I’m an information security professional with over 25 years of leadership and hands-on experience designing, implementing, and administering information security programs. Energetic, flexible and results-driven with experience in fast-paced environments delivering security as a competitive advantage. Capable of operating in different corporate cultures and exceptionally adept at translating complex technical concepts into business risk language.
I’ve successfully implemented 5 separate security programs for large to mid-sized companies (as an “acting CISO” consultant with Comcast, IBM and KPMG and as permanent CISO with Frontline Education). My technical background in the last 10 years has focused on SaaS delivery models where companies are transitioning to hybrid cloud environments (on-prem infrastructure/private cloud and AWS production workloads).
Most recently, I developed and implemented Frontline Education’s first comprehensive cybersecurity and data privacy program in 16 months with a small team of two security engineers. This was during a period of significant growth and change including 8 acquisitions, employee growth of 85%, sale of company to PE firm, migration to AWS and transition to SAFe/Scaled Agile Framework. Program covered complex hybrid SaaS infrastructure with over 6k servers in 3 co-location datacenters and AWS. Technology stack consisted of multiple frameworks and code bases (ASP.Net, Java, Node.js, Angular, T-SQL) running on multiple hosts and back-ends (Windows Server, Linux, Mongo, SQL Server, PostgreSQL, AWS Lambda/S3/RDS). Successfully completed SOC 2 Type II certification covering all of Frontline’s products.
This required strong leadership, building consensus, demonstrating results and building credibility as a business partner who can help manage risk.
My accomplishments are based on some key principles:
- Build security in – train “human firewalls”, adjust and configure current workflows/processes to incorporate security controls, make people/teams accountable and reward results, get executives to see it as a strategic priority
- Balance investment across capabilities to prevent, detect and respond to threats – put in “guardrails” not barriers.
- Run security program like a profit center – Justify investments using risk-informed data and manage like any other business initiative. Infosec program should be a competitive differentiator in the market.
Governance, Risk and Compliance
- Developed and delivered customized training covering regulatory compliance, secure software development (OWASP Top 10), CI/CD security considerations and simulated phishing/social engineering
- Established Security KPI Dashboard and quantitative risk assessment based on the Open FAIR methodology to establish clear risk mitigation strategies and justify investments.
- Built unified control framework based on NIST CSF and CSA CCM (for compliance with SOC 2, ISO 27001, HIPAA/HITECH, FERPA, NIST CSF/800-53, PCI DSS, Cloud Security Alliance CCM)
- Established InfoSec team and governance structure
- Developed Security Policy Handbook
- Established vendor risk management process
- Use Objectives & Key Results (OKR) framework to drive results
- Target company acquisition security and privacy due diligence
Infrastructure and End-User Security
- Deployed endpoint detection and response (Carbon Black) across all user devices and servers which provided full infrastructure visibility, threat intelligence, incident investigation/containment and digital forensics.
- Managed large Active Directory clean-up project (700 accounts, 3 separate forests, flat network). Implemented least-privilege principles to redesign user roles, tagged production objects with sensitivity categories and implemented a process to perform quarterly validation and remediation. Built SSO capability with OneLogin and AD integration.
- Developed network segmentation architecture with tech ops leadership. Implemented bastion host model to control access and audit activity to production assets.
- Implemented Tenable.io for asset and vulnerability discovery across 6200 production servers/hypervisors.
- Developed plan to implement Microsoft SQL TDE with DBA team including key management procedures.
- Implemented BYOD security policy and deployed O365 Mobile Application Management for all users.
Secure SaaS Product Development/DevOps/Site Reliability Engineering
- Implemented Secure Product Development program including formal training, threat modeling and automated security testing. Reduced all open vulnerabilities by 60% and eliminated all critical items.
- Established strong working relationships with CTO, Chief Architects and SE Managers. Created “Security Champions Network” consisting of representatives from each product dev team and the assigned architect. Set up Slack/Confluence/GitHub community to share ideas and lessons learned across teams.
- Developed a small team of two security engineers with focus on scripting, automation, configuration and AWS Lambda to improve security operations and support DevOps teams.
- Implemented Interactive AppSec Testing tools (Contrast Security Assess) which provided developers with real-time insights into how vulnerabilities were manifested in the application and more effective redesign plans.
- Implemented Run-time AppSec Protection (Contrast Security Protect) used by SRE team to block active threats and monitor for suspicious activity.
- Conduct regular threat modeling workshops during product design sprints reducing logical security flaws (MS Threat Model Tool using STRIDE methodology, attack trees, OWASP Threat Dragon).
- Implemented SonarQube static code analysis with OWASP Dependency-Check into build process to provide real-time feedback to developers.
- Created GitHub code review triggers to ensure documented approval and linkage to Jira tickets for SOC 2 Type II compliance
- Integrated container security process into dev pipeline to ensure fully patched and compliant configurations were deployed using Twistlock, Chef Automate/InSpec, Quay and OpenSCAP
- Established routine simulated attacks (red teams) using outside experts (Synopsys), internal security team and internal “hackathons” (Sec team paired with developers) to continually assess product security posture.
- Used Building Security In Maturity Model (BSIMM) and results of red team exercises to develop Product Security Scorecards which were used as key performance metrics for Product Management.
- Developed risk-based, data driven vulnerability management program to appropriately prioritize remediation efforts. Built prioritization tool based on OWASP open source project to ensure credible business cases were made to fund and schedule remediation. Forked and customized OWASP’s DefectDojo to integrate vulnerabilities into Jira workflow. Built infosec/privacy initiatives into enterprise agile framework (SAFe) and Jira defect workflows to ensure product security features and remediation were fully integrated into quarterly business performance goals.
- Developed AWS security architecture in tandem with CTO and Application Architects using the AWS Well-Architected Framework and Cloud Security Alliance Cloud Control Matrix (CSA CCM).
- Implemented multiple AWS services jointly with DevOps teams including GuardDuty, Inspector, Config, CloudWatch, IAM, S3 bucket policies/ACLs, Macie and Key Management Service.
- Built AWS Lambda functions triggered by GuardDuty alerts to block IPs automatically.
- Established comprehensive security monitoring and incident management capability. Created playbooks, scripts and communication protocols to ensure all incidents receive quick and adequate response. Conduct ongoing tabletop exercises and simulated attacks.
- Managed an average of 2-3 incidents a week
- Established close working relationship with outside counsel
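The GuardDuty-triggered Lambda described above (“block IPs automatically”) is the one item in this list concrete enough to show as code. What follows is an added illustration written for this page, not the résumé owner’s or Frontline Education’s code, and it assumes a design the résumé does not state: an EventBridge rule forwards GuardDuty findings to the function, which adds a DENY entry for the attacker’s IPv4 address to a VPC network ACL. The NACL id, the environment variable names, the allowlist and the sample finding are all invented for the example; the EC2 client is injected so the blocking logic runs offline, and only lambda_handler() touches boto3.

```python
"""Auto-block remote IPs from GuardDuty findings (added example, hypothetical design)."""
import ipaddress
import os

SEVERITY_THRESHOLD = 7.0          # GuardDuty "High" findings start at 7.0
NACL_MAX_RULE_NUMBER = 32766      # EC2 limit for network ACL rule numbers

# Ranges an auto-blocker must never write a deny for: internal, link-local,
# loopback, multicast. Listed explicitly rather than via ipaddress.is_global so
# the documentation range used in the constructed sample still counts as routable.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4",
)]
# Hypothetical allowlist: known scanners, partners, our own egress addresses.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def extract_remote_ips(finding):
    """Collect remote IPv4 addresses from the GuardDuty action types that carry one."""
    action = finding.get("service", {}).get("action", {})
    ips = []
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    return list(dict.fromkeys(ips))  # de-duplicate, keep first-seen order


def should_block(ip, finding, threshold=SEVERITY_THRESHOLD):
    """Severity gate plus the guards that stop an auto-blocker from blocking itself."""
    if float(finding.get("severity", 0)) < threshold:
        return False
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False  # this example writes IPv4 NACL rules only
    if any(addr in net for net in NEVER_BLOCK):
        return False
    if any(addr in net for net in ALLOWLIST):
        return False
    return True


def nacl_deny_entry(acl_id, rule_number, ip):
    """Keyword arguments for ec2.create_network_acl_entry: inbound, any protocol, deny."""
    if not 1 <= rule_number <= NACL_MAX_RULE_NUMBER:
        raise ValueError("NACL rule number out of range")
    return {
        "NetworkAclId": acl_id,
        "RuleNumber": rule_number,
        "Protocol": "-1",
        "RuleAction": "deny",
        "Egress": False,
        "CidrBlock": f"{ip}/32",
    }


def block_from_finding(finding, ec2, acl_id, first_rule_number):
    """Write a deny rule for each blockable IP in one finding; return the IPs blocked."""
    blocked = []
    rule_number = first_rule_number
    for ip in extract_remote_ips(finding):
        if not should_block(ip, finding):
            continue
        ec2.create_network_acl_entry(**nacl_deny_entry(acl_id, rule_number, ip))
        blocked.append(ip)
        rule_number += 1
    return blocked


def lambda_handler(event, context):
    """Real entry point; BLOCK_NACL_ID and FIRST_RULE_NUMBER are hypothetical env vars."""
    import boto3  # imported here so the rest of the module runs without the SDK
    return {"blocked": block_from_finding(
        event["detail"], boto3.client("ec2"),
        os.environ["BLOCK_NACL_ID"], int(os.environ.get("FIRST_RULE_NUMBER", "100")))}


class RecordingEC2:
    """Stand-in for the boto3 EC2 client: records calls instead of making them."""
    def __init__(self):
        self.entries = []

    def create_network_acl_entry(self, **kwargs):
        self.entries.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Constructed sample in EventBridge shape; not a real finding (198.51.100.0/24 is a documentation range).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            },
        }},
    },
}
# Same finding with an in-VPC remote address; the NEVER_BLOCK guard must skip it.
INTERNAL_EVENT = {"detail": {**SAMPLE_EVENT["detail"], "service": {"action": {
    "actionType": "NETWORK_CONNECTION",
    "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "10.20.30.40"}}}}}}


def demo():
    ec2 = RecordingEC2()
    hit = block_from_finding(SAMPLE_EVENT["detail"], ec2, "acl-0123456789abcdef0", 100)
    miss = block_from_finding(INTERNAL_EVENT["detail"], ec2, "acl-0123456789abcdef0", 101)
    return hit, miss, ec2.entries


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add before running something like this in production: NACL rule numbers must be unique and evaluated lowest-first, so the function needs durable state (a DynamoDB counter, for instance) to hand out numbers rather than the fixed starting value shown here, and the default quota of 20 rules per network ACL makes NACLs a poor long-term sink for automated blocks; a WAF IP set or Network Firewall rule group scales better for the same GuardDuty trigger.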
Security Marketing and Promotion
- Evangelize and promote our security program with current and prospective customers
- Reviewed all contracts and agreements with proposed security/privacy language counter to our MSA. Negotiated directly with customers (and their legal counsel) to modify requirements to ensure both parties could meet obligations.
- Worked with marketing teams to create content for sales and provide thought-leadership through blogging, webinars and customer meetings
- Proposal development and presentations resulting in winning some large deals.
Frontline Education 05/2016 to 10/2018
VP, Chief Information Security Officer
KPMG, Philadelphia, PA 09/2014 to 05/2016
Director, Cybersecurity Services
IBM, Philadelphia, PA 06/2012 to 09/2014
Senior Executive Consultant
COMCAST NBCUniversal, Philadelphia, PA 07/2008 to 05/2012
Executive Director, Technology Risk
DELOITTE, Baltimore, MD / Washington, DC 06/2004 to 06/2008
Senior Manager, Enterprise Risk Services
NORTHROP GRUMMAN, Baltimore, MD 06/1997 to 06/2004
IT Program Manager
PRICEWATERHOUSECOOPERS, Washington, DC 05/1993 to 06/1997
Senior Associate, Computer Assurance Services
|EDUCATION AND CERTIFICATIONS|
Master of Science: Management of Information Technology
University of Virginia, Charlottesville, VA
Bachelor of Science: Accounting (Minor in Decision Information Sciences)
University of Maryland, College Park, MD
Certified Information Systems Security Professional with Information Systems Security Engineering Professional concentration (CISSP-ISSEP), Certified Information Systems Auditor (CISA), Project Management Professional (PMP), Certified Public Accountant (inactive), PCI Professional (PCIP)
|PROFESSIONAL INDUSTRY ACTIVITIES|
Active member and contributor: The Open Group Security Forum, Center for Internet Security (Security Consensus Metrics Team), Cloud Security Alliance (CSA)
And....I like sloths!