Chris Morgan Email and Phone Number

• Perform product management functions for an enterprise identity and access management reporting and analytics product, including use case rationalization, implementation architecture and design, user guides, and maintenance of service level agreements.• Matured and refined initial proof of concept for the internal IAM analytics product into two specific product offerings: analytics offered directly to information security teams to proactively eliminate vulnerabilities and the incorporation of insights into lifecycle processes to help participants make more informed decisions.• Manage three teams of data analysts, infrastructure engineers, and architects to deliver security analytics as a service and develop new product features.• Performed product management for an enterprise log management solution built using native AWS services.• Actively work with executives and IAM architects to prioritize and design security and capability enhancements to enterprise IAM service based on risk reduction and business value.• Coordinate with other security teams to develop information security data analysis use cases, coordinated data ingestion patterns, and data sharing. Use cases are defined using a framework which I designed in alignment with NIST Cybersecurity Framework.• Managed procurement process for an enterprise-wide user and entity behavioral analytics (UEBA) solution.• Developed secure data sharing patterns for multi-tenant data architectures on enterprise Hadoop clusters enabling secure use of data for analytics across projects and business lines.• Created monitoring solution for configuration changes and system-specific audit event anomalies using Hadoop vendor management APIs, thereby meeting stringent NIST SP 800-53 rev.4’s high control baseline auditing and monitoring requirements.• Drove creation of team's high priority objectives and goals to drive effective delivery of measurable improvements to enterprise security posture on a yearly basis.

• Collected and prioritized use cases, created technical requirements, and validated development artifacts for a Big Data solution to enhance organizational understanding of identities and configured access privileges for enterprise users and systems. Presented outcome of development activities to executive management to demonstrate business and security value, resulting in formalization of proof-of-concept identity and access management analytics offering into formal internal security product.• Designed a comprehensive technical security control set for Cloudera Hadoop clusters based on business requirements for data security during ingestion, storage, and processing of high-risk data sets in multi-tenant environments.• Led implementation of designed security controls for Hadoop clusters in alignment with NIST standards, including Kerberos and SAML authentication for cluster services, automated configuration monitoring, encryption of data at rest, and encryption of data in motion using TLS and SASL.• Created System Security Plan for managing Hadoop clusters, including guidance for customer implementation of compliance baselines based on service security controls.• Created policies, procedures, and automation for managing security and administration of Hadoop as a service platform, as well as policies for secure customer solution implementation, such as service usage patterns.• Actively built relationships to ease cross-functional team interactions and coordinated design and build activities requiring input from multiple departments, leading to faster time-to-market of complex systems.• Mentored junior engineers and analysts to develop both technical and communication skills, particularly focusing on identifying and addressing skillset gaps for both individual contributors and department teams.• Contributed to enterprise-wide initiatives to define strategies on user and entity behavioral analytics, identity and access standards, and data engineering services.

• Iteratively enhanced department security program, including expansion of role-based security training, development of security governance, and implementation of a Security Development Lifecycle tailored for use with Agile development methodologies.• Provided risk management function by evaluating administrative, technical, and functional risks and prioritizing their remediation, ensuring effective use of resources to mitigate risks according to potential impact.• Demonstrated value of an embedded department security function, resulting in being designated lead of a newly created security team. Responsible for hiring team members, defining responsibilities, and guiding team to integrate security into department culture and governance.• Implemented department-wide threat modeling and explicit security requirement gathering processes as part of project lifecycles, resulting in increased identification of security controls required to address unique threat scenarios.• Developed strategic vision and multi-phased approach for an initiative designed to increase understanding of enterprise identities and access control and enhance IAM’s contribution to enterprise security. Defined identity, access management, and behavioral analytic use cases as part of this initiative.• Identified an emerging technology opportunity that aligned strategic initiatives with technology capabilities and directed the design and implementation of select use cases in a Big Data proof of concept, thereby proving potential for enterprise security posture enhancements. • Partnered with incident response team to develop identity and security analytics use cases. Led the socialization of security benefits with executives and creation of a business case proposal for production implementation.• Consulted on secure design and configuration of Azure Active Directory implementation, achieving implementation of strong security engineering principles and compliance with enterprise policies.

• Created risk management dashboard, provided ad-hoc executive briefings, and led monthly security status meetings, resulting in increased executive visibility into department security and risk profile.• Worked with multiple departments to develop an adjustable cyber incident response framework, using both technology- and policy-based security controls to mitigate the impact of active cybersecurity incidents. Created tabletop exercise and narrative demonstrating value to executive management.• Led and coordinated security engineering, assessment, and compliance activities for a multi-disciplinary, cross-department project team charged with creation of a new compute services environment, resulting in satisfying all project security requirements and contributing to significant enterprise security enhancements.• Used available enterprise training materials to create targeted secure application development training program based on department employee roles, thereby increasing awareness of development-specific security requirements.• Enhanced release management process by including security evaluation and impact analysis gates, resulting in proper tracking of risks and creation of remediation plans for security risks being introduced to the environment.• Performed thorough security analysis of vendor product during project design phase, causing the vendor to implement product changes to improve the application security model and changes to department security program to account for security reviews prior to product implementation.• Performed threat modeling exercise on custom developed applications, resulting in a catalog of designed security enhancements targeted to address specific high risk threat scenarios.• Evaluated security posture of critical enterprise identity systems, taking into account security best practices and principles, vendor recommendations, and enterprise security policies, then created remediation plans for identified gaps.

• Enhanced vulnerability management and baseline configuration review processes, resulting in increased efficiency and focus on security.• Worked on a small cooperative team to improve department employee provisioning process by implementing a central tracking mechanism, revising roles to ensure adherence to the least privilege principle, and mapping processes, resulting in increased security and decreased provisioning time.• Revised system security plan to comply with NIST SP800-53 Revision 4 controls with a focus on risk management, ensuring resources are properly prioritized to address impactful risks.

• Perform thorough security reviews of information systems and recommend measures to improve security, most recently of Active Directory and other Windows Server services.• Assist information system teams in creation and revision of access control, audit logging, configuration management, and vulnerability scanning policies to ensure comprehensive FISMA compliance.• Guide development teams in design of application architecture to protect confidentiality, integrity, and availability.• Recently assisted to revise Board Information Security Program and Risk Assessment Procedure resulting in a more comprehensive security program, easier implementation, and clarified presentation.

• Designed and installed ESXi virtualization to allow trainees to conduct training on Windows virtual machines.• Aided in network design and advised application developers and system administrators on security best practices.• Revised malware remediation procedures and designed new training methodology, resulting in increased successful malware remediations. • Routinely managed office operations and procedures involving 5-10 student employees.

• Created organization’s first information security program, including comprehensive policies and staff roles.• Managed a four person team responsible for conducting a full security review of the computing environment, which included various types of information systems spread across six remote locations.• Designed a new network architecture using VLANs, VPN, network attached storage, and Windows Server services to enhance security and productivity.