A technology leader with 9 years of experience managing information security in commercial and government sectors. Deeply skilled in Enterprise Security Architecture and Analysis, Threat Management, Information Security Risk Management, Security Engineering, Security Policies and Regulatory Compliance. Skilled in making security understandable to business users. Seeking an information security leadership opportunity.
Security Architect Security Risk Specialist
- Enterprise Security Architecture: Designed and led implementation for over 10 enterprise-wide security efforts spanning multiple domains and fields of knowledge. Efforts entailed strategic planning with C-Suite officers, large-scale project management, and a high level of technological complexity. These efforts resulted in the implementation of the RSA Archer enterprise Governance, Risk, and Compliance platform, secure identity and access management systems, secure remote access management systems, two-factor authentication for critical systems, and business continuity and disaster recovery programs.
- Security Architecture Analysis: Executed over 100 architectural and design reviews of information systems, applications, and networks. Authored and published the company's Windows security hardening standards and approved application listings. Led implementation of the SANS Top 20 critical controls, resulting in a 300% increase in the number of systems hardened and the elimination of over 7,000 vulnerabilities across the infrastructure.
- Threat Management: Developed and trained security staff on industry-leading threat modeling techniques. Rather than focusing on uncommon yet well-known threats, security professionals were trained to focus their efforts on threat proximity, appetite, skills, resources, and attack vectors, resulting in a 70% growth in the effectiveness of security activities and implementations.
- Information Security Risk Management: Developed and implemented the company's first information security risk management program. Integrated the ISO/IEC 27005 processes and the OpenGroup FAIR taxonomy and methodology for the management of information security risks. The program identified over 6,000 information security risks and decreased security incidents by over 60%.
- Security Engineering: Developed and implemented the security department's SharePoint 2013 intranet sites, incident management reporting systems, asset register, risk register, and a sophisticated risk crowd-sourcing solution that accepts up to a hundred submissions per day. Streamlined security communication, risk identification, and incident management responses.
- Third Party Security Risk Management: Developed and implemented the company's first third-party information security risk management program. Developed strategy for integrating information security objectives into supply chain business objectives. Efforts resulted in over 7.5MM vendor cost-savings and a 90% increase to the overall security posture with third parties.
- Security Policies, Regulatory Compliance: Authored and owned over 40 Information Security Policies, Standards and Processes. Performed annual reviews to ensure information security content was still relevant and in line with corporate and industry regulatory obligations. Provided training to departments and project teams on security compliance requirements, including internal policies, ISO/IEC 27001, PCI-DSS, Safe Harbor, and SSAE 16.
- Security Metrics and Reporting: Implemented and fine-tuned a business-centric information security metrics program. Provided business leaders with actionable insight on the state of their information security risks, resulting in greater alignment, buy-in and positive change.
- Vulnerability Management: Prevented over 3,500 existing vulnerabilities from becoming risks to the enterprise. The program identified and eliminated over 1,200 critical system vulnerabilities in the environment and resulted in the creation of a security committee chartered to review all critical information security vulnerabilities identified by the program. This program ensured that vulnerabilities were documented, tracked and remediated.
- Security Monitoring: Enhanced IT / Information security compliance monitoring to identify, assess and correct weaknesses before they could affect business objectives. Integrated the ITIL V3 process model between Security and the IT Operations Bridge. Response times to security incidents decreased, identified vulnerabilities increased by 90% and root cause identification increased by 60%.
- Security Management: Subject matter expert of a team of 7 in developing and maintaining a security awareness program, security management processes, security incident response, and security engineering advisory services. Prevented over 2,000 existing vulnerabilities from becoming security risks to the enterprise.
Sr. Manager, Security Operations Center
- Security Operations Center (SOC): Led SOC and staffed the team with Information Assurance team resources and Network Operations Center (NOC) subject matter experts from the network, server, telecom, desktop and messaging teams. Led the implementation and trained SOC staff on DIACAP compliance and security tools, including: Vulnerability Management System (VMS), Symantec Endpoint Protection (SEP), Retina Vulnerability Scanner, McAfee Sidewinder Firewall, and Cisco Secure Access Control Server (ACS).
- Computer Forensics: Led computer forensics program. Saved in excess of 1.75M in outsourced consulting services. Built a Security Incident Management, Response and Forensics Examination team and lab for managing enterprise-wide response and recovery activities for all security incidents and eDiscovery requests. The forensic examination team averaged over 100 incidents / investigations annually ranging from security incidents and internal HR cases to civil issues, criminal and fraud matters.
- Incident Response: Managed and enhanced Incident Response program, processes, and procedures. This effort resulted in faster response times, higher accuracy in root cause analyses (RCA), and relational analysis capability that mapped events to real-time data on facilities, technologies, security controls, identified vulnerabilities, and identified security risks.
- Cross Departmental Collaboration: Developed and maintained IT security policies, standards, and processes in accordance with industry regulatory obligations and to meet or exceed industry best practices. Established and led a cross-functional steering committee including members from Legal, Human Resources, Audit, and other key business units. Improved the understanding of the issues surrounding legislation that are relevant to information security.
Lead, IT Operations
- Security Awareness: Led Information Security Awareness training program which experienced a 95%, 97% and 99% increase in the number of employees who successfully completed the program over the past three years. This effort ensured compliance with internal and external regulatory obligations.
- Network Administration: Provided switch and telecommunication administration for over 1,000 Independent Telecommunication Networks (ITNs). This included cable maintenance, designing network topologies and segmentations, troubleshooting telecommunications systems, cryptographic systems, switches, modems, and routers.
- System Administration: Provided Windows 2000 / 2008 Server and Windows XP / Vista / 7 administration for over 12,000 systems. This included hardware and software installation, updates, upgrades, diagnosis, and repair in a wide range of business environments and classifications.