Shobhit M.

DevOps Engineer

San Francisco, California, United States
13 yrs 3 mos experience

Key Highlights

  • Led GRC and Security Engineering at Headspace.
  • Advised startups on security programs and GTM strategies.
  • Authored a bestseller on GRC and ISACA's CRISC certification.
Stackforce AI infers this person is a Cybersecurity and GRC expert with extensive experience in SaaS and Fintech.

Skills

Core Skills

Security, Compliance, Education, Budget Management, Artificial Intelligence (AI), GRC, Data Privacy, HITRUST, Public Speaking, Cybersecurity, Technology Risk

Other Skills

Mentoring, Coaching, Technological Innovation, IT Strategy, Cross-functional Team Leadership, Team Building, Team Management, Leadership, Threat Modeling, IT Governance, Interpersonal Skills, FedRAMP, SOC 2, Product Security, Bug Bounty

About

Security & Privacy leader currently leading all GRC & Security Engineering functions at Headspace. I previously worked in multiple Information Security & Assurance domains with HSBC, Deutsche Bank, Credit Suisse, PayPal, & Fidelity Investments. In my spare time, I advise startups on building their security programs and GTM strategies, serve on the advisory board of the state-funded Cybersecurity program at Calbright college, present at industry conferences, contribute to CSA research, explore the inclined trails of the Bay area, run ultramarathons, and blog on GRCMusings.com. I completed my MS in Cybersecurity from Northeastern University, Boston, and hold CISSP, CCSP, CRISC, CISA, CISM, CGEIT, CIPT, HITRUST CCSFP, ISO 27001 Lead Auditor, ISO 31000 Risk Management, and ITIL Foundation certifications.

Experience

Total Experience: 13 yrs 3 mos
Average Tenure: 1 yr 6 mos
Current Experience: 1 yr 7 mos

Sierra

Security & Compliance

Jun 2025 – Present · 10 mos · San Francisco Bay Area

Artificial Intelligence (AI), Security, Compliance

ISACA Silicon Valley

Director of Education

May 2025 – Present · 11 mos

Education, Mentoring

Headspace

5 roles

Chief of Staff, Security Strategy & Innovation

Mar 2025 – Jul 2025 · 4 mos · San Francisco Bay Area

  • Responsible for annual operating plan and budget allocation for Security, IT, and Cloud
  • Saved $500K+ in contract negotiations, software license optimization, and building in-house AI tools
  • Automated customer questionnaires and vendor security assessments with AI to bring 98% efficiency and save $100K in annual spend
  • Led strategic security initiatives and introduced forward-thinking privacy and AI risk management practices
Artificial Intelligence (AI), Budget Management, Coaching, Technological Innovation, IT Strategy, Cross-functional Team Leadership, +2 more

Head of GRC, Security Engineering, & Privacy Engineering | Director

Promoted

Mar 2023 – Jun 2025 · 2 yrs 3 mos · San Francisco Bay Area

  • My role sits at the intersection of Security, Engineering, Product, Privacy, Legal, Compliance, Sales, and Care teams. I believe GRC & Security are the glue that brings all of the above together with unique expertise in business and technology.
  • Managed a team overseeing GRC, Privacy Engineering, and Security Engineering.
  • Conceptualized and operationalized the ‘Product, Security & Compliance Working Group’ with leaders from Legal, Product, Engineering, Privacy, and Security. This group prioritized risks and remediation for high-impact projects such as unifying Headspace and Headspace Care under a single app, Headspace Care D2C, and a unified EAP offering.
  • Conceptualized and operationalized the ‘Product Risk Review Process’ in collaboration with Security, Privacy, Legal, Engineering, and Compliance. Implemented Security-by-design and Privacy-by-design, including PRD reviews, technical specs review, threat modeling, and internal penetration tests for major feature rollouts.
  • Operationalized the Privacy Operations Center (POC), centralizing all privacy programs including member DSAR, media inquiries, new privacy requirements, and adherence to current requirements.
  • Presented key security and privacy risks and opportunities to the audit committee and BoD. Represented InfoSec in compliance committee meetings and provided inputs on risks escalated to CAPs.
  • Obtained the initial SOC 2 Type 2 audit report within 3 months and led the FedRAMP gap assessment to determine scope and associated costs.
  • Defined and executed the roadmap and budgeting for GRC and Corporate Application teams. Also, defined the leveling matrix for InfoSec and IT teams.
  • Managed aspects of Product Security, including bug bounty, vulnerability disclosure, internal/external penetration tests, SAST/DAST/SCA, findings prioritization and remediation.
  • Conceptualized and organized the first Capture The Flag (CTF) event and Secure Code Training for the engineering team.
Technology Risk, Leadership, Threat Modeling, IT Governance, Interpersonal Skills, Public Speaking, +9 more

