Bryan B.

CEO

San Diego, United States · 27 yrs 10 mos experience
Highly Stable

Key Highlights

  • 20 years of experience in information security.
  • Co-host of a popular security podcast with 20,000 downloads monthly.
  • Established a thriving Slack community of 2,300 security professionals.
Stackforce AI infers this person is a seasoned Information Security professional with extensive experience in community engagement and program management.

Skills

Core Skills

Community Engagement · Media Relations · Content Development · Program Management · Product Security · Project Management · Vulnerability Management · Information Security · Online Content Creation

Other Skills

Social Media Marketing · Interviewing · Social Media Outreach · Community Manager · Interview Preparation · Community Development · Audio Editing · Voice Acting · Strategic Planning · IT Project & Program Management · CISSP · Video Editing · Coaching & Mentoring · Event Management · Social Media

About

As a Security Product Manager at Amazon, I have 20 years of experience in the information security field, earning my CISSP, GWAPT, and GCIH. My core competencies include program management, product security, bug bounty operations, threat modeling, vulnerability management, incident response, training and mentoring team members, and building open, honest collaboration between product, business, and security teams. I have co-organized security conferences, like Infosec Campout in the Seattle Area, as well as a successful local Security meetup called "SEASec East", and I volunteer at Bsides Seattle and San Diego and Defcon Las Vegas. I am passionate about creating online security training, building positive communities, and content to enable new security professionals, or people seeking to understand security topics, to gain a better understanding. I co-host and produce the BrakeSec Education Youtube Channel and BrakeSec Podcast, which averages 500 downloads per day and 18-20,000 downloads a month. I also interview experts in information security, privacy, and compliance, educating listeners and gaining an additional important viewpoint. My mission is to foster an open and collaborative environment where discussion and learning are encouraged. The Slack community I've nurtured has 2,300 people and we actively contribute to improving Information Security. I have orga

Experience

Seattle BSides Security Conference

Director of Press and Media

Dec 2025 - Present · 4 mos · Remote · Remote

  • Coordinate social media response for Bsides Seattle
  • Interview speakers at the conference
  • Respond to media inquiries
  • Expand awareness of Bsides Seattle conference
Social Media Marketing · Interviewing · Social Media Outreach · Community Manager · Community Engagement · Media Relations

BSides San Diego

Director of Marketing And Community Relations

Dec 2025 - Present · 4 mos · San Diego, CA · Remote

  • Coordinate external communications for BSides San Diego, including social media posts.
  • Organizing Media interviews for speakers
  • Managing media response and answering questions about the conference.
Social Media Marketing · Media Relations · Interview Preparation · Community Engagement · Community Development · Project Management

Amazon

2 roles

Security Product Manager | Bug Bounty team lead

Oct 2022 - Feb 2026 · 3 yrs 4 mos · Remote

  • Leading a bounty team of 4 people conducting triage, reproduction, and organizing product security incident response (PSIRT) functions for the Amazon Devices and Services bug bounty program
  • Organized 6 in-person bounty events showcasing devices that were evaluated by HackerOne researchers in Dublin, Amsterdam, Las Vegas, Dubai, Edinburgh, and Seattle
  • Established a process to identify systemic bounty issues across product and business units, engaging with leadership and organized Ring, Blink, FireOS, and Alexa product teams to address found issues, achieving 90%+ fix rate within established SLAs
  • Collaborating with engineering, product management, and business stakeholders to integrate security into development processes & prioritize findings in Confluence Jira that could affect business reputation or put customers at risk
  • Managed program security for the Amazon Sidewalk program, a global IoT platform, from pre-launch to post-launch and maturity, including integration and on-boarding of 3rd party device makers
  • Collaborated with data engineers collecting data using Amazon Athena for dashboards, highlighting the effectiveness of the bounty program, utilizing metrics to guide future work & organizational goals
  • Coordinate with product management teams when conflicts arise in how to address security issues
  • Lead 2 security engineers executing Sidewalk's product security strategies for an on-time launch
  • Collaborate with engineering, product management, business, and other technology stakeholders to integrate security into development processes and to treat security consistent with business goals and requirements
Strategic Planning · Program Management · Project Management · People Development · Interviewing · IT Project & Program Management · +4

