
Principal Advisor Resume


SUMMARY:

Seeking an Executive (CISO, EVP, Director) Management or Principal position within Information Security and Cyber Security, Risk and Compliance management. Results-oriented, internationally recognized Cyber Security, Enterprise Risk Management, and technology leader offering over 28 years’ experience in leading technology programs in diverse industries. Skilled in Enterprise Security Architecture, Application Security, Privacy, Compliance, Security Awareness, Disaster Recovery, Business Continuity and more.

AREAS OF EXPERTISE INCLUDE:

  • Enterprise Risk Management
  • Capital Management | DDoS | DLP
  • Risk Appetite & Tolerances
  • Risk Mitigation Strategies
  • Compliance, Governance & Controls
  • Corporate Turnaround
  • Asset Liability Management
  • Economic Capital | Data Privacy
  • Risk Evaluation & Analysis
  • Thought Leadership | M&A
  • Credit, Market & Operational Risk
  • Cyber Risk & Compliance

CAREER TRACK:

Confidential

Principal Advisor

Responsibilities:

  • Transformed the Internal Audit program to better align senior leadership and Audit Committee expectations, reliance and confidence.
  • Developed and executed re-alignment of the organizational enterprise risk management framework and annual risk strategy by participating in the business planning process for the broad strategic plan of the organization and delivering greater predictive Enterprise Risk analysis.
  • Maintained effective communication to provide the Board of Directors, executive management, rating agencies and regulators greater assurance of the effectiveness and sustainability of embedding operational risk management, oversight, governance and control processes within the business.
  • Performed step changes in managing cyber security risks by improving an organization's governance, strategy, operational models and technologies for new acquisition/disposal, investment practices, product/business development, operational processes, reputation risk, business continuity plans and management, etc.
  • Authored security standards and created a standard methodology for vendor and third-party security assessments and KRI / KPI dashboards.
  • Enhancement of Technology Risk, Security Governance, and improvement of the Information Security Functions.
  • Performed comprehensive ISO 31000 / 27001 Global Risk / NIST 800-53R4 / SANS / OWASP / Security Assessment and addressed identified issues, reducing vulnerabilities by more than 80% for the annual internal audit. Led compliance with Personally Identifiable Information (PII), Data Loss Prevention (DLP), Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standard (PCI), European Banking Authority (EBA), EU Privacy Directive, SWIFT, Know Your Customer (KYC), ITIL / ITSM, CoBIT, and Basel III audit plans for the Core Banking applications and services, e-Banking, Mobile Pay, Home Pages, etc.
  • Established regulatory and compliance programs with Operational Control and Support Team (OCS), Network Operations Center (NOC), Security Operations Center (SOC), Distributed Technologies Operations Center (Confidential), Applications Operations Center (APOC), Basel, SOX, PCI, SWIFT and ECC/EBA guidelines for the Data Center migration from IBM to Confidential Bank.
  • Led Advisory services and helped create a dedicated Security Events Center group to monitor IS controls and provide an incident response capability that resulted in a less-than-15-minute disruption to operations during the 2016 DDoS attack campaign. Built the Digital Forensics capability that eliminated costly outsourcing of incident investigations.
  • Implemented reporting systems to ensure that risks are adequately monitored and communicated; that control breakdowns are reported and key constituents (boards, audit committees, etc.) understand such risks in an effective and timely manner.
  • Created new initiatives, such as risk self-assessments and operational reviews, to assist management in improving operations, identifying control weaknesses and increasing the value-add contribution of internal audit. Supervised risk reviews, gap and vulnerability assessments and penetration testing against web applications, servers and networks.
  • Consistently addressed US and EU concerns over Data Privacy. Member of and Advisor to the Information Security Management Committee and Security Incident Response Teams.
  • Defined processes, procedures, and strategies to implement Data-at-Rest / Data-in-Transit Encryption, Data Loss Prevention (DLP), Data Masking, and Data Identification solutions.
  • Led implementation and integration of the AppDynamics Alert Logic Threat Management system, and responded to client questionnaires demanding security posture and compliance status.
  • Led integration of IDM with enterprise SAPM / LDAP to manage provisioning and de-provisioning of HPA accounts and integrated CyberArk to manage the HPA user password vault.
  • Fostered relationships with third-party CISOs. Recommended to the CISO the creation of Information Security Architecture, Software Security, Cyber Security, Cyber Security Governance, and Forensics teams to expand on the Operations, Third-Party Assessment, and Incident Management teams.
  • Provided a roadmap for integration of Operational Risk into the ITIL / ITSM framework. Directed the oversight of risk probability and impact, inherent and residual risks, KRIs, KPIs, triggers and risk mapping, gaps, and testing. Supervised testing of key controls over operations and IT infrastructure.
  • Worked with a cross-functional team in leading the mapping of business-critical services down to the lowest IT components. Provided Gap/Fit analysis, Impact analysis, and Single Points of Failure (SPOF) in the ITSM, CMDB, Asset Management and ServiceNow Transformation roadmap.

