
Chief Information Security & Risk Officer Resume

Denver, CO

SUMMARY:

  • A highly motivated, strategic, results-oriented leader with over 20 years of experience in the information security and risk management field, focused on building strong security governance, policies and procedures, and INFOSEC teams, providing expert leadership, and assisting diverse organizations with developing and defining enterprise-level information security programs that balance strong security practices with the needs of the business.
  • Extremely experienced in performing Confidential information security assessments and providing security advisory expertise to senior executive management, middle management, and staff.
  • Extensive knowledge of regulatory requirements such as HIPAA, HITECH, Confidential, GLBA, FFIEC, the USA PATRIOT Act and FERPA, and hands-on experience developing compliance/governance strategies in support of industry-accepted information security frameworks: ISO 27001:2005, COBIT, the NIST series, etc.
  • HIPAA Information Security Compliance Assessment - Led a HIPAA Security project effort that assessed the HIPAA Security compliance posture for a large Midwest healthcare company. The effort resulted in the organization's ability to identify HIPAA information security risks, leading to the creation of an overall risk management process in support of internal compliance initiatives, and a Risk Information Security Office.
  • Confidential Security Assessments - Conducted Confidential compliance assessments for two of the largest retail merchants in the Midwest. Assessments included a current-state analysis against Confidential DSS Security Audit procedures, a risk-based gap assessment, and detailed recommendations in order to support an integrated control framework.
  • Information Security Program Development - Developed a comprehensive information security program for the largest Dynamite Company located in Utah. The program resulted in the agency's ability to create an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
  • Enterprise-wide Information Security Risk Assessment Development - Developed an integrated risk management program for a large Southeast bank in the North Carolina area. Leadership role performing enterprise-wide information security risk assessments leveraging industry-accepted information security frameworks (ISO 27001:2005, COBIT and NIST), as well as FFIEC and GLBA.

SKILL:

Software: Agile software development Methodology, Microsoft Office Suite, Outlook, Access, Visio, Project, Adobe Reader, Lotus Notes, Symantec Ghost/Antivirus, VMware, VirusTotal, C, C++, Java, Python, Ruby.

Hardware: RAID, ProLiant, PowerEdge, LAN/WAN, WLAN, Cisco Routers/Switches, Symantec/Cisco Firewalls, T-1, VoIP.

Operating Systems: Apple Mac, DOS, UNIX Solaris 9/10, Linux Suse/RH/FC-4, Novell Client, Windows 95/98/2000, XP Pro.

Network Operating Systems: Windows NT 4.0/2000 Advanced Server 2003 Standard/Enterprise, IIS 6.0, and Exchange 5.5-2003.

Network Services: AD, DNS, WINS, DHCP, LDAP, FTP, TCP/IP, SNMP, SSH, SSL/TLS, VPN, Confidential, PKI, PPP, MPLS.

Enterprise Tools: MySQL, Apache, Remedy, ArcSight, SourceFire, Enterasys Dragon 7, Nessus, Ethereal, HP Openview, Solarwinds, Einstein (US-CERT program), Checkpoint, Juniper Netscreen, McAfee VirusScan/ePO, Tivoli Netcool/Management Framework, Newpoint Stratus, Newpoint Compass, Spectrum Analyzer.

Compliance/Regulatory Experience: Confidential DSS, GLBA, SAS 70, SOX/HIPAA (new and old versions), FISMA, COBIT, NIST, ISO/IEC 27000 series (new and old versions), HITECH, FIPS, SSAE 16.

Forensic Tools/Software: Encase, Webtracer.

Security Enhancing Tools/Solutions: Intrusion Detection Systems (IDS), Data encryption (SHA-1, PKI, SSL, DES, IKE, etc.), Virus Protection, System Monitoring & Detection Tools (Tripwire), etc.

