Qualifications
- Developed proprietary risk and compliance management methodology based in part on NIST Special Publication guidance.
- Extensive experience with government and industry security regulations including:
  - NERC CIP
  - ISO 2700X
  - PCI DSS
  - GLBA
  - FFIEC IT Work Program
  - HIPAA Security
  - DIACAP
  - FIPS Guidelines
  - NIST Guidelines
- Certified PCI QSA November 2007-November 2008
- 12 Years experience providing pre- and post-sales support of security products and managed services
- 16 Years experience conducting risk-based information security and privacy controls analysis
- 16 Years experience conducting incident response activities and technical investigations
- 16 Years experience writing technical reports and proposals
- 16 Years providing IT training to client and internal personnel and public speaking on security
- 16 Years experience designing and implementing IT solutions based on specific organizational requirements, federal regulations, and international standards
- 16 Years providing executive and senior-management level security briefings
- 15 Years experience managing network projects and personnel
- 7 years experience with web application development and security including:
  - XSS/XSRF/SQL injection identification and prevention
  - Session hardening
- Experienced web programmer utilizing Python, HTML, CSS, JSON, and AJAX
Experience
Vice President, Senior Consultant
Large Bank
Nov 2009 - Present
- Senior Consultant working within Information Security and Risk group.
- Conducted third-party security reviews of external organizations that process Bank customer data to ensure appropriate security controls are in place.
- Assisted in the development of a new third-party review process, incorporating self-developed asset-based security assessment methodology to ensure effective and efficient reviews.
- Conducted application security control assessments of internal applications deployed within North America.
Founder/Developer/Consultant
SCIF Software, Inc.
Dec, 2008 - Present
- Developed Open-Source GRC management application SCIF (Security Control Information Framework) over a seven year period and used on numerous consulting engagements to provide efficient and effective analysis of security controls in place and compliance with internal and external regulations.
- Currently re-factoring code in preparation for open-source release.
Senior Security Consultant
Various Consultancies
May 2005 - December 2008
- Consultant placed at a large, publicly-traded electric utility company.
- Utilizing self-developed SCIF application, implemented regulatory gap-analysis process to:
  - Identify and document auditable security controls that implemented the NERC Critical Infrastructure Protection (CIP) cyber security standards
  - Assess all relevant assets (facilities, personnel, devices, etc…) and determine regulatory deficiencies
- Developed two year budget estimate and detailed project plan to address all deficiencies including:
  - Personnel background investigations and training
  - System configurations including backup and disaster recovery plans and patch management
  - Security monitoring including intrusion detection, security event monitoring
  - Vulnerability assessments and vulnerability management
- Provided technical assistance with third party and internal audit of CIP implementation program.
- Consultant specializing in Network and Endpoint Security, Incident Response Management, and Regulatory Compliance
- Provided consulting support to clients to ensure compliance with PCI Data Security Standard
- Provided assistance to project leads for ISO 27000 and PCI audits to ensure appropriate and compliant controls were in place and functioning
- Reviewed and developed ISO 27000, PCI, and third-party (Client) compliant security policies and procedures
Pre- and Post-Sales Engineer
Various Managed Security Service Providers
Jul 2002 - May 2005
- Provided pre- and post-sales support for managed security services and security products
- Provided strategic guidance to organizations in employing managed security services
- Assisted internal security personnel with integrating managed security services into internal operations
- Provided consulting services that complemented managed services:
  - Performed technical investigations regarding intrusions of client networks
- Provided security consultations to client and potential client personnel regarding a variety of security issues including: Database Security and Administration, Security Management, Perimeter security, and Risk and Vulnerability Assessment
- Provided regulatory compliance (FFIEC, HIPAA, NERC, SOX, PCI) consulting to a variety of financial services, health care, and energy services clients
Senior Security Consultant
Security Consultancies
Mar 1998 - July 2002
- Provided pre-sales support for and consulted on a variety of information technology infrastructure projects:
  - Regulatory compliance including Government regulations, FFIEC, HIPAA, and NIST security standards
  - Conducted assessments of client hosts and networks; analyzed the structure of the networks, identified vulnerabilities and single points of failure, then recommended procedures for enhancing security, reliability, and connectivity
Counterintelligence Agent
Armed Forces - World Superpower
May 1993 - Mar 1998
- Coordinated with and assisted the US Army CERT in the investigation of network intrusions
- Performed numerous personnel security and counter-espionage investigations
Public Speaking Engagements
- Breakout Session, Society of Corporate Compliance and Ethics 2010 Energy Compliance Conference: From Compliant to Compliance Management
- Waterpower XVI, annual conference for the hydro industry, Electric System Reliability Symposium, “Tools and Technology: Making Reporting More Manageable”
- Webinar for the Society of Corporate Compliance and Ethics on Understanding and Communicating NERC CIP Requirements
- Developed and presented a 12 hour seminar on IT security and regulatory compliance for the Independent Community Bankers Association
- Provided Security Training to the Wisconsin Bankers Association, The Western Michigan IT Management Association, and the FDIC
- Presented to ISSA regional conference on IT Security and Incident Response
- Presented seminar on evaluating network security at SANS Network Security 2000