Jeevan Singh

Director of Engineering

Vancouver, British Columbia, Canada · 21 yrs 9 mos experience
Most Likely To Switch

Key Highlights

  • Revamped product security program at Twilio.
  • Reduced risk by 60% in vulnerability management.
  • Created a positive security culture across teams.
Stackforce AI infers this person is a SaaS Security Architect with extensive experience in application security and team leadership.

Skills

Core Skills

Product Security, Vulnerability Management, Data-driven Security, Application Security, Team Leadership, Threat Modeling, Security Culture, Security Program Development, Security Standards, Software Development, Technical Support, Team Management

Other Skills

.NET, .NET Framework, ASP.NET, Agile Methodologies, Agile Project Management, Bug Bounty Program Management, C#, Cyber-security, Dashboard Creation, Data Analysis, Databases, Integration, JavaScript, Microsoft SQL Server, Mobile Applications

About

My lifelong fascination with defensive security began at a young age when I played the center back position on my youth soccer team. I loved the thrill of preventing opponents from scoring and was intrigued by the strategy behind defensive maneuvers. The fascination grew throughout my adolescence and into university when a close friend showed me how malicious users could penetrate systems and taught me how to prevent attacks. For as long as I can remember, I’ve continually examined scenarios from every imaginable angle so I can find weaknesses and penetrate defenses in order to protect myself. As an Information Security Architect, I am still driven by this fascination and apply these same principles as I protect the company and guard customer data. My philosophy is to build security from the ground up and make it as transparent as possible. I do this by collaborating with software architects and senior developers to identify practical options for building secure systems, empowering developers, and working with sysadmins and network engineers to determine effective approaches for operating securely. I also work toward creating a positive security culture, instilling employees with security knowledge, and building defenses against security threats. I enjoy sharing my passion for security through teaching opportunities, and my history includes overseeing security labs in which I taught developers and quality assurance engineers how to eliminate vulnerabilities from company applications. In my 12+ years of software experience, I’ve successfully created and led multi-disciplinary teams working on simultaneous projects, boosted employee retention, contributed to increased sales, developed systems that enhance productivity and product quality, designed complex yet user-friendly dashboards for security reporting, taken charge and formalized plans during high-pressure emergency situations, and much more.

Experience

Total Experience: 21 yrs 9 mos
Average Tenure: 4 yrs 7 mos
Current Experience: 8 yrs 4 mos

Rippling

2 roles

Director of Security Engineering

Promoted

Dec 2023 - Present · 2 yrs 5 mos

Senior Staff Security Engineer

Oct 2023 - Dec 2023 · 2 mos

Twilio

Director, Product Security

Jun 2022 - Oct 2023 · 1 yr 4 mos

  • As a seasoned product security professional with a track record of building and leading successful security teams, I was brought into Twilio to revamp the company's product security program from the ground up. In my role as Director of Product Security, I focused on developing a team that could build and scale security programs and I created and executed on a comprehensive multi-year product security strategy.
  • One of my key achievements at Twilio was democratizing the vulnerability management program. When I joined, the Engineering team struggled with complex workflows that made it difficult for Engineering to navigate vulnerabilities and understand which vulnerabilities were priorities. By simplifying the workflow and empowering Engineering leadership to take responsibility for security technical debt, my team was able to reduce risk by 60% in the first year alone.
  • I also recognized the need for a more data-driven approach to security. Despite having various security tools in our ecosystem, they were not properly integrated and we were not effectively utilizing the data to gain insights into our security posture. I led the product security team to operationalize the tools using a crawl, walk, run methodology.
  • First, we fully integrated the security tools and pulled the data to create dashboards, which we shared with Engineering leadership. We gained visibility into our security posture and identified areas of improvement (crawl). Next, we analyzed the data and worked closely with Engineering to prioritize and remediate low-hanging risks (walk). Finally, we established processes to operationalize the tools to prevent critical vulnerabilities from being introduced into the system. When prevention wasn't possible, we generated vulnerability tickets and worked with Engineering to ensure timely remediation (run).
  • With this approach, we gained a better understanding of each BU's risk profile and we had much better partnerships with Engineering.
Product Security, Vulnerability Management, Data-Driven Security, Security Tools Integration

