Coleen C.

CEO

San Francisco, California, United States
23 yrs 6 mos experience

Key Highlights

  • Over 25 years of experience in tech and security.
  • Proven track record in building and scaling security teams.
  • Expert in navigating AI challenges in security.


Skills

Core Skills

Venture Capital · Application Security · Product Development · Technical Recruiting · Security Org Transformation and Evolution · Vulnerability Management · Executive Leadership · Security Program Bootstrapping · Information Security · Security Incident Response · Digital Forensics · Software Project Management

Other Skills

Sourcing · Pitch Development · Investment Due Diligence · Early Stage Investment · Software as a Service (SaaS) · Cloud Security · Intrusion Detection and Response · No-Code Development and Automation Platforms · Corporate Security · Governance, Risk Management, and Compliance (GRC) · Prompt Engineering · Helping Founders Think through Securing AI Features · Pitching Ideas · Building and Scaling Technical Teams · Python (Programming Language)

About

Working in tech for the past 25+ years, and in Security for 20 of them, I learned that delivering repeated, epic results at a startup is most reliably fueled by collective effort across the whole company. All groups rowing in the same direction avoids mixed results.

3 things I've learned about recruiting, leading, and retaining the best technical talent: (1) the best talent is hard to get; you must compete for it, (2) keep your talent challenged and remove barriers, and (3) it's always worth your effort as a leader. When the best teams execute, they continually raise the bar for the company.

Drilling down to Security specifically, successful programs have diverse disciplines working in harmony: top-tier application & cloud security functions; best-in-class and heavily automated detection engineering & response; streamlined corporate security; meaningful and automated GRC. The sum of everyone's efforts is evolved heat-seeking for problems, smarter controls, and effective disaster-management capabilities. Each team must keep experimenting and improving their craft.

A little about me: I've been reflecting on where we are today, and am deeply concerned about AI and the quality of technical products, along with AI-scaled attacks that overwhelm traditional security teams, as well as AI and the future of human work and relationships. I would love to work alongside you if you want to help guide these areas toward better outcomes, and actively create a future where technology fortifies us and future generations.

Experience

Total experience: 23 yrs 6 mos · Average tenure: 3 yrs 11 mos · Current experience: --

Formal

Securing 🤖 and 🧬 at Formal.ai

Feb 2026 - Apr 2026 · 2 mos · San Francisco Bay Area · On-site

  • Helping Security Teams control the agentic workforce + human access to sensitive data

Early-stage startups advisory

Startup Advisor

Mar 2023 - Feb 2026 · 2 yrs 11 mos · San Francisco Bay Area · Hybrid

  • For early-stage startups, I've been helping them solve a variety of challenges:
    • 1) Product: framing the problems, early demo feedback, how and where AI fits, PMF, roadmaps, networking
    • 2) Mentoring: providing fractional-executive assistance for first-time founders
    • 3) CISO advisory: transforming internal-security teams
  • Current advisory:
    • DevArmor is an AI-enabled Appsec platform that automates security-design reviews and threat models, based in San Francisco, CA
  • Past advisories:
    • Formal, a MEGA proxy, enforcing granular human/agent access to high-value assets, based in San Francisco, CA
    • SquareX, a plug-in that transforms any device's browser into a secure one, based in Palo Alto, CA (exit!)
    • DeepTrail is an AI-coworker platform for Security, based in Berkeley, CA
    • Hex is a data-scientist & analytics company, based in San Francisco, CA
    • Datavant is a healthcare-data-platform company, based in San Francisco, CA
    • Monad is a data-security infrastructure company, based in San Francisco, CA
  • Off-books advisory is also ongoing 🤐
Skills: Product Development · Prompt Engineering · Helping Founders Think through Securing AI Features · Pitching Ideas · Building and Scaling Technical Teams · Technical Recruiting · and 3 more

Twilio

6 roles

Chief Information Security Officer

Promoted

Jan 2022 - Feb 2023 · 1 yr 1 mo

  • Continue the day-to-day work of the CISO, including: KPI and security-scorecard reporting per business unit for the e-team and board, conducting critical sales conversations with customers, as well as delivering external talks to the Security Community to bolster our recruiting efforts.
Skills: Security Org Transformation and Evolution · Technical Recruiting · Security Program Delivery and Accountability · Board Presentations · Annual Planning and Budgeting · Mentoring and Coaching · and 1 more

Acting CISO

Sep 2021 - Jan 2022 · 4 mos

  • Stepping into the role vacated by Twilio's old CISO to perform the day-to-day work of the CISO. In addition to the work below, I set a new hiring and performance bar, publishing a new set of job ladders for all the teams. Prior to this, the company chose to use the CFO job ladders to measure performance for all security jobs.
  • Non-leadership contributions: reviewing and recommending changes to the outdated vulnerability-scanning capability; helping to investigate incidents using the SIEM, and then driving betterments exposed via post-mortems to our IAM/Okta setup and other back office applications.
Skills: Annual Planning and Budgeting · Helping to Optimize Vulnerability-Scanning Capabilities · Using SIEM for Security Incident Response and Investigations · Building and Scaling Technical Teams · Mentoring and Coaching · Vulnerability Management · and 1 more