Sr. Technical Program Manager

Feb 2021 - Oct 2022 · 1 yr 8 mos · Remote

  • Managed $25MM yearly budget, submitted monthly invoicing and POs with Finance, and ensured budget actuals are within tolerances; monitored burndown for project time and resourcing
  • Managed 125 security engagements across an 18 month period, ensuring scope and budget constraints were met within company guidelines
  • Coordinated security testing across business groups and security teams to increase testing efficiency by 20%
  • Created metrics showing effectiveness of security vendors, and trends in findings across business units, product teams, and application services
  • Managed the 3p vendor relationship with 5 different security assessment firms, ensuring quality assessments, scheduling teams for engagements across Amazon Devices and Services
  • Provided guidance and advice to product teams on course of action for remediation of fixes, and managed timelines, reporting, and escalation if not addressed within stated SLAs.
Program Management · Customer Engagement · Change Management · Product Security

Infosec Education Foundation, a 501c3 charity

President

Apr 2019 - Nov 2021 · 2 yrs 7 mos · Greater Seattle Area

  • Coordinating with potential sponsors for the Brakeing Down Security podcast. Furthering educational initiatives by organizing trainings, meetups, and conferences.
  • Organizing the Infosec Campout, an Infosec and camping conference bringing security talks and outdoor camping together. (www.infoseccampout.com)
Project Management · Online Content Creation · Interviewing · Program Management · Strategic Planning · IT Project & Program Management · +3

Leviathan Security Group

Technical Project Manager

May 2018 - Feb 2021 · 2 yrs 9 mos · Greater Seattle Area

  • Update internal processes and development of an organizational change management process utilizing ProSci's "ADKAR" methodology that takes into account engagement from a change sponsor, communication management, understanding and overcoming the resistance to change in an environment.
  • Updating documentation and reducing the amount of 'tribal knowledge' in the organization. This was done by an overhaul of old Mediawiki pages, deciding on the best way to highlight that knowledge, meeting with the knowledge keepers, chronicling the process or actions needed for successful repetition of the process, and auditing the existing pages on a periodic basis to maintain their veracity.
  • Develop and communicate risk-based plans to drive project priorities using industry accepted risk assessment and threat analysis methodologies.
  • Lead root cause analysis processes based on information about the client’s processes, technology, and maturity.
  • Develop and present on remediation and mitigation plans to address systemic issues and root causes identified during and between projects.
  • Mentor and guide project personnel as needed.
  • Identify opportunities to leverage current and future capabilities to further support the client's business.
  • Support proposal and service line development.
People Development · Project Management · Interviewing · Program Management · Strategic Planning · CISSP · +2

Cascadia Security and Consulting

CEO, Janitor, mailroom, and all things in between

Oct 2015 - Mar 2017 · 1 yr 5 mos · Greater Seattle Area

  • Started CascadiaSec as a long (read: LONG) term plan to do what every Infosec person wants to do... setup their own consultancy and eke out their niche in the infosec world. Also, this will make it easier for possible sponsorship opportunities for the Brakeing Down Security Podcast, as well as for being a sponsor of infosec conventions and events in the future. Ended the incorporation in 2017, as I found our podcast was not using it.
People Development · Project Management · IT Project & Program Management · CISSP · Coaching & Mentoring · Information Security

SeaSec East

Co-Founder, Organizer

Jan 2015 - Nov 2025 · 10 yrs 10 mos · Greater Seattle Area

  • SeaSec East is a networking forum for professionals in IT, information security, privacy and compliance. We foster an open environment where discussion is encouraged. Completely a 'FrieNDA' environment. Bounce ideas off of folks, collaborate on a project, have a 5-7 minute on a topic you're passionate about. The sky's the limit at SeaSec East. Predominately located in the Redmond-Bellevue-Mercer Island area of Seattle, we meet on the Wednesday of each new month.
Project Management · Community Development · Content Development · Event Management · Community Engagement · Social Media

