Chris Shull

Chief Information Security Officer @ Washington University in St. Louis
Philadelphia, PA, US
About Chris Shull

I Keep Information Security and Privacy Simple!

Board Member, Chief Information Security and Privacy Officer.

I have an uncommon ability to make complex technical and business topics understandable, bridging the gap between the risk management needs of business leaders and the architectural and operational solutions of information technologists.

The results are Information Risk Management Programs that prioritize well-considered and appropriate activities and measured steps addressing Information Security and Data Privacy risks, and compliance with Security and Privacy standards, regulations and laws, including EU GDPR, CCPA, NY DFS 500, Sarbanes-Oxley, HIPAA, FISMA, FERPA, Dodd-Frank, CAN-SPAM, TCPA, NIST, ISO, CSA CCM, DoD CMMC, etc.

Chris Shull Work Experience Details
  • Washington University in St. Louis
    Chief Information Security Officer
    Washington University in St. Louis
    Philadelphia, PA, US
  • Washington University in St. Louis
    Chief Information Security Officer
    Washington University in St. Louis Sep 2020 - Present
    St. Louis, MO, US
    I lead the Office of Information Security and work with the CIO, General Counsel, Data Governance, Privacy, Insurance and Risk Management, Internal Audit, executive, and Board leaders to improve the maturity of the University’s Information Security Program. Our goal is to reduce the risk of material harm to the University from a cyber incident while protecting academic traditions of openness and freedom of inquiry, and ensuring compliance with DoD CMMC, HIPAA, FERPA, GLBA, NIST 171, CMMC, and PCI/DSS.
    Achievements include:
      • A comprehensive, NIST-based security assessment and review by Huron Consulting Group.
      • A comprehensive Information Security Plan and Roadmap that will more than quadruple the University’s commitment to InfoSec over 4 years.
      • Improved web content filtering to prevent connection to dangerous Internet content and websites.
      • Started a new security awareness, behavior, and culture program, emphasizing regular and timely communications, routine phish testing using KnowBe4, and a renewed training curriculum.
      • Initiated use of ReliaQuest, a Managed Security Services Provider (MSSP), to implement 24x7 Managed Detection and Response, extending our team’s capabilities and coverage, aiming for “1-10-60” Incident Response – Detection in 1 minute, Containment in 10 minutes, and recovery in 60 minutes.
      • Implemented new Governance, Risk and Compliance (GRC) system, OneTrust, to improve GRC work.
      • Implemented new Vulnerability Management system and regime using Tenable.io and Nessus and a new and more aggressive patch management discipline.
      • Formed effective, collaborative working relationships with IT, business, executive, and board leaders across the University.
      • Initiatives for Privileged Account Management (PAM), Data Loss Prevention (DLP), and Network Access Control (NAC).
      • A NIST SP 800-171-compliant, DoD CMMC-enclave with accompanying policies, procedures and technologies for research computing using Controlled Unclassified Information (CUI).
  • Engaged Impact LLC
    President
    Engaged Impact LLC Jan 1987 - Present
    Cherry Hill, NJ, US
    Keeping Information Security and Privacy Simple. Engaged Impact has deep expertise in Information Security and Privacy Risk Management, and helps companies understand their greatest risks and then identify and implement cost effective solutions. Sometimes Information Security isn't really simple, but achieving cost-effective security can be straightforward. We pride ourselves on bridging the gap between the strategic needs of business leaders and information technology solution providers, forging IT strategy aligned with business needs, charting IT strategic roadmaps, and implementing innovative systems on time and on budget.
  • Xpand.Io
    Advisor, CISO & DPO
    Xpand.Io Oct 2013 - Present
    New York, New York, US
    Xpand takes on-boarding to a whole new level! Our SaaS system allows hires, managers and HR to dramatically improve the process, administration and experience of joining a new company. See www.xpand.io for more information. I serve as Data Protection Officer and a Senior Advisor to the Founders and provide expert guidance on business development, project management, the AWS-based system architecture, security and privacy, including EU-U.S. and U.S.-Swiss Privacy Shield certification and GDPR compliance.
  • Barclay Farm Swim Club
    Member Of The Board
    Barclay Farm Swim Club Jan 2009 - Dec 2023
    Cherry Hill, NJ, US
    Leadership of neighborhood summer swim club, guiding reversal of declining membership numbers, more than doubling memberships over 5 years. Conceived and launched a Summer Day Camp program to address the needs of a new membership demographic. Directed facilities maintenance, repairs and improvements. Incorporated separate 501(c)(3) Non-Profit Charity for the Barclay Farm Aquatics Team. Recruited new and additional Board members.
  • Salem Medical Center
    Virtual Chief Information Security Officer
    Salem Medical Center Dec 2018 - Jul 2021
    Salem, New Jersey, US
    In early 2019, SMC carved off from a big national hospital chain, and from nothing needed to establish everything for a comprehensive, HIPAA-compliant and effective Information Security program. I have worked with the CEO, CFO, Director of Information Systems, Director of Compliance, and ITS Governance Committee to manage security and privacy risks.
    Achievements include:
      • Achieving 1-10-60 goals by implementing and establishing procedures for a 24x7 SOC service with aggregation, correlation and monitoring of all system security event logs and managed endpoint detection and response.
      • Authored and guided implementation of 20 Information Security and Privacy Policies and procedures including Governance, Risk Assessment, Identity and Access Management, Incident Response & BC/DR.
      • Led Incident Response Team after an electronic mailbox compromise, coordinating internal and external response experts in containment, diagnosis, remediation, forensics and notification processes.
      • Implemented and operate user Security Awareness communications, training and phish testing program, reducing susceptibility to phishing attacks from 38% to less than 5% in 7 months.
      • Evaluated Tenable.io Vulnerability Management platform to prioritize system updates and patches.
