Understanding Risk: Curriculum Vitae (Abridged)

Qualifications

Developed proprietary risk and compliance management methodology based in part on NIST Special Publication guidance.
Extensive experience with government and industry security regulations including:
    - NERC CIP     - ISO 2700X            - PCI DSS
    - GLBA            - FFIEC IT Work Program    - HIPAA Security
    - DIACAP        - FIPS Guidelines                  - NIST Guidelines

Certified PCI QSA November 2007-November 2008
12 Years experience providing pre and post sales support of security products and managed services
16 Years experience conducting risk-based information security and privacy controls analysis
16 Years experience conducting incident response activities and technical investigations
16 Years experience writing technical reports and proposals
16 Years providing IT training to client and internal personnel and public speaking on security
16 Years experience designing and implementing IT solutions based on specific organizational requirements, federal regulations, and international standards
16 Years providing executive and senior-management level security briefings
15 Years experience managing network projects and personnel
7 years experience with web application development and security including:

Experience

Vice President, Senior Consultant

Large Bank

Nov 2009 - Present

Conducted third-party security reviews of external organizations that process Bank customer data to ensure appropriate security controls are in place.
Assisted in the development of new third party review process, incorporating self-developed asset-based security assessment methodology to ensure effective and efficient reviews.
Conducted application security control assessments of internal applications deployed within North America.

Founder/Developer/Consultant

SCIF Software, Inc.

Dec, 2008 - Present

Developed Open-Source GRC management application SCIF (Security Control Information Framework) over a seven year period and used on numerous consulting engagements to provide efficient and effective analysis of security controls in place and compliance with internal and external regulations.
Currently re-factoring code in preparation of open-source release.

Senior Security Consultant

Various Consultancies
May 2005 - December 2008

Utilizing self-developed SCIF application, implemented regulatory gap-analysis process to:

Identify and document auditable security controls that implemented the NERC Critical Infrastructure Protection (CIP) cyber security standards
Assess all relevant assets (facilities, personnel, devices, etc…) and determine regulatory deficiencies

Developed two year budget estimate and detailed project plan to address all deficiencies including:

Personnel background investigations and training
System configurations including backup and disaster recovery plans and patch management
Security monitoring including intrusion detection, security event monitoring
Vulnerability assessments and vulnerability management

Provided technical assistance with third party and internal audit of CIP implementation program.

Consultant specializing in Network and Endpoint Security, Incident Response Management, and Regulatory Compliance

Provided consulting support to clients to ensure compliance with PCI Data Security Standard
Provided assistance to project leads for ISO27000 and PCI audits to ensure appropriate and compliant controls were in place and functioning
Reviewed and developed ISO 27000, PCI, and third-party (Client) compliant security policies and procedures

Pre and Post Sales Engineer

Various Managed Security Service Providers
Jul 2002– May 2005

Provided pre and post sales support for managed security services and security products;
Provided strategic guidance to organizations in employing managed security services
Assisted internal security personnel with integrating managed security services into internal operations
Provided consulting services that complemented managed services:

Performed technical investigations regarding intrusions of client network
Provided security consultations to client and potential client personnel regarding a variety of security issues including: Database Security and Administration, Security Management, Perimeter security, and Risk and Vulnerability Assessment
Provided regulatory compliance (FFIEC, HIPAA, NERC, SOX, PCI) consulting to variety of financial services, health care, and energy services clients

Senior Security Consultant

Security Consultancies
Mar 1998-July 2002

Provided pre-sales support for and consulted on a variety of information technology infrastructure projects:
Regulatory compliance including Government regulations, FFIEC, HIPAA, and NIST security standards
Conducted assessments of client hosts and networks; analyzed the structure of the networks, identified vulnerabilities and single points of failure, then recommended procedures for enhancing security, reliability, and connectivity

Counterintelligence Agent

Armed Forces - World Superpower
May 1993 - Mar 1998

Coordinated with and assisted the US Army CERT in the investigation of network intrusions
Performed numerous personnel security and counter-espionage investigations

Public Speaking Engagements

Breakout Session, Society of Corporate Compliance and Ethics 2010 Energy Compliance Conference: From Compliant to Compliance Management
Waterpower XVI, annual conference for the hydro industry, Electric System Reliability Symposium, “Tools and Technology: Making Reporting More Manageable”
Webinar for the Society of Corporate Compliance and Ethics on Understanding and Communicating NERC CIP Requirements
Developed and presented a 12 hour seminar on IT security and regulatory compliance for the Independent Community Bankers Association
Provided Security Training to the Wisconsin Bankers Association, The Western Michigan IT Management Association, and the FDIC
Presented to ISSA regional conference on IT Security and Incident Response
Presented seminar on evaluating network security at SANS Network Security 2000

Understanding Risk