Senior Program Manager Resume

Bridgewater, NJ

SUMMARY:

  • Expertly skilled and successful leader with broad experience initiating, managing, and completing data protection projects and resetting information security programs to reduce cost, improve efficiencies/effectiveness, and fully align with business objectives and expected pace of program implementation - experienced in business analysis, project management, system development lifecycles, and operations, including RFPs, contract management, procurement, budgets and staffing
  • Extensively experienced in all eight domains of the ISC2 CISSP CBK: Security Architecture and Engineering, Software Development Security, Security and Risk Management, Asset Security, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, and Security Operations
  • Consistently demonstrates communication excellence at all levels of organizations including architecture, systems engineering, technology operations, application software development, middle management, and executive-level stakeholders - achieves the “go to” information security person level, as needed with peer collaboration, staff mentoring, and team building
  • Repeatedly established strategies and alignments for information security compliance with security objectives (internal and external) based on standards, such as NIST’s Cybersecurity Framework, SP, and SP, ISO/IEC 27001/2, and COBIT, as well as supply chain risk management (SCRM) program for cloud and other suppliers, achieving security and operational objectives of the third-party risk management programs
  • Developed and implemented the joint Security Incident Response Plan (SIRP) with contracted cloud provider and led incident management for a world-wide Security Incident Response Team (SIRT) with 24/7/365 coverage
  • Led/implemented a new Threat & Vulnerability Management (TVM) program with cloud provider based on NIST maturity models and planned, initiated, executed and closed several successful leading-edge data security projects
  • Maintains long-term relationships with security industry experts on security architectures and trends, continues to develop awareness of changing threat landscapes and monitors threat levels involving Identity Access and Management (IDM), potential service disruption (DDOS), intrusion detection/protection (IDS/IPS), malware defenses, network access controls (NAC), data loss prevention (DLP), threat management, etc.

EXPERIENCE:

Confidential, Bridgewater, NJ

Senior Program Manager

Responsibilities:

  • Successfully realigned security work-streams to exceed executive sponsor expectations on schedule for external stakeholders
  • Successfully realigned and implemented security program to exceed business objectives for all stakeholders of a new business venture involving United States Federal Communications Commission (FCC) and North American Portability Management LLC (NAPM) members
  • Successfully and securely connected to all regional telecommunications systems across the United States during contractually prescheduled system cutovers
  • Participated, advised, and recommended revisions to Executive Security Leadership Council (ESLC) strategy “playbook,” fully implemented all agreed security program priorities on strategy “roadmap,” provided updates on security metrics (maintained alignment relationships with organizational heads), continuously reported progress on planning, implementation, and other status items to maintain on-time delivery according to business risk tolerance, communicating complex security concepts to all levels in an understandable manner
  • Oversaw and directed multiple Information Security teams. Organized, planned, and executed on project methodology, managed teams and completed all security activities according to business requirements, architecture and engineering specifications, agile software development (Secure-SDLC) scrums, release management checklists, DevOps deployment activities, and Production Operations acceptance tests. Systems included deployment of new SOC tools for multi-site outsourced cloud computing with significant Linux virtualization system and DR hot site. Program included the management of security staff responsibilities and accountability, priority setting, directing work and monitoring key indicators that measure acceptable progress.
  • Worked with business unit attorney, procurement, and other departments on information security aspects of RFPs, compliance/audit, supplier selection, supplier contracts, etc
  • Monitored and addressed audit and compliance concerns around all information security requirements, policies, procedures, and standards ensuring consistent internal controls across stakeholder departments and processes
  • Implemented and advised alignment for contractual security requirements with traceability to business processes and technical implementations, including lead for security plans, functional specifications and technical specifications aligned with defined security architecture and security operations compliance (internally controlled and managed cloud using NIST standards as the basis)
  • Strategically organized and led efforts for assessing threat and vulnerability from a business as well as a technical perspective while improving security for software (code scanning), applying secure scripting and system configurations, deploying various infrastructure components, configuring and securing relational databases (Oracle) to support production deployment and production operational readiness.
  • Led security technology selection and implementation for SIEM (centralized logging and reporting with Splunk), intrusion detection/protection/response (McAfee network and host), firewalls (F5 application, Cisco internal network, and Cisco external Internet)
  • Established security program work-streams as a business enabler including, but not limited to, leading secure application and system coding, data and database protection, anti-virus, email security, encryption key/ management, public key infrastructure (PKI), internal and external threat assessments, security information and event management (SIEM), identity and access management (IAM), and application and perimeter firewalls, data center and physical security, staff vetting, Advanced Persistent Threat (APT) and Threat and Vulnerability Management (TVM), security compliance audits, third-party risk assessments and supply chain risk management (SCRM), and aligned security operations center (SOC) processes and standards
  • Led efforts to develop appropriate security support documentation (SOC Wiki, technical writing team) for turnover
  • Developed security checklists for solution readiness (fully aligned with NIST Cybersecurity Framework and ISO 27001/2) and release management during deployment and customer rollouts (connecting telecom infrastructures)
  • Led process development and implementation for third-party supply chain risk management (SCRM), aligned operations security incident response plans (SIRP), arranged and oversaw vulnerability scanning, penetration testing, and remediation across all primary and secondary environments (production and non-production)
  • Partnered with the corporate, suppliers, staff to promote security awareness and
  • Hands-on experience with security technologies, writing/directing all levels of business and technical documentation, including requirements definition, RFP/RFIs, functional specifications, technical specifications, system release checklists, operations acceptance plans, and deployment metrics using MS Excel, as well as agile tools CA Rally and IBM Rational
  • Led activities to implement new security operation center (SOC) for NPAC to establish incident management as well as test response capabilities. Aligned with contractual business requirements, accepted production security systems and processes, and leveraged technical expertise internally and from security product and service suppliers. Led efforts to improve security incident management effectiveness as tools and processes were being acquired and defined (provided hands-on troubleshooting with developers, analysts, and engineers - go to person for security problem management/escalation and resolution when needed)