EXPERIENCE:

Confidential, Denver, CO

Chief Information Security & Risk Officer

Responsibilities:

  • Recruitment of information security professionals to assist with Confidential program assessments.
  • Leadership activities to include policy, standard and procedure reviews, security architecture reviews, wireless security reviews, vulnerability assessment reviews, system development lifecycle reviews, secure code reviews, access control and physical security reviews.
  • Provide Confidential subject matter expertise and education to executive management, management, internal personnel, and external vendors.
  • Lead the effort to create and present quarterly Confidential program status reports.
  • Responsible for establishing and maintaining a comprehensive plan for governance, risk, and compliance (GRC) across Health, Financial Services, including formal policy and procedure management, risk assessments, and review of controls.
  • Responsible for overall risk management including oversight of business continuity and disaster recovery contingency plans and security of business critical corporate infrastructure and information assets.
  • Serve as the company subject matter expert on privacy and security laws and regulations.
  • Built, managed and oversaw the BC/DR program.
  • Integrated Planning and Strategy: Led the development of an integrated Confidential technology strategy, updated annually, that guides technology investment strategy across Confidential business units. Developed and refined the organizational strategy for information security, governance, and compliance.
  • Planning: Working in conjunction with Confidential's directors and stakeholders, led the development of an enterprise-wide technical, people and process security strategy. Understood and investigated all of the strategic security issues within the Confidential organization and helped define them in terms of priority, solutions and strategic outcomes. Developed and facilitated input to the Confidential multi-year planning process that spans the information technology domains of Applications, Information, and Infrastructure & Security. Built a comprehensive system and framework to deliver information security programs to Confidential and individual business units. Built business cases to establish, grow and change business groups, functions and technologies.
  • Governance: Engaged major Confidential technical projects, programs and functions to understand their technical and security implications and future roadmap and to ensure appropriate security governance was in place. Led Confidential in any and all Confidential governance efforts.
  • Performance Reporting: Worked with the Program Management Office, as well as the Application Services team, in establishing business-friendly reports and metrics for monthly and quarterly reporting. Developed and maintained the KPIs and metrics used to manage the performance of the SP&A organization; worked in concert with other organizations within IT (PMO and Operations) to develop an integrated set of client-facing performance metrics that can be leveraged with business unit executives.
  • Financial Management: Managed the operational finances of the Confidential organization on a monthly, quarterly, and annual basis. Where appropriate, set and defined budget, goals and functional objectives.
  • Communications: Developed plans and materials for communicating and educating various stakeholders (business and IT) on security strategy, planning processes, key initiatives, etc. Partnered with IT and Corporate Communications on the execution.
  • Managed the annual talent review process within Confidential (performance appraisals, employee performance calibration). Managed the recruiting and talent development programs on behalf of Confidential. Managed various other day-to-day aspects of the Confidential organization, directly supporting the President. Supported the President in preparation of material and thought leadership to drive key decisions with Confidential executive leadership.
  • Supervision and leadership: Supervised a team of 3-6 FTEs. Provided a vision for the area and developed and implemented a maturation plan to develop the skills and supporting security tools/processes. Addressed current audit points and compliance issues and remediated current security vulnerabilities while being proactive and measurable in reducing the 'inflow' of new activities. Recruited staff and mentored functional managers, supervisors and employees as required. Made decisions for functional areas in normal and emergency situations.

Confidential, Salt Lake City, UT

Chief Information Security Officer

Responsibilities:

  • Responsible for determining and creating Global enterprise information security standards.
  • Developed and implemented information security standards and procedures. Ensured that all information systems were functional and secure.
  • Accountable and charged with all Global IT Audits and Risk management across the company and its subsidiaries, ensuring that the scope and span of accountability for information security remains aligned with the overall corporate risk management framework created and governed by the Chief Risk Officer.
  • Serve as the company subject matter expert on privacy and security laws and regulations.
  • Responsible for Confidential Inc and its subsidiaries passing its 2010 external KPMG and internal Deloitte Audits.
  • Reported to Chief Risk Officer & CEO.
  • Built and Managed a team of 3-20 FTEs.
  • Built, Managed and Oversaw the BC/DR program.
  • Responsible for overall risk management including oversight of business continuity and disaster recovery contingency plans and security of business critical corporate infrastructure and information assets.
  • Created and implemented specific performance targets both within Information Security department and across the company and managed performance to those targets, while escalating issues and risks proactively.
  • Coordinate security incident response, mitigation, and reporting.
  • Directed the development of security standards, processes, procedures, and architectures in line with the security strategy.
  • Established and maintained consistent independent industry certifications and/or audit reports across the firm (e.g. ISO 27001, SSAE 16).
  • Assist in the re-organization of security personnel in support of a more effective and efficient Confidential program team.
  • Recruitment of information security professionals to assist with Confidential program assessments.
  • Leadership activities to include policy, standard and procedure reviews, security architecture reviews, wireless security reviews, vulnerability assessment reviews, system development lifecycle reviews, secure code reviews, access control, and physical security reviews.
  • Provide Confidential subject matter expertise and education to executive management, management, internal personnel, and external vendors.
  • Led the effort to create and present quarterly Confidential program status reports.
  • Identified legal and regulatory requirements (e.g., Confidential, PIPEDA, Bill 198/SOX) and ensured they were enforced through policy alignment and execution.
  • Ensured compliance with security policies, standards, and procedures through security awareness and training programs and specification of performance requirements in job descriptions and Guidelines of Conduct.
  • Implemented a Corporate-wide information security awareness and training web site.
  • Performed periodic information security and privacy risk assessments and conducted related ongoing compliance monitoring activities in coordination with the company's other compliance and operational assessment functions.
  • Identified and participated in the project management process to ensure security requirements are addressed in all technology/ system projects and to ensure security compliance. Acted as the liaison with Internal Audit and the Corporate Security department regarding overlapping information security issues - e.g. investigations or badge access.
  • Participated in outsourcing negotiations and interfacing with external outsourcing service providers to ensure alignment to company security policies.
  • Acted as liaison with human resources on personnel issues related to information security (e.g. terminations due to policy non-compliance), and investigated and reported on security threats, violations, and other security incidents to management.
  • Consulted with Board of Directors and other CXOs in times of information security crises to ensure that the crises were properly managed internally and externally.
  • Advised and counseled other C-Level Executives of changes in the technical, legal, and regulatory arenas affecting information security, privacy, IT compliance, and computer crime. Advised business managers and technical personnel about the implementation of the security program in their respective areas.
  • Selected and implemented security tools (e.g. Arcsight) and executed the day-to-day accountabilities of the department including security administration.

Confidential, Ashburn, VA

Chief Information Security Officer (CISO) & Vice President

Responsibilities:

  • Chief IT security strategist, change leader, and driving force behind security improvements that safeguard data, ensure compliance, and facilitate informed advancement towards organizational goals. Managed, oversaw and directed Verizon's Cyber Security Operations within the Managed Services Solutions Division of 1000 mid-level to senior engineers, security analysts, architects, managers, and directors. Oversaw and managed a $50M annual IT security budget.
  • Advised and counseled Executive management (C-Level, COO and CIO) on specific technologies that enable secure business growth.
  • Created and ran the Information Security Office charged with creating and maintaining the Enterprise Security Architecture for all technology platforms.
  • No vulnerabilities were exploited for over 30 months once the program was established.
  • Responsible for overall risk management including oversight of business continuity and disaster recovery contingency plans and security of business critical corporate infrastructure and information assets.
  • Serve as the company subject matter expert on privacy and security laws and regulations.
  • Responsible for managing a unified privacy, security, and compliance program across all divisions and associated offices.
  • Built, Managed and Oversaw the BC/DR program.
  • Defined company security standards based on industry standards and best practices. Provide implementation guidance and review progression toward compliance.
  • Coordinate security incident response, mitigation, and reporting.
  • Establish and maintain consistent independent industry certifications and/or audit report across the firm (e.g. ISO 27001, SSAE 16).
  • Provided expert technical advice, guidance, and recommendations on IT cyber security issues to management and other specialists, such as the federal government.
  • Implemented a Corporate-wide information security awareness and training web site.
  • Led, administered, developed, delivered, and/or supported information technology systems and services in a cyber-security.
  • Established and implemented information security and cyber security policies, directives, and guidelines in supporting IT security applications.
  • Maintained information security processes and security control standards for application development and technology deployment.
  • Charged with evaluating new security technology and conducting vulnerability assessments.
  • Developed and delivered high-value services that benefit customers and differentiate the company.
  • Developed client satisfaction measurement tools for each offering.
  • Managed, grew, coached, and elevated the skills of the current team.
  • Conducted HIPAA Security assessments for large lending institute in the Midwest area.
  • Developed and managed schedules to maximize utilization and optimize performance.
  • Carried responsibility for effectively forecasting the business.
  • Established performance metrics and tools to measure effectiveness and optimize the business.
  • Worked closely with company executives, sales, customer support, product management, and engineering.
  • Supported marketing efforts to clients and prospects with best practices, case study, and content derived from the services group.
  • Managed client level and overall profitability on service offerings including end-to-end product management of services.
  • Supported product and development teams in providing client feedback and input on software offerings.
  • Ensured systems and processes were documented and optimized through product improvements and operational efficiencies.
  • Collaborated with other customer facing teams including sales team, client support and implementation teams to provide a holistic customer experience that grows revenue and delivers exceptional customer satisfaction.
  • Provided engineering analysis, design, and support for firewalls, routers, networks, and operating systems.
  • Developed the organization's strategic risk-based information security program in support of enterprise HIPAA initiatives and defined a HIPAA security road map in support of new business processes.
  • Collaborated to establish new relationships with hospital directors, home health care directors and short and long term nursing facilities.
  • Created an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
  • Provided engineering support for implementing the strategic architecture of networks; provided network design and implementation direction; provided expert engineering in support of problem resolution; supported product evaluation and integration; network hardware and software/system testing; strategic planning; and emerging technology investigation.
  • Monitored security audit and intrusion detection system logs for system and network anomalies.
  • Monitored the user access process to ensure operational integrity of the system. Enforced the information security configuration and maintained the system for issuing, protecting, changing and revoking passwords.
  • Developed technical and programmatic assessments, evaluated engineering and integration initiatives, and provided technical support to assess security policies, standards, and guidelines.
  • Implemented, enforced, and communicated security policies and/or plans for data, software applications, hardware, and telecommunications.
  • Performed product evaluations, and recommended and implemented products/services for network security. Validated and tested security architecture and design solutions to produce detailed engineering specifications with recommended vendor technologies.
  • Provided firewall, intrusion detection, intrusion prevention, and antivirus engineering and technical support necessary to design, implement, and maintain the customer infrastructure.
  • Reviewed and recommended the installation, modification or replacement of hardware or software components and any configuration change(s) that affect security.
  • Provided enforcement of security directives, orders, standards, plans, and procedures at server sites. Ensured system support personnel received/maintained security awareness and training.
  • Maintained data on, and communicated to management, the impact on business/customers caused by theft, destruction, alteration, or denial of access to information.
  • Assessed security infrastructure, and network system design to evaluate and ensure system/network security.
  • Served as Deputy Chief Designated Authority personnel for the development and maintenance of the overall system security document, the Information System Security Plan, which contains all necessary security procedures, instructions, operating plans, and guidance.
  • Worked with Application Development Engineering (e.g. Secure Coders) teams to integrate the security architecture with applications including single sign-on and role based access control.
  • Participated in the development or revision of System-specific security safeguards and local operating procedures that were based on specific regulations.
  • Provided IT security consulting to system owners as to the other security documents, for example, security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, and contingency plans.
  • Performed monthly vulnerability assessment scans (Tenable Nessus, Security Expressions, Nmap, etc.) and system test and evaluation tasks for assigned systems.
  • Performed systems engineering and design architecture tasks in the areas of information assurance and information security.
  • Highly knowledgeable of information assurance and security engineering principles involving telecommunication security, network security, computer security, key management and other areas of information assurance.
  • Excellent implementer of communication and team-working skills while working with a large team and executive management (CIO, COO) involved in the implementation of security solutions embedded for both Government and Commercial Systems products.

Confidential, VA

CISO & GSOC Managing Director

Responsibilities:

  • Performed network security monitoring by analyzing events from various Network-based Intrusion Detection Systems (NIDS) as primary Incident Handler for the Night Shift responsible for IDS logs, proxy services, incident response, opening/updating trouble tickets, and answering calls in a 24X7 Security Operations Center (SOC) environment.
  • Coordinate security incident response, mitigation, and reporting.
  • Built, Managed and Oversaw the BC/DR program.
  • Managed, grew, coached, and elevated the skills of 20 FTEs.
  • Identified suspicious and malicious activities, tracked malicious code (i.e. worms, viruses, Trojan horses, etc.), and created trouble tickets for the removal of unauthorized software.
  • Created an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
  • Implemented an Agency-wide information security awareness and training web-site.
  • Lead security analyst responsible for streamlining the information security administration process, violation reporting, supporting documentation and defining security response times. Spearheaded the information security compliance reporting process.
  • Analyzed correlated security events using a Security Event Management System (ArcSight), Cisco Routers, Cisco PIX and Symantec Gateway Firewalls in order to identify malicious traffic, and perform forensic analysis.
  • Assisted with the creation of policies and procedures for the Computer Security Incident Response Center (CSIRC) systems.
  • Provided support for Network-based Intrusion Detection Systems (NIDS) within a distributed environment on multiple platforms including UNIX, Linux and Windows operating systems.
  • Conducted performance measures and audits to ensure network and installation sites conform to critical security guidelines.
  • Lead on all computer incidents involving company assets, viruses, spyware, and allegations of misuse; coordinated mitigation procedures with DHS components, filed incident reports, and monitored all Internet-facing services for attacks.
  • Highly knowledgeable in securing evidence, TCP/IP, OSI Model and protocols, routers/switches, DNS, 802.11 technologies, VPNs, Classified Data Spillage (Top Secret and below).
  • Mentored younger members of network security group in new IDS troubleshooting, packet analysis and security architecture design procedures.

Confidential, Ashburn, VA

Manager, Information System Auditor

Responsibilities:

  • Provided technical analysis of voice and data services for large commercial accounts.
  • Supervised a team of 12 FTEs.
  • Performed IT General Control reviews in support of Sarbanes-Oxley (SOX) federal regulatory requirements.
  • Responsible for the creation of IT Governance framework.
  • Implemented a Corporate-wide information security awareness and training web-site.
  • Leadership responsibilities include supervision of staff members, promotion of teamwork through collaboration, performance management reviews, and goal setting exercises.
  • Provided productivity analysis for installation of a bridge to services that would increase voice usage between integrated Wide Area Network (WAN) services.
  • Resolved control issues surrounding system access.
  • Communicated daily with System Engineering, Business Implementation, Presales, and Customer Financial Services.

Confidential, Lorton, VA

Manager of IT Security Service

Responsibilities:

  • Supervised a team of 15 FTEs.
  • Leadership responsibilities included pre and post sales support, project management, mentoring junior staff and product support.
  • Built, Managed and Oversaw the BC/DR program.
  • Responsible and accountable for the design, implementation, and monitoring of security systems across client networks.
  • Implemented a corporate-wide information security awareness and training web site.
  • Leadership role performing enterprise-wide information security risk assessments leveraging industry-accepted information security frameworks (COBIT, ISO 27001).
  • Developed an information security compliance program in support of business initiatives and regulatory requirements.
  • Responsibilities include compliance program development, establishment of monitoring and compliance activities, development of a formal risk assessment process, information security policy, standard and procedure development and management.
  • Provided operation support to client operations related to security control, monitoring, auditing.
  • Established and maintained positive relationships with internal, external, and third-party vendors.
  • Provided operation support to Firewalls, IDS, ACL, and Syslog Analysis.
  • Remained current on new threats, patches, and operational improvements that relate to information security and pertain to client managed services including TCP/IP, Cisco network equipment, PIX firewalls, IDS, VPN devices, Syslog gathering and analysis etc.
  • Researched, evaluated, designed, tested, recommended, and planned implementation of new or improved information security practices.

Confidential, Dulles, VA

Lead IT Security Analyst

Responsibilities:

  • Provided technical analysis of Security incident and responses.
  • Responsible for the development of a risk management program framework.
  • Managed, grew/hired, coached, and elevated the skills of 10 FTEs and 50 Contractors.
  • Assisted in maintaining and troubleshooting the internal network setup dealing with the projects at hand.
  • Provided and resolved Tier II customer support to all Confidential clients of IT Security Incidents.
  • Oversaw disaster recovery and backup policy implementation and maintenance. Identified requirements; designed, created, and maintained disaster recovery system.
  • Network and Security analysis/assessments and security monitoring.
  • Provided technical leadership to the enterprise for the information security program.
  • Mentored and trained others in information security.
  • Recommended preventive, mitigating, and compensating controls to ensure the appropriate level of protection and adherence to the goals of the overall information security strategy.
  • Maintained and enforced Confidential's corporate global security policy.
