From: route@monster.com
Sent: Monday, October 24, 2016 11:02 AM
To: hg@apeironinc.com
Subject: Please review this candidate for: Network ADMIN ccna

 

This resume has been forwarded to you at the request of Monster User xapeix03

Lanny Powers 

Last updated:  10/14/16

Job Title:  not specified

Company:  Apeiron, Inc.

Rating:  Not Rated

Screening score:  not specified

Status:  Resume Received


Huntsville, AL  35801
US


RESUME

  

Resume Headline: Chief Information Security Officer


Lanny Powers
Phone: (256) 278-5743 ● lanpowers@me.com
CHIEF INFORMATION SECURITY OFFICER
Multi-certified Expert in Enterprise Security Strategies
Professional Certifications
CCSK, 2011
CEH, 2009
DISA HBSS, 2012
NSTISSI 4011, 2007
IASO, 2007
CISSP, 2005
DITSCAP, 2004
CCNA, 2001
MCP, 2000
Key Skills
Network & System Security
Risk Management
Vulnerability Assessments
Authentication & Access Control
System Monitoring
Incident Response
Regulatory Compliance
System Integration
Planning
Solutions Architecture
Business Continuity
Disaster Recovery
Multi-tier Network Architectures
Information Security Risk Management Professional with detailed knowledge of
security tools, technologies and best practices whose qualifications include a degree
in computer networking; CISSP, Cloud Security Alliance (CCSK) & Certified Ethical
Hacker (CEH) designations. Over twenty-four years of experience in providing problem
resolution and leadership in the disciplines of risk management, security
architecture, vulnerability assessments, and security incident resolution. Experience
in the creation and deployment of solutions and security plans protecting networks,
systems and information assets for diverse companies and organizations. Developing
information security policies that address security issues and ensure the security
posture of the organization. Proven leadership providing guidance to ensure
compliance with security controls under various information system security
regulatory policies.
IT/IA Experience
Chief Information Security Officer, 2015-2016
Cyber Security Officer, 2014-2015 | Onapsis, Sacramento, CA
Information Security Officer, 2014 | Jacobs, Ridgecrest, CA
Information Security Consultant, 2010-2014 | Hypersecurity
Information Assurance Program Manager, 2013-2014 | US Army Corps of Engineers
Enterprise Security Architect, 2012 | PSG, Charlotte, NC
Director Information Security, 2011 | Emdeon, Nashville, TN
Information Assurance Manager, 2010-2011 | General Dynamics, Huntsville, AL
Information Security Risk Manager, 2007-2010 | SAIC, Huntsville, AL
Information Security Manager, 2006-2007 | Jacobs, Huntsville, AL
Information Security Manager, 2005-2006 | SSI, Huntsville, AL
Information Security Strategist, 2004-2005 | CIBER, Bloomington, IL
Information Security Engineer, 1998-2004 | CSC, Huntsville, AL
MIS Network Security Engineer, 1997-1998 | Ogden, Fairfax, VA
IT Network Security Engineer, 1992-1997 | United States Marine Corps
Education
Strayer University
BS in Computer Networking, 2005
U.S. Department of Defense Clearance - Secret
Recent Project Highlights:
Government Sector: Senior information and cyber security architect with proven experience
in network operations, system security engineering, risk management, penetration testing,
ethical hacking, compliance, certification and accreditation support
• Certification & Accreditation under FISMA, FedRAMP, NIST, DITSCAP and DIACAP
• Assessment and Authorization under Risk Management Framework
• Extensive experience in the design, implementation and administration of Windows
Server, Active Directory domains, and system security solutions
• Experienced in UNIX, LINUX system administration and secure deployment
• Significant network experience including installation and configuration of servers,
storage devices, routers, switches, and firewalls
• Broad understanding of system security processes and domain implementation for
enterprise, tactical and weapon systems
• Proficient with offensive and defensive cyber security tools
Financial Sector: Led business-critical information security initiatives for large financial
institutions involving encryption of customer data to ensure compliance with changes in federal
laws (e.g., FIPS, GLBA, PCI-DSS, Sarbanes-Oxley, HIPAA, HITECH).
Infrastructure: Led comprehensive security infrastructure upgrades (e.g., firewall/VPN
upgrades, IDS, IPS, PKI, authentication and remote management). IA design and audit support
for Electronic Security Systems (ESS), Industrial Control Systems (ICS), Building Automation
Systems (BAS), and Supervisory Control and Data Acquisition (SCADA) environments for
various mid-size and large companies.
Risk Management: Protected vulnerable networks following detailed risk assessments.
Guided cross-functional teams in the design, validation, and implementation of secure,
networked communications across remote sites for several key clients.
Chief Information Security Officer
2015-Present
Primary responsibilities include:
• Define overall Cyber Security and Data Privacy Strategy
• Establish a Technology framework to enforce the Cyber Security and Data Privacy Strategy
• Conduct comprehensive DIACAP, Risk Management Framework (RMF), HIPAA, HITECH and PCI DSS compliance assessments and security audits
• Vulnerability scanning to include gap analysis, identification of severity level and provide recommendations for corrective action
• Penetration Testing services employing the latest ethical hacking techniques
• Provide organizations with recommendation to improve security posture and enhance corporate defenses.
• Review and recommend policy sets that ensure organization meets or exceeds industry standards and compliance regulations
• Provide recommendations for remediation and elimination of attack vectors
• Established security operations center by hiring, training and managing security consultants
• Review and approve security policies, controls and cyber incident response planning
