From: route@monster.com
Sent: Thursday, November 10, 2016 3:23 PM
To: hg@apeironinc.com
Subject: Please review this candidate for: Network Engineer TS SCI
This resume has been forwarded to you at the request of Monster User xapeix03
Brad Bemis, CISSP, CISA · Orlando, FL · (425) 233-2571 · brad.bemis@secureitexperts.com

CAREER OBJECTIVE
A challenging information risk management and cyber security position within an organization that recognizes the business value of properly protecting its information assets.

SUMMARY OF QUALIFICATIONS
· A high-impact, results-oriented information technology veteran with over 23 years of solid hands-on planning, design, implementation, operation, security, audit, leadership, and management experience supporting advanced multi-vendor enterprise environments of all sizes.
· Over eighteen years of direct experience in the information security discipline performing comprehensive security assessments, implementing secure technology solutions, and providing strategic security management services for multiple Fortune 500 companies, military organizations, and government agencies around the world.
· A proven information security professional with expertise in leadership and team building, a formal background in project management, a keen understanding of how to ensure successful business operations, an excellent grasp of interpersonal communications, a penchant for collaborative knowledge sharing, the patience to work with others in any environment, and a strong belief that customer satisfaction is an important aspect of any project.

OVERVIEW OF PROFESSIONAL EXPERIENCE
· Built entire security programs from the ground up using COBIT, ISO 27000, ITIL, SSE-CMM, NIST, etc.
· Directed compliance initiatives for Sarbanes-Oxley, HIPAA, GLBA, PCI-DSS, FISMA and many more
· Partnered with executive-level committees to determine risk appetite and set security priorities
· Engaged in formal and informal security risk assessments leveraging OCTAVE, FRAP, FIRM, etc.
· Formalized risk management tools and techniques emphasizing ownership and accountability
· Authored clear and functional enterprise security policies, standards, guidelines, and procedures
· Defined and delivered structured security awareness, training, and education materials at all levels
· Configured and monitored firewall, IDS, and VPN devices, malicious code defenses, and PKI systems
· Created and implemented system hardening standards for applications, platforms, and devices
· Administered and conducted penetration testing of systems, applications, databases, and networks
· Streamlined threat management and vulnerability remediation capabilities across entire enterprises
· Spearheaded business continuity, disaster recovery, incident response, and digital forensic initiatives
· Conducted security audits and compliance validation checks against established control baselines
· Managed multiple large and complex projects in a manner consistent with PMI PMBOK methods
· Led the work efforts of other security professionals and IT personnel in teams ranging from 6 to 30
· Formulated and administered budget plans for annual program allocations of up to 4 million dollars
· Increased effectiveness of security operations, enhanced customer trust, and influenced profitability
· Participated in advancing the security profession through blogging, forums, and social networks
· Maintained strong professional relationships and actively contributed to the security community

Technical History:
· Network Protocols: TCP/IP, IPX/SPX, NetBEUI
· Routing Protocols: RIP, IGRP, EIGRP, OSPF, BGP
· Security: GRC, IDM, VPN, encryption, PKI, Firewalls, IDS/IPS, pen-testing, incident response, forensics
· Services: Ethernet technologies, Frame-relay, ATM, Token Ring, FDDI, X.25, 802.11 (wireless), 802.1x
· Support: Cabling, switching, bridging, routing, client-server, security, testing, troubleshooting
· Operating Systems: Windows 3.1/NT4 to Win7/2K8 (w/IIS & Exchange), Unix, Linux, Solaris, Novell
· Network Management: SNMP, OpenView, CiscoWorks, Tivoli, Optivity, SunNet Manager
· Languages: HTML, PHP, SQL, C, Visual C++, Visual Basic, Delphi, Assembler, Pascal, Perl, JavaScript

EDUCATION AND PROFESSIONAL DEVELOPMENT
Master’s in Education, Capella University (in pursuit)
Additional graduate studies in business and psychology
B.S. Information Technology, University of Phoenix (2004)
A.A.S. Information Systems Technology, Community College of the Air Force (1998)
A.A.S. Personnel Administration, Community College of the Air Force (1998)