Head of GRC | Manager

Promoted

Oct 2021 – Mar 2023 · 1 yr 5 mos · San Francisco Bay Area

  • Ginger and Headspace merged in Sep 2021, and I was responsible for leading the combined GRC teams, consolidating security tools, and developing a coherent culture.
  • Managed hiring, coaching, and mentoring for IT, AppSec, InfraSec, and oversaw a GRC team of 6.
  • Orchestrated HITRUST interim assessment for Headspace Care (Ginger) and merged HITRUST assessment for Ginger and Headspace scope, including merger of policy and systems, security tools, LMS platforms, MyCSF instances, and inheritance from IaaS.
  • Evaluated bug bounty platform vendors, established scope and policies for researchers, and devised internal process flows for prioritization and remediation.
  • Led monthly syncs with Product, Legal, and Security groups to discuss current risks, challenges, and key priorities.
  • Completed Google’s Data Privacy Questionnaire and defined Apple’s requirements for deletion button for the engineering team.
  • Conducted security due diligence for companies Headspace acquired, managing asset transfers including domains, social media accounts, Google Workspaces, security and member notification emails, content, and member data.
  • Conceptualized and led monthly privacy office hours with the Chief Privacy Officer and CISO to promote best practices around member data privacy and foster a privacy-first culture at Headspace.
  • Implemented an out-of-band communication tool and spearheaded the first BCP call-tree exercise at Headspace for employees in the US, UK, France, and Germany.
  • Implemented a privacy scanning tool to support privacy engineering and led efforts to implement a cookie consent tool across all Headspace assets.
  • Spearheaded the implementation of SSO on key internal systems.
  • Presented Headspace’s budget-friendly approach to achieving HITRUST at BSidesSF, 2022.
HITRUST, Mergers and Acquisitions Analysis, Leadership, Interpersonal Skills, Public Speaking, Team Management, +4 more

Security & Compliance Lead

May 2021 – Sep 2021 · 4 mos · San Francisco Bay Area

  • Managed hiring, coaching, and mentoring for IT and GRC teams.
  • Conducted CCPA internal audit, gap assessment, and remediation.
  • Trained and enabled Sales/RFP team to respond to customer questionnaires.
  • Supported the CISO and represented InfoSec for investor due diligence.
  • Reviewed external frameworks (NIST series, ISO series, HIPAA, CCPA/CPRA, GDPR, state privacy laws) for compliance adherence.
  • Evaluated and finalized the incident response retainer.
  • Led accessibility tests for compliance with WCAG Version 2.1 Level AA requirements.
  • Conducted annual risk assessments with Engineering, Product, and Member Support teams, prioritizing high-risk remediation for inclusion in the roadmap.
  • Coordinated with the engineering team to perform data tagging, cataloging, and building pipelines for facilitating member DSAR requests.
  • Registered Headspace for Privacy Shield Framework self-certification, finalized the arbiter, and responded to requests received via the Privacy email.
  • Logged, tracked, resolved, and drafted an investigation report for all security incidents including complaints reported on the BBB.
  • Managed social media security, including registering domains to prevent squatting, securing relevant social media handles, and ensuring security hygiene for all accounts.
  • Collaborated with payment processor vendors on PCI compliance best practices, and completed relevant PCI compliance attestation.
  • Worked with the CISO & Privacy Officer to develop and facilitate the annual executive tabletop exercise with the executive team.
  • Partnered with the Finance team to assess Headspace’s security posture and obtain relevant cyber insurance.
Mergers and Acquisitions Analysis, Payment Card Industry Data Security Standard (PCI DSS), DSAR, Risk Assessment, Security Incident Response, California Consumer Privacy Act (CCPA), +5 more

Senior Security & Compliance Analyst

Jan 2020 – Apr 2021 · 1 yr 3 mos · San Francisco Bay Area

  • First Security hire at Headspace (former Ginger), reporting directly to the CISO.
  • Prepared for HITRUST certification including scoping, finalizing assessor, administering the MyCSF portal, gap assessment and remediation, leading audits, training team members for evidence collection and interviews, determining inheritance from IaaS and PaaS, and closing CAPs.
  • Evaluated and implemented DevSecOps (DAST, SAST, and SCA) tools in collaboration with the engineering team.
  • Managed external penetration tests including scoping, methodology, and setting test environment with credentials.
  • Led the remediation of findings from dev tools and penetration tests as part of vulnerability management program.
  • Authored Headspace Security & Privacy training, rolled it out to all employees through the LMS, and evolved the course over 4 years, earning an industry award.
  • Conceptualized and implemented the Security Insider Program, securing executive sponsorship, recruiting 'security insiders' from each department, conducting monthly meetings, and spearheading all cybersecurity awareness initiatives.
  • Collaborated with Sales & RFP teams to complete customer questionnaires. Developed a 'Security & Privacy Package' with pre-filled artifacts such as SIG, CAIQ, Google VSAQ, pentest summary and remediation report, security overview, etc. to expedite the assessment process.
  • Led vendor security assessments, including collecting and reviewing audit reports (SOC 2, ISO 27001, HITRUST) or security questionnaires. Also, performed annual security assessment for critical vendors and monitored impact of industry-wide vulnerabilities.
  • Oversaw IT onboarding and offboarding processes and new hire orientation. Additionally, managed laptops, desktop applications, and SaaS inventory.
  • Addressed IT tickets related to access provisioning for critical systems, ensuring Single Sign-On (SSO) implementation where supported, and conducted access reviews for critical and non-critical systems.
HITRUST, SIG, SAST, Customer Questionnaires, Vulnerability Management, CAIQ, +10 more

Calbright College

Emerging Technology Advisory Board Member - Cybersecurity

Oct 2024 – Jul 2025 · 9 mos · San Francisco Bay Area

  • Supporting Calbright's mission of increasing economic mobility and closing equity gaps for working adults who lack easy access to traditional forms of higher education.

