MATT TOLBERT

 

2359 Railroad Street, Apt 2722, Pittsburgh PA 15222  (908) 391-2172  Matthew.B.Tolbert@gmail.com   www.linkedin.com/in/matttolbert
 

 

EXPERIENCED INFORMATION SECURITY, IT AUDIT, & RISK MANAGEMENT LEADER

 

Certified Information Security Manager (CISM)    Certified Information Systems Auditor (CISA)

Certified Information Systems Security Professional (CISSP)   Certified ITIL   Certified Risk and Information Systems Controls (CRISC)

Certified Third Party Risk Professional (CTPRP)

University of Pittsburgh:  B.A. Physics and B.A. History & Philosophy of Science.  Graduated 1989 with honors cum laude.

 

Offering expertise to successfully implement and improve cybersecurity, IT audit, regulatory and risk management strategy.

 

Regulatory experience: BASEL, BSA, FFIEC, FISMA, GLBA, HIPAA, JSOX, NERC CIP, NRC 10 CFR 73, PCI DSS,
Sarbanes Oxley 404/ICFR, and Singapore MAS. 
Standards experience:  CMM, COBIT 5, COSO, FAIR, ISO 27001 / ISO 27002, ITIL v3, NIST, SSAE 16 / ISAE 3402.
 

First Vice President, Technology Risk Officer,  First Niagara Financial Group

Pittsburgh, PA    March 2014 – Present

 

Leader for one of America’s largest and most well-respected regional banks with dual responsibilities: Technology Risk Officer establishing First Niagara’s first and second line of defense IT risk management strategy, and Senior Security Architect for First Niagara’s next-generation Internet commercial and retail customer banking services.  Recruited, managed and mentored 12 security and risk professionals plus First Niagara’s 7 IT risk liaisons. Accomplishments improving First Niagara’s cybersecurity, risk management and regulatory compliance capabilities:
 

·               Cybersecurity & Risk Management Strategy:  earned in 2014 the Board of Directors’ and OCC regulators’ approval to implement First Niagara’s new cybersecurity and technology risk management strategy.  Completed this program in 2015 through programs and policy establishing IT governance (based on the “three lines of defense” model), risk analysis, technology controls assessment, and vendor risk management.  Communicated quarterly to Executive Leadership and the Board of Directors on key risk indicators, controls effectiveness, and regulatory compliance.

·               Merger & Acquisition: currently serving on Key Bank’s Acquisition Committee leading security, risk management, and regulatory compliance for the integration of First Niagara’s core banking systems and the secure conversion of customer data.  Responsible for sustaining business as usual technology control effectiveness while also ensuring Key Bank achieves Department of Justice, OCC and Cleveland Federal Reserve approval to allow for an on-schedule merger.

·               Vendor Management:  implemented third party risk management controls, metrics and assessment services, including for ACI, Fidelity Services (FIS), FiServ, FundTech/D+H, Vantiv, Wausau, and managed security service providers (MSSPs).

·               Security Architecture: led the design and vendor selection of “next generation” access, network, and fraud detection controls for First Niagara’s new online customer banking services encompassing Apple Pay, web portals, mobile devices, payment transmission, platform virtualization (VMWare), and third party cloud services (Amazon Web Services and Microsoft Azure).  Incorporated SAML, OpenID and OAuth standards addressing customers’ expectations for easy yet secure access, including the use of LinkedIn and Facebook/Instagram social networking accounts.

·               IT Controls Implementation:  led the improvement of change management, incident management, network firewall, and cyber-insurance, significantly reducing disruptive technology events while also advancing First Niagara’s ability to withstand financial losses from cyber-attacks, fraud and unplanned technology outages.

·               Regulatory Compliance:  managed effective relationships with the OCC and the New York Federal Reserve, ensuring First Niagara’s technology controls and compliance services successfully passed OCC/FFIEC exams in 2014, 2015 and 2016 without MRAs/MRIAs. Led First Niagara’s Sarbanes Oxley/ICFR, GLBA, and PCI DSS assessments programs.  Resolved legacy OCC concerns with vendor risk management and change management. Ensured First Niagara’s ability to perform as well as successfully pass SSAE 16 SOC 2 Type 1 and 2 assessments. 

