Lead cyber team for McKinsey’s global Social, Healthcare, and Public Entities practice (SHaPE.) Responsible for program vision, roadmap, and management, including secure product design and maintenance, control implementation and compliance, organizational governance, and risk. Intimate collaborations with engineering, risk, privacy, and legal, both at Firm and practice levels. Drive practice audits (e.g., HITRUST, ISO 27001, CMS, NHS) and regularly engage with client leadership and Firm senior partners. Additional scope with highly regulated United States Government (USG) practice (e.g., NIST 800-53, 800-171, and CSF)

Lead security and compliance program for sophisticated radiology artificial intelligence and analytics startup, including privacy, audit, and patient safety. Design and execute strategy from policy drafting to control selection to solution implementation, as well as counsel leadership, teams, clients, partners, and auditors on Covera's technical and operational risks.

Led a strong, distributed team responsible for all security, audit, and compliance efforts at Welltok, an enterprise healthcare SaaS company featured in Forbes Cloud 100 three years running and considered Business Insider’s Most Valuable Colorado startup. Some of our successes and responsibilities included leading annual HITRUST, SOC 2 Type 2, ISO 27001 audits as well as HIPAA, HITECH, and client assessments; establishing, communicating, and enforcing technical and administrative policies, procedures, and standards across 10 disparate product and service offerings; driving a powerful and relevant suite of security tools and services across cloud (AWS), on-premise, and user endpoints; and integrating security and privacy guidance into product and engineering decisions and designs.

Provided specialized security and compliance support for largest clients, as well as assisting with multiple audits and assessments (HITRUST, SOC 2, AUP). Worked with Director and CISO to implement revisions to enterprise security, risk, and compliance policies and standards across enterprise each year (HITRUST CSF; NIST 800-53, 800-63, 800-66). Also contributed to security-related product features and architecture, including multifactor authentication (MFA), CAPTCHA, logging standards as well as standard SecOps - incident response, log review, third party assessments, workforce authorizations, etc.

Various consultations around IT risk management with a focus on privacy-related regulations and frameworks, e.g., HIPAA, 23 NYCRR 500, GDPR, and their implications for system configuration and design in AWS/Azure.

- Created subsidiary third party risk program spanning +20 LOBs with differentiated legal and technology portfolios - Produced and distributed weekly KPIs, ad hoc reports to Aetna CSO (dir. report to COO) - Identified major liabilities in enterprise third party risk policies and controls; contributed to revisions - Discovered and challenged multiple record discrepancies in third party risk tracking and reporting system - Conducted +200 privacy and security reviews (e.g., SIG, BSIMM, SOC II, etc.) of third parties - Led multiple audit response and remediation efforts for iTriage, bswift, and My Aetna LOBs

- Published and presented original research on multi-jurisdictional data governance and system design- Taught and supported graduate and undergraduate courses in privacy, technology, and law- Secured research funding via National Science Foundation (NSF) IGERT, the Institute for Information Infrastructure Protection (U.S. DHS), and Hewlett-Packard Innovation Research Program

- Reviewed both B2C and B2B products and sites for compliance with Microsoft Privacy Standard - Presented original research on inadequacy of browser and OS just-in-time (JIT) notifications - Researched implications of California, Colorado, and EU laws on Smart Grid data privacy using methods from own work

- Analyzed and refactored legacy client applications handling PHI to address efficiency and compliance issues - Developed and tested rich web apps in PHP, Lisp, Python, Ruby, and Javascript - Translated designers’ mockups into well-structured CSS/HTML templates - Drove marketing and communications for Local Express product line (SEO service) - Led and built projects using Symfony and Drupal frameworks