Information Security Manager Resume Profile
Summary
An accomplished, results-driven Technology Security and Risk Management leader with experience and success directing Information Technology Operations, Security, Privacy, and Risk Management, transitioning them into efficient, profitable, process-driven organizations; implementing cost-effective risk management frameworks; and aligning compliance and security initiatives with the business to deliver innovative and competitive advantages.
Professional Experience
Confidential
SVP, Chief Information Risk Officer
- Led Technology Risk Management organization, responsible for independently assessing technology and information security risks, and monitoring, challenging and reporting on enterprise technology capabilities. Drove informed business decisions by ensuring a sound control framework, advising on key emerging risks and trends, and communicating applicability to the overall risk profile of the organization, not just specific to IT. Conducted threat identification and scenario analysis; planned and coordinated emergency response and fraud mitigation; monitored and reported on emerging risks and threats; and determined investment and resource allocation for effective security management. Partnered with the Chief Information Security Officer, justifying program strategy with risk analysis, prioritizing budget and challenging security architecture designs.
- Implemented unified risk assessment framework that combined controls for HIPAA, GLBA, FFIEC, Basel, ISO 27000, NIST, PCI-DSS, SOX, ITIL, CobIT, COSO, etc. to streamline assessment processes, provide a common language for control objectives, and implement a "test once, use many" paradigm
- Provided a governance, advisory and challenge function, including adherence to the risk assessment methodology, security tolerance standards, and Key Risk Indicators (KRIs)
- Established and co-chaired the Technology Risk Committee with executive leadership to discuss emerging risks and evaluate status of OCC MRAs and Internal Audit findings; developed an engagement model and communication plan for strategy and tactical plan articulation across multiple lines of business
- Interfaced with regulatory and other auditing bodies (compliance, audit, legal) to provide a unified, consistent voice for information risks, setting a consistent expectation of risk ratings and remediation efforts
- Championed and contributed to the implementation of ITIL processes, particularly with regards to change management, configuration management, incident and problem management, including root cause analysis
- Reviewed IT Operations strategic plan, and developed an analytic hierarchy process (AHP) model to prioritize 13 programs based on inherent and residual risk; produced risk appetite statements to justify plans
- Developed a FAIR-based risk analysis process and playbook for risk officers to engage cyber-security, technology and business teams, justifying or challenging initiatives as warranted
- Advised on the transformation of the SDLC across 5 CIOs to incorporate both Agile and Waterfall methodologies
- Partnered with Cyber Security, Fraud Management and law enforcement for incident response, particularly DDoS attacks, fraud, malware infections, and attempted intrusions
- Led deployment of enterprise GRC (Archer), including integration with multiple data sources, lines of business and siloed business processes; simplified self-assessment processes and issues reporting, and provided PNC's first comprehensive Board-level and regulatory risk metrics reporting
- Participated as contributor to NIST Cyber Security Framework workshops to build a critical infrastructure protection framework resulting from the Feb 2013 Presidential Executive Order
- Established and maintained successful external relationships with security technology and service providers, industry intelligence experts, local and federal law enforcement, industry consortia, and regulatory agencies
Confidential
Director, IT Security, Governance, Risk, Compliance CISO
- Led the IT Security GRC management strategy, developing and maintaining policy, standards, processes and procedures to assess, monitor, report, escalate and remediate related issues. Worked collaboratively with other departments in the design and implementation of audit, risk assessment and regulatory compliance practices. Monitored and analyzed technology risk trends, and implemented appropriate IT technologies, policies, procedures and practices to strengthen internal operations.
