Francisco Igual

CEO

Campbell, California, United States · 32 yrs 3 mos experience
Highly Stable

Key Highlights

  • Over 20 years in Information Security and GRC.
  • Active participant in international standards bodies.
  • Leader in Cybersecurity risk management initiatives.
Stackforce AI infers this person is a Cybersecurity and GRC expert in the FinTech industry.

Skills

Core Skills

Cybersecurity · Risk Management · Governance · GRC · Data Management

Other Skills

Analytical Skills · Strategy · Budget Proposals · Risk Compliance · Budgeting · NIST · Risk Assessment · Communication · Interpersonal Skills · ITGC · Information Security Policy · Security Policy · Vulnerability Assessment · Security Compliance · Regulatory Compliance

About

Information Security professional with more than 20 years of experience assessing, designing and building comprehensive GRC programs with local, regional and global reach. Focused on the Technology and FinTech industries, with deep understanding of information security regulatory requirements, risk management frameworks, information security standards and best practices. Senior leadership influencer, leader and motivator of technical and non-technical staff and partnership builder across business and technology stakeholders. Active participant in international standards bodies; enhancing and promoting information security standards as part of the PCI Board of Advisors and supporting the publication of thought leadership concepts with the ISACA Journal Committee.

Professional Strengths

  • Development of Information Security Policies and Standards
  • Information Security Risk Management
  • Compliance with Domestic and International Information Security regulations
  • Information Security Controls Management (design, implement, monitor, refine)
  • Build and lead teams to drive positive change in the organization
  • Cross team collaboration and influence
  • Empower team members to thrive

Experience

Zscaler

Senior Director Cybersecurity Risk Management

Jul 2024 – Present · 1 yr 8 mos · San Jose, California, United States

Soaprojects, inc.

Cybersecurity GRC

Jan 2024 – Jul 2024 · 6 mos · Mountain View, California, United States

Career break

Professional development

Nov 2023 – Dec 2023 · 1 mo · San Francisco Bay Area

  • Sharpening the saw, reconnecting with family and myself while preparing for my next professional adventure.
  • Blogging CyberGRC concepts and approaches I’ve learned over the years, hoping to give back to the industry and most importantly challenge my own way of approaching Cybersecurity: https://cybergrc.blog

Workday

Senior Director Cybersecurity Risk Management

Jul 2020 – Nov 2023 · 3 yrs 4 mos · Pleasanton, California, United States

  • Leading Workday’s Cybersecurity Risk Management programs aimed to identify, measure and drive mitigation of Cybersecurity risks faced by the organization. Coaching people managers to achieve their full potential and to grow their teams within the Security and GRC domains.
  • Key results: High performing teams helping the business understand the impact of Cybersecurity risks and support them with the creation of mitigation strategies while keeping senior leadership engaged in decision making. Driving remediation of Security issues, by guiding the business on the prioritization of work based on impact and severity.
  • Leading Workday’s Cybersecurity Governance programs aimed to support security risks mitigation through enterprise-wide strategies to set policy, educate workmates and measure effectiveness of security controls.
  • Key results: Creation and publication of policies, standards and guidelines to address key risks. Deployment of continuous education and awareness campaigns to elevate workmates’ knowledge around security controls. Execution of an ongoing controls assurance program to understand the effectiveness of controls and their impact on risk mitigation.
Analytical Skills · Strategy · Budget Proposals · Risk Compliance · Budgeting · NIST (+9 more)

Salesforce

Senior Director Information Security GRC

Aug 2018 – May 2020 · 1 yr 9 mos · San Francisco Bay Area

  • Led Salesforce initiatives to identify and address security control breakdowns.
  • Key results: Designed a controls monitoring program to rely on automation for controls effectiveness validation. Drove controls standardization by promoting centralized processes and controls. Built a streamlined process, tools and governance structure for Security Issues and Exceptions Management. Mitigated Security & Compliance risks by driving faster closure of issues & detailed analysis of security exceptions.
  • Led the Security GRC Data Management initiative.
  • Key results: Key process and data identified & documented. Defined next phases for data classification and management.
Interpersonal Skills

PCI Security Standards Council

Member of the Board of Advisors of the PCI Security Standards Council

May 2011 – Jul 2018 · 7 yrs 2 mos

Analytical Skills · Strategy · Budget Proposals · Risk Compliance · Budgeting · Communication (+9 more)