Certifications:
· Certified Information Systems Security Professional (CISSP)
· Certified Information Systems Auditor (CISA)
· Associate Business Continuity Planner (ABCP)
· Certified Lean Six-Sigma Greenbelt (CSSG)
· Cisco Certified Network Associate (CCNA), Cisco Certified Design Associate (CCDA)
· Nortel Networks Certified Support Specialist (NNCSS)
· CompTIA Certified Network Technician (Network+)
· Microsoft Certified Systems Engineer, Microsoft Certified Professional plus Internet
· Successfully completed 2 of the 4 CCNP exams (routing and switching), and am currently preparing to undergo the Certified Information Security Manager (CISM) certification process

TRAINING:
· Various on-going security lectures, seminars, and events
· Computer Security Incident Handling
· Securing [Microsoft] Enterprise Platforms
· Computer Crime and Investigations
· Checkpoint Security Administration
· Introduction to Cisco Router Configuration
· Advanced Cisco Router Configuration
· Accelerated Nortel Networks Router Configuration
· Windows Architectural Design
· Windows Server Administration
· Exchange Server Administration
· HP Openview Network Node Management
· Introduction to UNIX
· Advanced UNIX
· Solaris Systems Administration
· Solaris Shell Programming
· Oracle Database Administration
· Oracle Developer Application Design
· Cabling for Voice and Data Networks
· Motorola Voice Communications
· Network Encryption Systems Administration
· Network Planning
· Network Systems Administration
· Project Management
· Technical Training Instruction
· The Consultative Approach
· Lean and Six-Sigma
· Consumption of multiple internal Microsoft security training courses
· Over 100 Lucent “Knowledge Quest” training seminars
· 1,000+ additional hours of computer based training from CBT Systems
· Leadership and management training through the U.S. Air Force (John Levitow Leadership Award winner), Nordstrom leadership development track, the Seattle Institute for Management Studies, formal education (MBA program), and personal study of leadership through reading and practical experience

AFFILIATIONS:
· Active participant in the Cloud Security Alliance (CSA), Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), Computer Technology Investigators Network (CTIN), Agora, InfraGard, Washington Software Alliance (WSA), King County Bar Association (KCBA), and Pacific Northwest CISO Forum meetings and events
· Current Seattle Chapter CSA Secretary, Former Puget Sound ISSA Chapter Secretary
· Guest Instructor for the Pacific Northwest CISSP Study Group
· Established the Security Program Management Forum for SecurityFocus.com
· A key contributor within the ISC2 CISSP Forum, LinkedIn Information Security Community, and ITToolbox Security discussions
· Currently maintaining an active information security portal and blog
· Regularly consulted on issues of security awareness and training, policies and procedures, leadership and management, career development, and a wide range of technical security issues

WORK HISTORY AND PROFESSIONAL EXPERIENCE
SecureITExperts, LLC – Consulting Services
June 2012 to Current (Member Owner)
Founder and Principal Security Strategist
· Ownership of a small business focused on information risk management and cyber security services
· Working with customers to identify information security challenges and resolve them by performing risk assessments and establishing prioritized remediation plans
· Providing strategic security consulting services; offering advice on how to handle a wide range of security and compliance matters, including PCI, HIPAA, SOX, FISMA, and many others
· Establishing security policies, processes, and technology implementation plans based on ‘smart’ security practices properly scaled to meet each customer’s unique business requirements
· Developing and delivering security awareness and training plans and materials for organizations of all types and sizes
· Offering a broad range of other generalized security consulting services covering all aspects of the information security discipline, with deep emphasis on mobile, social, and cloud service trends

Network Computing Architects (NCA)
January 2011 to July 2012 (Consulting)
CISO, Security Practice Manager, and Principal Consultant
· Led all internal and customer-facing security initiatives across the company, including multiple PCI, HIPAA, and other compliance engagements
· Managed a comprehensive ISO 27001 certified Information Security Management System (ISMS) covering all customer data and other sensitive information
· Developed and managed a complete security consulting services function – defining service strategies, developing marketing materials, engaging in pre- and post-sales, and more
· Provided strategic security management consulting services, risk and compliance assessments, and other general security services – working with top executives in most situations
· Completely rebuilt NCA’s reputation in the security management space