      • Ensure compliance with HIPAA and HITECH requirements.
      • Improved security in support of COVID-19 work-from-home and tele-medicine requirements.
  • Black Cipher Security, LLC
    CISO & DPO Consultant
    Black Cipher Security, LLC Dec 2017 - Jul 2021
    Marlton, NJ, US
    Provide Virtual (Consulting) CISO and DPO services for small and mid-sized businesses. Develop and guide implementation of cybersecurity and data privacy policies and procedures. Ensure compliance with regulations and industry standards. Drive significant improvements in understanding and effectively managing real business risks.
  • Huron
    Project Consultant
    Huron Sep 2020 - May 2021
    Chicago, IL, US
    Served as Interim CISO for Washington University in St. Louis.
  • The Mercadien Group
    CISO & DPO Consultant
    The Mercadien Group Dec 2017 - Jun 2020
    Princeton, NJ, US
    Provide Virtual (Consulting) CISO and DPO services for small and mid-sized businesses. Develop and guide implementation of cybersecurity and data privacy policies and procedures. Ensure compliance with regulations and industry standards. Drive significant improvements in understanding and effectively managing real business risks.
  • Weichert Financial Services
    CISO & DPO Consultant
    Weichert Financial Services Dec 2017 - Feb 2020
    Morris Plains, New Jersey, US
    Developed Privacy and Cybersecurity Policies for NY DFS 500, EU GDPR, SOC 2 and CCPA compliance. Conducted comprehensive IT Risk Assessment. Drove implementation of information security and privacy procedures and technologies. Supported AICPA SOC 2 compliance preparedness remediation effort.
  • Tatum, A Randstad Company
    Senior CIO Engagement Partner
    Tatum, A Randstad Company Mar 2014 - Mar 2017
    Atlanta, GA, US
    Tatum is a practice of senior operating executives providing clients with hands-on strategic, financial and technology leadership. The practice’s compelling value is immediate integration into clients’ operations, leadership in the achievement of results, independence and objectivity.
    I specialize in bridging the gap that all too often divides IT and business, inhibiting IT advancement of business goals and strategy. I am a creative and business savvy IT executive with project management, consulting, provider, and vendor leadership experience. I have demonstrated strengths in building high performance teams and solving difficult Information Technology business problems.
      • IT strategy vision & roadmap alignment
      • Communication with business partners
      • Vendor management
      • IT Project Portfolio Management
      • Cloud architecture - SaaS, PaaS and IaaS
      • COTS Implementation & Integration
      • IT project turnarounds
      • IT team development
      • Security and Privacy Risk Management
    As Interim CIO for the Natural Resources Defense Council, a major environmental organization, I
      - conducted a comprehensive assessment of IT Capability Maturity,
      - managed remediation of critical infrastructure and security problems, combining on-premises, cloud-based and service alternatives, working with executive leadership and corporate counsel to address legal, cultural and policy issues, and
      - developed an IT Strategic Plan emphasizing creation of a virtually larger and more capable IT team, robust infrastructure and employee enablement.
    In 2015 I co-developed Tatum's PCI 3.1 Compliance Transformation Service Offering.
    I rescued a stalled ERP implementation for a small medical devices company, assessing the overall IT situation, developing an IT Strategic Plan and Roadmap, instituting corporate IT governance, IT Project Management and Project Portfolio Management, outsourcing non-core IT activities, and delivering IT value to the company’s multiple constituents.
  • Drexel University Online
    Vice President Of Information Technology And Operations
    Drexel University Online Feb 2012 - Oct 2013
    Philadelphia, PA, US
    Managed all aspects of IT for Drexel eLearning, Inc., a wholly-owned, for-profit subsidiary of Drexel University charged with Marketing, Sales, Recruiting and Business Development for 140 online degree and certificate programs. Operating largely as an independent startup, the company leverages cloud-based products and technologies including Salesforce.com, Force.com, Aprimo Marketing Studio On-Demand, Rackspace managed servers, Neustar lead scoring, Adobe Connect and Silverpop Engage.
      • Created Roadmap for IT-driven success in recruitment and enrollment and business partnerships with a goal of creating a Service Oriented Architecture leveraging Salesforce APIs and custom APIs written for our .NET database and web server platforms.
      • Led implementation of new website design, a pilot of Starfish Retention Solutions software with Blackboard and Banner integration, and development of an enrollment forecasting system.
      • Led employees and contractors through multiple rounds of requirements analysis, software development, testing and release of a new Online Student Application system leveraging the Salesforce Force.com platform using a hyper-Agile software development methodology.
      • Specified and directed migration of servers from standalone to virtualized VMware environment hosted and managed by Rackspace, improving fault-tolerance 100-fold for high likelihood risks, quadrupling application performance, and halving cost.
      • Improved Microsoft SQL Server operations support and reporting databases.
      • Oversaw development of WSDL API linkages to 3rd party services for lead scoring and lead qualification and development.
      • Helped Drexel University Online Business Development Representatives cross-sell professional development to the CIOs of partner organizations.
      • Performed security risk analysis, reviewed with leadership and counsel, and remediated issues, including a PII vulnerability worth 2 times annual revenue, reducing exposure 95% in 15 days, and 99.5% in 60 days.
  • Jewish Federation Of Greater Philadelphia
    Director, Information Technology
    Jewish Federation Of Greater Philadelphia Nov 2008 - Feb 2012
    Philadelphia, Pennsylvania, US
    Directed and led all aspects of Information Technology for the Federation and agency partners such as Jewish Family and Child Services. Responsible for computing and communications infrastructure as well as information systems applications from financial accounting, to constituent relations, fund raising and client services.