• Management and containment of security incidents via monitoring with QRadar and other security solutions
• Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities
• Provide intrusion detection and attack mitigation solutions
• Provide forensic services appropriate for the incident severity
• Provide project management services to implement recommended solutions within customer environments
• Ensure that disaster recovery and business continuity plans are in place and tested
• Maintain a current understanding of the IT threat landscape for the industry
• Ensure compliance with the changing laws and applicable regulations
• Identification of risks and development of actionable plans to protect the business
• Oversee identity and access management
• Make sure that cyber security policies and procedures are communicated to all personnel and that compliance is enforced
• Manage all teams, employees, contractors and vendors involved in IT security, which may include hiring
• Provide training and mentoring to security team members
• Constantly update the cyber security strategy to leverage new technology and threat information
• Communicate best practices and risks to all parts of the business, outside IT
Cybersecurity Professional
Onapsis, Sacramento, CA
2014-2015
Cybersecurity sales professional exceeded target 200%.
• Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget
• Perform demonstrations of Onapsis SAP vulnerability management solutions with prospective customers
• Provide technical expertise for sales support in pre and post sales advising CISO and corporate leadership teams of numerous client companies.
• Perform project management supporting delivery and integration of Onapsis security software including customer installations and user training.
• Provide quality assurance testing and performance improvement recommendations supporting the SDLC on beta releases of software
• Expert-Level experience in cybersecurity strategy, vulnerability management, policy and planning
Information Security Officer
Jacobs, Ridgecrest, CA
2014
Information Assurance Validator providing information assurance support for the NAWC WD Information Assurance Division.
• Infusing new IA Policies, Disciplines and Practices required by Navy and DOD
• Provide written DIACAP Validation strategy for NAWCWD using acceptable practices, processes and approaches.
• Perform analysis of validation findings to the IA Division Head and Command IAM to identify IA trends.
• Provide recommendations for IA posture improvements.
• Implementation of Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
• Develop and maintain IA and IT programs required to establish and maintain compliance with DOD directives.
• Provide intrusion detection and attack mitigation solutions
• Entry and management of systems with Enterprise Mission Assurance Support Service (eMASS)
• Utilize Assured Compliance Assessment Solution to ensure security posture of systems.
Information Security Consultant
Hypersecurity
2010-2014
Information Security Consultant providing IT audit, breach response, security architecture, engineering, project
management and governance risk and compliance services.
Primary services offered include:
• Conduct comprehensive DIACAP, HIPAA, HITECH and PCI DSS compliance assessments
• Provide gap analysis and make recommendations for corrective action
• Penetration Testing services employing the latest ethical hacking techniques
• Provide intrusion detection and attack mitigation solutions
• Provide organizations with recommendation to improve security posture and enhance corporate defenses.
• Review and recommend policy sets that ensure organization meets or exceeds industry standards and compliance regulations
• Vulnerability scanning to include identification of severity level
• Provide recommendations for remediation and elimination of attack vectors
• Management and containment of security incidents
• Provide forensic services appropriate for the incident severity
• Provide project management services to implement recommended solutions within customer environments
• Develop and implement solutions based on requirements and needs of customer
Information Assurance Program Manager (CISO)
US Army Corps of Engineers
2013-2014
Information Assurance Program Manager managing multiple, complex projects within geographically dispersed
organization. Created Information Security compliance policy and procedure documents to clearly define roles,
responsibilities and build foundation for the organization's business practices in order to correctly support security rules
and regulations.
• Serve as Information Assurance Program Manager for multiple projects
• Experience with Certification and Accreditation under FISMA, FedRAMP, NIST, HIPAA, HITECH, DIACAP and RMF
DOD IT
• Advise organization of regulatory requirements IA policy, Federal Information Security Management (FISMA),
Defense Information Assurance Certification and Accreditation Process (DIACAP), and other governance, risk and
compliance issues
• Define overall Cyber Security and Data Privacy Strategy
• Establish a Technology framework to enforce the Cyber Security and Data Privacy Strategy
• Identify Information Assurance requirements to mitigate impact to networks, computer and information programs
• Evaluated, architected cyber security solutions for Electronic Security Systems (ESS), Industrial Control Systems
(ICS), Building Automation Systems (BAS), and Supervisory Control and Data Acquisition (SCADA) systems
• Provide intrusion detection and attack mitigation solutions
• Review and recommend policy sets that ensure organization meets or exceeds industry standards and compliance
regulations
• Ensure system documentation to include certification and accreditation packages meet all compliance
requirements
• Manage information security vulnerability analysis and assessment audits in accordance with applicable regulations