CrowdStrike

Sr. Vuln Manager, Pentester, Audit/Compliance SME

Oct 2014 - Apr 2018 · 3 yrs 6 mos · Greater Seattle Area

  • Conducted vendor security assessments for software and systems to be introduced to the enterprise environment
  • Setup of a vulnerability management program version to replace existing ad hoc program
  • This required the creation of policies for handling vulnerabilities in the enterprise, coordinating incident response measures against newly found vulnerabilities in the media (such as BadLock, HeartBleed), and ensuring affected systems are patched in a timely manner.
  • Created custom vulnerability scoring utilizing the CVSS score as a base and modifying to fit the current environment.
  • Took meetings with vendors to discuss implementation of new technology, and to work through security issues pertaining to installation, and operation of new systems.
  • Using popular vulnerability scanners to detect vulnerabilities
  • Creating reports for management to show systems that were patch deficient
  • Creating quarterly audit reports to satisfy SOC2 Type 2 requirements
  • On the team that guided our company through 3 successful SOC2 audits and the CSA Star audit
  • Tested JSON based APIs for security flaws for a popular security endpoint application
  • Manual web application vulnerability testing using Burp and Fiddler
  • Engaged DevOps teams on proper patching and vulnerability management
  • Championed a lite-weight 'half-baked' AWS image that sped up deployment of systems and reduced package loadouts
  • Coordinated testing and development group to discuss proper methods of addressing vulnerabilities prior to deployment of a solution
  • Conducted regular red team testing of network and environment, using the Kali Linux Distro and associated tools.
People Development · IT Project & Program Management · CISSP · Coaching & Mentoring · Vulnerability Management

Brakeing Down Security Podcast

Producer, Content Creator, Co-host

Jan 2014 - Present · 12 yrs 3 mos · remote · Remote

  • Produce and co-host a popular Security training podcast with 20,000 monthly downloads, interviewing industry experts to provide valuable insights
  • Managed audio and video editing, ensuring high-quality content delivery to thousands of podcast and stream followers
  • Organized online classes, CTF events, and book club discussions to educate newcomers to Infosec and promote community engagement.
Project Management · Online Content Creation · Interviewing · Program Management · Community Development · Audio Editing · +10

Information Systems Security Association (ISSA)

Capital of Austin ISSA Chapter Recording Secretary / Board Member

Dec 2013 - Feb 2014 · 2 mos · Austin, Texas Area

  • Maintaining chapter minutes, Presiding over meetings as timekeeper, ensuring constructive flow of communication from all members/attendees. Other duties are preparing the agenda for the board meetings, and monthly meetings, and to be the 1st point of contact for any and all changes made to the chapter by-laws.
Community Engagement

Major technicality.com

Podcast Co-Host, Segment Producer, and Presenter

Nov 2012 - May 2013 · 6 mos · Austin, Texas Area

  • Creating web content, in the form of screencast videos, displaying IT applications.
  • Researching topics for 'week-in-review' segment, as well as assisting in promoting the weekly "MajorTechnicality" podcast to various social outlets.
Online Content Creation · Community Development · Audio Editing · Social Media

