Aaron Sanders

DevOps Engineer

Rochester, New York, United States · 20 yrs 5 mos experience

Key Highlights

  • 19 years of IT GRC experience
  • Multiple patents and published articles
  • Recognized for partnership with business stakeholders

Skills

Core Skills

IT Risk Management · Cyber Security Risk · IT Security Policies & Procedures · Vulnerability Management · Security Compliance

Other Skills

Data Center · Computer Security · Vulnerability Scanning · Cloud Computing · Strategic Planning · IT Audit · Interpersonal Communication · Questionnaires · Information Security Standards · Management · Cloud Security · Data Privacy · Third-Party Vendor Management · NIST · Cyber-security

About

IT GRC professional with 19 years of experience. Career path includes Security Leader (1.5 years), BISO (2.5 years), people management (5 years) and team lead (3 years). Innovative self-starter with multiple patents, published articles and conference presentations. Routinely recognized for excellent partnership with business stakeholders.

Experience

Edwards Lifesciences

Sr. Architect Info. Security (GRC)

Oct 2024 – Present · 1 yr 5 mos · Rochester, New York, United States · Remote

Deem, Inc.

2 roles

Security and Compliance Manager

Promoted

Sep 2023 – Oct 2024 · 1 yr 1 mo · Rochester, NY · Remote

  • Lead the security and compliance function. Manage one direct employee and two contractors.
  • Redesigned the security function:
    ◦ Created mission and vision statements. Redefined all roles and job descriptions.
    ◦ Developed two-year strategic roadmap, focused on closing known high risks. Target metrics: improve overall CMMI maturity from 1 to 3.x; mitigate or remediate all known high risks.
    ◦ Reduced operating expenses by $250K, reducing tool costs by 90%.
    ◦ Developed RACI to clarify responsibilities between Security and other Technology teams.
    ◦ Partnered with Technology leadership to create a SOC by leveraging existing NOC.
    ◦ Developed Splunk strategy and roadmap. Target metric: improve CMMI maturity from 1 to 2.x.
    ◦ Migrated function management to Jira and PPM. Created Jira dashboards for better visibility.
  • Integrating PowerBI with Jira and Qualys for improved analytics.
  • Evaluating options for compliance automation. Business case is 50% reduction in contractor hours.
  • Reviewing ChatGPT use cases, focusing on activities that would have required supplemental resources.
  • Member of the due diligence team for Deem’s acquisition by Travelport.
  • Increasing maturity by transitioning security processes and controls to Travelport teams as appropriate.

Principal Risk & Compliance Analyst

Dec 2021 – Sep 2022 · 9 mos · Rochester, New York, United States · Remote

  • Manage Splunk professional services engagement and OneTrust implementation to assure projects were on plan and meeting defined objectives.
  • Vulnerability management:
    ◦ Assumed responsibility for vulnerability management program on first day of Deem employment due to unplanned employee separation.
    ◦ Created Qualys runbook.
    ◦ Changed focus from “vulnerability chasing” to systemic process issues. Improved metrics and dashboards to provide actionable data to remediation owners.
    ◦ Tuned scan configurations, reducing run times by 50-80%, enabling more frequent scanning.
    ◦ Manage internal PCI scans and ASV scan certification.
  • SOC II Type 2 and PCI-DSS audits: Manage existing contract resources and maintain runbooks.
  • Partner with Sales on RFP responses and contract redline reviews.
  • Provided content updates to U.S. and Ireland employee handbooks, and global policies and standards.
  • Developed security requirements for data purge policy revision. Researched current GDPR rulings as basis.

Paychex

IT Risk Analyst IV

Mar 2019 – Dec 2021 · 2 yrs 9 mos · Rochester, New York

  • Perform IT risk assessments against NIST CSF. Manage timeline and deliverables, status reporting, schedule and conduct opening meeting, interviews and closing meeting. Create and deliver final report that includes assessment of inherent and residual risk and risk treatment recommendations. Document risks in enterprise risk register and present to business SVP(s), CISO and CIO as required.
  • Serve as team lead while manager was on maternity leave: Assign request tickets, manage workloads, manage risk assessment calendar and schedules, provide weekly status reporting to CISO and CIO.
  • Lead on enterprise risk assessment conducted by an external firm. Provided input to assessment plan and timelines, managed engagement, provided collaterals, engaged internal stakeholders, reviewed draft report and provided input to management reporting through the Board level.