Confidential, San Ramon, CA

Principal Advisor

Responsibilities:

  • Risk-assessed data center production and DR processing with respect to probability and impact of risk in Integrity, Authorizations and Availability. Identified areas of exposure and worked across IT to mitigate the risks. Implemented governance, risk and compliance processes including: corporate IT policy and technical configuration standards and functional procedures.
  • Led implementation of Global Strategic Security and Enterprise-wide Risk Management: Strategy, Governance, Policy, Standards, Processes, Controls and Documentation (Process Narratives, Procedures and Effective Security Operations).
  • Led an initiative with the General Counsel to develop a data privacy Policy and implement a data protection strategy, bringing the organization into compliance with global privacy regulations. Conducted a comprehensive PII inventory, using it to identify the applications which required database encryption controls.
  • Created and implemented an internal privacy program to comply with changes in applicable data privacy laws. Developed and rolled out a communication campaign driving the new privacy concepts into operations and resulting in mitigation of immediate potential risks as well as creating a competitive edge in new business.
  • Mapped internal security controls for Critical Business Information (CBI), PII, SOX, PCI, HIPAA, FDA, EC, SAS 70, OWASP, FFIEC, FISMA, FDIC, Data Loss Prevention (DLP), CoBIT and ITSM using ISO 27001 / 27002 / 17799 / 27017 / 27018, NIST 800-53, SANS, FedRAMP CCM and established enterprise architecture, security governance, compliance and IT risk management for ITIL/ITSM.
  • Implemented vulnerability assessment and penetration testing processes to identify risks and rank them for resolution. Defined a process to help ensure authorization of privileged accounts.
  • Reduced downtime from DDoS attacks through standard monitoring and operating procedures.
  • Defined processes, procedures, and strategies to implement Data-at-Rest / Data-in-Transit Encryption, Data Loss Prevention (DLP), Data Masking, and Data Identification solutions.
  • Led implementations and integrations of HPA Splunk logs and analytics with Securonix Apps for centralized data loss prevention monitoring.
  • Led implementations and integrations of enterprise CyberArk to manage the HPA user password vault. Led integration of IDM with enterprise SAPM / LDAP to manage provisioning and de-provisioning of HPA accounts.
  • Evaluated vendors and tools selection for the BCP/DR solutions.

Confidential, Pleasanton, CA

Chief Information Security Officer

Responsibilities:

  • Enhancement of Enterprise Risk, Technology Risk, Cyber Security Risk, Cyber Security Governance and improvement of the Information Security Function.
  • Establishment of Legal and Regulatory Compliance, Business Continuity Management and Disaster Recovery Program.
  • Developed Risk Management methodology, including a process for formal acceptance of risk. Ensured compliance with regulations, client commitments, and essential security practices to strengthen data protection controls and awareness. Authored data classification and protection policies and drove the establishment of a data privacy.
  • Led the business in developing and introducing new Policies and Procedures, such as new acquisition/disposal, investment practices, product/business development, operational processes, reputation risk, business continuity plans, etc.
  • Provided third party risk management advisory services to business partners on a variety of business issues including new business and product ventures, fully integrating risk management into marketing and new business initiatives, participating in strategy and risk workshops.
  • Presented the information security strategy to external examiners that elevated confidence / support by regulators.
  • Defined new information security organizational structure, built and aligned teams as partners to technology and business units, and grew the team from 9 to 65 across Security Architecture, Security Operations, Security Event Center, Security Consulting, Cybersecurity, Data Protection, Third-Party Assessment and Remediation framework aligned with Corporate Information Security Standards.
  • Built the Security Consulting team to integrate information security within the business units.
  • Created a dedicated Security Events Center group to monitor IS controls and provide an incident response capability that resulted in a less-than-15-minute disruption to operations during the 2013 DDoS attack campaign. Built the Digital Forensics capability that eliminated costly outsourcing of incident investigations.
  • Drove the establishment of a formalized Risk Acceptance Process; the development of Monthly Risk Reports for each business unit; the creation of a Risk Assessment Process based on data privacy or network access; and the adoption of Annual Third-Party Penetration Testing program.
  • Identified and mitigated offshore deployment risks, particularly those related to data privacy and security. Created a program to identify these risks and implement appropriate controls to mitigate them, resulting in the maximization of the number of functions deployed and a realized savings of 20% on operational costs.
  • Built and guided the Information Security Architecture team in authoring the Security Architecture Framework that defined the criteria and entrance process for projects to request security architecture reviews.
  • In the absence of comprehensive record retention policies & procedures, established a records management program using holding periods based on regulations applicable to all lines of business. Eliminated a significant volume of documents held in off-site storage and established more effective management of retained documents, resulting in a 40% savings on storage vendor costs and the mitigation of data privacy risks.
  • Assessed the impact of platform transitions and mergers and acquisitions on the customer’s risk profile and recommended remediation.
  • Achieved Sarbanes-Oxley (SOX), HIPAA, PCI, Compliance Business Integrity (CBI) Auditing and Monitoring Standards, Personally Identifiable Information (PII), Data Loss Prevention (DLP), FDA, FDIC, 21 CFR 820, SAS 70, and other security compliances by developing and implementing enterprise-wide IT controls using COBIT, ISO 2700x, NIST 800-53R4, SANS, OWASP, FISMA, FFIEC, FedRAMP CCM, and ITIL/ITSM.
  • Served as the enterprise focal point for computer security incident response planning, execution and awareness. Created and provided ongoing specific business-wide security awareness plans and training.
  • Improved IT infrastructure operations of the UltraDNS product line (including DNS shield, DNS adv, Anti-DDoS strategies). Developed go-to-market strategy for DNS product lines, managed annual budgets for product support & operations.
  • Led team in re-architecting network infrastructure, implementing Intrusion Detection and Multi-Factor Authentication, and deploying Web Application Firewalls (WAF) and Splunk log evaluation platform.
  • Defined Business Continuity / Disaster Recovery Plan, deployed vulnerability scanning, and automated the patch management / change control function.
  • Established an Operational Change Control Review Process and Approval Committee; created a Software Security Function; and authored a comprehensive suite of security policies.

Confidential, Beaverton, OR

Senior Program Director

Responsibilities:

  • Worked globally to develop and implement governance risk and compliance processes including: Operational Risk and Self-Assessment Frameworks, Gap Assessments, Top 10 Corporate Policies, Standards and Processes with focus on Information Security product and process, change management, continuity of business; and 37 detailed technology checklists for self-assessments.
  • Expanded the role of the Information Security Committee to approve policies and endorse information security goals for large Data Protection, Third-Party Assessment, Threat Intelligence, and Business Continuity Planning programs.
  • Grew the Information Security and Operation Engineering teams to support Network Access Control, Application Whitelisting, Privileged Access Control, Log Standardization, ArcSight SIEM Expansion, Web Application Firewall (WAF) Expansion, Cloud Security, and Dynamic Application Testing projects.
  • Performed oversight of 2 third-party assessments and championed all efforts to strengthen data protection controls and awareness. Authored data classification and protection policies and drove the establishment of a Data Privacy Attorney and the appointment of a Chief Privacy Officer.
  • Led risk assessments, security reviews, gap and vulnerability assessments to ensure IT and outsourced vendors complied with corporate processes.
  • Increased Audit Satisfactory rating by performing pre-audit risk and vulnerability assessment testing and projects.
  • Spear-headed the development and implementation of Risk and Control Self Assessments for corporate processes and technologies.
  • Implemented a comprehensive risk-based information security program defined in a written set of policies and standards which were aligned with ISO 27001.
  • Authored security standards and created a standard methodology for vendor and third-party security assessments.
  • Directed the implementation of an industry-first distributed security model including IPS, Firewall, Botnet and DDoS threat protection services across all regions, protecting all partner Cloud centers with a 100% uptime guarantee.
  • Established a Data Loss Prevention (DLP) Audit System and Risk Management framework to be SOX-compliant, utilizing Sarbanes-Oxley best practices and system integrity.
  • Built an enterprise Malware and End-Point Program, implemented a Patch / Vulnerability Management Program, instituted annual penetration testing, and deployed an Encryption-at-Rest strategy for all sensitive data.
  • Conducted a comprehensive Business Impact Analysis which identified key business functions and systems in need of Disaster Recovery and Business Continuity Plans and alignment of the security program with business objectives.
  • Evaluated effectiveness of Organizational Change Management activities and the change program, including communication to enable implementation of strategic, operational and tactical governance, risk, security and compliance frameworks.
  • Created and implemented an internal privacy program to comply with changes in applicable data privacy laws. Developed and rolled out a communication campaign driving the new privacy concepts into operations and resulting in mitigation of immediate potential risks as well as creating a competitive edge in new business.
  • Developed Information Security Management frameworks and client services.

