Hands-on Information Security leader with over 25 years experience establishing cross-functional, practical security approaches that fit company culture and business goals. Excellent communication skills with ability to interface with executives, customers, auditors, technical, and non-technical teams. Adept at building security champions programs leveraging cross-functional software engineering resources as a security force multiplier and integrating security into continuous-development / continuous-integration deployment pipelines.
Aryaka Networks, Inc • San Mateo, CA 2019 - Present
Chief Information Security Officer (CISO)
Revamped Information Security Management System (ISMS) based on ISO27001/ISO27002 framework for Software-Defined Wide Area Network.
- Drove ISO/IEC 27001 certification with no non-conformities through stage 2.
- Drove migration from SSAE 16 to SSAE 18 standards for SOC 2 reporting
- Reduced exposed vulnerabilities by 80% by updating vulnerability management program.
- Developed and managed Information Security Incident Response Process
- Implemented Forensics analysis and evidence gathering process
- Developed Continuous Company wide Security and Compliance Awareness Training program.
- $200k / year cost reduction on telephony and unified communications solutions
- Implement Software Engineering Security solutions through SAST/DAST solutions.
- Migrate from on-prem to cloud solutions.
- Grew security team from 1 to 5, and IT team from 4 to 11, Business Information Systems team from 2 to 12
Silicon Valley Chapter, Information System Security Association 2009 - Present
Elected to the board of directors for the Silicon Valley chapter of the Information System Security Association (SV-ISSA) from 2009 to present. Most recently serving as the President of the chapter.
- Chairing board meetings, organizing community events, chapter meetings, and annual security conference.
- Managing team of volunteers for non-profit 503(c)(6) professional organization
Elementum SCM, Inc • Mountain View, CA 2017 - 2019
Director Information Security (Head of Security/CISO)
Developed Information Security Management System (ISMS) based on ISO27001/ISO27002 framework for supply chain management service provider.
- Obtained ISO/IEC 27001 certification within first 90 days after restart, resolving major non-conformity issues found during phase 1.
- Developed Security integration into CI/CD process through micro-services and micro-deployments reducing sprint to deploy from 4 weeks to continuous deployment.
- Implemented security with quality tools in IDE/Jenkins build environments using Maven and SonarQube and augmented with SAST and DAST tools.
- Drove SSAE 16 SOC2 Type 2 certification after one year with no documented findings
- Established regular vulnerability assessments and penetration testing and reduced exposed vulnerabilities by 20%
- Developed company’s first internal company-wide Risk Register allowing the company to track and manage company risks.
- Implemented 3rd party license compliance program and eliminated license violations such as copyleft, GPL. Reduced 3rd party library vulnerabilities by 60% and libraries with vulnerable methods in use by 90%.
- Implemented Company wide Security and Compliance Awareness Training program with 100% participation.
Blue Jeans Network, Inc • Mountain View, CA 2014 - 2017
Security Engineer (Acting Information Security Officer)
Developed Information Security Program based on ISO framework for cloud-based video conferencing solution.
- Provided critical support to the sales team on pre-sales and post-sales customer security evaluations to help close deals.
- Coordinated security efforts across departments and functions
- Three-years SSAE 16 SOC 2 security audit with unqualified reports
- Integrated and managed Security Information Event Management (SIEM) system
- Implemented software static code analysis systems
Kaiser Permanente • Pleasanton, CA 2010 – 2014
Information Security Consultant Specialist
Providing Risk Management and mitigation recommendations for projects in large healthcare organization covering Kaiser's multiple regions providing Project Lifecycle Security Engagements for information technology projects.
- Evaluate vendors against HIPAA, SOX, and PCI security requirements for Healthcare records
- Identified potential risk, consulted on correcting or reducing risk and created reporting if uncorrected
- Performed risk assessments on new projects
- Consult with Security Operations Team on security events
Security Operations Center Lead
Lead for team of 6 security analysts providing response and investigations into security events and incidents in large healthcare organization.
- Developed automation for data-loss-prevention (DLP) tools, reducing workload from 16 man hours for single operation to 2 man hours / day
- Responded to events from Security Incident Event Management (SIEM) system distilling 50 million events into a few hundred actionable items per week.
- Investigate cases of fraud and abuse.
Proofpoint, Inc • Sunnyvale, CA 2009 – 2010
Sr. Technical Support Engineer
Provide advanced level product support for the Proofpoint Email Protection Server to Self-Hosted as well as Proofpoint hosted customers.
- SME in Networking and Information Security.
- Provide policy recommendations to customers for email security and encryption.
- Masters of Science • Information Security and Assurance
- Bachelors of Science • Information Technology: Security
- Computer Communications Systems Control Specialist - U.S. Air Force
- Basic Military Training - U.S. Air Force