Faris got into security in 2008, and by 2010 he was Head of Information Security at Bank of Jordan. Then he left to do a master's degree in cyber security in Estonia.

Following Estonia, he moved to Ireland. That's where most of his hands-on career happened. Eight years of it. He started at a Big Four firm, running security risk assessments, cyber strategy, and red teaming. His clients were top-10 banks, governments, and Fortune 500 companies. Then came GRC work and leading the red team at Integrity360. After that, security architect at Vhi.

At the end of end 2021 he came back to the region and built a cyber security consultancy, worked as a fractional CISO, running security and compliance for a portfolio of MEA fintechs. He kept seeing the same thing, and it only got heavier: more frameworks, more overlapping controls, audit prep that became a multi-week scramble, and most of that weight landing on the CISO. The platforms everyone defaulted to were built for other markets, and none of them made the job any lighter.

So he built Vamu.

On this blog he writes about GRC automation, regional frameworks, security leadership, what auditors actually look for, and what it takes for a company to pass its first review.