ACS, a Xerox Company

Information Security Principal

Aug 2012 - Oct 2014 · 2 yrs 2 mos · Austin, Texas Area

  • My company handles the payment card systems for US Treasury and 22 other states. We support services dealing with assistance (WIC, government assistance, child care allotments, child support, etc)
  • My current position as InfoSec Principal is to maintain PCI compliance on several hundred servers, creating mitigation plans and policies to address PCI shortcomings, and managing issues that arise with various different parties (system architects, operations managers, change management) to ensure that parties responsible fix the issues that arise in a timely manner. We protect 6 Billion dollars USD worth of disbursements per month
  • Received 2 Spot Awards, one for creating a process to regularly review firewall ACLs to stay compliant with PCI-DSS, and another for swift addressing of the OpenSSL HeartBleed bug
  • Establishing FISMA compliance requirements that were required for a re-bid of a 1 Billion USD government contract
  • Installed Tripwire and Envision servers and agents hosts to ensure proper archival of system and audit logs
  • Maintaining effective two-way communication with Compliance and Fraud Departments which allows us to address any issues that arise in a positive manner, and allows for creation of realistic mitigation plans, and notifications of necessary parties when handling any and all security incidents
  • Managing various projects of a security nature, such as instructing QA, Test, and Developers on the proper methods of protecting against XSS, CSRF, and other Web Application Security concepts
  • Using various security tools (Burp Suite, Nmap, Kali Linux, etc) to actively attack internal networks and external websites to find vulnerabilities and mitigate them as they are found
  • Conducting regular security vulnerability assessments utilizing Tenable's Nessus Security Scanner and CriticalWatch, both on the external web portals and also doing credentialled internal scans to locate and remove findings
Community Engagement

CynergisTek, Inc.

Information Security/Compliance Consultant

Dec 2011 - Jun 2012 · 6 mos · Austin, Texas Area

  • Provided hands-on consulting services to clients that offered enhanced levels of information security
  • Conducted risk assessments and information security program assessments as mandated by HIPAA requirements. Interpreted HIPAA, HITECH, Meaningful Use and other requirements as they relate to a specific internal information system, and assisted with the implementation of these and other information security requirements.
  • Traveled on-site to do risk assessments for hospitals according to HIPAA/HITECH guidelines, the ISO 27002 standard.
  • Created specialized reports highlighting findings found during technical and non-technical evaluation of healthcare information systems. Non-technical evaluation required interviews of key personnel, as well as review of policies and procedures to ensure the client was conforming to HIPAA/HITECH guidelines.
  • Conducted physical security assessment of the facilities while on-site. This entailed checking security camera coverage, checking physical access points, evaluating the location of workstations and printers for possible tampering by outside sources, and assessing network security controls for possible breaches of sensitive information.
  • Scans were conducted utilizing the QualysGuard appliance on internal and external information system assets, and reports were created detailing the results of the vulnerability assessment to the client.
  • Held workshops with hospital administration (CIO, Legal, Compliance, etc) to go over the results of the assessments and to chart out a course of action to help them become more compliant with HIPAA/HITECH and Meaningful Use Stage 1 requirements.
  • Created nightly reports using Log Logic appliance that detailed various metrics for hospital clients (accounts created/deleted, number of failed logons due to certain conditions, etc)
People Development · Project Management · CISSP · Coaching & Mentoring · Information Security

Ultra Electronics Advanced Tactical Systems

Information System Security Officer

Jan 2010 - Nov 2011 · 1 yr 10 mos · Austin, Texas Area

  • Maintained Information Assurance Vulnerability Assessment (IAVA) scripts for several projects to ensure proper information security standards were followed.
  • Managed classified computer systems according to NISPOM Chapter 8 Guidelines and policies set by the ISSM and FSO
  • Created Plan of Action and Milestone (POA&M) documents that initiated timelines to help customers understand when security vulnerabilities would be mitigated
  • Maintained accurate documentation to show changes between IAVA builds
  • Interfaced with customers on changes being made to systems, and modified systems accordingly
  • Updated SOPs and access control lists to ensure proper permissions were given to the proper personnel
  • Used virtualization technology to create multiple hosts to decrease testing time by 30% and decreased time between customer deliveries by 50%.
Security Clearance

HP Enterprise Services

Systems Integration Test Engineer

Aug 2006 - Nov 2009 · 3 yrs 3 mos · Greater San Diego Area

  • Coordinated with vendors to resolve testing issues and develop possible solutions.
  • Worked against deadlines on several key multi-million dollar incentive projects for the US Navy global information network
  • Created complex and detailed test plans during white box testing
  • Collaborated in review of testing processes to eliminate inefficiencies using Lean Six Sigma methodologies
  • Applied certified test hardware to lab environment to mimic production environment
  • Oversaw training of new personnel to enable faster and easier introduction to testing environment
  • Implemented applications built on Windows and Solaris 8, 9, 10, as well as RedHat Enterprise Linux
  • Provisioned storage area network (SAN) LUNs to create storage on various Windows and Unix servers utilizing the EMC Symmetrix DMX-3
  • Setup service level agreements and statement of work agreements to provide customers with service after installation of software and hardware solutions
Security Clearance

