Technical Consultant Resume Profile
Summary
- Ensure strategic alignment of information security in support of business objectives, safeguarding data, meeting compliance, and guiding security decisions with a risk-based focus. Be a change leader that leverages application software security for more competitive products and services.
- Innovative at incorporating security practices and designs into strategic areas of a company's processes, people, and tools. Experienced at establishing and leading application security initiatives that prioritize data loss risk, enhance business performance, and strengthen business offerings.
- A keen strategist who balances application security against the practical bounds faced in implementing IT projects. Drives organizational improvements, best practices, and tools in secure software development with a team approach. Demonstrates strong collaboration skills to merge security, technology, and business value.
Experience Achievements
Confidential
Information Security IT Consultant
- Provide the solutions to build or augment Information Security risk management programs, including security assessments, roadmaps to resolving and preventing issues, and training and awareness.
- Work spans building security programs, managing and training teams on security, and helping technical and executive levels understand and make security and risk decisions, with compliance and risk management built in.
Establish and grow risk management programs
- Lead enterprise-wide risk management programs and projects to prioritize security risk, develop metrics to evaluate improvement, and establish baselines that balance security risk with business goals.
- Utilize action plans from third-party evaluations, identify the risks of interacting with vendors, analyze the risk of new technologies, and refine the security remediation process as tools for managing security risk.
Define and implement data protection compliance solutions
- Align the appropriate mechanisms, policies and procedures, and processes to the right level of data protection, software assurance, and SDLC processes.
- Guidance includes DSS-PCI, PII, HIPAA, FISMA, third-party assessments, security rollout plans and policies. Evaluate and recommend security practices to comply with the European Union Personal Data Protection Directive (EU PDPR).
Lead security programs and strategic initiatives
- Spearhead strategies and practices to integrate a security environment and its tools with business goals. Foster developer and management acceptance for security efforts and measuring effectiveness.
- Design and implement software assurance efforts for offshore software development efforts.
- Specialize in building software assurance programs, rolling out security assessment tools and processes for development teams, and gap analysis.
Implement effective vulnerability assessment and remediation
- Assist with security scans, code reviews, architecture analysis, and threat modeling for secure outcomes.
- Analyze security flaws and offer solutions that help the business implement proactive and preventative action.
Craft and communicate security training and awareness
- Customize and deliver materials that include technical bulletins, policies and procedures, and custom training to match specific security needs.
- Distill and communicate technical solutions to development, management, and executive teams in clear, meaningful, and actionable terms.
Confidential
Information Security IT Consultant
- ISO-27001/2 external security audit remediation and risk assessment
- Guided customer in ISO-27001:2013 analysis of audit results for remediation and re-audit. Applied COBIT framework to identify realistic new controls and success measures.
- Led creation of multiple enterprise policies, standards, and processes to close audit findings.
Confidential
Information Security IT Consultant
- New product security risk analysis for HIPAA, FISMA, and Department of Defense (DoD)
- Managed security risk assessment on new server/mobile client offering in the medical industry. Conducted threat modeling and triage of priorities for use in agile development of mobile client.
- Risk assessment applied HIPAA, FISMA/FIPS-140, ISO-27001 controls, and FDA guidance. Provided migration from DoD DIACAP controls to DoD controls based on NIST standards.
- Identified policies and standards on secure development lifecycle for use by off-shore development teams.
Confidential
Adjunct Faculty in Information Security Systems, Evening Courses, 2007 to Present
- Draws on daily experience in Information Security to engage and challenge the next wave of security professionals. Extends course materials with practical examples and perspectives.
- Teaches undergraduate material from curriculum and develops instructional materials for the courses:
- Designs, develops, and presents course materials based on the current text, supplementing the course with books, articles, and discussion topics. Creates project, midterm, and final examinations.
Confidential
Manager, Application and Product Security Information Risk Management
- Architected the key processes and services for establishing and growing an application security practice within a leading software company. Established the tools and knowledge used by development and quality assurance teams for secure development. Spearheaded the balanced use of outsourced and in-house security resources, enabling product lines to self-manage security while providing transparency on risk to customers.
- Drove initiatives to establish security baselines for the company's product lines and enterprise services
- Expanded and strengthened security testing to 24 Web software products, SOA and integrated enterprise products, and refined the remediation process for lowering risk levels.
- Designed metrics to identify product team responsiveness to lower product vulnerabilities and follow vulnerability trends. Integrated vulnerability monitoring with several development team defect tracking systems.
- Introduced the regular use of a leading Web security assessment tool to the product teams. Structured user training and recruited users as overall security focals.
- Spearheaded the proof of concept, approval, and integration of a third-party security firm's services across all product lines as part of regular product development. Executed practices for disclosing assessment results to third-party audits and customer inquiries on product security risk.