PayPal

Senior Manager, Technology Risk & Security Compliance Management

Aug 2009 – Jul 2018 · 8 yrs 11 mos

  • Designed and led improvements to the Information Security GRC program; ensuring information security standards are inclusive of domestic and international regulatory standards (NIST, ISO, PCI, etc.) and obligations (NY DFS, CSSF, etc.), controls are designed to comply with those defined standards, external audits and assessments are completed effectively, resolution of control gaps is timely achieved, controls’ effectiveness across platforms is monitored and operational rhythms are supported by proper GRC tools.
  • Built from the ground up, the Technology Risk Management program for the Chief Technology Officer organization; designed to identify, mitigate and monitor technology risks in alignment with the Enterprise Risk and Compliance framework.
  • Established and operationalized a wide enterprise initiative to assess processes and technology against PayPal Information Security standards, identifying controls owners, consolidating implemented controls and driving remediation of acknowledged gaps.
  • Created a controls management framework to prioritize information security controls monitoring mechanisms and testing frequency based on Inherent Risk, Control Effectiveness, Scope of Applicability, Criticality of Data and Viability of Automated Monitoring.
  • Operationalized an Issues Management program to address information security control breakdowns, partnering with Internal Audit, ERCS, Privacy, Legal, Technology and Product to drive proper and timely remediation and validation of controls.
  • Defined Objectives and Key Results (OKR) metrics for the Security Compliance and Issues Management teams. Created dynamic data-driven dashboards for operational consumption and leadership decision making.
  • Hand-picked by Senior Leadership to participate in PayPal’s Emerging Leaders Program in Singapore.
Analytical Skills · Strategy · Interpersonal Skills

Soaprojects, inc

Manager, Information Technology Assurance

Jul 2008 – Aug 2009 · 1 yr 1 mo

  • Performed Information Technology General Controls optimization projects based on AS5 guidelines for Internet and Financial organizations; optimizing time and cost spent during internal and external testing of controls.
FinTech · Analytical Skills · Strategy · Budget Proposals · Risk Compliance · Budgeting (+10 more)

Intuit

External Consultant, Information Technology Assurance

Mar 2008 – Jun 2008 · 3 mos

  • Assessed adherence of company’s access controls to the SAS70 standard, including scope determination, controls design, user access rights evaluation, clean up and establishment of new access management processes.
Security Compliance · ITGC

ISACA

Journal and CobIT Committees member

Jan 2007 – Nov 2020 · 13 yrs 10 mos

  • Reviewed Journal articles before publishing.
Analytical Skills · Strategy · Budget Proposals · Risk Compliance · Budgeting · Communication (+5 more)

PricewaterhouseCoopers

Manager, Information Technology Assurance

Jan 2007 – Mar 2008 · 1 yr 2 mos

  • Led Information Technology General Controls engagements supporting integrated financial audits, defining technology scope, driving budget decision making, coordinated resource allocation, supervised assessment execution and results quality.
Security Compliance · ITGC

Deloitte

Senior Manager, Information Technology Risk Consulting

Jan 2002 – Dec 2006 · 4 yrs 11 mos

  • Led information security controls readiness assessments for Technology, Financial and Manufacturing clients in various markets, including North America, Latin America and Europe.
  • Led the implementation of the Human Resources Management System for the Mexican Federal Government. Led the implementation of network security controls for the Mexican IRS including the Security Operations Center. Led the Information Classification for the Mexican SEC based on the ISO 17799 standard and governmental regulations.
  • Acted as the liaison point with solution providers such as Microsoft, Seguridata, Mercury Interactive and HP to drive business development opportunities.
Security Compliance

Arthur Andersen & Co.

Manager, Information Technology Risk Consulting

Sep 1998 – Jan 2002 · 3 yrs 4 mos

  • Led Information Technology General Controls audits for Financial, Hospitality and Manufacturing clients.
  • Led Information Technology consulting services such as information security assessments, disaster recovery planning (DRP), application systems integrity and control reviews, and security architecture definitions.
  • Led the creation of Information Security Policies & Procedures for the Central Bank of Mexico. Led Information Security Assessments for the National Bank of Costa Rica and the International Bank of Costa Rica based on the ISO 17799 standard.
Security Compliance

Ddemesis

Manager, Technology and Education

Sep 1993 – Aug 1998 · 4 yrs 11 mos

  • Led the Technology training division for company’s personnel and clients. Built strategic alliances with software vendors to drive knowledge sharing and training opportunities for the company.
  • Formed and led a software development quality assurance (QA) team, building a standardized framework for developing, testing and delivering products to market. Led development of an ERP for a media planning organization. Led development of an ERP for a brokerage firm.

Education

Harvard University

Certificate — Managing Risk in the Information Age

Jan 2019 – Jan 2019

Instituto Tecnológico Autónomo de México

MBA

Jan 2002 – Jan 2005

Instituto Tecnológico Autónomo de México

Diploma — Development of Managerial Skills

Jan 1997 – Jan 1998

Universidad La Salle, A.C.

BS — Bachelor of Cybernetics Engineering and Computer Science

Jan 1991 – Jan 1996