Segment

2 roles

Engineering Manager, Application Security

Promoted

Jan 2021 - Jun 2022 · 1 yr 5 mos

  • I had the privilege to lead the Application Security team at Segment following its acquisition by Twilio. As the head of the Application Security program, I held a critical role in overseeing all technical security-related aspects of Segment's security program and served as the primary technical contact.
  • During my tenure as a manager, I successfully achieved several key objectives. Firstly, I took the lead in developing a comprehensive Application Security roadmap that aligned with the privacy and legal requirements of both Segment and Twilio. This entailed understanding the distinct needs of each organization and amalgamating them into a unified strategy.
  • Furthermore, I played a pivotal role in scaling the team by recruiting and training a group of highly skilled security engineers. This was vital to support new initiatives stemming from the increased investment in Segment, ensuring a smooth integration and an elevated security posture. I actively contributed to stabilizing the technical security team during a significant organizational change.
  • Overall, my experience as the Manager of the Application Security team at Segment provided a platform to demonstrate my leadership abilities, strategic thinking, and adaptability in navigating complex security challenges during a critical period of transition.
Application Security, Team Leadership, Security Roadmap Development

Staff Application Security Engineer

Oct 2019 - Jan 2021 · 1 yr 3 mos

  • At Segment, I have had the luxury of working with a world-class Security Engineering (SecEng) team that is well resourced. I do not need to worry about security basics and I have been able to focus on building processes to scale SecEng for tomorrow.
  • I have built out the self-serve Threat Modeling workflow by teaching every Engineer at Segment how to find risks at the design phase and building security into their feature design. This has helped ensure that SecEng is a part of the most important conversations and allowed our Threat Models to go much deeper than before. It has also enhanced our security culture and awareness program; Engineers are now more active in reaching out about security concerns.
  • I am responsible for Segment’s bug bounty program and I have worked closely with our team, the vendor and the security researchers on making the program more efficient and also empowering researchers to find more vulnerabilities. Since we have a public bug bounty program, my goal is to ensure that our security researchers find vulnerabilities before the bad actors find them.
  • I mentor many folks on the SecEng team, helping them think beyond security and to also be a voice for Privacy and GRC. I have also provided several team members with speaking opportunities at local security meetups, allowing them to grow outside their careers at Segment.
  • I know that SecEng cannot be in every conversation at Segment, which is why I focus my energy building processes and tools to ensure that everyone is thinking about security and does the right thing.
Threat Modeling, Bug Bounty Program Management, Security Culture Enhancement, Security Culture

Zenefits

Senior Application Security Engineer

Jul 2018 - Oct 2019 · 1 yr 3 mos

  • At Zenefits, I spent much of my time building up a security program. I created the Software Development Lifecycle policy, in preparation for the SOC2 audit. I also created a Product Requirements Document dashboard, so Security Engineering knew how far along all of the PRDs were and when Security needed to engage and provide guidance. Within the PRDs and Software Design Documents (SDDs) themselves, I added the appropriate security questions to further help determine if Security Engineering needed to engage.
  • I participated in many Engineering all hands to better build upon Security Culture and Awareness. In addition to the regular security training, I ran optional training for developers, so that they can understand security tools better and how adversaries can attack our systems.
  • I created an automated system to report back the number of outstanding vulnerabilities per pillar and I helped drive the total number of vulnerabilities down for the Payroll pillar, so that there were no vulnerabilities outside SLAs. In addition, I worked closely with the Payroll pillar to reduce the attack surface and fraud risks, by interviewing the team and running threat models.
  • I also addressed performance concerns with the Web Application Firewall (WAF) and worked closely with the vendor and our Operations team to get it in a good state.
Security Program Development, Software Development Lifecycle Policy, Security Culture Training

