- As a thought leader, consensus builder and integrator of risk management, information assurance and data privacy, I attain compliance with state and federal security frameworks and with national and international mandates by aligning with business and risk owners.
- I remain flexible to changing directives, and periodically think outside the box in meeting the intent of a control, providing assurance that secure data, applications, and technologies remain protected and that expectations are met or exceeded.
- As a former CISO, I understand and meet the need for thorough documentation, integrity, and transparency, trusted relationships, leading by example, and ensuring objectives are met.
- As a member of the global cyber GRC/GRV team I have ensured alignment with business strategies and the security posture, enabling technologies to achieve business growth by asking the hard questions and driving root-cause analysis.
- Embraced by executive leadership, my recommendation that the impact and likelihood of exploit of an identified risk or vulnerability be included in the vendor, product, or software GRV process led to prioritization and timely remediation, cohesive alignment with project management, and allocation of assets.
- My performance goals of cutting costs, addressing irrelevant security controls across multiple frameworks, and demonstrating process improvement were met by tracking remediation and collaborating with risk owners, ensuring timelines and strategies were met as agreed, and providing guidance while embracing teachable moments.
- I conducted a gap analysis for our global Secure Operations Center (SOC) in preparation for ISO 27001 ISMS certification. By applying my experience as a trusted certification agent for the DoN SPAWAR certification authority, I created a project-specific risk register identifying opportunities and proactively drafting policy updates for executive leadership and legal teams. Standards were updated, and the implementation steps and timeline for completion were documented and shared with the global cyber security teams. I drafted and presented role-based security training for ISO operations and led discussions addressing unfamiliar security controls.
- I mapped PCI:DSS, HIPAA, ISMS, SOX2, and SSAE security controls to the ISO 270xx, and developed a cohesive common controls matrix. I identified and documented redundancies and erroneous information, eliminating duplication of effort and providing a cohesive structure within business units.
- ISO certification efforts were streamlined due to my proactive approach to maturing and obtaining executive approval of global policies and standards. ISO internal and external audit teams were aligned, which expedited the process and eliminated findings, duplication of effort, and scope creep.
- Leveraging my experience as a Department of Defense (DoD) information assurance audit and assessment agent, I reduce redundancy by aligning information and data security compliance factors to multiple state, federal and international cyber laws and regulations.
- In partnership with the LVSC global Program Management Office, I proactively identify the potential impact to the LVSC risk threshold and common security controls sustaining secure operations. By conducting threat and risk assessments of vendors, applications, and information assurance solutions, I quantify respective risk factors contributing to sustainable, cohesive asset and risk management programs.
- Aligns with local and international subject matter experts (SMEs), cultures, and the Corporate Strategic Review Board.
- Develops and presents security awareness and role-based training to team members and business units.
Lead Security Architect
- While assessing the security posture of systems and software applications critical to Confidential operations and strategic initiatives, I identified potential risks to the organizations and remediation and/or mitigating strategies, thereby reducing the likelihood of exploitation and data loss.
- Precluding the introduction of new risks or unidentified vulnerabilities was accomplished by my participation in change management control board meetings. I assessed the potential impact proposed changes may have on current security operations, evaluated vendor compliance with OWASP and secure software development and testing protocols, and accomplished root-cause analysis of driving change factors.
- Developed and presented the business case for a third-party risk management program that reduced the likelihood of introducing new risks or deploying insecure software into the operational environment. Implementation afforded visibility into the vendor's security posture, identification of risks and concerns, and assurance that compliance with Confidential security policies and procedures was achieved.
- Developed and conducted the security awareness program, providing explanation of security controls and their respective intent. Training was role-based and specific, which provided team members with an understanding of their individual security roles within the organization.
- Ensured PCI:DSS compliance factors, assessed ISO27001 certification initiatives, and aligned secure operations with the NIST.