·               Governance, Risk and Compliance:  collaborated with the Chief Risk Officer to implement First Niagara’s new GRC strategy.  Ensured quarterly reporting of risk management effectiveness, key risk indicators, and emerging risk trends to the Enterprise Risk Management Committee and the Board of Directors’ Risk Committee.  Established First Niagara’s technology risk appetite setting acceptable financial loss thresholds.  Lead First Niagara’s RSA Archer 6.0 design for IT risk management, completing all application configuration, integration, control framework, and data architecture planning. 

·               Risk Assessment:  led the development of First Niagara’s IT Risk Control Self-Assessments (RCSA).  Established key risk indicators as well as quantitative risk analytics capabilities based on FAIR allowing Executive Leadership to make informed controls and risk management investment decisions.  Improved assessment efficiency and reduced the time burden on IT personnel’s participation by instituting a unified security controls assessment program.

·               Crisis Management:  led the improvement of First Niagara’s disaster recovery, incident response, and crisis management capabilities addressing cyber-attacks, fraud, unplanned technology outages, and other disruptive events.

Chief Information Security Officer, Duquesne Light

Pittsburgh, PA    October 2013 – December 2013

 

Interim Chief Information Security Officer advising Duquesne Light’s Executive Leadership and Board of Directors on cybersecurity, regulatory compliance, and insurance solutions.  Completed the development of Duquesne Light’s cybersecurity strategy to implement security operations, regulatory compliance (including NERC CIP and PCI DSS), and risk management solutions.  Resolved compliance issues with new Federal critical information protection regulations, and established controls protecting customers’ private information in Duquesne Light’s new Oracle Customer Management System.
 

 

Managing Director, Technology Risk Management, Bank of New York Mellon

Pittsburgh, PA and New York City     September 2012 – October 2013

 

Leader responsible for implementing BNY Mellon’s technology risk assessment strategy, program and policies for security controls protecting $26.6 trillion in transactions and assets under custody.  Accomplishments improving BNY Mellon’s cybersecurity, risk management and regulatory compliance capabilities:
 

·               Security and Risk Services:  managed and mentored three teams comprising 20 professionals plus security vendors and contractors providing services including application and infrastructure security assessments, dynamic and static code analysis, ethical hacking, firewall management, mobile device (iOS and Android) security reviews, threat and vulnerability analysis, and U.S. and international regulatory compliance testing. 

·               Guidance to Leadership:  presented risk assessment and analysis findings to BNY Mellon’s Executive Team as well as Board of Directors. Recommended technology priorities based on how threats and risks exposed BNY Mellon and its clients to the largest financial losses or regulatory issues. 

·               Security and Risk Metrics:  developed and presented vulnerability and risk compliance reports plus scorecards using RSA Archer.  Improved BNY Mellon’s security metrics program by using the Capability Maturity Model (CMM), ISO27001 and ITIL resulting in Information Technology and business unit cooperation in promptly resolving security and risk findings.

·               Enabling Use of New Technology:  established security and risk management solutions allowing BNY Mellon to securely use new technology such as SaaS, cloud computing, mobile devices and BYOD.

·               Vendor Management:  completed vendor and 3^rd party security assessments based on SSAE 16 and ISAE 3402.

·               Threat and Vulnerability Analysis:  built BNY Mellon’s Risk Lab to test new attacks (such as denial of service and advanced persistent threats) to critical systems and to determine new cybersecurity controls’ effectiveness.
 