Xerox Corporation

5 roles

Business Information Security Officer

Nov 2016 – Mar 2019 · 2 yrs 4 mos

  • Global relationship manager between GSS and the North American Operations division, including activities in Commercial Excellence and Delivery.
  • Reported to CISO until recent restructuring. BIRM function consolidated under one CISO direct report.
  • Provide executive level guidance, escalation and problem resolution.
  • Executive approver for exception requests and Time-to-Market projects.
  • Review and approve proposed changes to policies and standards.
  • Provide input to budget, investment projects and roadmap.
  • Facilitate service quality and enhancement discussions between business and GSS operational functions.
  • Communicate business requirements to GSS and clarify GSS requirements and programs to the business.
  • Assure appropriate business embedded security and operational focals are engaged in corporate communications and peer networks.
  • Facilitate proper engagement with my peers for projects that span multiple divisions.
  • Drive support for harmonization across regional processes to eliminate process and control differences and improve maturity across global geographies.
  • Support GDPR and Privacy Shield compliance for assigned divisions.
  • Identify issues that are indicators of systemic problems or opportunities that require executive support.
  • Provide support and escalation for internal and customer-facing incidents in conjunction with CSIRT.
  • Provide advance communications of initiatives and changes impacting assigned divisions.
  • Provide forward looking guidance on new or updated regulations impacting assigned divisions.
  • Support Conduent separation.
  • Provide consultation for new business offerings and enhancements.
  • Engage in customer meetings and RFP responses as required.
  • Provide approval for supplier contracts that do not include template security and privacy language.
  • Provide approval for penetration test contracts for assigned divisions.
  • Participate in monthly metric reporting and quarterly executive governance board presentations.

Senior IT Risk Analyst

Aug 2012 – Nov 2016 · 4 yrs 3 mos

  • Provide SME consultation and review for security exception requests, Time-to-Market projects and annual risk assessments.
  • Provide information security consultation for new projects and initiatives. Projects include:
    ◦ Unified communications and collaboration tools.
    ◦ IaaS cloud projects (public and hybrid).
    ◦ Multiple SaaS projects involving sensitive personal and protected health data, SSNs, medical and payment card information for employees and customers; cloud-based storage projects.
  • Assessed Xerox IaaS offering against the Cloud Security Alliance Cloud Control Matrix.
  • Some experience with Near Field Communications (NFC) security.
  • Provide SME support for PCI-DSS compliance activities:
    ◦ Participate in ASV scanning and remediation processes.
    ◦ Testing and mitigation of BEAST vulnerability.
    ◦ Experience with single use and EBT payment cards.
  • Assessed security process capability maturity against SSE-CCM/ISO 21827:2008 and CMMI.
  • Provide input to R&D groups to assure products and services align with best practices and common customer requirements. Most consultation in mobile and cloud products and services.
  • Facilitate monthly global conference call. Increased attendance by 30% (to 80-95 attendees).
  • Provided feedback during the public comment period for version 3.01 of the Cloud Security Alliance Cloud Control Matrix.

IT Security Manager

Mar 2011 – Aug 2012 · 1 yr 5 mos

  • ITIL SDM (Security Management) for the Xerox ITO account.
  • Work with Project Managers and security tower leads to manage transition from previous service provider, steady state operations and future transformations.
  • Responsibilities include enterprise (130,000 user) Exchange and SharePoint environments, client services (desktops and laptops), Citrix and global network.
  • Participate in annual risk assessment processes for Xerox and ACS.
  • Assist solution architects and cost modelers to assure that SOWs include security requirements.
  • Developed metrics to measure performance against KPIs and customer security requirements.
  • Developed dashboard to track overall performance (green, yellow, red) of KPIs and requirements.
  • Developed RFI template to gather customer security requirements.
  • Clarified customer requirements and streamlined processes to reduce service delivery costs.
  • Identify opportunities to reallocate unused funding.
  • Conduct meetings with the client to build the relationship and assure expectations are satisfied.
  • Manage relationships and personalities between PMs, tower leads and customer.
  • Update content in the information security chapter of the Service Delivery Reference Manual.