Confidential, Warren, NJ

Vice President, InfoSec Controls/Data Protection, Global Operations & Technology Risk Management

Responsibilities:

  • Successfully deployed technologies and managed associated processes to establish security program excellence
  • Significant contributor to security policies, standards, and guidelines during transition to FFIEC, ISO and COBIT
  • Expertly defined, initiated, executed, and closed several global information security and data privacy projects to significantly improve data and information security standards across regions
  • Successfully implemented leading-edge technologies and processes on fast-track schedules (3 years or less), provided extensive milestone reporting to global executive management on multiple complex initiatives
  • Successfully reduced annual expenditures by millions of dollars by centralizing key security systems and significantly reducing security risks by consolidating technologies, improving security reporting, and reducing the number of technologies across all divisions
  • Represented all divisions and countries, collectively developed appropriate encryption policies, standards, and security for business applications, enterprise systems, and networking components, including centralized management, resolving production issues associated with expirations and addressing key lifecycle management (replacing crypto keys)
  • Planned and led implementations for new systems to centrally manage asymmetric (s) and secure symmetric keys - developed policies, standards, procedures and guidelines for global cryptography use
  • Managed global process for addressing privacy regulation and key recovery compliance with a view toward business enablement and risk tolerance across divisions/countries - reported on country reviews of privacy laws and encryption use centrally to minimize regulatory and court ordered legal discovery issues (worked with Corporate Security and Legal)
  • Significantly contributed to improvements in global deployments previously accomplished only regionally by shepherding key projects through technology acquisition, planning, initiating projects, and executing on standard program management principles while addressing organizational resistance to new security technology and methods (drove results, helped hands-on when needed)
  • Planned, built, implemented advanced security systems including content monitoring, unstructured data security, transportable media security, and encrypted email (internal and external systems)
  • Served as senior manager on global security incident response team (SIRT), resolved complex security issues
  • Projects included leading data protection (DP), anti-virus, email security, encryption key management/public key infrastructure (Microsoft, Entrust, and Venafi PKIs), internal threat assessments, threat intelligence and monitoring, portable media security, content monitoring, unstructured data security (DLP), identity and access management (IAM), and biometrics for staff and customers

Confidential, New York, NY

Principal Business Analyst

Responsibilities:

  • Effectively aligned business requirements and functional specifications to achieve information security objectives
  • Competently wrote business requirements, security technical requirements, functional specifications, and technical specifications (developed/documented security architecture definition and architecture) for new authorization and authentication system (JP Morgan Investment Banking portal project)
  • Diligently worked with management, peers, purchasing/contracts, and key vendors to develop and manage request for proposal (RFP) process