- Conceptualized and advocated a culture of security awareness and knowledge in the corporate enterprise.
- Fostered ongoing awareness of security vulnerabilities, trends, and best practices with brown bag lunch hour seminars and discussions sponsored by Application Security or volunteers from the product groups.
- Oversaw threat modeling and security architecture sessions across the product lines. Identified key design documents and a modeling methodology, creating standard guidelines. Provided custom primer training.
- Originated awareness and training materials for developer reference, including security bulletins as an authoritative source, code review decision trees, and a primer on key aspects of the Security Development Lifecycle for agile, pull, and waterfall methodologies.
- Expanded Application Security guidelines and practices for daily operations and internal audits. Improved the processes used by development teams for engaging Application Security and incorporating security tools.
Confidential
Information Security Technologist in Computing Security Access Services
- Delivered senior-level evaluation and direction in key security issues that affected regulatory compliance or streamlined enterprise security. Defined one of the first infrastructure security support agreements between Boeing and the United States Air Force. Ensured the correct design and implementation of a security authentication mechanism for suppliers within the company system (which also integrates suppliers across the industry).
- Advanced enterprise efforts to implement new tools and practices to enhance business efficiency.
- Architected and led the execution of functional, performance, and acceptance testing across multiple organizations for a 17M enterprise security identity project involving integration of federated identity with enterprise user accounts.
- Negotiated Service Level Agreements and Operating Level Agreements for information security services on significant projects (i.e., Boeing Tanker).
- Developed and enhanced operational metrics for improvements within a large corporate security and user account access organization.
- Delivered key analysis of efforts to implement an enterprise-wide Restricted Party List (RPL) to satisfy regulatory requirements for data export to foreign entities.
- Ensured the protection of corporate intellectual property and development of employee skill sets
- Investigated potential security incidents governed by International Traffic in Arms Regulations (ITAR) and formulated response measures.
- Led ISO 27001 certification effort within a large corporate security organization. Provided guidance on the enterprise-wide effort.
- Evaluated and identified new technologies for Data Loss Prevention (DLP) in corporate email and document distribution to support regulatory requirements for data export to foreign entities. Recommended changes to employee email to streamline communications.
- Mentored multiple information security professionals participating in skills development programs for career enhancement.
Confidential
Information Security Technologist in Application Security
- Introduced and expanded key security tools and development methodologies to minimize security risks across major business units. Implemented the company's first security test and code analysis tools. Conceived of a risk-based approach to identify and prioritize flaws in software systems with data subject to regulatory controls. Created a strategy to streamline review of key source code for security flaws. Scope spanned 8 business units and a 5,000-developer community.
- Advanced enterprise efforts to implement new tools and practices with the least business impact.
- Championed first security flaw analysis tools for software development and testing deployed across the corporation. Negotiated procurement contracts with vendors.
- Led company to be an early industry adopter of a binary code scanning service as an audit tool of vendors.
- Originated the first risk identification evaluation tool for security in software applications. Tool used in key areas with sensitive data subject to regulatory control (e.g., Personally Identifiable Information, PII).
- Introduced threat analysis and modeling tool for identifying security flaws in software architectural designs.
- Innovated first static source code analysis framework with new methods to streamline reviews.
- Championed effective security best practices and technical knowledge to reduce development rework
- Envisioned security processes, best practices, statement of work guidelines, and joint development environments for the outsourcing of software development projects.
- Integrated security evaluation and validation processes into the corporate Software Development Lifecycle (SDLC). Leveraged best practices from various methodologies, such as Microsoft's Security Development Lifecycle (SDL) and the Systems Security Engineering Capability Maturity Model (SSE-CMM).
- Performed security architecture design guidance on database and application security from a design and implementation perspective to Boeing development projects.
- Initiated the analysis and use of analysis methods, criteria, and security guidance to reduce security risk
- Appraised and evaluated code review, scanner, and other vulnerability assessment tools (open source and commercial) for use as corporate standards by the security and development teams.
- Defined recommendations in Opportunity Evaluations (OE) to executive management for how to streamline and enhance the use of software to control the release of export-sensitive data per federal regulations.
- Identified commonly occurring application security risks in the development and security assessment communities with the use of metrics.
Confidential
Application Security Service Manager in Security Perimeter Systems, 2002 to 2006
- Initiated, enhanced, and managed an application security strategy across the corporate enterprise that efficiently used evaluations, best practices, and metrics to reduce security flaws and enable secure software development. Established the company's first application security program. Developed the company's first repository for tracking software security flaws with metrics for management. Led 5 team members.
- Innovated the framework to evaluate, prioritize, and reduce security flaws used in major programs
- Architected the Application Assessments tactical and strategic approach to security assessments for the 787 aircraft program.
