PCI Program Manager and CISO Advisor Resume
SUMMARY:
- A highly motivated, strategic, risk- and results-oriented leader with over 20 years of experience in the information security and risk management field, focused on building strong security governance, policies and procedures, and INFOSEC teams, providing expert leadership, and helping diverse organizations develop and implement enterprise-level information security programs that balance strong security practices with the needs of the business.
- Dynamic communicator who readily connects with both technical and non-technical users to ensure on-time, within-budget deliverables. Combines extensive experience in emerging security technologies and products with broad technical expertise and crisp business acumen to successfully align information security strategies with corporate objectives.
- Multi-project experience in planning, managing resources, risk management, change management and controlling project budgets. Ability to set goals, plan strategies, schedule and coordinate the work of others, and integrate planning efforts to meet organizational goals.
- Extremely experienced in performing PCI information security assessments, providing security advisory expertise to senior executive management, middle-management, and staff.
- Extensive knowledge of regulatory requirements such as HIPAA, HITECH, PCI, GLBA, FFIEC, USA PATRIOT Act and FERPA, and hands-on experience developing compliance/governance strategies in support of industry-accepted information security frameworks: ISO 27001 (17799:2005), COBIT and the NIST series, etc.
- PCI Security Assessments - Conducted PCI compliance assessments for two of the largest retail merchants in the Midwest. Assessments included a current-state analysis against PCI DSS security audit procedures, a risk-based gap assessment, and detailed recommendations in order to support an integrated control framework.
- HIPAA Information Security Compliance Assessment - Led a HIPAA Security project effort, which assessed the HIPAA Security compliance posture for a large Midwest healthcare company. The effort resulted in the organization's ability to identify HIPAA information security risks, leading to the creation of an overall risk management process in support of internal compliance initiatives, and a Risk Information Security Office.
- Enterprise-wide Information Security Risk Assessment Development - Developed an integrated risk management program for a large Southeast bank in the North Carolina area. Leadership role performing enterprise-wide information security risk assessments leveraging industry-accepted information security frameworks (ISO 27001:2005, COBIT and NIST), as well as FFIEC and GLBA.
- Information Security Program Development - Developed a comprehensive information security program for the largest Dynamite Company located in Utah. The program resulted in the Agency's ability to create an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
TECHNICAL SKILLS:
Software: Microsoft Project, SharePoint, Smartsheet, Visio
Project Methodologies: Agile, Waterfall, Kanban
Enterprise Tools: MySQL, Apache, Remedy, ArcSight, Sourcefire, Enterasys Dragon 7, Nessus, Ethereal, HP OpenView, SolarWinds, Einstein (US-CERT program), Check Point, Juniper NetScreen, McAfee VirusScan/ePO, Tivoli Netcool/Management Framework, Newpoint Stratus, Newpoint Compass, Spectrum Analyzer.
Compliance/Regulatory Exp.: PCI DSS, GLBA, SAS 70, SOX/HIPAA (new and old versions), FISMA, COBIT, NIST, ISO/IEC 27000 series (new and old versions), HITECH, FIPS, SSAE 16, GDPR (General Data Protection Regulation).
Security Tools/Solutions: Intrusion Detection Systems (IDS), data encryption (SHA-1, PKI, SSL, DES, IKE, etc.), virus protection, system monitoring & detection tools (Tripwire), EnCase, Webtracer, etc.
PROFESSIONAL EXPERIENCE:
Confidential
PCI Program Manager and CISO Advisor
Responsibilities:
- Performed Technical and Security Compliance Assessments and other client work related to professional services offerings.
- Collaborated with Confidential CISO, and other “C” level Executives, on either enhancing or maturing Confidential client organization’s Global Security Program effectiveness and sustainability.
- Created and recommended remediation for components of security policies, procedures, processes, and standards.
- Created detailed, professional documentation (500+ pages in length) to be delivered to customers both in written and verbal formats.
- Worked on multiple projects concurrently; managed time and budgetary requirements effectively.
- Worked as a program manager, created a road map for the entire PCI DSS compliance program and managed more than 20 resources (security managers, project managers, security architects, etc.) with a project cost of more than $24 million.
- Managed the entire global PCI DSS compliance program for the USA, Europe, Asia and Latin America. Designed and implemented enterprise-wide security solutions and reduced security, compliance and privacy risks. Managed the implementation of enterprise-wide security policies and processes relating to PCI DSS and FFIEC.