VP, Security Strategy & Operations

Jul 2021 - Sep 2021 · 2 mos

  • (Segment was acquired by Twilio) Now reporting to the Twilio CFO and working alongside Twilio’s CISO, my remit is to transform Twilio's Information Security and GRC orgs to set them up for success for the next several years. This includes rolling out a new org design for Twilio that supports our BUs better using a BISO-embedded model. Our BUs include Messaging, Voice, Flex, Super Network, Platform, Segment, Email, and more.
Skills: Mergers & Acquisitions (M&A) · Security Org Transformation and Evolution

Chief Information Security Officer (Segment was later acquired by Twilio)

Promoted

Aug 2018 - Jul 2021 · 2 yrs 11 mos

  • Title upgrade ✨
  • What's it like working in the Segment Security, GRC and IT Org?
    • We've attracted and grown the very best engineers to identify and automate the time-consuming stuff for SIRT, Appsec, Cloudsec, and even GRC/IT, so we could all get to the later stages of our roadmap even earlier. We could do things like: spend more time with our internal customers, build alongside them, create customer-facing security products and services, self-service much of our day-to-day, and more.
    • We work off a collective five-year vision with clear success criteria, not panic projects. We've earned the respect of our partner Eng and Product orgs, and love working alongside them on OKRs from our annual roadmaps. We don't copy and paste "Security Orgs and practices of the past," because the world is changing and we prefer to write the future, instead of being a Security history museum.
  • Who's working in our org?
    • Find out by checking out our external talks, podcasts, panels and blogs for a sneak peek. We'd love to attend your talk next and see how you approach Security challenges.
    • At Segment, I work alongside the best Security, GRC and IT teams in the Bay Area, and we are free to do our very best work here. We continue to build a great Security culture, hire top talent and promote from within.
  • Year Three was about upleveling our risk management and Board reporting, as well as widening the visibility of our Security Metrics across the company. We've integrated security into the different departments and pillars across Segment through our champions, our partnered goals, and through our engineering embeds for high-risk projects.
Skills: Executive Leadership · Technical Recruiting · Building and Scaling Technical Teams · Security Program Delivery and Accountability · Deep Engineering Partnership · Operational Excellence · and 4 more

Head of Security, GRC and IT

Aug 2017 - Jul 2018 · 11 mos

  • Built the Security, GRC and IT org and practice from scratch:
    • Year Two was about foundational Cloud Security and SIRT, along with the next levels for what we've already built (maturing + scaling previously formed domains). To do all this, we've hired talented Security Engineers, GRC pros and IT superstars... and we've promoted heavily from within.
    • Year One was about foundational Application Security, Product Security, GRC, Corporate Infrastructure Security and growing the IT function.
Skills: Executive Leadership · Technical Recruiting · Building and Scaling Technical Teams · Deep Engineering Partnership · Operational Excellence · Annual Planning and Budgeting · and 4 more

Head of Security & GRC

May 2014 - Aug 2017 · 3 yrs 3 mos

  • Built the initial Security/GRC practice and org from scratch, to get Twilio ready for IPO:
    • Created a holistic security program that drives the organization's security roadmap. The Security Program was approved by company leadership and turned into a 4-year strategic roadmap. The Security Program takes into consideration the following elements:
      • Company inputs: direction of the business and large, well-articulated risks, risks from key stakeholders.
      • Other inputs: which certifications we want to achieve (ISO 27001).
      • Our reporting consists of: periodic updates to executives on ISO progress, weekly progress reports to R&D and periodic public events.
    • Developed security sub-programs based on "common denominators" of the company's top security risks. Each sub-program has yearly and quarterly goals to reduce exposure and makes significant gains each year.
    • Recruited security talent to lead sub-programs, tripling the team in less than two years, and built scalable programs to address specific security risks:
      • Product & Application Security: Curbs security risk for insecure software while educating developers.
      • Cloud Security: Reduces security risk when running a production environment in AWS.
      • Corporate Infra Security: Minimizes security risk on "back office" systems and users.
      • Third-Party Security: Addresses/manages security risk from critical SaaS/IaaS vendors.
      • Security Monitoring and Incident Response: Minimizes security risk by understanding expected vs. unexpected behavior, and then manages security risk by handling incidents in a repeatable and efficient manner.
    • Engaged a diverse group of enterprise customers and their security teams, such as one of the nation's largest not-for-profit health plans, one of the largest European banks, as well as one of the nation's largest defense contractors, to help win their business.
Skills: Security Program Bootstrapping · Technical Recruiting · Python (Programming Language) · Flask · Operational Excellence · Deep Engineering Partnership · and 2 more

SVCI - Silicon Valley CISO Investments

Investor

Mar 2020 - Present · 6 yrs 2 mos · San Francisco Bay Area · Hybrid

  • Our syndicate members perform sourcing, pitch help, due diligence, and investment to build our portfolio.
Skills: Sourcing · Pitch Development · Investment Due Diligence · Venture Capital · Early Stage Investment · Software as a Service (SaaS) · and 6 more