Confidential, Pleasanton, CA

Principal Program Manager

Responsibilities:

  • Established the information security strategy and program focused on risk management, governance, controls, and continuous improvement.
  • Assessed technology-centric proposal developed by consultants and advocated a holistic risk management-based information security approach to CSO, CEO, and Executive Management Committee.
  • Wrote a 4-pillar strategy (22-point plan and 3-year execution roadmap) to transition organization from a reactive approach focused on security controls to a proactive risk-based decision making model.
  • Worked with internal and external auditors, security team and senior management in reviewing and drafting security Processes, Procedures and Policies for HIPAA, PII, SOX, PCI, FDA and SAS 70.
  • Led Operational Risk, IT Risk and ERM including BCP, Information Security, SOX, PII, PCI, FDA, HIPAA, SAS 70, RCSA, Data Loss Prevention (DLP), KRIs, Privacy, and Governance. Led Qualification, Stress Testing, Recovery and Resolution.
  • Mapped security controls for FDA, PII, HIPAA, PCI, SOX, ITIL/ITSM using ISO 27001, 27002, 27017, 27018, NIST 800-53, SANS, OWASP, FedRAMP CCM, FFIEC, FISMA and established security governance, enterprise architecture and compliance management for IT risk.
  • Led an initiative with the General Counsel to develop a data privacy Policy and implement a data protection strategy, bringing the organization into compliance with global privacy regulations. Conducted a comprehensive PII inventory, using it to identify the applications which required database encryption controls.
  • Built an enterprise Malware and End-Point Program, implemented a Patch / Vulnerability Management Program, instituted annual penetration testing, and deployed Encryption-at-Rest and Data Loss Prevention (DLP) strategies for all sensitive data.
  • Built and deployed file integrity monitoring, log monitoring, encrypted remote access, encrypted data store, and a system of virtual machines that guaranteed data deletion.
  • Drove the build out of firewalls, intrusion detection, load balancing, and secure web / application / database servers.
  • Successfully resolved extended DDoS attack against company and led re-architecture of network/security for future attacks.
  • Established a fully automated metrics program along with key performance indicators (KPIs) to drive performance and track compliance.
  • Drove the establishment of a formalized Risk Acceptance Process; the development of Monthly Risk Reports for each business unit; the creation of a Risk Assessment Process based on data privacy or network access; and the adoption of Annual Third-Party Penetration Testing program.
  • Increased Audit Satisfactory rating by performing pre-audit risk and vulnerability assessment testing.
  • Led team in re-architecting network infrastructure, implementing Intrusion Detection and Two-Factor / Multi-Factor Authentication, and deploying Web Application Firewalls (WAF) and Cisco MARS log evaluation platform.
  • Instituted server hardening standards, security policies and guidelines, and secure coding training for developers.
  • Defined Business Continuity / Disaster Recovery Plan, deployed vulnerability scanning, and automated the patch management / change control function.
  • Established an Operational Change Control Review Process and Approval Committee; created a Software Security Function; and authored a comprehensive suite of security policies.

Confidential, Houston, TX

Principal Architect

Responsibilities:

  • Defined new information security organizational structure, built and aligned teams as partners to technology and business units, and grew the team from 9 to 65 across Security Architecture, Security Operations, Security Event Center, Security Consulting, Cybersecurity, Data Protection, and Third-Party Assessment.
  • Created a dedicated Security Events Center group to monitor IS controls and provide an incident response capability. Built the Digital Forensics capability that eliminated costly outsourcing of incident investigations.
  • Built and guided the Information Security Architecture team in authoring the Security Architecture Framework that defined the criteria and entrance process for projects to request security architecture reviews.
  • Built the Third-Party Security Assessment Team and a formal information security assessment / remediation framework aligned with corporate information security standards.
  • Achieved ISO 27001, NIST 800-53, SANS, OWASP, PII, FFIEC, FISMA, SOX, PCI, FERC, FASB, Data Privacy, Data Loss Prevention (DLP) Compliance and SAS 70 certifications by developing and implementing enterprise-wide IT and security controls.
  • Worked globally to enhance and implement Corporate Policies, Standards and Processes with focus on Information Security.
  • Defined and implemented the information governance strategy, vision, structure, operating procedures and metrics to standardize and report globally on their operations.
  • Defined and executed the roadmap to align controls, environments, and policies with regulatory requirements.
  • Authored security standards and created a standard methodology for vendor and third-party security assessments.
  • Authored IT Security Plan with PKI architecture for Encryption, Authentication and Digital Signatures.
  • Established Monitoring & Control, Risk and Opportunity Management functions.
  • Reviewed risk management programs and practices for appropriate coordination and consistency of data, analytic, and reporting.
  • Demonstrated DoS / DDoS protection capabilities at DHS HSARPA for specific National Critical Infrastructure Protection (NCIP) scenarios.
  • Partnered with data stewards to classify sensitive data, operationalize data profiling, and establish data quality dashboard monitoring and management initiatives to continually increase quality, consistency, security and business value.
  • Managed strategic corporate technology roadmap delivery and maintenance for portfolio of 100+ technology solutions.
  • Integrated credit risk, market risk, and operational risk analytics, decision management, legal, customer service, and business optimization, resulting in savings of $135 million over a 2-year period.
  • Created and published reference architectures for enterprise data life cycles management and governance.
  • Partnered across the organization to deliver full customer lifecycle technology capabilities for all areas of the business. Focused on delivering innovative solutions resulting in continuous improvements in process and service.