- Defined global PCI compliance roadmap. Managed the implementation of security solutions (Mega Crypt encryption, key management, data loss prevention (DLP) and file integrity monitoring and IDM) and safeguarded the credit card data, Private Identifiable Information (PII), & company confidential information.
- As a program manager, led multiple concurrent IT security projects in order to achieve PCI DSS compliance. Conducted a gap analysis and identified missing policies, standards, procedures and controls. Created a PCI DSS tracking sheet, identified functional units and kept track of status and progress for each and every requirement of PCI DSS (approx. 291 requirements).
- Recommended policies, standards and controls required for PCI DSS compliance, continuously worked with process owners and led the projects to implement policies, standards, processes and controls.
- Acted as a subject matter expert for identifying and finalizing the scope, policies, processes and tools required to achieve PCI DSS compliance.
- Created test plans, conducted audit of systems and validated the controls. Continuously interacted and worked with QSAs and process owners to finalize the scope and control requirements.
- Managed the creation and implementation of IT security architecture and systems, security policies, configuration standards and guidelines.
- Created and managed information security processes and standards for technology and application development.
- Acted as an advisor / subject matter expert and provided advice and support related to all aspects of HIPAA as it applies to technology, policy and interpretation of HIPAA regulations related to private health information (PHI). Assisted in creating the HIPAA privacy and security program and introduced policies promoting compliance. Audited and reviewed technical controls and security policies relating to HIPAA.
- Established a security risk assessment framework and processes and integrated security into the SDLC process. Managed the implementation of a web application firewall (WAF), manual and static code review and dynamic web application security testing tools. Conducted training for programmers on secure coding practices and the new secure SDLC process. Established a threat modeling process (DREAD and CVSS) and risk ranking methodologies to prioritize and rank security risks. Conducted static code review and dynamic web application security tests (WebInspect, Fortify, Veracode); identified application security issues, provided practical recommendations based on OWASP and SANS; worked with process owners to mitigate the issues.
- Global projects include evaluating, planning, budgeting, and deploying cutting-edge IP network / cloud infrastructure security controls to protect sensitive data per HIPAA, SOX, and PCI-DSS compliance frameworks.
- Reported all program and project finances to stakeholders.
- Prepared status, risk management reports and dashboards in the form of PowerPoints and Excel spreadsheets. Reviewed with Business stakeholders, IT leadership and project teams.
- Streamlined and consolidated the processes relating to vulnerability scans, penetration testing and security patches. Introduced a risk-based approach and risk ranking tools (CVSS) for addressing the security issues found by tools (Nessus, Qualys and WebInspect). Created security patch management, vulnerability management and penetration testing processes. Conducted vulnerability scans and penetration testing; identified and risk-ranked the issues; worked with process owners to remediate the issues.
- Worked as a team lead and created enterprise-wide security risk assessments with a project cost of more than $22 million. Developed the IT Security Governance and Enterprise Risk Management Framework for the company. Managed and tracked enterprise security risks, threats, vulnerabilities and security issues and the status of remediation plans. Prepared high-level/dashboard reports and presented them to senior management.
Confidential
PCI Program Manager / Chief Information Security Officer & Risk Officer
Responsibilities:
- Recruitment of information security professionals to assist with PCI program assessments.
- Leadership activities to include policy, standard and procedure reviews, security architecture reviews, wireless security reviews, vulnerability assessment reviews, system development lifecycle reviews, secure code reviews, access control and physical security reviews.
- Performed system and network audits against FISMA and FIPS200 regulatory requirements.
- Designed and implemented cloud security architecture (AWS EC2, GovCloud) and tools including: Splunk, Nessus, Security Center, Trend Micro Deep Security, Burp Suite Pro, Xceedium Xsuite, AppDetectivePRO, EnCase, and Mandiant.
- Provided PCI subject matter expertise and education to executive management, management, internal personnel, and external vendors.
- Led the effort to create and present quarterly PCI program status reports.
- Successfully delivered assessment phase, on time and within budget. Deliverables included a corporate Report on Compliance and Remediation Roadmap to address any deficiencies.
- Responsible for establishing and maintaining a comprehensive plan for governance, risk, and compliance (GRC) across Health, Financial Services, including formal policy and procedure management, risk assessments, and review of controls.
- Responsible for overall risk management including oversight of business continuity and disaster recovery contingency plans and security of business critical corporate infrastructure and information assets.
- Integrated Planning and Strategy: led the development of an integrated Confidential technology strategy, updated annually, that guides technology investment strategy across Confidential business units. Developed and refined the organizational strategy for Information Security, Governance, and Compliance.