Expedia – Governance and Compliance
September 2010 to January 2011 (Contract)
GRC Program Manager and PCI Technical Lead
· Provided consulting services on a wide range of security issues, including executive communications, awareness and training, policies and processes, vulnerability management, and more
· Quickly took ownership of the PCI compliance portfolio – identified a number of security and business integration opportunities, then led efforts to close gaps and embed security into the corporate culture
· Drafted a series of PCI compliance ‘how to’ guides to assist upwards of 10 separate brands – addressing everything from firewall rule audits to advanced policy and governance topics
· Served as the lead technical advisor on all compliance related activities – driving the compliance roadmap and connecting compliance activities to broader enterprise security initiatives
· Became the leading advocate for a holistic approach to information protection, working directly with mid-level and senior leaders to see the business value of security as a lifecycle process

Microsoft – Security Response Communications
December 2009 to May 2010 (Contract)
Program Manager – Operations and Communications
· Drove process and tools improvement initiatives to help Microsoft better manage its vulnerability remediation practices
· Drafted a revised user’s manual for a key internal tool used at Microsoft to consolidate, manage, and distribute security vulnerability information
· Established a new team collaboration and information sharing portal for Microsoft’s Software Security Incident Response Process (SSIRP) Emergency Communications Team (ECT)
· Revised metrics and key performance indicators for tracking the efficiency and effectiveness of security response measures during a SSIRP event
· Stepped in to help support the Microsoft Security Response Center (MSRC) as part of the Emergency Engineering Team (EET) during two especially challenging SSIRP events

Clearwire – IT Operations
July 2009 to October 2009 (Contract)
PCI Compliance Lead and Senior Security Engineer
· Successfully built and executed a strategy for ensuring Clearwire met all PCI-DSS 1.2 requirements during its October 2009 self-assessment
· Initiated and managed segregation of the cardholder data environment, including changes to the network architecture, database structures, and business applications
· Delivered policies and procedures, application security plans, threat and vulnerability management strategies, incident response methodologies, and other supporting documentation
· Selected, purchased, and deployed a comprehensive endpoint protection solution for the enterprise while under extremely aggressive time constraints
· Established a framework for the new IT Security and Compliance team to deliver security services for its internal customers and continue its compliance initiatives

T-Mobile – Engineering and Operations
December 2007 to February 2009
Manager, Security Operations Team
· Created and managed two new security operations teams within T-Mobile
· Led efforts to establish a new security framework within the company, define new processes and procedures for security functions, and enhance the technical security portfolio of the company
· Directly supervised the administration of all security appliances and services across the enterprise, including critical infrastructure components directly affecting the customer experience
· Established a structured security service delivery model founded on ITIL, ISO 27002, and other general industry best practices that exceeded all expectations
· Worked with internal customer-centric engineering and operations teams to streamline workflow and define specific criteria for the prioritization of day to day work
· Provided training and support for a team of eight security professionals while transitioning from non-technical security roles to being directly responsible for securing the entire T-Mobile infrastructure
· Lauded by team members and peers as a clear leader within T-Mobile's security community

Microsoft – Windows Vulnerability Management
October 2007 to December 2007 (Contract)
Program Manager – Windows Vista Vulnerability Resolution
· Performed end-to-end case management and patch delivery activities for all reported vulnerabilities in Windows Vista prior to and during the initial release of Vista SP1
· Participated in the triage, evaluation, classification, and solution engineering process for all security-related vulnerabilities impacting the Windows Vista platform during this time period
· Led key developers from the various Microsoft product teams and internal security entities through in-depth threat modeling and secure code review sessions
· Served as the team’s expert on deployment implications within large-scale enterprise environments, offering strategic and tactical advice on how to minimize customer impact
· Monitored internal and external vulnerability reporting services, newsgroups, and other social media services to evaluate the effectiveness and impact of each new patch released
· Advised Microsoft on specific ways to improve their remediation processes and increase efficiency