Confidential, Houston, TX

Chief Information Security Officer

Responsibilities:

  • Built a Risk-Based Information Security Program that enabled organization to pass a third-party assessment, negotiate a final settlement, and mitigate millions of dollars in losses.
  • Grew Information Security Organization from 15 to 55 resources. Created the Information Security Architecture, Software Security, and Forensics teams. Expanded the Operations, Third-Party Assessment, and Incident Management teams.
  • Transitioned to a risk-based model with a standard-based service focus. Trained staff on security best practices, increased communication, elevated risk-based metrics, and improved documentation and consistent standards.
  • Held critical role in creating the Information Security Awareness program for all employees and in documenting full suite of information security policies leveraging the ISO 17799 / ISO 27000 / NIST 800-53 / SANS / and OWASP Framework.
  • Defined and executed the roadmap to align controls, environments, and policies with regulatory requirements.
  • Expanded utilization of SIEM from fraud prevention to information security; drove the adoption of Oracle IAM for Identity and Access Control; and replaced obsolete McAfee Endpoint Protection technology with Symantec.
  • Authored security standards and created a standard methodology for vendor and third-party security assessments.
  • Built an enterprise Malware and End-Point Program, implemented a Patch / Vulnerability Management Program, instituted annual penetration testing, and deployed an Encryption-at-Rest strategy for all sensitive data.
  • Authored the Third-Party Security Policies, Procedures and Processes in managing the ongoing improvement efforts in the areas of audit methodology, reporting, training, associate development and quality assurance.
  • Built the Third-Party Security Assessment Team and a formal information security assessment / remediation framework aligned with corporate information security standards.
  • Built the Security Consulting team to integrate information security within the business units.
  • Led third-party assessments and championed all efforts to strengthen data protection controls and awareness. Defined strategies for BCP/DR to implement Data-at-Rest / Data-in-Transit Encryption, Data Loss Prevention, Data Masking, and Data Identification solutions. Authored data classification and protection policies and drove the establishment of a Data Privacy.
  • Identified information security risks across various portfolios, resulting in securing approval to manage the enterprise remediation project and to develop the Vulnerability Management Model.
  • Delivered integrated Intruder Detection and Isolation Protocol (IDIP), Cooperative Intruder detection and Traceback Response Architecture (CITRA), a statistical distributed denial of service (DDoS) system (FLOODWATCH), and a legitimacy test-based distributed denial of service (DDoS) system (NETBOUNCER) to McAfee's IntruShield product division for commercialization.
  • Established C&I Lending, Capital Markets and Indirect Lending Groups; transformed / scaled the bank's Credit Card and Retail Brokerage businesses. Led Credit Risk Management; Asset/Liability; Enterprise Risk Management; and Investment / online banking / e-Banking.
  • Transformed the bank's Credit, Market and Operational Risk Management capabilities by developing and implementing integrated credit / market / operational risk analytics, portfolio management and performance optimization using an Asset Liability Management (ALM) tool for all programs, praised by banking regulators. Complied with FDIC, SEC, SOX, Basel II, PII, PCI, SWIFT, BSA, FCRA, USA Patriot Act, Anti-Money Laundering (AML), FFIEC, FISMA, and Data Privacy.
  • Established Operational Centers of Excellence (CoE) in Strategic IT Security, DLP, Data Privacy, Cyber Security, Enterprise Risk Management, IT and Security Governance: Strategy, Policy, Standards, Processes, Controls and Documentation.
