About Me
BACKGROUND

I’m an information security professional with over 25 years of leadership and hands-on experience designing, implementing, and administering information security programs. Energetic, flexible and results-driven with experience in fast-paced environments delivering security as a competitive advantage. Capable of operating in different corporate cultures and exceptionally adept at translating complex technical concepts into business risk language.

I’ve successfully implemented 5 separate security programs for large to mid-sized companies (as an “acting CISO” consultant with Comcast, IBM and KPMG and as permanent CISO with Frontline Education). My technical background in the last 10 years has focused on SaaS delivery models where companies are transitioning to hybrid cloud environments (on-prem infrastructure/private cloud and AWS production workloads).

Most recently, I developed and implemented Frontline Education’s first comprehensive cybersecurity and data privacy program in 16 months with a small team of two security engineers. This was during a period of significant growth and change including 8 acquisitions, employee growth of 85%, sale of the company to a PE firm, migration to AWS and transition to SAFe/Scaled Agile Framework. The program covered complex hybrid SaaS infrastructure with over 6k servers in 3 co-location datacenters and AWS. The technology stack consisted of multiple frameworks and code bases (ASP.Net, Java, Node.js, Angular, T-SQL) running on multiple hosts and back-ends (Windows Server, Linux, Mongo, SQL Server, PostgreSQL, AWS Lambda/S3/RDS). Successfully completed SOC 2 Type II certification covering all of Frontline’s products.

This required strong leadership, building consensus, demonstrating results and building credibility as a business partner who can help manage risk.

My accomplishments are based on some key principles:

  • Build security in – train “human firewalls”, adjust and configure current workflows/processes to incorporate security controls, make people/teams accountable and reward results, get executives to see security as a strategic priority
  • Balance investment across capabilities to prevent, detect and respond to threats – put in “guardrails” not barriers.
  • Run security program like a profit center – Justify investments using risk-informed data and manage like any other business initiative. Infosec program should be a competitive differentiator in the market.

ACCOMPLISHMENTS

Governance, Risk and Compliance

Infrastructure and End-User Security

  • Deployed endpoint detection and response (CarbonBlack) across all user devices and servers, which provided full infrastructure visibility, threat intelligence, incident investigation/containment and digital forensics.
  • Managed a large Active Directory clean-up project (700 accounts, 3 separate forests, flat network). Applied least-privilege principles to redesign user roles and tag production objects with sensitivity categories, and implemented a process to perform quarterly validation and remediation. Built SSO capability with OneLogin and AD integration.
  • Developed network segmentation architecture with tech ops leadership. Implemented bastion host model to control access and audit activity to production assets.
  • Implemented Tenable.io for asset and vulnerability discovery across 6200 production servers/hypervisors.
  • Developed plan to implement Microsoft SQL TDE with DBA team including key management procedures.
  • Implemented BYOD security policy and deployed O365 Mobile Application Management for all users.

Secure SaaS Product Development/DevOps/Site Reliability Engineering

  • Implemented Secure Product Development program including formal training, threat modeling and automated security testing. Reduced all open vulnerabilities by 60% and eliminated all critical items.
  • Established strong working relationships with CTO, Chief Architects and SE Managers. Created a “Security Champions Network” consisting of representatives from each product dev team and the assigned architect. Set up a Slack/Confluence/GitHub community to share ideas and lessons learned across teams.
  • Developed a small team of two security engineers with focus on scripting, automation, configuration and AWS Lambda to improve security operations and support DevOps teams.
  • Implemented Interactive AppSec Testing tools (Contrast Security Assess), which provided developers with real-time insights into how vulnerabilities manifested in the application and supported more effective redesign plans.
  • Implemented Run-time AppSec Protection (Contrast Security Protect) used by SRE team to block active threats and monitor for suspicious activity.
  • Conducted regular threat modeling workshops during product design sprints, reducing logical security flaws (Microsoft Threat Modeling Tool using STRIDE methodology, attack trees, OWASP Threat Dragon).
  • Implemented SonarQube static code analysis with OWASP Dependency-Check in the build process to provide real-time feedback to developers.
  • Created GitHub code review triggers to ensure documented approval and linkage to Jira tickets for SOC 2 Type II compliance.
  • Integrated a container security process into the dev pipeline to ensure fully patched and compliant configurations were deployed, using Twistlock, Chef Automate/InSpec, Quay and OpenSCAP.
  • Established routine simulated attacks (red teams) using outside experts (Synopsys), the internal security team and internal “hackathons” (security team paired with developers) to continually assess product security posture.
  • Used Building Security In Maturity Model (BSIMM) and results of red team exercises to develop Product Security Scorecards which were used as key performance metrics for Product Management.
  • Developed a risk-based, data-driven vulnerability management program to appropriately prioritize remediation efforts. Built a prioritization tool based on an OWASP open source project to ensure credible business cases were made to fund and schedule remediation. Forked and customized OWASP’s DefectDojo to integrate vulnerabilities into the Jira workflow. Built infosec/privacy initiatives into the enterprise agile framework (SAFe) and Jira defect workflows to ensure product security features and remediation were fully integrated into quarterly business performance goals.
  • Developed AWS security architecture in tandem with CTO and Application Architects using the AWS Well-Architected Framework and Cloud Security Alliance Cloud Control Matrix (CSA CCM).
  • Implemented multiple AWS services jointly with DevOps teams including GuardDuty, Inspector, Config, CloudWatch, IAM, S3 bucket policies/ACLs, Macie and Key Management Service.
  • Built AWS Lambda functions triggered by GuardDuty alerts to block IPs automatically.
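The GuardDuty-to-Lambda auto-block pattern mentioned above, as an added example (not the author's or Frontline's code). It assumes an EventBridge rule delivers GuardDuty findings to the function, the NACL id arrives in a NACL_ID environment variable, any VPC CIDRs the operator wants protected are listed in a hypothetical VPC_CIDRS variable, and automated denies live in a hypothetical rule-number window 100-119 (which fits the default NACL quota of 20 inbound rules). The decision logic is kept separate from the AWS calls so it can be exercised offline against a constructed finding; the safety checks (never block private or VPC-internal sources, ignore low-severity findings, do not duplicate an existing entry, stop when the window is full) are the parts that bite in production.

```python
"""Added example: GuardDuty finding -> network ACL DENY entry via Lambda."""
import ipaddress
import os
from typing import Dict, List, Optional

RULE_MIN, RULE_MAX = 100, 119   # hypothetical window reserved for automated denies
MIN_SEVERITY = 7.0              # GuardDuty "High" severity starts at 7.0

# Sources we must never blackhole: RFC 1918, loopback, link-local, CGNAT, plus
# any VPC CIDRs the operator lists in the (hypothetical) VPC_CIDRS env var.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)] + [ipaddress.ip_network(c.strip())
      for c in os.environ.get("VPC_CIDRS", "").split(",") if c.strip()]


def extract_remote_ip(event: Dict) -> Optional[str]:
    """Return the remote IPv4 from a GuardDuty finding, whichever action type carried it."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    candidates = [
        action.get("networkConnectionAction", {}),
        action.get("awsApiCallAction", {}),
    ] + action.get("portProbeAction", {}).get("portProbeDetails", [])
    for block in candidates:
        ip = block.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None


def should_block(ip: str, severity: float) -> bool:
    """Block only public IPv4 sources on high-severity findings. A private or
    in-VPC source (internal scan, misconfigured host) needs a human, not a NACL."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4 or any(addr in net for net in NEVER_BLOCK):
        return False
    return severity >= MIN_SEVERITY


def plan_block(event: Dict, existing: List[Dict]) -> Optional[Dict]:
    """Pure decision logic: the NACL entry to create, or None when nothing should change.
    `existing` is the inbound entry list in the shape describe_network_acls returns."""
    ip = extract_remote_ip(event)
    severity = float(event.get("detail", {}).get("severity", 0))
    if ip is None or not should_block(ip, severity):
        return None
    cidr = f"{ip}/32"
    if any(e.get("CidrBlock") == cidr for e in existing):
        return None                      # already denied; do not burn another rule
    taken = {e["RuleNumber"] for e in existing}
    free = [n for n in range(RULE_MIN, RULE_MAX + 1) if n not in taken]
    if not free:
        return None                      # window full: page someone rather than fail silently
    return {"RuleNumber": free[0], "Protocol": "-1", "RuleAction": "deny",
            "Egress": False, "CidrBlock": cidr}


def lambda_handler(event, context):
    """EventBridge entry point. boto3 is imported here so plan_block() stays testable offline."""
    import boto3                         # present in the Lambda runtime
    ec2 = boto3.client("ec2")
    nacl_id = os.environ["NACL_ID"]
    acl = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]
    inbound = [e for e in acl["Entries"] if not e["Egress"]]
    entry = plan_block(event, inbound)
    if entry is None:
        return {"blocked": False}
    ec2.create_network_acl_entry(NetworkAclId=nacl_id, **entry)
    return {"blocked": True, "entry": entry}


# Constructed sample finding: shape follows GuardDuty's EventBridge event, values invented.
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            }}},
    },
}
# Constructed inbound entries already on the NACL (rule 100 is taken).
SAMPLE_ENTRIES = [{"RuleNumber": 100, "Egress": False, "CidrBlock": "203.0.113.9/32"}]

if __name__ == "__main__":
    print(plan_block(SAMPLE_FINDING, SAMPLE_ENTRIES))
```

Two operational notes: a NACL deny is stateless and applies to the whole subnet, so a mistaken block of a partner or monitoring address takes the subnet's return traffic down with it, which is why the never-block list and the duplicate check exist; and the 20-rule default quota means the window fills quickly, so a companion job that expires old entries (or a move to a WAF IP set for web tiers) is the usual next step.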

Security Operations

  • Established comprehensive security monitoring and incident management capability. Created playbooks, scripts and communication protocols to ensure all incidents receive quick and adequate response. Conducted ongoing tabletop exercises and simulated attacks.
    • Implemented OpsGenie to track, monitor and communicate security incidents
    • CarbonBlack Response implemented and monitored for all production servers
    • Implemented Demisto incident orchestration platform to automate playbooks
  • Managed an average of 2-3 incidents a week
  • Established close working relationship with outside counsel

Security Marketing and Promotion

  • Evangelized and promoted our security program with current and prospective customers.
  • Reviewed all contracts and agreements with proposed security/privacy language counter to our MSA. Negotiated directly with customers (and their legal counsel) to modify requirements to ensure both parties could meet obligations.
  • Worked with marketing teams to create content for sales and provide thought leadership through blogging, webinars and customer meetings.
  • Developed proposals and presentations that resulted in winning some large deals.

WORK HISTORY

Frontline Education                                                        05/2016 to 10/2018

VP, Chief Information Security Officer

KPMG, Philadelphia, PA                                                 09/2014 to 05/2016

Director, Cybersecurity Services

IBM, Philadelphia, PA                                                     06/2012 to 09/2014

Senior Executive Consultant

COMCAST NBCUniversal, Philadelphia, PA                07/2008 to 05/2012

Executive Director, Technology Risk

DELOITTE, Baltimore, MD /Washington, DC              06/2004 to 06/2008

Senior Manager, Enterprise Risk Services

NORTHROP GRUMMAN, Baltimore, MD                    06/1997 to 06/2004

IT Program Manager

PRICEWATERHOUSECOOPERS, Washington, DC       05/1993 to 06/1997

Senior Associate, Computer Assurance Services

EDUCATION AND CERTIFICATIONS

Master of Science: Management of Information Technology

University of Virginia, Charlottesville, VA

Bachelor of Science: Accounting (Minor in Decision Information Sciences)

University of Maryland, College Park, MD

Certified Information Systems Security Professional with Information Systems Security Engineering Professional concentration (CISSP-ISSEP), Certified Information Systems Auditor (CISA), Project Management Professional (PMP), Certified Public Accountant (inactive), PCI Professional (PCIP)

PROFESSIONAL INDUSTRY ACTIVITIES

Active member and contributor: The Open Group Security Forum, Center for Internet Security (Security Consensus Metrics Team), Cloud Security Alliance (CSA)

And....I like sloths!