- Planning: working in conjunction with Confidential's Directors and stakeholders, led the development of enterprise-wide technical, people and process security strategy. Understood and investigated all of the strategic security issues within the Confidential organization and helped define them in terms of priority, solutions and strategic outcomes. Developed and facilitated input to the Confidential multi-year planning process that spans the Information Technology domains of Applications, Information, and Infrastructure & Security. Built a comprehensive system and framework to deliver information security programs to Confidential and individual business units. Built business cases to establish, grow and change business groups, functions and technologies.
- Governance: engaged major Confidential technical projects, programs and functions to understand the technical and security implications and future roadmap and ensure appropriate security governance was in place. Led Confidential in any and all Confidential governance efforts.
- Performance Reporting: worked with the Program Management Office, as well as the Application Services team, in establishing business-friendly reports and metrics for monthly and quarterly reporting. Developed and maintained the KPIs and metrics to manage the performance of the SP&A organization; worked in concert with other organizations within IT (PMO and Operations) to develop an integrated set of client-facing performance metrics that can be leveraged with business unit executives.
- PMO weekly artifacts included project dashboards, risks and issues, schedule, budget, and remediation metrics of IP assets scanned by the third-party Approved Scanning Vendor (ASV). The role also required working closely with the corporate audit officer and security director to report remediation status and develop C-level presentations, security policy, daily operations procedures, and security architecture.
- Financial Management: managed the operational finances of the Confidential organization on a monthly, quarterly, and annual basis. Where appropriate, set and defined budget, goals and functional objectives.
- Communications: developed plans and materials for communicating and educating various stakeholders (business and IT) on security strategy, planning processes, key initiatives, etc. Partnered with IT and Corporate Communications on the execution.
- Managed the annual talent review process within Confidential (performance appraisals, employee performance calibration). Managed the recruiting and talent development programs on behalf of Confidential. Managed various other day-to-day aspects of the Confidential organization, directly supporting the President. Supported the President in preparation of material and thought leadership to drive key decisions with Confidential executive leadership.
- Supervision and leadership: supervised a team of 30 FTEs. Provided a vision for the area, and developed and implemented a maturation plan to develop the skills and supporting security tools/processes. Addressed current audit points and compliance issues and remediated current security vulnerabilities while being proactive and measurable to reduce the 'inflow' of new activities. Recruited staff and mentored functional managers, supervisors and employees as required. Made decisions for functional areas in normal and emergency situations.
Confidential
Chief Information Security Officer
Responsibilities:
- Responsible for determining and creating Global enterprise information security standards.
- Developed and implemented information security standards and procedures. Ensured that all information systems were functional and secure.
- Accountable and charged with all Global IT Audits and Risk management across the company and its subsidiaries, ensuring that the scope and span of accountability for information security remains aligned with the overall corporate risk management framework created and governed by the Chief Risk Officer.
- Served as the company subject matter expert on privacy and security laws and regulations.
- Reported to Chief Risk Officer & CEO.
- Built and managed a team of 25 FTEs. Also built, managed and oversaw the BC/DR program.
- Provided PCI subject matter expertise and education to executive management, management, internal personnel, and external vendors.
- Led the effort to create and present quarterly PCI program status reports.
- Identified legal and regulatory requirements (e.g., PCI, PIPEDA, Bill 198/SOX) that were enforced through policy alignment and execution.
- Responsible for overall risk management including oversight of business continuity and disaster recovery contingency plans and security of business critical corporate infrastructure and information assets.
- Created and implemented specific performance targets both within Information Security department and across the company and managed performance to those targets, while escalating issues and risks proactively.
- Coordinated security incident response, mitigation, and reporting.
- Directed the development of security standards, processes, procedures, and architectures in line with the security strategy.
- Established and maintained consistent independent industry certifications and/or audit reports across the firm (e.g. ISO 27001, SSAE 16).
- Assisted in the reorganization of security personnel in support of a more effective and efficient PCI program team.
- Recruitment of information security professionals to assist with PCI program assessments.
- Leadership activities to include policy, standard and procedure reviews, security architecture reviews, wireless security reviews, vulnerability assessment reviews, system development lifecycle reviews, secure code reviews, access control, and physical security reviews.
- Ensured compliance with security policies, standards, and procedures through security awareness and training programs and specification of performance requirements in job descriptions and Guidelines of Conduct.
- Implemented a Corporate-wide information security awareness and training web site.
- Performed periodic information security and privacy risk assessments and conducted related ongoing compliance monitoring activities in coordination with the company's other compliance and operational assessment functions.
