to security architecture — a modular, reusable approach to problems that teams were repeatedly solving from scratch. Russell Wing quickly recognised the potential and together they shaped the concept into what would become OSA.
The idea was simple: document proven security architecture patterns, map them to recognised control frameworks like NIST 800-53, and make them freely available. Chris Lethaby joined a few years later and became instrumental in the project's development and continuity. An open approach meant that the patterns could benefit from the collective experience of the security community, not just one organisation's viewpoint.
The first patterns and articles were published in early 2008. The approach was later featured in O'Reilly's Cloud Security and Privacy and adopted by security teams across financial services, government, healthcare, and technology worldwide.
Today OSA provides 35+ security patterns with over 1,100 NIST control mappings and 5,500+ compliance framework references — all freely available under Creative Commons.