645 Ventures

Advisor

Sep 2024 – Present · 1 yr 7 mos · San Francisco Bay Area

  • Helping portfolio companies with PMF, GTM, and building their security programs.

Packt

Author

Feb 2022 – Sep 2023 · 1 yr 7 mos · San Francisco Bay Area

  • Wrote a bestseller book on GRC and ISACA's CRISC certification.
  • Available for order on Amazon: https://a.co/d/jfMNCJz

Fidelity Investments

Technology Risk Manager

Jan 2019 – Dec 2019 · 11 mos

  • I was responsible for providing Risk Management, Governance & Technical guidance for Akoya, a FinTech incubator within Fidelity (know more about Akoya here: https://www.akoya.com/).
  • Primary responsibilities:
    • Built Akoya’s policy governance framework & policies per guidance from NIST 800-53 and ITIL.
    • Worked with the CISO to perform control gap analysis for SOC 2 Type 2 readiness.
    • Developed a vendor assessment questionnaire with guidance per ISO 27001 & AWS cloud security controls.
Cybersecurity

PayPal

Risk Management

May 2018 – Aug 2018 · 3 mos

  • Having worked previously in the 2nd/3rd LoD, at PayPal I had the opportunity to work first-hand in the 1st LoD.
  • I worked for the Technology Governance, Risk, & Compliance team, and responsibilities included the following:
    • Adopted the Global GRC directive and developed a Meta-Policy to be used by all the technology functions & contributed to building the cadence with the working group (VP, Sr. Directors, Directors).
    • Managed the scope of Policies & Procedures to be developed & mapped the control objectives from COBIT 5 to create tailored templates for each domain/technology function.
    • Developed a centralized repository for all the Policy Documentation & created a scorecard for tracking the overall progress of the project.
Technology Risk, SOC 2, ITIL, NIST 800-53, ISO 27001

Credit Suisse

Lead Operational Risk Analyst

Aug 2016 – Jul 2017 · 11 mos

  • Performed 2nd LoD activities including Incident Management Reporting, calculation of capital loss allocation, and deriving key actions for the leadership team per BCBS 239 standards.
  • Automated the Incident reporting process and reduced the manual errors and efforts by 90%.
Technology Risk, COBIT, ITIL, GRC

Deutsche Bank

Senior Operational Risk Analyst

Sep 2015 – Aug 2016 · 11 mos

  • Global GTB Complaints Handling Project
    • Developed the Global GTB Complaints Handling Policy, Procedure, and Framework for capturing complaints, thresholds, and the key metrics report.
    • Developed an automation utility in Excel and reduced manual errors and effort by 85%.
    • Mapped all complaints to the Basel categories and identified specific action items and process gaps.
  • L1 Supervisory Controls System Enhancements
    • Represented Global Transaction Banking for control enhancements in the existing supervisory system.
    • Facilitated the changes suggested by the business & technology teams, produced the BRD, and led the change through to implementation.
    • Performed Quality Assurance and testing of the implemented changes.

HSBC

Senior Information Security & Risk Analyst

Jul 2011 – Sep 2015 · 4 yrs 2 mos

  • IT Security Audits
    • ISO 27001 implementation, testing, and audits for financially critical applications across Information Security, System Change Control, SSDLC, SoD, & business process controls.
    • Created audit and test plans, identified gaps in existing controls, and prepared the audit findings report for senior management.
  • Group Segregation of Duties Project
    • Identified and remediated Sensitive Business Transactions for 500+ applications by coordinating and mapping the transactions with ‘conflict of interest’. Closed the global audit finding.
  • Database Leavers and Orphan Accounts Management Project
    • Onboarded 300+ Oracle databases on BMC ControlSA and created a shell script to remove orphan accounts automatically, resulting in 90% efficiency.
  • Risk Summary Matrix Project
    • Collaborated with the Regional, Business, and Functional heads of InfoSec and executed the Risk Summary Matrix project. Automated the reporting process using MS Business Intelligence (SSIS) and reduced manual effort and errors by 80%.
  • Centralized SharePoint
    • Developed a SharePoint site for 'Group Security and Fraud Risk' using HTML, CSS, and JavaScript. Provided access to 6000+ users using Excel, VBA, & Active Directory.

Education

Northeastern University

Information Assurance and Cyber Security