- Identified and participated in the project management process to ensure security requirements are addressed in all technology/ system projects and to ensure security compliance. Acted as the liaison with Internal Audit and the Corporate Security department regarding overlapping information security issues - e.g. investigations or badge access.
- Participated in outsourcing negotiations and interfacing with external outsourcing service providers to ensure alignment to company security policies.
- Acted as liaison with human resources on personnel issues related to information security - e.g. involved in terminations due to policy non-compliance; investigated and reported on security threats, violations, and other security incidents to management.
- Consulted with Board of Directors and other CXOs in times of information security crises to ensure that the crises were properly managed internally and externally.
- Advised and counseled other C-Level Executives of changes in the technical, legal, and regulatory arenas affecting information security, privacy, IT compliance, and computer crime. Advised business managers and technical personnel about the implementation of the security program in their respective areas.
- Selected and implemented security tools (e.g. ArcSight) and executed the day-to-day accountabilities of the department, including security administration.
Confidential, Ashburn, VA
Chief Information Security Officer (CISO) & Vice President
Responsibilities:
- Chief IT Security Strategist, change leader, and driving force behind security improvements that safeguard data, ensure compliance, and facilitate informed advancement towards organizational goals. Managed, oversaw and directed Verizon's Cyber Security Operations within the Managed Services Solutions Division of 1,000 mid-level to senior engineers, security analysts, architects, managers, and directors. Oversaw and managed a $50M annual IT security budget.
- Advised and counseled executive management (C-level, COO and CIO) on specific technologies that enable secure business growth.
- Served as the company subject matter expert on privacy and security laws and regulations.
- Responsible for managing a unified privacy, security, and compliance program across all divisions and associated offices.
- Defined company security standards based on industry standards and best practices. Provided implementation guidance and reviewed progression toward compliance.
- Coordinated security incident response, mitigation, and reporting.
- Established and maintained consistent independent industry certifications and/or audit reports across the firm (e.g. ISO 27001, SSAE 16).
- Provided expert technical advice, guidance, and recommendations on IT cyber security issues to management and other specialists, including the federal government.
- Implemented a Corporate-wide information security awareness and training web site.
- Led, administered, developed, delivered, and/or supported information technology systems and services in a cyber-security.
- Established and implemented information security and cyber security policies, directives, and guidelines in supporting IT security applications.
- Maintained information security processes and security control standards for application development and technology deployment.
- Charged with evaluating new security technology and conducting vulnerability assessments.
- Developed and delivered high-value services that benefit customers and differentiate us.
- Developed client satisfaction measurement tools for each offering.
- Managed, grew, coached, and elevated the skills of the current team.
- Conducted HIPAA Security assessments for a large lending institution in the Midwest area.
- Carried responsibility for effectively forecasting the business.
- Established performance metrics and tools to measure effectiveness and optimize the business.
- Worked closely with company executives, sales, customer support, product management, and engineering.
- Supported marketing efforts to clients and prospects with best practices, case study, and content derived from the services group.
- Managed client level and overall profitability on service offerings including end-to-end product management of services.
- Supported product and development teams in providing client feedback and input on software offerings.
- Ensured systems and processes were documented and optimized through product improvements and operational efficiencies.
- Collaborated with other customer facing teams including sales team, client support and implementation teams to provide a holistic customer experience that grows revenue and delivers exceptional customer satisfaction.
- Provided engineering analysis, design, and support for firewalls, routers, networks, and operating systems.
- Developed the organization's strategic risk-based information security program in support of enterprise HIPAA initiatives and defined a HIPAA security road map in support of new business processes.
- Collaborated to establish new relationships with hospital directors, home health care directors and short and long term nursing facilities.
- Created an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
- Provided engineering support for implementing the strategic architecture of networks; provided network design and implementation direction; provided expert engineering in support of problem resolution; supported product evaluation and integration, network hardware and software/system testing, strategic planning, and emerging technology investigation.
- Implemented, enforced, and communicated security policies and/or plans for data, software applications, hardware, and telecommunications.
- Performed product evaluations, recommended and implemented products/services for network security. Validated and tested security architecture and design solutions to produce detailed engineering specifications with recommended vendor technologies.
- Provided enforcement of security directives, orders, standards, plans, and procedures at server sites. Ensured system support personnel received/maintained security awareness and training.
- Maintained data on, and communicated to management, the impact on business/customers caused by theft, destruction, alteration, or denial of access to information.