      • Created cost-effective Disaster Recovery and Business Continuity (DR/BC) policies and procedures with business-appropriate Recovery Time and Recovery Point Objectives (RPOs and RTOs).
      • Led development and execution of test plan for account management and security features of Blackbaud CRM product enhanced for use by the Jewish Federations of North America.
      • Conducted review and remediation of payment card handling to achieve PCI/DSS compliance.
      • Developed and provided IT Managed Services Offerings on a fee basis to partner agencies, including management of hosted and local servers, networks, VoIP phones, help desk, applications, data analysis and projects, as well as serving as trusted advisor for technology planning.
      • Migrated email and calendaring to the Google Enterprise cloud for 500 users in eight organizations.
      • Managed migration to a hosted endowment management system.
      • Implemented a cloud-based Grant and Evaluation Management System.
      • Implemented lightweight-ITIL quantitative quality management for help desk, network, phone and server operations using SolarWinds network management and Spiceworks help desk software.
  • GSI Health
    Senior Consultant
    GSI Health Jan 2008 - Mar 2009
    Philadelphia, PA, US
    I implemented and managed the server and network environment for this healthcare information technology company focused on design and development of business applications, systems and processes in Health Information Exchange (HIE) and Electronic Medical Records (EMR) systems for the THINC RHIO, the New York State HIE and NY State Department of Health. Designed, implemented and operated secure, high-availability systems and data center supporting eClinicalWorks EMR and a custom-built HIE.
    Helped develop, design, select and implement policies, protocols and services for protected and secure exchange of sensitive health care data per HIPAA, NIST 800 and ISO 27001 standards for THINC Regional Health Information Organization (RHIO), State Health Information Network - New York (SHIN-NY) and the NY State Department of Health.
    Supported work of the Protocols & Services Workgroup of the State Health Information Network-NY (SHIN-NY), determining standards to connect 13 RHIOs and a national HIE through open standards and an open process with multiple HIT vendors, all to advance key clinical, administrative and public health functions. Authored SHIN-NY Information Security Architecture & Requirements.
  • University Of Pennsylvania
    Senior Director
    University Of Pennsylvania Aug 2000 - Apr 2007
    Philadelphia, PA, US
    Directed broad portfolio of Information Technology services, holding P&L for the Wharton Research Data Services (WRDS) profit center.
      • Converted loss-making WRDS to profitability in 1 year. Increased system capacity 10-fold, achieved 700% growth in revenue and 30% profit margins.
      • Exceeded revenue and sales objectives every year, capturing and retaining all top 20 business schools.
      • Led remediation of technical problems in classrooms in new $140M building. Designed and implemented new and improved features.
      • Implemented grid computing system achieving research results in one-tenth the time.
      • Turned around faculty computing support group, reversing declines in quality of service, demand, morale & staff, leading to a 50% increase in funding.
      • Replaced administrative systems for multiple business units. Ensured PCI compliant payment card procedures and improved security.
      • Formed and directed IT support group for new executive education center in San Francisco.
  • CareScience, Inc.
    Director
    CareScience, Inc. Sep 1995 - Jun 2000
    Responsible for all aspects of Information Technology for a small, rapidly growing health care information technology provider, including application development, systems integration and administration, quantitative methods research, and customer service. CareScience, Inc. grew from 7 employees in 1995 to 140 in 2000, and provided data warehouse-based analytic decision support systems and consulting services that allow hospital Quality Improvement groups to identify opportunities for improving quality of clinical care and reducing costs, protecting and building their reputations as new grading systems, such as the Joint Commission on Health Care Accreditation’s, came into existence, and protecting revenues under increasingly tight federal and private insurance reimbursements guidelines.
    Various achievements leading all aspects of Information Technology:
      - Directed implementation of first web-delivered product;
      - Led Systems, Data and Application Architecture and Engineering for three major versions of CareScience's CaduCIS™ Quality Improvement DSS, managing development, implementation, testing (unit, integration, systems and User Acceptance), and operational monitoring.
      - Designed and improved state-of-the-art multilayered IT defenses;
      - Supported systems capacity increases of over 1000%, improving end-user response times and quartering the cost per customer.
      - Oversaw development of data management processes and tools for 140 hospital and health plan customers’ billing, claims, resource utilization, clinical and outcomes data.
      - Served as Senior Technical Architect for CareScience, Inc.’s groundbreaking Santa Barbara HIE selecting, extending and designing protocols for the secure exchange of clinical and billing data.
  • Care Management Science
    IT Director
    Care Management Science 1995 - 2000
    This was the company name before it became CareScience.
  • University Of Pennsylvania, Academic Computing Services
    Unix And Networking Systems Specialist
    University Of Pennsylvania, Academic Computing Services Apr 1993 - Sep 1995
    Led campus-wide task forces improving and setting standards for security, electronic privacy, network architecture, Unix systems, electronic mail, document interchange and calendaring.
  • Decision Sciences Department, Wharton School, U Of Pennsylvania
    Programmer Analyst And Information Management Specialist
    Decision Sciences Department, Wharton School, U Of Pennsylvania Jun 1983 - Mar 1993
    Planned, implemented and supported Unix workstations, local area networking, PCs and Macintoshes. Managed computer facilities operation, customer service, projects and research programming. Conducted research and wrote proposals and reports for Office of Naval Research-sponsored research.