OWASP Vancouver

Co-Chapter Lead

Jan 2018 - Present · 8 yrs 4 mos · Vancouver, British Columbia, Canada

Vision Critical

4 roles

Application Security Engineer

May 2015 - Jul 2018 · 3 yrs 2 mos

  • My role includes educating technical staff on security practices and policies along with developing security standards, patterns, and documentation. I also identify and track the remediation of software security vulnerabilities. In other words, I ensure that all development teams are educated on OWASP Top Ten vulnerabilities and that they follow security principles to write secure code because it is more cost-effective to build secure software than to correct vulnerabilities later on. I am also a keen supporter of DevSecOps practice, which helps further the company’s security posture. Furthermore, I play an instrumental role in SOC2 reporting by interfacing with auditors and answering questions that might arise; I also guide the research and development team to ensure that strong controls are in place, resulting in outstanding reports and procedures. My security recommendations are designed with privacy in mind and comply with applicable rules and regulations such as CASL, CAN SPAM, HIPAA, and worldwide data residency and privacy laws. I also use Common Vulnerability Scoring System (CVSS) to assess and rank discovered vulnerabilities. Additionally, I participate in team scrums, bug triages, risk assessment, and epic development. I always share all available information with the engineering team, both good and bad, to ensure that projects move toward successful completion.
  • Accomplishments:
  • Created an effective way for senior managers to understand the company’s overall state of security by developing an easy-to-understand dashboard that pulls information from multiple internal systems.
  • Expedited sales and license renewals by efficiently resolving client security concerns, ensuring product security, managing penetration tests and/or reviewing third party tests, and ensuring that sales do not stall due to security checks.
  • Increased R&D security awareness by establishing workshops on security vulnerabilities for developers and QA personnel.
Security Standards Development, Vulnerability Remediation, Security Awareness Workshops, Security Standards

Senior Software Engineering Manager

Promoted

Nov 2012 - Apr 2015 · 2 yrs 5 mos

  • I simultaneously led two development teams totaling 14 architects, developers, and staff. I also built, led, motivated, and assessed the Core Services teams to deliver special quality features on time and within budget. In coordination with 12+ internal teams, I ensured effective use of the Sparq product (a customer intelligence platform) and produced quarterly reports to facilitate senior management’s understanding of Sparq’s state and trajectory; these reports also helped to improve the development team’s understanding of managerial decisions. During client calls, I provided Sparq-related technical information and advice.
  • Accomplishments:
  • Led the platform team responsible for generating 95% of the company’s revenue.
  • Unified, strengthened, and bolstered a fragmented team with low job satisfaction by gaining the team’s respect and creating cohesion.
  • Achieved 100% employee retention during my time as team lead.
  • Increased communication by pioneering quarterly meetings that included the platform team, senior managers, and CTO to ensure that everyone was informed about the state of the product and the company’s overall direction.
  • Increased product quality and set a high standard for the software team; only 8% of tech support calls were to report software defects.
Software Development, Team Leadership, Project Management

Software Maintenance Manager

Jun 2010 - Nov 2012 · 2 yrs 5 mos

  • I served as the early point of contact for all performance or production usage technical issues across all Vision Critical platforms. My duties included quickly and effectively resolving production issues, devising platform maintenance enhancements, and facilitating update releases. I also monitored and reported on stability, defect count, performance issues, and release status of all production platforms. Furthermore, I assisted non-technical staff in understanding and managing the implications of potential production issues and changes in production applications.
  • Accomplishments:
  • Created the company’s daily error system, which allowed for errors to be corrected before they impacted clients; this system is still in use.
  • Reduced daily errors by 66% through tracking and reporting errors found in logs pulled from the production environment.
Technical Issue Resolution, Platform Maintenance, Performance Monitoring, Technical Support

Senior Software Engineer

Aug 2007 - Jun 2010 · 2 yrs 10 mos

  • I mentored software engineers in quality development practices while serving in this role. I also corrected security issues identified by penetration tests, designed features for the Sparq customer intelligence platform, and played an instrumental role in the company’s successful attempt to achieve Microsoft Gold Partner status. I wrote code based on the principles of quality and simplicity so that it would be easy for future developers to work with, and I am well-versed in the Secure Software Development Lifecycle (SSDLC).
  • Accomplishments:
  • Created and improved major features of the Sparq platform that contributed to its continuing popularity, including a pluggable question framework that allows for quick development of new question types without changing the core code.
  • Appointed as primary technical point of contact for Microsoft Gold Partner status approval process; gaining this status generated significant savings in annual licensing fees.
  • Single-handedly implemented SSL Offloading for Sparq product, easing installation and maintenance for infrastructure teams.
  • Improved platform performance both on the server and client sides by upgrading Sparq from Microsoft’s .NET framework version 1.1 to version 3.5.
Quality Development Practices, Secure Software Development Lifecycle, Software Development

Webnames.ca

Technical Lead

Jul 2004 - Aug 2007 · 3 yrs 1 mo · Vancouver

  • I managed a four-member team of senior developers to design, develop, maintain, and support 80+ systems. My duties included preparing quarterly project timelines and estimates for systems development tasks and then presenting the reports to senior executives. I was also instrumental in requirements analysis, specification, software architecture, implementation, testing, and deployment for both new projects and enhancements to existing projects.
  • Accomplishment:
  • Surpassed domain registration expectations by 720% upon launching new domain extension.
Team Management, Project Timelines Preparation

Education

University of Victoria

Bachelor of Engineering (B.Eng.) — Systems Engineering
