Cloud Security Center Of Excellence Resume
EXPERIENCE SUMMARY
- Over 18 years of experience with information technology and software development lifecycle
- Over 15 years of information security applications and systems experience
- Over 15 years of managing, troubleshooting, and identifying solutions to complex issues
- Over 15 years of Unix/Linux Systems Administration experience with knowledge of securing systems
- Over 10 years of Advanced Information Security technical skills and understanding of information security practices and policies
- Over 10 years of project management experience with systems engineering and information security
- Over seven years of managing and implementing enterprise cloud systems
- Over seven years of experience developing risk mitigation action plans through engagement with matrixed technology teams.
- Over seven years of experience facilitating remediation planning and ensuring that identified risks are properly addressed.
- Over seven years of experience communicating identified risk to business and technology teams
- Over seven years of experience reporting on identified gaps/risks and tracking remediation activities
- Over five years of experience ensuring compliance from product teams with the Information Security Program and policy.
- Over five years of experience with Cloud IT systems Security
- Over five years developing information security guidelines and procedures
- Two years of direct financial industry experience working for Wells Fargo
- Offensive Security Certified Penetration Tester (OSCP)
- Certified Information Systems Security Professional (CISSP)
PROFESSIONAL EXPERIENCE
Confidential
Cloud Security Center of Excellence
Responsibilities:
- As a Business Systems Consultant, I develop new processes and strategies to assess and strengthen the security profile of LOB applications being deployed to the internal cloud environments (both Openstack and AzurePack).
- As a major contributor and key team member for the Cloud Controls Baseline/Cloud Security Service Catalog, I develop process, strategies, and tools my team uses to aid EIS Control Owners in assessing Cloud Service Provider capabilities/controls to ensure they meet Wells Fargo quality, security, and compliance standards and requirements as defined in Policy Works, FedRAMP, and NIST
- Conducted technical assessments with LOB dev teams to identify gaps in software architecture focusing on user authentication and tracked the remediation activities throughout the lifecycle/timeline stated in the consequence model
- Create a business requirements (BRD) questionnaire with traceability back to EIS Policy and FedRAMP/NIST controls, which is a tool my team, the Cloud Security Center of Excellence (CSCoE) and LOBs use to evaluate third party cloud service providers' control capabilities to ensure they meet our policy requirements
- Created cloud security guidelines for Public and Hybrid cloud service provider assessments
- Reviewed and completed cloud security assessments for Confidential Azure and O365 products and services
- Worked with LOBs on third party hosted environment assessments and proof of concepts
- Cloud Security Center of Excellence Initiative Lead for the public cloud security review for Office 365 and AWS public cloud products and services
- Cloud Security SME for all Confidential public cloud products and services
- Cloud Security Center of Excellence SME and Liaison to the Offensive Security Red Team
- Coordinated penetration test effort on the Windows Azure Pack environment
- Conducted interviews of prospective pentest vendors
- Developed the scope document and worked with test vendor to create the statement of work for the test
- Validated findings identified in the pentest report
- Secure Admin Forest
- Coordinated and scoped the penetration testing of the Secure Admin Forest AD Environment consisting of the Privileged Access Workstations (PAWs) and network layer controls
Confidential
Windows Azure
Responsibilities:
- Open Source product group engineering security SME responsible for assessing the modules/plugins and completing required information security risk assessment requirements.
- Represented the Open Source Product line in partnerships with vendors and other functional teams to manage information security risks
- Provide consultative contribution to other business units on information security topics and requirements.
- Participated in security assessments and recommended remediation actions
- Facilitated training and overview sessions as part of feature releases/demos to the support organization
- Managed all projects related to security features/functions scheduled to be released as Azure VM extensions or VM appliances across Trend, Symantec, ScaleGrid, Redhat, CentOS, Suse, and Ubuntu Linux distributions
- Worked closely with Product Team Devs and partners like RogueWave and Redhat to track remediation activities throughout the lifecycle of Linux releases
- Worked closely with Product Team Devs and partners like RogueWave and Redhat to test security updates for stability before being added to official marketplace Linux VM images
- Managed and conducted integration testing for planned product offerings on technologies including Azure Active Directory, Azure Security Center, and next-gen security offerings
- Developed a Secure Integration Guideline and Training book for clients integrating with Azure infrastructure focused on Linux hardening and secure deployments in the Azure cloud environment
- Conducted threat modeling and built threat models and reports for all tool releases for Azure Media Services support tools
- SME for the Azure Security Center VM extension for Linux. Handled IaaS team escalations on the extension to our product group.