Information Security Manager

May 2008 – Mar 2011 · 2 yrs 10 mos

  • Inaugural information security manager for a business unit. Created the position and job description. Responsibilities include 40 Web-based (SaaS) applications, 20+ million lines of code, 120 servers and 400 desktops. The applications enable MPS service offerings generating over $3 billion in annual revenue.
  • Engage customers during RFP/RFI process to review contractual security requirements. Provided material assistance to over $1B in contract signings for 2010 and $300M in Q1 2011. Positioned security as a competitive advantage to justify increased spending.
  • Manage team comprised of 1 direct report. Provided leadership to transform the organizational culture from reckless to security conscious.
  • Developed internal service offerings to cost recover 25% of my annual salary back to my business unit.
  • Manage compliance initiatives. Reviewed requirements of PCI-DSS, PA-DSS and BS 25999. Leveraged ISO/IEC 27xxx to implement framework-based processes, eliminating compliance silos.
  • Authored the division’s Secure Development Life Cycle Process based on practices from Microsoft, OWASP, SAMM, CMMI, ISO9001:2000, BSIMM, OSSTMM, LSS, ISO 15504, IEEE 12207. Process includes comprehensive threat modeling, static code analysis, penetration testing and employee training.
  • Manage application security with Fortify 360 and HP WebInspect. Firm understanding of the positive and negative aspects of application penetration testing and source code analysis.
  • Developed the organizational approach to cloud computing security. Developed controls for cloud-based offerings in Amazon EC2 and Microsoft Azure.
  • Participate in IT control, process, network security and ISO/IEC 27001:2005 audits. Review General Computing Controls prior to each software release. Review audit reports.
  • Implement purchasing policy for managing security requirements in third party contracts and SOWs. Created InfoPath RFP template that quantitatively compares vendors.

System Engineer - Information Risk and Compliance

Apr 2006 – May 2008 · 2 yrs 1 mo

  • Responsible for achieving certification of SaaS environment against ISO/IEC 27001:2005, Safe Harbor and Corporate risk assessment processes. Aligned controls with FISMA and COBIT. Reviewed P3P.
  • Developed local policies, processes and standards as part of ISO/IEC 27001:2005 certification.
  • Implemented digital certificates with Office 2007, Adobe Acrobat Professional 8.0 and PGP Desktop 9.5. Implemented certificate-based authentication on ssh servers with Bitvise WinSSHD.
  • Secured and managed Windows 2003, IIS and SQL Server 2005 using MBSA, CIS Scoring Tool, WSUS, MOM 2005, NetIQ SCM, WebInspect 7, Foundstone Enterprise 6 and ePO 4. Created emergency-use Registry keys to prevent DoS attacks against Server service and TCP/IP communications. Designed a report against the WSUS database using Crystal Reports to provide better patch reporting.
  • Assisted with process of moving hosting infrastructure to a new datacenter vendor. Participated in physical security and information risk assessments. Reviewed the vendor’s SLA and controls.
  • Utilized Microsoft Fiddler to improve application caching and reduce download size of client-side scripts.
  • Management of Windows 2003 NLB clusters and SQL Server 2005 multi-instance failover cluster.
  • Developed tape backup policy. Implemented backup policies in EMC NetWorker 7.
  • Experience with ssh for file transfer (SFTP) and port forwarding (tunneled RDP and SQL Mirroring).
  • Interact with third-party vendors on software issues and submit feature requests.

Bryant & Stratton College

Adjunct Professor

Sep 2010 – Dec 2010 · 3 mos · Rochester, NY

  • Courses taught:
    ◦ SECR 180 - Introduction to Network Security. The course covered topics related to enterprise risk management and security.

Democrat and Chronicle

Programmer / Analyst

Feb 2005 – Apr 2006 · 1 yr 2 mos · Rochester, New York Area

  • Developed business intelligence reports using Crystal Reports Developer and Server XI (CR XI).
  • Developed enterprise Intranet portal using Windows SharePoint Services. Implemented the Microsoft Solutions Accelerator for Sarbanes-Oxley to improve workflow management.
  • Administration of Citrix Access Suite environment. Implemented Citrix’s Crystal Reports for farm management and the Citrix Presentation Web Server Interface for SharePoint.
  • Created Crystal Reports to obtain information from SolarWinds Engineer’s Edition 8 (EE8).
  • Utilized Windows 2003 Automated Deployment Services and Sysprep for bare metal server deployment.
  • Utilized EE8 and Orion server to monitor availability and bandwidth utilization on six T1 lines. Implemented NetFlow on routers. Created network management reports using CR XI and EE8.
  • Adopted BartPE for troubleshooting and administration tasks.

Genuine Technologies

Programmer / Network Administrator

Jul 2004 – Oct 2004 · 3 mos · Rochester, New York Area

  • Designed and developed a SaaS Point-of-Sale application on a LAMP architecture. Optimization efforts reduced existing application code by 75%. Designed the database schema. Created data migration scripts.
  • Managed secure application development. Implemented role-based security, input validation and pushed adoption of basic PHP input sanitization methods, including trim() and strip_tags().
  • Interfaced with users to gather system requirements; designed, implemented and tested application functionality; designed the user interface.
  • Utilized WAPT 3.0 to determine server sizing and required network and user bandwidth.
  • Managed environment using tools from Quest, Teratrax, Paessler, PremiumSoft and mySQL.

Education

Rochester Institute of Technology

MS — Information Technology

Jan 2002 – Jan 2004

PennWest Clarion

BS — Information Systems

Jan 2000 – Jan 2002