 

Global Manager of Information Security, Westinghouse Electric

Pittsburgh, PA     July 2009 – August 2012

 

Leader responsible for building and managing Westinghouse’s global cybersecurity operations and regulatory compliance strategy encompassing Westinghouse, its customers and its vendors at 56 locations across the U.S. as well as in China, India, Japan, Poland, and Sweden. Accomplishments improving Westinghouse’s cybersecurity and compliance capabilities:

 

·               Security Services and Architecture:  centralized global security operations and services that achieved Westinghouse’s center-led organization, cost management, and ITIL goals.  Built Westinghouse’s new security operations center (SOC). Recruited and mentored 11 managers, analysts, and contractors plus vendors providing services including: code analysis, data loss prevention (DLP), firewall management, forensics and eDiscovery, identity and access management (IDM), intrusion detection and incident response, malware analysis, security awareness, and vulnerability assessments. 

·               Guidance to Leadership:  presented emerging risk and threats as well as recommended policies and cost-effective risk management solutions to Westinghouse’s Board of Directors, Audit Committee, and Security Advisory Council.

·               Regulatory Compliance:  successfully ensured Westinghouse’s compliance with new NERC CIP and NRC 10 CFR 73 regulations. Managed all NRC cybersecurity examinations conducted at all Westinghouse global facilities.

·               Threat Analysis: developed and implemented innovative new netflow network data and log file data mining and data analytics techniques to detect and proactively stop advanced persistent threat and denial of service attacks.

·               Enterprise Resource Planning (ERP) Security:  ensured Westinghouse’s successful on-time, on-budget upgrade from SAP R/3 to SAP ECC 6.0.  Implemented SAP’s Governance Risk and Compliance (SAP GRC) software and assured Sarbanes Oxley 404 as well as JSOX compliance with new security controls and access roles.

·               Vendor Management:  established and managed contract requirements allowing the secure use of IT outsourcing, cloud services, and managed security service providers (MSSPs).  Completed SSAE 16 vendor security control reviews.

·               Forensics:  completed computer investigations and eDiscovery requests for Internal Audit and Legal.

·               Disaster Recovery:  established and documented Westinghouse’s data center disaster recovery plan, with quarterly testing.

·               Law Enforcement:  managed all relationships with FBI and Secret Service agents involving advanced persistent threats, and coordinated all counterintelligence activities performed in coordination with these agencies, successfully reducing nation-state threat actor attacks against U.S. and Westinghouse interests.

Chief Information Security Officer, University of Pittsburgh

Pittsburgh, PA    December 2004 – June 2009

 

Leader responsible for developing the strategy and then implementing the University’s security governance, operations, and compliance policies and program at this leading U.S. research university of 60,000 users.  Protected over 20,000 University computers and measurably reduced cybersecurity events by implementing innovative security architecture defense in depth, monitoring, data analytics, and incident response capabilities. Recruited, managed and mentored a team of 10 security professionals plus 60 departmental security liaisons. Accomplishments improving the University of Pittsburgh’s security and regulatory compliance:
 

·               Security Services and Architecture:  led the implementation of University’s new Security Operations Center (SOC) as well as of services including computer forensics and e-discovery, firewall management, intrusion detection and incident response, PeopleSoft security administration, secure VPN, and threat analysis. 

·               Regulatory Compliance:  ensured the University’s compliance with FERPA, FISMA, GLB, HIPAA, PCI DSS, and Sarbanes Oxley 404, with no audit or regulator significant findings from 2005 thru 2009.

·               Vendor Management:  protected University employee and student personal information provided to outsourcing and cloud computing vendors through due-diligence contract reviews and IT audits.  Also implemented standard security and data protection contract terms successfully protecting University interests and intellectual property.

·               Forensics:  reduced costs and improved investigation capabilities by instituting internal computer forensics services.  Coordinated investigations with the General Counsel, University Police, and the Federal Bureau of Investigation. 

 

Managing Director, Technology Risk Management, Jefferson Wells International

Pittsburgh, PA     April 2003 – October 2004

 

Established Jefferson Wells’ new Pittsburgh-Cleveland region IT risk management, IT audit and cybersecurity practice achieving over $3 million in revenues.  Recruited, managed and mentored 25 security professionals, IT auditors, technical writers, and business development managers.  Ensured clients successfully launched new IT audit as well as cybersecurity programs.  Completed security vulnerability assessments and introduced cost-effective solutions that ensured compliance with Sarbanes Oxley 404 (SOX) and HIPAA. 
 