Independent Volunteer Worker
November 2006 to October 2007
Volunteer Worker and Avid Outdoors-man
· Took a 1-year voluntary sabbatical away from the security industry
· Studied various aspects of psychology at the graduate level - focusing on interpersonal communications, human interactions, leadership, organizational psychology, and more
· Conducted volunteer work with the Seattle and East-side hospice care programs, the King County Crisis Clinic, Snohomish County search and rescue teams, and other worthwhile organizations
· Section hiked most of the Pacific Crest Trail from Canada to Northern Oregon, and many other trails
· Continued to stay on top of industry trends – especially topics on security program management
· Used a portion of this time to study the hacker mindset, patterns of attack, and breach reporting

Symetra Financial – IT Risk Management Services
December 2005 – November 2006
Senior Information Security Specialist and Program Manager
· Established a senior leadership council to unite disparate but interrelated programs such as information protection, regulatory compliance, business continuity planning, privacy, physical security, etc. under a single umbrella
· Successfully championed the adoption of ISO 17799 and COBIT as key components of Symetra's overall information protection and regulatory compliance strategies
· Completed a comprehensive rewrite of all information protection policies and procedures, greatly reducing their length and complexity while enabling the company to better focus on its core business
· Led the implementation of solutions for enterprise encryption, integrated identity management, and enhanced network defenses; resulting in heightened asset protection and management confidence
· Partnered with technical project teams, management groups, and internal auditors to advise on challenges and solutions for all security subjects ranging from the adoption of new technologies to daily change management decisions
· Created a new security risk management planning template and instructional guide to assist information asset owners and custodians in making good, risk-based decisions in accord with defined standards of due care
· Instituted new processes and technologies for the detection and management of potential security incidents; decreasing reaction and recovery times by nearly half
· Sought out by senior management to play a key role in the development of Symetra's business continuity and disaster recovery plans, including those for the potential bird flu epidemic

Microsoft Corp. – Sales, Marketing, and Services Group
December 2004 to December 2005 (Contract)
Information Security Subject Matter Expert and Instructional Designer
· Developed comprehensive on-line and instructor-led security process and technology training courses for the 22,000+ personnel assigned to Microsoft’s Sales, Marketing, and Services Group (SMSG)
· Defined a modular curriculum mapping method to meet the individual security training needs of each learner, and established knowledge measures and psychometric testing criteria for assessments
· Worked closely with each SMSG Segment, and all Microsoft security-oriented business units, in order to determine security training requirements and solicit input into the curriculum design process
· Helped organize the FY06 security curriculum into 30+ knowledge consumables (ranging from basic (100 level) security sales processes to advanced (400 level) technical security solutions delivery and support) based on Bloom’s Taxonomy and the latest in instructional design and e-learning
· Began the formal study of security awareness, training, and education as its own discipline within the field of information security – making this a primary area of professional expertise
· Delivered the all-time best e-learning course available on Microsoft security and working with customers to change perceptions
· Regularly lauded for creative, highly-interactive course components that helped learners understand and use the materials presented
· Assumed interim leadership of the Instructional Design Team while the positions of Lead Instructional Designer and Development Manager were vacant

Nordstrom, Inc. – Information Technology Services
September 2003 to December 2004
Senior Information Security Engineer and Department Supervisor
· Initially hired as the Senior Security Engineer responsible for security program development and management, but quickly promoted into a security leadership role as Supervisor of the struggling Nordstrom Enterprise Security (NES) Department
· Immediately began working with the team to identify key points of pain and implement solutions allowing NES to transition away from a reactionary firefighting mode and toward a proactive strategic direction
· Refocused the team on taking a risk management approach to project involvement - including team development of a risk analysis model with accompanying tools and techniques; established a holistic 5 year vision covering all aspects of security and business integration; lobbied for the first ever security budget for the NES department (1.2 million dollars for the first year)
· Partnered with the executive Information and Privacy Councils as well as other IT departments to redefine Nordstrom’s approach to information security and privacy across the entire organization, developing a comprehensive information security framework designed to balance the dual imperatives of enablement and protection while working toward a corporate standard of due care
· Championed for executive level commitment, a hierarchical approach to the deployment of policies and supporting guidance, a targeted security awareness campaign across all areas of the company, and an emphasis on pragmatic ownership and accountability
· Ensured that all work efforts accounted for regulatory and contractual obligations, including Sarbanes-Oxley, HIPAA (prosthesis unit), GLBA (Nordstrom Bank), VISA CISP/PCI-DSS, and others; as well as the extension of Nordstrom’s focus on superior customer service to include proper protection of the sensitive personal information that was entrusted to us by our customers