US Navy (Government)

Senior Systems Administrator / Information System Security Assistant

Jan 2005 - Aug 2006 · 1 yr 7 mos · Greater San Diego Area

  • Supervised 4 person team to complete networking and setup of 20 unclassified and classified servers in the Weather Command operations center to support vital US Naval operations and exercises
  • Performed maintenance on 20-25 Sun Solaris 7, 8, and 9 workstations and servers including networking, patching, and security vulnerability compliance
  • Managed group of 6 technicians monitoring help desk functions and servicing user workstations. Created schedules for support based on operational necessity.
  • Managed the Trusted Gateway System (TGS) and the Joint Operational Data Interchange (JODI) to pass unclassified data safely to classified networks for support of DOD assets worldwide
  • Maintained proper network documentation in accordance with the Defense Information Security Agency (DISA), including updating network diagrams, IAVA compliance, and physical security guidelines
  • Setup and maintained DHCP, DNS and NFS servers, as well as Web servers for sharing information to external customers, and Windows file servers for sharing of information to internal personnel
  • Cataloged and secured COMSEC equipment in accordance with physical and information security guidelines
  • Conducted training with operations personnel on operation of various meteorological and IT systems
  • Created risk assessments on information systems to highlight operational need, and used assessments to create plans for business continuity and disaster recovery
  • Conducted security training to help new personnel understand proper storage and handling of secure media and materials
  • Briefed senior leadership on operational status and status of projects at weekly meetings
  • Replaced outdated protocols like FTP, Telnet, and RSH, with OpenSSH and SFTP to further secure networks and reduce attack vectors from the outside
Security Clearance

U.S. Navy

Information System Security Assistant

Nov 1997 - Nov 2004 · 7 yrs · Worldwide assignments

  • Monitored Cray XMP supercomputers for completion of advanced weather forecast models using Hummingbird Exceed
  • Maintained heterogeneous network of Windows and Linux clients at a remote base to provide timely meteorological data to the US Navy Fleet in the Indian Ocean.
  • Managed training records for military and civilian personnel using in-house database system
  • Briefed senior leadership on weather phenomena in areas of importance to Naval assets
  • Performed maintenance and upgraded meteorological hardware to mitigate outages
  • Setup and maintained Symantec Enterprise Antivirus to ensure proper distribution of anti-virus updates
  • Created meteorological observations that required timely transmission to a centralized database using web site upload interface
Security Clearance

Education

Harvard Business School Online

Certification of completion — Organizational Leadership

Oct 2022 - Dec 2022

SANS Institute

GIAC Certified Web Application Tester — GWAPT

Jan 2014 - Jan 2014

Ethical Hacking and Penetration Class

Ethical Hacking and Penetration Testing

Jan 2013 - Jan 2013

Imperva

WAF Training

Jan 2012 - Jan 2012

SANS Institute

SEC542 Completion

Jan 2014 - Present

CISSP

ISC2

ISC2 — CISSP (#331883)

Jan 2010 - Jan 2010

University of Phoenix

Bachelor's of Science — Information Technology

Jan 2004 - Jan 2008

Buffalo High School, Buffalo, MO

High School Diploma

Jan 1991 - Jan 1997

Nessus Security Center Training

SANS Technology Institute

GCIH Certification

Jan 2017 - Jan 2017

7a Security

Hacking Modern Desktop apps: Master the Future of Attack Vectors — 7aSecurity

Jan 2020 - Jan 2020

Harvard Business School Online

Other — Certificate in Leadership Principles

Feb 2023 - Mar 2023

Harvard Business School Online

Certificate of Completion — POWER AND INFLUENCE FOR POSITIVE IMPACT

May 2023 - Jun 2023

Harvard Business School Online

Specialization — Leadership and management

Nov 2022 - Jul 2023