Chris Shull Skills

Strategy, Strategic Planning, Management, IT Strategy, Consulting, Security, Vendor Management, CRM, Information Technology, Program Management, Project Portfolio Management, Leadership, Budgets, Business Intelligence, Cross Functional Team Leadership, Team Building, Change Management, Entrepreneurship, Software Development, Analytics, IT Management, Fundraising, Customer Service, Higher Education, Customer Relationship Management, Database Design, Project Planning, Systems Analysis, Contract Negotiation, System Design, Nonprofits, Budgeting, Software Project Management, Team Management, Blended Learning, Proposal Writing, Vendor Relations, Experiential Learning, Data Privacy

Chris Shull Education Details

  • The Wharton School
    The Wharton School
    Operations And Information Management
  • University Of Pennsylvania
    University Of Pennsylvania
    Economics And Mathematics

Frequently Asked Questions about Chris Shull

What company does Chris Shull work for?

Chris Shull works for Washington University in St. Louis.

What is Chris Shull's role at the current company?

Chris Shull's current role is Chief Information Security Officer.

What schools did Chris Shull attend?

Chris Shull attended The Wharton School, University Of Pennsylvania.

What skills is Chris Shull known for?

Chris Shull has skills like Strategy, Strategic Planning, Management, IT Strategy, Consulting, Security, Vendor Management, CRM, Information Technology, Program Management, Project Portfolio Management, Leadership.