- Introduced practices for the secure creation and acceptance of outsource/offshore code.
- Conceptualized, implemented, and supervised application security assessment process as a service to internal customers, including development by partner, supplier, and other non-Boeing entities.
- Established the processes for evaluating project scope, performing risk reduction, and approval reporting. Conceived the approach for ranking the severity of discovered vulnerabilities.
- Standardized a method to merge security changes in a change management process.
- Established a cohesive security program that promoted effective security analysis and success measures
- Enacted a database repository for tracking evaluation efforts, capturing flaw mitigations, and providing metrics for management and approval boards.
- Identified the first corporate metrics for the operational tracking of software security flaws found in development efforts.
- Evaluated computing security infrastructure requirements for custom and commercial applications via the Internet, portals, Web services, and other types of access.
- Established analysis of design architectures for application security.
- Drove developer and management education. Shaped adjustments to secure software policies.
- Founded and led an application assessment team in efficient evaluation and guidance
- Managed operational efforts of contract and corporate labor. Evaluated and guided team work.
- Determined initial scope, scheduling, and billing for assessment efforts and assigned individuals.
- Reviewed and approved customer actions to reduce identified security flaws. Provided direction to team and customers on best-practice application controls for data sensitivity, reusable services, and tools.
- Mentored team on guidance to customers throughout all aspects of the Software Development Life Cycle (SDLC) for integrating application security and identifying value-add assessment gates.
Confidential
Adjunct Faculty in School of Management, Evening Courses
- Maximized impact on student learning by bringing professional experiences and hands-on examples to the classroom. Demonstrated diverse abilities to teach undergraduate and graduate courses across a variety of Information Technology disciplines. Showed initiative in developing additional curriculum offerings.
- Led effort to create the prototype for the university's first Information Security graduate-level certificate program. Identified target students, career opportunities, learning outcomes, and texts, and created course materials for the introductory, perimeter security, and ethics and regulatory courses.
- Provided distance learning, interactive online, and live course instruction for graduate and undergraduate courses in computer security and technology:
- Developed security curriculum for course offerings for City University, Greece. Participated in design and creation of curriculum and course materials for graduate-level security certification.
- Designed, developed, and presented course materials based on the current text, supplementing the course with books, articles, and discussion topics. Created project, midterm, and final examinations.
- Evaluated curricula of new courses and proposed text books for existing courses.
Confidential
Security Analyst in Microsoft Infrastructure Security, Short Term Project 2002
- Provided analysis of security flaws and countermeasures in early efforts to reduce business impact.
- Developed one of the first ISAPI filters for MS Internet Information Server (IIS) in C and C++ to prevent Cross-Site Scripting (XSS) vulnerabilities in Web pages.
- Analyzed common security vulnerabilities and recommended mitigations. Created recommendation whitepapers to detail the vulnerabilities and their solutions. Designed whitepapers based on internal project architecture reviews.
- Established methodology for system vulnerability assessments and testing techniques. Participated in penetration testing of applications to determine if the targets can resist attack.
- Collaborated with product development teams to provide guidelines, training, and security code reviews during design, development, and testing phases.
Confidential
Technical Consultant in Security Perimeter Systems
- Delivered programming and architecture solutions to software systems and products that utilized the network security perimeter. Supported a major Virtual Private Network (VPN) product line to enable workers to telecommute. Designed the first external network (extranet) for access by customers.
- Ensured the creation and enhancement of technical solutions that enabled secure business
- Designed and programmed Virtual Private Network (VPN) configurations and reporting tools, and customized vendor reporting tools to corporate requirements. Developed Graphical User Interface (GUI) tools to allow users to configure their communication sessions. Prototyped applications for compatibility on various operating systems. Initial beta software rollout of 200 users, increased to 5,000 users.
- Designed the external network architecture for the Internet presence of the Boeing job board. Identified requirements for network routing and firewall configurations. Coordinated implementation and testing.
- Drove the analysis, best practices, and education to raise security baselines
- Established Security Perimeter Design policies and approval methodologies based on technology analysis (including the vulnerabilities, risks, and security mitigations of products and network protocols).
- Evaluated and set Web development practices for application code signing and authentication, using Microsoft, Sun Java, and Netscape public key (PKI) technology for evaluation. Determined security risks of emerging technologies like XML, SOAP, and WSDL by building prototypes.
- Determined business requirements and alternatives for managing Internet access through forward proxy servers and directory authorization servers, including training and configuration on those servers.
- Recommended e-commerce solutions, originated technology standards, and determined best practices for customers building secure e-commerce Web sites and Web hosting.
- Mentored department staff on use of Perl, MS Access, and MS SQL Server in various UNIX and NT application support tools. Trained others on Oracle PL/SQL to expand familiarity with the product suite.