Chief Information Security Officer
Highly technical Chief Information Security Officer (CISO) with a proven track record of building cross-functional, practical security approaches that align with company culture and business goals. Adept at implementing security as a force multiplier, integrating security into continuous-integration / continuous-deployment pipelines, and building security champions programs that leverage cross-functional software engineering resources.
Aryaka Networks, Inc • San Mateo, CA 2019 - Present
Chief Information Security Officer (CISO) and acting Chief Information Officer (CIO)
Serve in an executive leadership role with accountability for the cyber security and privacy posture and associated risks. Inspire and manage 28 staff; report on a $4M budget. Inform and lead development and implementation of information security strategy and related processes. Revamped the Information Security Management System (ISMS) based on the ISO27001/ISO27002 framework for a Software-Defined Wide Area Network.
- Accountable for the cyber security and privacy posture and associated risks, leading a team of 28 staff
- Informed and led development and implementation of information security strategy and related processes, including the revamping of the Information Security Management System (ISMS) based on the ISO27001/ISO27002 framework for Software-Defined Wide Area Network.
- Established TrustCenter to enable security transparency and help drive sales enablement with metrics and lead generation tracking.
- Developed and managed Information Security Incident Response Process
- Initiated migration from SSAE 16 to SSAE 18 standards for SOC 2 reporting
- Reduced exposed vulnerabilities by 90% by updating vulnerability management programs and reducing overall risk to the organization.
- Developed a continuous company-wide Security and Compliance Awareness Training program, resulting in a 10% yearly cost reduction on telephony and unified communications solutions.
- Implemented Software Engineering Security solutions through SAST/DAST solutions.
- Migrated from on-prem to cloud solutions.
- Grew the security team from 1 to 5, the IT team from 4 to 11, and the Business Information Systems team from 2 to 12.
Elementum SCM, Inc • Mountain View, CA 2017 - 2019
Director Information Security (Head of Security/CISO)
Developed Information Security Management System (ISMS) based on ISO27001/ISO27002 framework for supply chain management service provider.
- Obtained ISO/IEC 27001 certification within first 90 days after restart, resolving major non-conformity issues found during phase 1.
- Developed security integration into the CI/CD process through microservices and micro-deployments, reducing sprint-to-deploy time from 4 weeks to continuous deployment.
- Implemented security with quality tools in IDE/Jenkins build environments using Maven and SonarQube and augmented with SAST and DAST tools.
- Drove SSAE 16 SOC2 Type 2 certification after one year with no documented findings
- Established regular vulnerability assessments and penetration testing and reduced exposed vulnerabilities by 20%
- Developed company’s first internal company-wide Risk Register allowing the company to track and manage company risks.
- Implemented a 3rd-party license compliance program and eliminated license violations such as copyleft (GPL) usage. Reduced 3rd-party library vulnerabilities by 60% and libraries with vulnerable methods in use by 90%.
- Implemented a company-wide Security and Compliance Awareness Training program with 100% participation.
Blue Jeans Network, Inc • Mountain View, CA 2014 - 2017
Security Engineer (Acting Information Security Officer)
Developed Information Security Program based on ISO framework for cloud-based video conferencing solution.
- Provided critical support to the sales team on pre-sales and post-sales customer security evaluations to help close deals.
- Coordinated security efforts across departments and functions
- Three years of SSAE 16 SOC 2 security audits with unqualified reports
- Integrated and managed Security Information Event Management (SIEM) system
- Implemented software static code analysis systems
Kaiser Permanente • Pleasanton, CA 2010 – 2014
Information Security Consultant Specialist
Provided risk management and mitigation recommendations for projects in a large healthcare organization covering Kaiser's multiple regions, delivering project-lifecycle security engagements for information technology projects.
- Evaluated vendors against HIPAA, SOX, and PCI security requirements for healthcare records
- Identified potential risk, consulted on correcting or reducing risk, and created reporting if uncorrected
- Performed risk assessments on new projects
- Consulted with the Security Operations Team on security events
Security Operations Center Lead
Led a team of 6 security analysts providing response and investigations into security events and incidents in a large healthcare organization.
- Developed automation for data-loss-prevention (DLP) tools, reducing workload from 16 man-hours for a single operation to 2 man-hours per day
- Responded to events from the Security Incident Event Management (SIEM) system, distilling 50 million events into a few hundred actionable items per week.
- Investigated cases of fraud and abuse.
Proofpoint, Inc • Sunnyvale, CA 2009 – 2010
Sr. Technical Support Engineer
Provided advanced-level product support for the Proofpoint Email Protection Server to self-hosted as well as Proofpoint-hosted customers.
- SME in networking and information security.
- Provided policy recommendations to customers for email security and encryption.
- Masters of Science • Information Security and Assurance
- Bachelors of Science • Information Technology: Security
- Computer Communications Systems Control Specialist - U.S. Air Force
- Basic Military Training - U.S. Air Force