After having led some relevant transformations at Tempest, I identified the opportunity to go back to the roots and lead a technical job in the Threat Intelligence area. This activity consists of identifying patterns and trends in threats and adversaries' behavior and providing advising through reports and presentations. In this role, I also had the opportunity to create and lead two side projects: a daily podcast called Cyber Morning Call in which I cover and analyze the main cybersecurity world news and an annual technical event called Turing Day in which we celebrate Alan Turing's legacy with talks on computing.

By driving the production and dissemination of technical content at Tempest, my team and I improved the quality of periodical documents, especially the weekly Threat Intelligence report; created the company's technical blog (the Side Channel); and curated Tempest Talks, an annual event that promotes interaction between clients and partners.Moving forward, we brought the area to another level that not only covered technical publications, but also became a catalyst for knowledge: we created an area called Academy, Research and Publishing. There I laid the foundations for partnerships with teaching entities and for cybersecurity research.

After 15 years in the information security industry, Tempest was the first company to invite me based on my ideas and in my interpretation of the industry. This great place to work makes me able to act with a beloved activity for me: writing. After a year and a half developing various activities related to content production at Tempest, an area was created, under my coordination, specifically for this purpose in the second half of 2017.

During my last few months working at Trustwave, a dissatisfaction started to grow in me, which was not about the company. Believe me, Trustwave is a great place to work: with good salaries, great benefits and the ability to work in many places around the world. However, my discomfort was related to the sector the company occupies within the information security industry: compliance. Or, rather, compliance with PCI DSS. After several years working with it, the role of auditor was given to me, and the contradictions of the model became evident, transforming me into an unbeliever. So, my solution was leaving the company without any perspective on what to do.Writing has always been a pleasant activity to me and one of my desires has been to open paths for other people involved in the area of information security to produce content. It was possible in the organization of the book "Trilhas em Segurança da Informação” (Trails in Information Security), in partnership with Willian Caprino. It became possible to start writing and publishing, without any expectations.After a while, came to me and Willian the sense that it was possible to sell content on information security, because it is a specific kind of knowledge and, added to the difficulty of finding technicians who enjoy producing texts, it becomes quite rare. With that idea in mind and one more friend in the project, IO got started and we got two inicial customers. However, several factors made me give it up later.

In Trustwave, my position was a PCI Qualified Security Assessor (QSA), supporting companies from a variety of market segments - retail, technology, financial and others - seeking PCI DSS compliance and conducting certification audits .It was possible to work with clients in Brazil, Argentina, Colombia, Chile, El Salvador, the United States, Cape Verde and other corporations with technology centers around the globe.

My work at Cielo included activities to prevent fraud and to manage security incidents. From the point of view of fraud prevention, I conducted PCI DSS compliance activities at various merchants and service providers with varying levels of security maturity, presenting lectures on forms of protection, and developing awareness materials, such as the “Guia de Boas Práticas de Segurança para o E-Commerce” (Guide to Good Security Practices for E -Commerce), edited with bases on inputs provided by several professionals in the market, as well as the "Guia de Boas Práticas de Segurança da Informação para a Pequena e Média Empresa” (Guide to Good Information Security Practices for Small and Medium-sized Enterprises), entirely made up with my own resources.The perspective of incident management consisted of supporting the mechants in situations in which card data was threatened or compromised. In these cases, the following tasks were conducted: activities of containment of the incident, identification of vulnerabilities in the environment, technical support to the investigation department, the police authority and the client, until achieving the correction of the problem.

It was my responsibility to conduct the project management activities in information security involving perimeter protection, identity management mechanisms and compliance with legal demands for information security originating in the State Finance Departments and the Brazilian Central Bank.My tasks also included the coordination of project to assess the compliance of the payment card environment to the PCI DSS standard, acting as a facilitator between the QSA and bank departments. After this project, the remediation actions to compliance were started.It was my responsibity to represent the information security area in projects involving the portion of the Safra Group (Banco Safra and Banco J. Safra) in the Brazilian Payment System (SPB) linked to the National Financial System Network (RSFN).

An invitation was sent to me to join the Redecard staff with the mission of expanding the PCI DSS program in merchants and of collaborating in the elaboration of strategies for the protection of mechanisms of capture of electronic transactions.The performance of PCI DSS compliance was consistently extended to merchants, to the Redecard business partners, and to service providers. Together with the PCI group of ABECS (Brazilian Association of Credit Card Companies and Services), we worked to developed a Brazilian standard for the security of capture equipment (POS / PIN Pad), which complements the PTS - PIN Transaction standard Security of the PCI Council, and we collaborated with this group to create the program for the adherence of POS software vendors to the PA-DSS standard - Payment Application - Data Security Standard.The Redecard compliance project to the PCI DSS, led by me, made the company certified in this standard at the end of July 2009. Upon completion of this project, my responsibility was the coordination of Redecard business continuity issues, as well as the conduction of the project to review the Business Impact Analysis (BIA), evaluating all critical business processes and systems.With the delivery of the business continuity project, an invitation came to me to coordinate the Information Security Department, with the responsibility of maintaining compliance with Sarbanes-Oxley and PCI DSS controls, as well as the management of the access controls, leading six direct employees and eleven service providers.

To my mind, having accepted to work for Vivo was a mistake. At least at that time, the company had a fairly high level of bureaucratization, making implementation of any project very difficult. It was hardly possible to do anything more than operational activities and attend hundreds of meetings with subjects that could be solved in an email.

It was in the old Ticket Services - current Edenred - that came to me the first opportunity to work with information security. Until then, my tasks had been limited to a service provider for IT infrastructure.During those five years, it was possible for me x`to participate in downsizing processes of the technological platform - an important movement for the time -, in defining policies and procedures for the company, establishing business continuity plans, working in the creation of a payment card processing platform (migration of the paper voucher), in the implementation and administration of various security tools and, perhaps more importantly, in a change of mindset - a process that has transformed my way of looking at technological environments and ways of implementing security as a part of managing a business.