- Served as the Deputy Chief Designated Authority for the development and maintenance of the overall system security document, the Information System Security Plan, which contains all necessary security procedures, instructions, operating plans, and guidance.
- Worked with Application Development Engineering (e.g. Secure Coders) teams to integrate the security architecture with applications including single sign-on and role based access control.
- Participated in the development or revision of System-specific security safeguards and local operating procedures that were based on specific regulations.
- Provided IT security consulting to system owners as to the other security documents, for example, security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, and contingency plans.
- Highly knowledgeable of information assurance and security engineering principles involving telecommunication security, network security, computer security, key management and other areas of information assurance.
- Excellent implementer of communication and team-working skills while working with a large team and executive management (CIO, COO) involved in the implementation of security solutions embedded for both Government and Commercial Systems products.
Confidential
CISO & GSOC Managing Director
Responsibilities:
- Performed network security monitoring by analyzing events from various Network-based Intrusion Detection Systems (NIDS) as primary Incident Handler for the night shift, responsible for IDS logs, proxy services, incident response, opening/updating trouble tickets, and answering calls in a 24x7 Security Operations Center (SOC) environment.
- Coordinated security incident response, mitigation, and reporting.
- Identified suspicious and malicious activities, tracked malicious code (e.g. worms, viruses, Trojan horses), and created trouble tickets for the removal of unauthorized software.
- Created an integrated risk-based security posture, leading to a sustainable and repeatable program framework while aligning with business initiatives.
- Implemented an Agency-wide information security awareness and training web-site.
- Lead security analyst responsible for streamlining the information security administration process, violation reporting, supporting documentation and defining security response times. Spearheaded the information security compliance reporting process.
- Assisted with the creation of policies and procedures for the Computer Security Incident Response Center (CSIRC) systems.
- Conducted performance measures and audits to ensure network and installation sites conform to critical security guidelines.
- Led on all computer incidents involving company assets, viruses, spyware, and allegations of misuse; coordinated mitigation procedures with DHS components, filed incident reports, and monitored all Internet-facing services for attacks.
- Mentored younger members of network security group in new IDS troubleshooting, packet analysis and security architecture design procedures.
Confidential
Manager, Information System Auditor
Responsibilities:
- Provided technical analysis of voice and data services for large commercial accounts.
- Supervised and led a team of 12 FTEs.
- Performed IT General Control reviews in support of Sarbanes-Oxley (SOX) federal regulatory requirements.
- Responsible for the creation of IT Governance framework.
- Implemented a Corporate-wide information security awareness and training web-site.
- Leadership responsibilities included supervision of staff members, promotion of teamwork through collaboration, performance management reviews, and goal-setting exercises.
- Provided productivity analysis for installation of a bridge to services that would increase voice usage between integrated Wide Area Network (WAN) services.
- Resolved control issues surrounding system access.
- Communicated daily with System Engineering, Business Implementation, Presales, and Customer Financial Services.
Confidential, Lorton, VA
Manager of IT Security Service
Responsibilities:
- Supervised and led a team of 15 FTEs.
- Leadership responsibilities included pre and post-sales support, project management, mentoring junior staff and product support.
- Implemented a Corporate-wide information security awareness and training web-site.
- Leadership role performing enterprise-wide information security risk assessments leveraging information security industry accepted frameworks (COBIT, ISO27001).
- Developed an information security compliance program in support of business initiatives and regulatory requirements.
- Responsibilities included compliance program development, establishment of monitoring and compliance activities, development of a formal risk assessment process, and information security policy, standard and procedure development and management.
- Provided operation support to client operations related to security control, monitoring, auditing.
- Established and maintained positive relationships with internal, external, and third-party vendors.
- Researched, evaluated, designed, tested, recommended, and planned implementation of new or improved information security practices.
Confidential, Dulles, VA
Lead IT Security Analyst
Responsibilities:
- Provided technical analysis of Security incident and responses.
- Responsible for the development of a risk management program framework.
- Managed, grew/hired, coached, and elevated the skills of 10 FTEs and 50 Contractors.
- Provided Tier II customer support to all AOL clients for IT security incidents and resolved them.
- Oversaw disaster recovery and backup policy implementation and maintenance. Identified requirements; designed, created, and maintained disaster recovery system.
- Network and Security analysis/assessments and security monitoring.
- Provided technical leadership to the enterprise for the information security program.
- Mentored and trained others in information security.
- Recommended preventive, mitigating, and compensating controls to ensure the appropriate level of protection and adherence to the goals of the overall information security strategy.
- Maintained and Enforced AOL's corporate Global security policy.