Airborne Express, Inc. – Information Technology Services
July 2002 to September 2003
Senior Information Security Engineer
· Formalized a comprehensive strategic information security program emphasizing the proactive defense of Airborne’s extremely diverse enterprise environment
· Coordinated and performed information security risk assessment activities. Identified information security deficiencies, investigated risk mitigation solutions, and recommended corrective actions as appropriate
· Implemented technology solutions to enhance the security of Airborne’s IT systems and corporate data. Acted as the internal IT auditor for ensuring compliance with established control objectives
· Enhanced visibility into network and system security events for the correlation and analysis of event activities. Defined, developed, and deployed incident handling processes and procedures to ensure the continued operation of Airborne services in the face of an adverse event
· Developed, implemented, and maintained corporate information security policies, standards, guidelines, and procedures
· Facilitated information security awareness, education, and training opportunities. Established cross-functional information sharing forums to encourage group involvement at all levels of the company
· Advised senior management, business unit representatives, and IT personnel on all information security related matters, serving as the sole internal information security consultant for Airborne’s entire operation
· Monitored security program compliance through cooperative efforts between all IT functions, internal audit, human resources, and legal services

Lucent Technologies - Enhanced Sales and Services
April 2000 to June 2002
Information Systems and Security Engineer
· Provided comprehensive security evaluation services, secure technology solutions, and strategic security management consulting services for multiple Fortune 500 companies and government agencies located in the Pacific Northwest region
· Core services provided include: security program development and management; security policy/procedure development and review; business continuity and disaster recovery planning; incident handling; security audits and assessments; security requirements determination and analysis; perimeter security architecture design and implementation; network security infrastructure design and implementation; security awareness training curriculum development and presentation; and formal security-focused project management
· Identified as Lucent ESS’s Pacific Northwest Subject Matter Expert on security reviews and auditing, security policies and procedures, business continuity and disaster recovery planning, security awareness program development, and technical security deployments of firewall, IDS, and VPN solutions
· Active regional point-person for internal Lucent engagements and security practice functions which included: client proposal development, quality assurance of client deliverables, building and managing client relationships, internal training program management, security methodology modeling, development of service marketing materials, and security service business process development
· Regularly provided assistance to other consultants, and strategic support on other engagements; often called upon to address delicate situations, or to refocus engagement teams on effectively meeting (or exceeding) client expectations

United States Air Force – Special Operations
September 1991 to March 2000
Information Systems and Security Engineer
· Involved in all aspects of planning, design, implementation, and management of complex integrated network systems, including their proactive defense against internal and external threats
· Determined network security requirements, configured network security devices, monitored networks for intrusion attempts. Developed security accreditation packages and security awareness program materials, taught security awareness seminars, conducted physical security reviews, assessed disaster recovery plans, authored security policy and procedure documents
· Engineered entire network architectures from the ground up on a daily basis. Provided wireless, fiber-optic, and copper-wire connectivity between backbone and end-user devices. Configured routers, bridges, hubs, and switches for use in multi-protocol environments
· Administered Windows, Windows NT, Solaris, and Linux operating systems in mixed network configurations. Monitored network connectivity and operational status using HP OpenView, CiscoWorks, and Optivity network management utilities
· Wrote several field guides and training references that were distributed Air Force wide, and either created or consulted on the development of numerous Air Force technology training programs
· Served as the Non-Commissioned Officer In Charge (NCOIC) of Wing Command and Control Systems Management under Headquarters Pacific Air Forces (PACAF), and as a Combat Communications Team Chief for Theater Deployable Communications under Headquarters Air Force Special Operations Command (AFSOC) – leading each group to unprecedented success
· Directly supervised over 30 military and civilian network and security operations personnel, often under real-world combat conditions while operating in the field

ADDITIONAL INFORMATION
· Previously held a Top Secret Department of Defense security clearance with access to Sensitive Compartmented Information (TS-SCI)
· References and additional information will be made available upon request