Sr. Information Security Consultant
- In preparation for PCI/SOX recertification audits, I assessed the security posture and conducted a gap analysis of current policies and procedures, identifying critical assets and the priority for their restoration. I participated in BIA assessments and disaster recovery exercises, and identified and mapped risks to a common controls framework, providing proven corrective strategies and timely response.
- Based on the data value, ROI, MTD and risk appetite, I proposed and implemented effective remediation and/or mitigating strategies meeting recovery time objectives.
- Provided and presented metrics identifying continued progress and opportunities for improvement to the executive leadership for process improvement and maturing cyber and data security operations.
- In collaboration with team leaders, subject matter experts and key contributors, policies and procedures were updated or developed, and approved by executive leadership.
- Standards were vetted and security awareness training programs designed and presented to engineering teams, software development leads, and the legal/compliance departments in an understandable or common language.
Sr. Information Security Consultant
- Provided oversight of NIST 8500 and ISO 270xx (ISMS) information assurance compliance factors, ensuring the success of the SPAWAR DCAO (Data Consolidation & Application Optimization) transition program and the vendor and risk management programs, and ensuring compliance factors were met or gaps assessed and documented.
- I conducted internal audits, risk assessments, physical penetration tests, and applied security technical implementation guides, assessing the effectiveness of respective security controls and assuring the confidentiality, integrity and availability of data and assets. This ensured that "in-scope" assets were identified and afforded the appropriate level of security, gaps were assessed, and recommendations for aligning with the NIST were provided to business units.
- By developing and testing incident response and disaster recovery plans, aligning policies, standards, and guidelines with business strategies, and developing a managed risk-register, the recertification audit was streamlined and successful.
Chief Information Security Officer (CISO)
- As the CSO/CISO and Information Security Officer I aligned strategic initiatives and business objectives with key security frameworks, to include HIPAA/HITECH, PCI:DSS, NIST, COBIT, DOD 8500 series, and ISO27000 ISMS. Developed successful and productive customer and vendor relationships by providing concrete leadership, sound guidance and project plans, and maintaining a flexible, collaborative approach.
- Initiated the Change Control Board (CCB) Charter, a classification management framework, and a dynamic security education, training and awareness program.
- Authored, maintained, and participated in annual/periodic testing of the Continuity of Operations (COOP), Disaster Recovery (DRP) and Incident Response Plans (IRP).
- Maintained evaluation of SCADA controls and of vendor SSAE16, SAS70 or ISO17799 audit reports and findings, and matured the vendor risk management program.
- Applying a clear understanding of mission needs for government and commercial healthcare systems, medical case management systems, and the development and engagement of in-home health care management tools, I effectively managed strategic programs and initiatives and contributed to successful mitigating and/or remediation strategies for cyber risks with an eye on aggregation.
- Working collaboratively with IT, system administrators, software development teams and third-party vendors, potential risks and vulnerabilities were identified early in the development cycle and mitigated and/or remediated in a timely and acceptable manner, abating the impact of a loss or compromise of critical and sensitive information.
- Security awareness training programs were delivered sustaining the corporate security posture.
- I participated in corporate and new business initiatives providing cyber and data security guidance. Conducted periodic internal audits and implemented effective and reasonable policies and practices ensuring sensitive data, systems and networks were compliant with relevant legislation and mandates. Plans of actions and milestones were developed and maintained providing transparency and real-time visibility and reporting.
- In an Agile environment and throughout the system and software development lifecycles, I participated in SCRUM meetings ensuring compliance factors were designed into the product specifications.
- Received recognition from the USMC Official Designated Approval Authority (ODAA) for exceeding expectations in obtaining the Authority to Operate (ATO) in a timely and cost-effective manner: “The DIACAP process for the Government Health Case Management System has been completed and the ATO granted. This is a huge achievement and would not have been possible without tremendous effort from our contractor Confidential (esp. Pati McGaffigan) and our government Senior Technical Architect.”