Senior Manager, Ernst & Young LLP Security & Technology Solutions

New York City Office    February 2001 – March 2003

Led teams responsible for instituting new cybersecurity and disaster recovery strategies, programs and policies as well as for performing cybersecurity assessments and IT audits for clients including Allegheny Energy, Disney, G+G Retail, Morgan Stanley, and Pfizer. Achieved over $2 million in services revenues.

 

Principal Consultant, PricewaterhouseCoopers LLP

New York City Office    August 1998 –January 2001

Led teams responsible for the successful full-lifecycle implementation of SAP R/3, PeopleSoft, and Oracle Financials as well as Internet e-Commerce systems for Fortune 500 clients including Delta Airlines, Siemens, and UPS. Achieved over $5 million in services and software/hardware resales revenue. 

 

Honors and Community

 

·               2016 regional banking representative on the Financial Services Information Sharing Analysis Center (FS-ISAC) Compliance & Audit Council, focusing on introducing innovative new quantitative risk analysis and data analytics solutions.

·               2015 American Banker “Most Innovative Bank” recognition due in part to introducing new quantitative risk analysis and data analytics solutions for cyber security and technology risk management.

·               2014 – 2016 Regional Bank Technology Risk Forum Board of Directors, promoting collaboration of risk management and regulatory compliance practices among the top 30 U.S. banks.

·               2013 power utilities cybersecurity representative for the U.S. Department of Homeland Security’s Pennsylvania Critical Infrastructure Resiliency Exercise, improving the U.S. mid-Atlantic region’s ability to respond to major regional crises.

·               2008 – 2013 CISO Executive Network Governance Board, promoting global information sharing amongst fellow CISOs.

 

·               2010 and 2011 Westinghouse Chief Information Officer “Coin of Excellence” recipient for the successful implementation of Westinghouse’s cybersecurity strategy, program and security operations center.

·               2008 Chief Security Officer Magazine NEXT Security Leadership Award recipient for advancements in cybersecurity metrics.

·               2008 Computerworld Honors Laureate: Secure Guest Wireless Access; 2006 Computerworld Honors Laureate: Secure Remote Access to Restricted Network Resources; 2005 Computerworld Honors Laureate: Strategic Network Security Architecture.
 

 

·               Explorers Club of Pittsburgh rock climbing and mountaineering instructor.

 

 

International Travel and Regulatory Experience: 
Brazil, China, England, Germany, Hong Kong, India, Japan, Poland, Scotland, Singapore, Sweden.

 

System Platform and Mobile Device Management Experience: 
Apple iOS and ApplePay, Good Mobile Device Management, Google Android, HP-UX, IBM AIX, IBM Z/OS,
MaaS360 Mobile Device Management, Microsoft Windows, Red Hat Enterprise Linux (RHEL), VMware ESX.

 

Major Enterprise Systems Implementation Experience: 
Oracle, PeopleSoft, SAP R/3, and SAP ECC.

 

Governance, Risk and Compliance (GRC) Systems Experience:

Brinqa, RSA Archer (5.3 - 6.0), RiskLens, (FAIR), SAP GRC, SAP Client User Provisioning (SAP CUP), SAP Global Trade Services (SAP GTS), SAP Risk Analysis and Remediation (SAP RAR), SAP Superuser Privilege Management (SAP SPM).

 

Vendor Product Implementation and Management Experience:

Amazon AWS, BlueCoat, Cisco, Encase, Entrust, FireEye, Fortinet, HP (ArcSight), IBM, Juniper, Lancope, McAfee/Intel, Mandiant, Microsoft, PaloAlto, Qualys, Rapid7, RSA, Splunk, Symantec, Tufin, VMWare.