Allison Miller Email and Phone Number

Allison Miller is Founder and Principal at Cartomancy Labs, an advisory firm that guides teams in innovating and solving problems anywhere that people, money, and technology mingle. With decades of experience at the intersection of cybersecurity, fraud, and abuse, Allison is known for implementing real-time risk prevention and detection systems running at internet-scale, with a proven track record of building and protecting customer-facing platforms and services (both B2C and B2B).

2018 - present - Selection Committee, Black Hat Briefings2019.10 - Keynote speaker, UNCC Cybersecurity Symposium, "Playing Defense as a Long Game"2018.07 - Keynote speaker, AppSec Europe, "Perimeter-less: Engineering the Future of Defense"2017.11 - Keynote speaker, SecTor, "Winning Defense"2017.07 - Keynote speaker, BSides Las Vegas, "Something Wicked: Designing Defensible Social Architecture"2015.08 - Selection Committee, BSides Las Vegas2014.10 - Speaker, SIRAcon (Minneapolis) When Algorithms Are Our Co-pilots2014.06 - Selected paper, Workshop on Economics in Information Security “Defending Debit”2014.04 - Speaker, SOURCE Boston “Bit, Bit, Coin”2013.10 - Selection Committee (Speakers/Papers), GHC (Software Engineering Track)2013.09 - Keynote, SIRAcon (Seattle) 2013.08 - General session, Nordic Security Conference (Iceland) “Operating * by the Numbers”2013.04 - Speaker, SOURCE Boston “Games We Play: Payoffs & Chaos Monkeys”2012.12 - Speaker, BayThreat "Games We Play: Defenses and Disincentives"​2012.09 - Speaker, BruCON (Belgium) "A Million Mousetraps: Using Big Data & Little Loops to Build Better Defenses"​2012.04 - Speaker, SOURCE Boston "Games We Play: Defenses and Disincentives"​2012.02 - Panelist, RSA (San Francisco) "Risk Management Smackdown II: The Wrath of Kuhn"​2011.12 - Speaker, BayThreat "A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses"​2011.08 - Speaker, Metricon 6/USENIX "Operationalizing Analytics"​2011.06 - Speaker, SOURCE Seattle "Applied Risk Analytics"​2011.04 - Speaker, SOURCE Boston "How to Isotope Tag a Ghost"​2011.02 - Panelist, RSA (San Francisco) "Risk Management Smackdown"​2010.12 - Speaker, BayThreat "Working without a (Perimeter) Net: Protecting Customers from Online Threats"​2010.09 - Speaker, SOURCE Barcelona 2010.07 - Speaker, Black Hat Briefings 2010.05 - Speaker, IT Web Security Summit (South Africa)2010.04 - Speaker, SOURCE Boston2009.12 - Organizer, Participant - BSidesBay

The Team8 CISO Village is a global community of cyber security senior executives, CISOs and thought leaders from leading enterprises. The Village is an avenue for exchanging ideas, collaborating as an industry, and promoting innovation in cyber security.

YL Ventures funds and supports brilliant Israeli tech entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages over $800M and specializes in cybersecurity. YL Ventures accelerates the evolution of portfolio companies via strategic advice and US-based operational execution, leveraging a powerful network of CISOs and global industry leaders.

Led team refactoring the defensive tech stack. Delivered a top-to-bottom (and side-to-side, naturally) review and redesign of the current defensive technology portfolio and proposed a longer-term vision to shape the bank's engagement within the larger cyber ecosystem. Drove cybersecurity technology, investment, and vendor engagement strategies from E2E.

Led engineering teams (~300 engineers, developers, data scientists) building the cybersecurity technologies used to protect the firm; during tenure successfully delivered several large scale, multi-year infrastructure programs as well as introduced new innovative solutions on more agile timelines.

Trustee for non-profit charitable trust committed to making the cyber world a safer place for everyone. We work to ensure that people across the globe have a positive and safe experience online through our educational programs, scholarships, and research. More info on us at iamcybersafe.org or our outreach programs at safeandsecureonline.org.

Elected to the Board of Directors by (ISC)2 membership (100,000+ members in >100 countries).Treasurer and Chair of Audit/Compensation committee

KeyPoint Credit Union is an award-winning credit union that continues to focus on elite member service while providing valuable products and services. We are one of California’s largest credit unions with over $1 billion in assets and 52,000 members, the majority employed in the high-tech industry.