• Manage the development of long and short range Cyber Security Program planning
• Develop, implement, integrate and coordinate the Information Assurance requirements for assigned projects
• Develop Information Assurance language for contract requirements activities
• Monitor dollar amount (>$2.5B) budget utilization of these contracts and advise when replacement contracts
are anticipated
• Ensure systems are accredited in accordance with Defense Information Assurance Certification and Accreditation
Process (DIACAP) requirements, certifying assigned systems achieve and maintain certification and authority to
operate (ATO)
• Ensure systems are authorized in accordance with Risk Management Framework DOD IT requirements, ensuring
systems achieve and maintain assessment and authorization to operate (ATO).
Enterprise Security Architect
PSG, Charlotte, NC
2012
Enterprise Security Architect responsible for designing information security architectures to support new and existing
information systems and information security processes within Time Warner Cable. Responsible for reviewing and
investigating suspicious activity identified in IDS, web application firewall, vulnerability scan results and other data
sources, providing recommendations to system owners and ISD management, and monitoring to ensure that
recommendations are effectively implemented. Additional responsibilities include monitoring, measuring, testing and
reporting on the effectiveness and efficiency of information security controls and compliance with information security
policies. Also creating security architecture documentation and policies that ensures the successful implementation and
maintenance of an enterprise Governance, Risk and Compliance program.
Director Information Security
Emdeon, Nashville, TN
2011
Director Information Security managing multiple, complex projects within geographically dispersed organization.
• Director Information Security in charge of company’s single largest contract ($95 million)
• Defined overall Cyber Security and Data Privacy Strategy
• Establish a Technology framework to enforce the Cyber Security and Data Privacy Strategy
• Established appropriate structure and built strong Information security team to ensure success meeting the challenges of organization.
• Created and implemented foundational Information Security compliance policy and procedure documents to clearly define roles and responsibilities
• Authored Mitigation Strategy Reports (MSRs) and Plan of Action & Milestones (POA&M) documents to bring enterprise network into full 100% compliance.
• Eliminated 90% of all information security vulnerabilities and configuration deficiencies within data center and enterprise network to include legacy systems.
• Experience with Certification and Accreditation under FISMA, NIST, HIPAA, HITECH, and DIACAP
• Make sure that cyber security policies and procedures are communicated to all personnel and that compliance is enforced
• Manage all teams, employees, contractors and vendors involved in IT security, which may include hiring
• Provide training and mentoring to security team members
• Constantly update the cyber security strategy to leverage new technology and threat information
• Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget
Information Assurance Manager
General Dynamics, Huntsville, AL
2010-2011
Information Assurance Case Manager for the Chief Information Security Officer of the Missile Defense Agency. Served as a
subject matter expert (SME) in Information Assurance and security concepts, standards, and methods. As information
security subject matter expert made recommendations for systems to receive authority to operate, interim authority to
operate or denial of authority to operate based on assessment of recommended security architectural changes. Provided and
promoted consistent interpretation of common requirements, thereby lessening the chance that inadequate
implementations by one organization/system will compromise the security of all members within the net-centric
enterprise.
• Created and implemented foundational Information Security compliance policy and procedure documents to clearly
define roles and responsibilities
• Created policies and procedures to ensure the confidentiality, integrity, and availability of systems, networks, and
data.
• Conducted Preliminary Design Reviews and Critical Reviews, in order to assess whether information assurance
practices, procedures, and technical solutions were properly implemented.
• Provided advice and information on emerging Information Assurance technology and doctrine issues.
Information Security Risk Manager
SAIC, Huntsville, AL
2007-2010
Senior Information Systems and Cyber Security Manager performed lead engineer and project management duties related
to systems security, boundary protection, design review and certification & accreditation artifact generation for NASA, US
Army Software Engineering Directorate (SED), Aviation and Missile Research Development and Engineering Center
(AMRDEC) Agent of the Certification Authority (ACA) Vulnerability Assessment Team and other DOD assets and resources.
• Charter member of Information Assurance Consultancy Group
• Established strategies for growth of business resulting in 650% growth in 3 years.
• Consistently exceeded customer expectations and received numerous individual customer awards for excellence
that promoted and elevated group reputation.
• Program manager for multiple projects leading information security professionals that resulted in numerous group
awards for excellence.



Experience

Job Title: Chief Information Security Officer
Company: .
Experience: - Present

Additional Info

Current Career Level: Experienced (Non-Manager)
Work Status: US - I am authorized to work in this country for any employer.

Target Job:
Target Job Title: Chief Information Security Officer

Target Company:
Company Size:

Target Locations:
Selected Locations: US-AL-Northern/Huntsville