- Conceptualized new security architecture and successfully deployed large, multi-million dollar capital projects including Security Information / Event Management (SIEM), Vulnerability Assessment Management (VAM), Data Loss Prevention (DLP), Public Key Infrastructure (PKI) and Data Activity Monitoring (DAM) systems
- Designed and implemented OpenText / Metastorm Business Process Management solution to create ITIL-based universal ticketing system; enabled numerous business processes across the organization, centralized documentation of process flows and provided business metrics to gauge effectiveness
- Deployed an Identity Access Management (IAM) system to reduce provisioning time from 20 days to 3 days, resulting in an annual productivity savings of $965,000
- Created Data Governance framework and Data Governance Committee Charter for data analytics and Teradata data warehouse deployment, reducing data sprawl and corporate databases by 10%
- Developed Business-to-IT strategy articulation maps and departmental balanced scorecards and dashboards to measure and improve performance and service delivery functions
- Created governance framework for IT using TOGAF/SABSA; created strategic plans that aligned with business objectives, including KPIs, SLAs, and NPS scores to measure effectiveness for the first time; NPS scores improved from 62 to 89 overall customer satisfaction, the highest in IT
- Created and applied a Unified Compliance Framework to reduce audit work effort by reducing total controls from 250 to 35, improving audit performance by 75%; mapped risks to controls to reduce impact of compliance
- Consolidated security assessment requirements to reduce number of 3rd party vendors and leverage volume discount opportunities for a cost savings of $120k
- Executed PCI DSS compliance program; facilitated SSAE 16 audits; initiated ISO 27001 assessments and put company on track for ISO certification, as a competitive differentiator
- Developed and implemented IT Top Performer recognition program to reward top departmental talent; created Career Path Matrix to enable staff to visualize their current role and possible career paths down a business or technical track
Confidential
Director, Security Compliance CISO
- Designed, managed, and implemented specific remediation plans addressing improvement opportunities within Catalina's internal processes and procedures. Functioned as the business expert and worked with executive management to lead efforts to design, document, implement and manage appropriate security risk management measures and technologies.
- Created a security program that leveraged the existing IT matrix roles and skill sets, and a governance model that was inclusive and open, the key to achieving critical buy-in at multiple levels of the organization
- As a member of the enterprise information architecture design committee, assisted in the design and implementation of a secure SOA environment, including cloud-based federated identity management and single sign on, that serviced internal and external users
- Sponsored and managed projects to deploy secure wireless, file integrity monitoring, NAC, ASA firewalls, Intrusion Prevention, and Identity Access Management in federated and SOA environments
- Conducted an information assurance policy review and re-write to align with business processes and streamline regulatory compliance processes, resulting in an overall cost savings for recurring audits and assessments
- Led PCI DSS assessments and remediation to achieve first company ROC certification; documented a process that reduced execution time from 6,700 hours to less than 520 hours, a savings of $393,000 annually
- Implemented oversight of all contracts for compliance to domestic and international privacy legislation, reducing post-implementation remediation efforts and costs; wrote client-facing documentation and legal language for contracts and data transfer agreements
- Wrote Privacy Framework, Employee and Client Privacy Policies, and various Web Privacy Statements used in Congressional briefings about behavioral-marketing and protecting consumer privacy
- Aligned policies, processes and operational functions with HITECH Act, HIPAA, Safe Harbor and EU Privacy Directives; filed for Safe Harbor and registered with European Data Protection Authorities in 4 countries
Confidential
Chief Privacy Officer / Director, Global Security Risk Management CISO
- Established a highly visible, global presence for security, privacy, and risk management to protect personnel, facilities, infrastructure, information, and business operations. Reporting to the CIO, supported corporate executives and business unit managing directors with strategic planning, standards and process development, regulatory and internal compliance monitoring, investigations, and incident response. Supported the business development process through pre-sales discussions and contract negotiations with prospective and existing clients. Led all privacy, security and business continuity matters with a global team of 23 members and approximately 185 security guards.
- Created an award-winning team, recognized by SC Magazine as a top 5 finalist for 2008 Best Security Team in the United States
- Designed and implemented a departmental web portal to provide communications, performance metrics, remediation tracking, resource management, and process workflows; departmental efficiency improvements supported growth from 16,000 employees to 30,000 without additional headcount
- Conducted strategic planning that transformed the culture of an authoritarian security department into a trusted adviser and enabler of the organization's business objectives
- Developed and implemented a Global Business Continuity Management program, including strategy and standards for enterprise-wide Disaster Recovery, Business Continuity Planning and Crisis Management; led the corporate Crisis Management Team in support of regional incident response
- Established leadership role in executive committees to facilitate risk management practices; created and led executive-level steering committees to accomplish privacy and security goals
- Developed, implemented, and directed corporate security, privacy, and risk management programs to safeguard operations, global systems, personnel, facilities, and physical assets; created an audit and monitoring regime and executed risk assessment engagements
- As the Privacy Officer, maintained working knowledge of external legislative and regulatory initiatives, interpreting and translating requirements for implementation; created and implemented a Privacy Framework mapped to international privacy regulations and contractual requirements
- Supported the business development process through client counseling and conducted client negotiations on matters of security, privacy, and risk management
- Initiated privacy and security assessments, audits, and investigations, including Payment Card Industry Data Security Standard (PCI DSS), SAS 70 Type II, ISO 17799/27001 and ethical hacking
Confidential
Director, Information Security Audits (2004-2005); Technical Services Manager (2003-2004)
- Planned, directed and coordinated activities of technology projects to ensure that business goals and objectives were accomplished within prescribed time frame, budget and quality. Managed team of database administrators, architects, and network engineers responsible for the production support of e-commerce systems and networks, including support of Development and QA environments. Was promoted to lead security team, reporting to executive management, creating and executing security, business continuity policy, and regulatory audit compliance.