CoreLogic

2 roles

Head of Information Security and GRC

Nov 2012 - May 2014 · 1 yr 6 mos · On-site

  • In addition to continuing the responsibilities outlined under Senior Manager:
    • Raised our app-scan pass rate from 24% to 42% by re-doing the app-vuln process:
      • Partner with Chief Development Officer: application-flaw remediation tied to bonuses.
      • Work directly with developers on readouts and application-flaw remediation.
      • Advocate eLearning for developers with persistent code-security issues.
      • Use Release Managers to have application scans automated upon check-in.
      • Build/maintain a close relationship with our developers. Foster more champions each year.
    • Research/budget/POC DDoS solution; present to CIO.
    • Help lead MDM selection and rollout to curtail risk around mobile devices and BYOD. Solved political & privacy issues on the project.
    • Perform risk assessment on malicious insiders and exfiltration of data; present to CISO/CIO.
    • Process improvement: create streamlined review for datacenter moves for hundreds of applications; work with Dell IT to replace manual Legal/HR processes and cloud-vendor review requests with a Remedy self-service form with built-in approval flow.
    • Work with AWS to design AWS security templates, which would use our requirements for firewall rules, tiers, access, etc. Goal is for developers to select appropriate premade environments for their applications.
    • Vendor/partner management: Meet regularly with various Dell IT managers to provide direction and feedback for Dell IT towers, including Dell SecureWorks.
Skills: Objectives and Key Results (OKRs) · Developer Security Accountability · Hands-on Technical Leadership · Security Program Bootstrapping · Technical Recruiting

Infosec Architecture & Risk Management | Sr Manager

Oct 2008 - Nov 2012 · 4 yrs 1 mo · On-site

  • In this role, I led a team of five Infosec architects and engineers in the following programs:
    • Daily projects: security-design reviews and SaaS vendor assessments.
    • Acquisitions: onboarding risk remediation (new businesses).
    • Enterprise application security for critical applications:
      • Review scan results and weed out FPs; meet with developers for readouts & work commits.
      • Track remediation efforts, accept mitigations, SLA reporting.
    • As-needed:
      • High-level design requirements for audited environments.
      • eDiscovery/HR investigations: collect and provide evidence to Legal/HR.
      • Audits: work with internal/external auditors; meet SSAE 16 (SAS 70) and EI3PA (PCI) controls.
      • Mentor and develop team; goal setting and tracking throughout the year.
Skills: Objectives and Key Results (OKRs) · Developer Security Accountability · Hands-on Technical Leadership · Security Program Bootstrapping · Technical Recruiting

First American Title

Infosec Operations | Technical Projects Leader

Aug 2007 - Oct 2008 · 1 yr 2 mos · Orange County, California Area · On-site

  • Perform all Infosec system-monitoring activities and publish the weekly metrics dashboard.
  • Lead the firewall-upgrade project for all POP sites.
  • On point for all Infosec activities for the SSAE 16 audit, such as:
    • Create, update and execute on processes tied to controls (network, operations, appsec, etc.);
    • Conduct interviews with auditors; provide evidence.
    • Prepare "management responses" and perform remediation.
  • Write new policies and technical standards for the non-technical "business" CISO office.

New Century Financial

2 roles

Infosec Engineer

Aug 2005 - May 2007 · 1 yr 9 mos · Orange County, California Area

  • Perform SIRT: respond to IPS, firewall, OS security alerts. On-call rotation & runbooks.
  • Perform investigations with EnCase: collection, searches, case preparation. Runbooks.
  • Perform security-design reviews and threat models with developers on projects.
  • Review and approve firewall requests for the company. Update network-security diagrams.
  • Administer Symantec AV and remediate non-compliant hosts.
  • Operate Websense: manage groups, troubleshoot issues.
  • Publish Corporate Infosec policies and procedures; coordinate with auditors for reviews.
  • Create and deliver Security Awareness campaigns across the US and Canada.
Skills: Software Project Management · Intrusion Detection and Response · Information Security Awareness · Information Security

Senior Business Systems Analyst and Project Coordinator

Jun 2004 - Aug 2005 · 1 yr 2 mos · Orange County, California Area

  • Project coordinator for a web-based servicing application to help loans stay current.
  • Worked with Security Engineer to remediate all technical security issues with our project (recruited!).
  • Lead BSA for loan appraisal, REO, loss mit and collections applications.
  • Gathered requirements for new applications, new modules and functionality.
Skills: Firewall Rule Review and Implementation · Security Incident Response · Digital Forensics · Threat Modeling & Secure Design Review · Creating and Updating Technical Runbooks

Contractor

Technical Writer/BSA/SA

Feb 2000 - Jun 2004 · 4 yrs 4 mos · San Diego, Silicon Valley, Orange County

  • During the dotcom bust cycle, I was a contractor at various tech companies from So Cal to the Bay Area for a four-year period, serving as technical writer, systems analyst, business systems analyst and database analyst.
Skills: Software Project Management · Basic Secure SDLC and Security Awareness

NRT

Technical Writer

Feb 1999 - Feb 2000 · 1 yr

Education

San Diego State University

Bachelor’s Degree