Senior Product Manager leading Google's infrastructure development for Safe Browsing (anti-malware, anti-phishing) and Threat Analysis/Intel teams. Protecting people, the open web, and Google from online threats. Lots of pipelines, classifiers, APIs, graphs, pattern analysis, needing to be connected across Google products, 3rd party developers, and user experiences. aka Google's "Underground Cartographer" (better to build a flashlight than to curse the darkness).

Product lead for Ads Risk, Insights platform, and Advertiser Risk/Policy Experience revamp.

The O'Reilly Security Conference provides pragmatic advice on defensive security practices, arming today's infosec practitioners with real-world tools and techniques.

Variously: President, VP, Director of ResearchSiRA is the industry-leading membership organization dedicated to improving the practice of risk analytics in the information systems/IT security practices, and building skills/methods for data-driven security. It's a small, but growing, group of practitioners and researchers.

Digital Platform COO: Was responsible for operating and optimizing business performance on the Commerce & Identity components of EA’s Digital Platform, including both enabling payment/checkout and preventing/detecting fraud. Led commerce operations and risk/fraud teams, and expanded their respective scopes/coverage. Organized cross-team initiatives, conducted regular operating reviews of the technology organization, developed strategies/plans for executive and Board review, and ran special projects as the CTO's Chief-of-Staff.

CISO and head of Risk/Fraud: designed and built controls to protect Tagged's 300M users from online threats like spammers, scammers, phishing, fraud, etc. Included development and operation of our detection/descisioning infrastructure & tools (deployed by a team of software engineers, optimized by data scientists leveraging behavioral analysis), Account Security features (customer facing product), as well as Product & Platform technical security controls (InfoSec).

Led a team responsible for protecting the PayPal system and customers from financial fraud, with specific initiatives addressing fraudulent account creation, habitual/repeat offenders, and account takeover (unauthorized account use). The emphasis of our work is to deploy automated methods that will prevent fraud and losses from occurring. In a related effort I led the design of PayPal's identity risk strategy, which augments existing transaction-based fraud mitigation capabilities. Deployed new methods to reduce losses and improve system security by using account linking and behavioral analytics to “fingerprint” fraudulent users. Drove the development of account-level identity and risk scores. Led an effort to improve user experience by tuning risk evaluation, product availability, and in-flow experience to customer segment and account lifecycle.

In this role, I managed a team of product managers tasked with designing account risk features and technology that help protect PayPal’s 163 million customers worldwide from abuse by fraudsters. Part of this work included defining the company’s customer authentication strategy as it relates to validating and protecting customers’ personal and financial information. Account risk features introduced include real-time identity validation/verification in several markets, dynamic in-flow authentication challenges, machine ID technology, and SMS-based two-factor authentication.

As a Risk Consultant, I worked with Product Managers who were either developing new products/features or optimizing performance on their existing portfolios, making sure there were solid controls in place to minimize exposure to fraud, data security issues, and other risks. This means on a given day I might have needed to: conduct quantitative analysis of transaction data, review a technical design or spec, develop a business case for introducing a new risk feature (such as a limit, rule, authentication method, model, user criteria, or monitoring process), or spend time trying to understand how a system can be broken -- or at least twisted around a bit. There tended to be cross-functional teams involved. In this role I had the opportunity to work with PayPal's Mobile, Debit Card, Virtual Debit Card, Student Account, and Skype teams. (Plus a few innovations which are yet to be public.)

I designed a process for assessing the risks associated with new global products, as they were being developed -- and then conducted several major reviews (focusing on fraud, data protection, and regulatory compliance). I'm a big proponent building risk controls into a product as opposed to adding features on later (cure is more expensive than prevention), so I appreciated the opportunity to get involved early in the product design process. I also managed Risk's vetting process for changes to the Visa International Operating Regulations -- which is the "law" Visa's payments infrastructure "land". Both responsibilities required developing new risk controls and policy, and getting sign-off from executive management on recommendations. My specialties on the team were: e-commerce, emerging technologies, prepaid cards, authentication, remittances, micropayments, acceptance technologies.

As the first official hire into the company's IT Security team, I led the creation and implementation of key operating processes for enterprise's information security operations function, including: * Monitoring: Network & host based intrusion detection, access control * Global policy: Data protection and Acceptable Use (for all employees/systems) * Incident management: Owned investigative process for internal and external incidents, including computer forensic response * IT and Service Provider Assessments: Tested internal systems (including simulated attack testing) and set requirements/conducted vetting for service providers * General: Fielded questions about HIPAA. Worked with system administrators to protect servers, data, email, and PC's and configure routers, firewalls and operating systems. Consulted with marketing on web technology. Conducted threat assessments for executive management.

Market research, Competitive analysis, Business intelligence