- Exercised direct oversight of design, development, maintenance, operations and support of networking infrastructure and database clusters
- Led complete redesign, development and successful deployment of new e-commerce web site and database architecture on schedule, exceeding sales goals in first week of deployment
- Conceptualized and communicated technology and process improvement solutions to senior management, improving availability from 99.23% to 99.91% and page load times from 2.4s to 1.09s within first 6 months
- Architected and deployed enterprise monitoring (performance, capacity, security, and availability) system ahead of schedule and with no budget impact
- Implemented full SDLC process using SW-CMM framework, including requirements gathering, analysis, design, development, implementation, support, testing and deployment using Six Sigma quality measurement methodologies and MS Enterprise Project Server
- Produced Business Impact Analysis, Gap Analysis and led Business Continuity Planning efforts
- Implemented redundant hot data center as well as Sungard cold site
- Coordinated 2 hurricane disaster declarations which exercised DR and BC plans and provided seamless failover to DR sites, as well as return to normal operations within 48 hours, rather than the planned 96 hours
- Developed and maintained strategic security plan and policies, enhancing security awareness within the company
- Created and managed cross-functional corporate security team and an incident response team
- Implemented security best-practice firewall rules, conducted OCTAVE risk-based assessments, penetration testing and regularly scheduled security audits using COSO framework
- Led Sarbanes-Oxley (SOX) and first VISA CISP/PCI security compliance audits, developing process to streamline audits, reducing audit period from 10 weeks to 4
- Performed effective risk management and cost containment of IT security and disaster recovery functions
Confidential
US Information Security Manager
Production Support Manager
- Directed operations of Internet social networking site, interfacing with product management and business development to create strategic product and operational plans. Led network operations and cross-functional customer service team, managing four direct reports and seventeen indirect. Served as final authority for all product releases. As Security Manager reporting to the CIO and SVP of Operations, oversaw all company security efforts.
- Managed integration of Matchmaker.com into Lycos Network; spearheaded migration of 120 servers with 260 million page views per day as the fastest integration effort in Lycos history (14 days)
- Instituted Six Sigma methodologies within operations for better quality control, achieving the fastest page loads and highest availability of any Lycos product
- Initiated capacity optimization project, which contributed $2.5 million in annual savings to the bottom line
- Increased customer service call center productivity by 720% while reducing costs by 15%
- Formulated enterprise infrastructure security vision in alignment with organization's business model
- Designed and implemented security monitoring systems and infrastructure; created Incident Response Team; performed threat, vulnerability, and risk analysis; conducted security audits using CobIT framework
Confidential
Founder / Information Technology Operations Management
- As the head of IT infrastructure, directed 7x24x365 network security operations center, providing primary network, systems and application support (installation, configuration and maintenance) for services, including web, e-commerce, database, e-mail, DNS, and file servers. As co-founder and SME, advised on all product, operational, marketing and M&A initiatives. Designed and implemented entire architecture, managing 18 direct reports.
- Negotiated and secured $5 million in bridge funding from Silicon Valley Angels; transitioned Company from raw start-up to pre-IPO and eventual sale to Lycos.com for $45 million in July, 2000
- Created NOC/SOC and procedures to handle upgrades, maintenance, security, disaster recovery, and Y2K readiness tests
- Designed Oracle database using Designer/Developer 2000 to convert proprietary NoSQL database to a relational and object-oriented architecture
- Directed planning of network and system architecture, reducing servers from 200 to 120, resolving issues with an unstable environment and generating annual support savings of over $200,000
- Initiated implementation of proprietary ticketing system, including configuration management, to create workflows and manage release, problem and incident management (ITIL services), server builds and routine maintenance, decreasing system crashes/reboots from 20 to 2 per week
- Led migration of production environment from BSDI Unix to Redhat Linux, 3 days ahead of schedule, increasing server performance by 100%, producing $300,000 revenue increase in 6 months