- Linux/Open-source SME responsible for the evaluation and testing of “next-gen” cloud security tool integration for emerging technologies like CASB, CSG proxies, and API Gateways/Endpoints
Confidential
Engineering
Responsibilities:
- Project Manager/SME focused on middleware security enhancements for threat visibility and detection, forward and return path DSL networks, and service provisioning
- Identified gaps in process and worked with management to conduct the security assessment of the pre-conversion OSS/BSS message-bus which included assessing user authentication and account management, network and systems vulnerabilities, network and endpoint compliance, web application, and virtual infrastructure
- Responsible for gap remediation planning and ensuring that identified gaps were properly addressed.
- Managed the security incident and event monitoring integration, security policy administration, and software development for the Connecticut conversion projects
- Co-designed and architected the E2E implementation of the AlienVault SIEM project, and managed the development of procedures and runbooks for all SIEM tools implemented
- As the SME I managed the implementation project for the SIEM and vulnerability and configuration management solution at the OSS/BSS layer on several provisioning systems
Confidential
Platform Engineering Security Consultant
Responsibilities:
- SME for multiple cloud projects for aging technology on a national level all across North America
- Delivered the network enhancements required to support the secure Information Rights Management (IRM) portion of the solution
- Responsible for the integration of third-party components for the Linux footprint, including the testing and bug tracking with the vendor
- Conducted testing and integration of the Information Rights Management solution to secure content and data
- Supported security architecture, solution integration, solution documentation and initial training and development
Confidential
Global Services
Responsibilities:
- Managed projects focused on the security of a billing/charging system application where my responsibilities and tasks included reporting identified risks and tracking remediation activities throughout the product roadmap
- Worked closely with customers, developers, and relevant stakeholders as the information security risk SME supporting my product unit, and working to ensure a system compliant with required policy
- Led a team of engineers responsible for security event monitoring as well as performed security assessments and audits as special services engagements
- Met with customers and presented remediation options and action plans
- Conducted training activities to create awareness and promote best practices on information security
- Provided SME expertise in security recommendations to staff and clients
- Recognized as a nominee for the Confidential Distinguished Engineer Award for contributing to the Verizon national back-office conversion project
- Co-sponsored the introduction of using internal resources to be incorporated into business continuity planning and information systems disaster recovery solutions. Identified ways in which security could be baked-into our solutions and product offerings
- Designed and implemented a prototype basic SIEM system based on syslog sinks and Splunk for correlation, which evolved into a support tool, generating revenue for the company
- Created a database of custom indicators of compromise based on heuristics and normal operating footprints for the environment, which were used in Splunk to generate alerts for our SOC
- Led development, documentation and maintenance of information security policies, procedures and standards
- Participated in system and software architecture and design inspection to develop a security baseline to ensure all configurations were appropriately secure
- Created a Security-Centric Professional Services portfolio to raise awareness and revenue for the support organization
- Performed penetration tests as part of large-scale security engagement focused on targeting encryption keys stored on servers for DRM protected content
- Conducted penetration tests as part of network security assessment for Comcast Engineering networks peering with the regional C-RAN
Technologies: NIST SP-800 Series, Secure SDLC, RESTful APIs and SOAP, Proprietary Private and Hybrid Cloud, Proprietary Secure Middleware Architecture, CentOS Linux 6 and Redhat Linux 5/6, VMWare ESXi, TLS/IPSEC, and Python Custom Tools, Wireshark, NMap, Solaris 9/10, Oracle 9i and 10g, Custom BASH Scripts, Metasploit Framework, Nessus, Custom Python Tools, Splunk, Nagios and Cisco MARS
