Curriculum Vitae (Abridged)

Qualifications
  • Developed proprietary risk and compliance management methodology based in part on NIST Special Publication guidance.
  • Extensive experience with government and industry security regulations including:
        - NERC CIP
        - ISO 2700X
        - PCI DSS
        - GLBA
        - FFIEC IT Work Program
        - HIPAA Security
        - DIACAP
        - FIPS Guidelines
        - NIST Guidelines
  • Certified PCI QSA November 2007-November 2008
  • 12 years of experience providing pre- and post-sales support for security products and managed services
  • 16 years of experience conducting risk-based information security and privacy controls analysis
  • 16 years of experience conducting incident response activities and technical investigations
  • 16 years of experience writing technical reports and proposals
  • 16 years providing IT training to client and internal personnel and public speaking on security
  • 16 years of experience designing and implementing IT solutions based on specific organizational requirements, federal regulations, and international standards
  • 16 years providing executive- and senior-management-level security briefings
  • 15 years of experience managing network projects and personnel
  • 7 years of experience with web application development and security, including:
    • XSS/XSRF/SQL injection identification and prevention
    • Session hardening
  • Experienced web programmer utilizing Python, HTML, CSS, JSON, and AJAX
Experience

Vice President, Senior Consultant
Large Bank
Nov 2009 - Present
  • Senior Consultant working within Information Security and Risk group.
    • Conducted third-party security reviews of external organizations that process Bank customer data to ensure appropriate security controls are in place.
    • Assisted in the development of a new third-party review process, incorporating a self-developed asset-based security assessment methodology to ensure effective and efficient reviews.
    • Conducted application security control assessments of internal applications deployed within North America.
Founder/Developer/Consultant
SCIF Software, Inc.
Dec 2008 - Present
  • Developed the open-source GRC management application SCIF (Security Control Information Framework) over a seven-year period and used it on numerous consulting engagements to provide efficient and effective analysis of security controls in place and of compliance with internal and external regulations.
  • Currently refactoring code in preparation for open-source release.
Senior Security Consultant
Various Consultancies
May 2005 - December 2008
  • Consultant placed at a large, publicly-traded electric utility company.
    • Utilizing the self-developed SCIF application, implemented a regulatory gap-analysis process to:
      • Identify and document auditable security controls that implemented the NERC Critical Infrastructure Protection (CIP) cyber security standards
      • Assess all relevant assets (facilities, personnel, devices, etc.) and determine regulatory deficiencies
    • Developed a two-year budget estimate and detailed project plan to address all deficiencies, including:
      • Personnel background investigations and training
      • System configurations including backup and disaster recovery plans and patch management
      • Security monitoring, including intrusion detection and security event monitoring
      • Vulnerability assessments and vulnerability management
    • Provided technical assistance with third-party and internal audits of the CIP implementation program.
  • Consultant specializing in Network and Endpoint Security, Incident Response Management, and Regulatory Compliance
    • Provided consulting support to clients to ensure compliance with the PCI Data Security Standard
    • Provided assistance to project leads for ISO 27000 and PCI audits to ensure appropriate and compliant controls were in place and functioning
    • Reviewed and developed ISO 27000-, PCI-, and third-party (client)-compliant security policies and procedures
Pre- and Post-Sales Engineer
Various Managed Security Service Providers
Jul 2002 - May 2005
  • Provided pre- and post-sales support for managed security services and security products
  • Provided strategic guidance to organizations in employing managed security services
  • Assisted internal security personnel with integrating managed security services into internal operations
  • Provided consulting services that complemented managed services:
    • Performed technical investigations regarding intrusions of client networks
    • Provided security consultations to client and potential-client personnel regarding a variety of security issues, including database security and administration, security management, perimeter security, and risk and vulnerability assessment
    • Provided regulatory compliance (FFIEC, HIPAA, NERC, SOX, PCI) consulting to a variety of financial services, health care, and energy services clients
Senior Security Consultant
Security Consultancies
Mar 1998 - Jul 2002
  • Provided pre-sales support for and consulted on a variety of information technology infrastructure projects:
    • Regulatory compliance, including government regulations, FFIEC, HIPAA, and NIST security standards
    • Conducted assessments of client hosts and networks; analyzed the structure of the networks, identified vulnerabilities and single points of failure, then recommended procedures for enhancing security, reliability, and connectivity
Counterintelligence Agent
Armed Forces - World Superpower
May 1993 - Mar 1998
  • Coordinated with and assisted the US Army CERT in the investigation of network intrusions
  • Performed numerous personnel security and counter-espionage investigations
Public Speaking Engagements
  • Breakout Session, Society of Corporate Compliance and Ethics 2010 Energy Compliance Conference: From Compliant to Compliance Management
  • Waterpower XVI, annual conference for the hydro industry, Electric System Reliability Symposium: “Tools and Technology: Making Reporting More Manageable”
  • Webinar for the Society of Corporate Compliance and Ethics on Understanding and Communicating NERC CIP Requirements
  • Developed and presented a 12-hour seminar on IT security and regulatory compliance for the Independent Community Bankers Association
  • Provided security training to the Wisconsin Bankers Association, the Western Michigan IT Management Association, and the FDIC
  • Presented at an ISSA regional conference on IT Security and Incident Response
  • Presented seminar on evaluating network security at SANS Network Security 2000