Derek Evans

Derek Evans Email and Phone Number

Cyber Security Advisor @ CFGI
Westfield, NJ, US
Derek Evans's Location
Westfield, New Jersey, United States
About Derek Evans

Mr. Evans’ human-led and technology-enabled experience encompasses the following: a proficiency in continuous improvement, managing technological shifts, aligning risks and priorities with scalable services, and mitigating process gaps, ensuring client satisfaction and security. Extensive expertise in product, DevSecOps, and cloud security, maintaining and enhancing security postures while reducing risks. AI analysis illuminating client insights from client audit topics and sentiment.

Derek Evans's Current Company Details
CFGI

Cyber Security Advisor
Westfield, NJ, US
Website:
cfgi.com
Employees:
1009
Derek Evans Work Experience Details
  • Cfgi
    Cyber Security Advisor
    Cfgi
    Westfield, Nj, Us
  • Price Waterhouse Coopers- Pwc
    Regional Information Security Lead - Americas
    Price Waterhouse Coopers- Pwc Jan 2023 - Present
    Kolkata, In
    1. Security Audit Service
       • Managed client-requested audits of data, cloud, and information security controls, aligning with ISO 27001 framework and internal policies.
       • Assessed control effectiveness and sustainability in supporting security commitments, client contractual requirements and regulatory standards.
       • Monitored emerging risks, internal trends, and external events for potential data security impacts.
       • Provided trusted advisory services, with 22% of work focused on internal guidance related to information security, privacy, and cloud technologies.
       • Leveraged AI-driven compliance monitoring for unstructured data, enhancing trending analysis and audit insights.
    2. First Line of Defense
       • Managed and enforced data security, privacy, cloud capabilities, encryption, IAM, and compliance frameworks (ISO 27001, NIST 800-53).
       • Developed remediation plans addressing control gaps and root causes of failures, ensuring measured resolution.
       • Collaborated with application security, cloud engineering, and endpoint security teams to advise internal business units and external financial services clients on GRC and security controls for Azure and AWS environments.
       • Identified service delivery constraints and optimized Information Security processes, increasing operational capacity, scalability, and service quality through data-driven continuous improvements.
    3. Regional Information Security Lead
       • Collaborated with Legal, GRC, and application development teams to ensure ISO 27001 compliance across the organization.
       • Established security standards, best practices, and an operating model for InfoSec shared services, boosting service capacity by 30%.
       • Spearheaded improvements for key stakeholders, with BISOs, Security Operations Managers, and Cyber Security Program Managers.
       • Advocated responsible AI use and implemented AI solutions for enhanced data analytics and information security compliance insights.
  • Coveros
    Managing Consultant
    Coveros Sep 2021 - Jan 2023
    Fairfax, Va, Us
    Provided strategic and tactical guidance to enhance and mature enterprise application security programs, driving the development of high-quality, secure software with faster delivery timelines.
    Client Achievements
       • Delivered maturity plans and roadmaps to mature application security programs.
       • Aligned cyber and application security transformations with business goals, integrating industry best practices and client capabilities.
       • Built modern AppSec programs with self-service DevSecOps capabilities, reducing vulnerabilities and accelerating product deployments.
       • Transitioned legacy GRC-based Information & Cyber Security programs to ensure compliance and alignment with industry security frameworks in cloud-native environments.
    Client Services:
       • Conducted cloud, app development, and cyber risk assessments, delivering actionable remediation roadmaps.
       • Implemented GitHub advanced security and Jenkins-based DevSecOps solutions.
       • Provided AWS secure architecture reviews and remediation plans.
       • Designed and implemented DevSecOps programs and processes.
       • Taught secure development and AppSec courses at industry conferences.
       • Notable clients include DHS, venture capital firms, and asset management companies.
  • Synopsys Inc
    Managing Consultant
    Synopsys Inc Sep 2020 - Sep 2021
    Sunnyvale, California, Us
    Advised clients on maturing 2nd and 3rd lines of defense through the development and implementation of software security initiatives. Integrated security into the SDLC, CI/CD pipelines, and software risk management processes, covering areas like penetration testing (web/mobile), SAST, DAST, SCA, SBOM, threat modeling, and software architecture analysis. Services were provided through both managed and professional channels.
       • Security Management Consulting
       • BSIMM Assessments
       • DevSecOps implementations and program design & management
       • Maturity Action Plans for Software Security Programs
       • Architecture Risk Analysis
       • Threat Modeling
       • Data Security controls for compliance (HIPAA, PII, PCI & ISO 27001K)
       • Penetration Testing
       • Red Teaming
       • Cryptocurrency Secure Wallet Recovery design
       • Managed Service Security Testing
       • Operational responsibilities included the management of 5 team member consultants, as well as recruiting, career development, and mentoring.
  • Bny Mellon | Pershing
    Vice President - Product Security
    Bny Mellon | Pershing Apr 2016 - Oct 2020
    Jersey City, New Jersey, Us
  • Bny Mellon | Pershing
    Vp/ Director Of Devops
    Bny Mellon | Pershing Sep 2018 - Sep 2020
    Jersey City, New Jersey, Us
    Directed and oversaw vendor, product, and architecture risk assessments for Fintech products and platforms generating $2B annual net capital. Managed 17 security engineers providing AppSec services for disparate onshore and offshore development teams utilizing unique technology stacks and development methodologies. Directed monthly security champions meetings, transformed legacy technical and security capabilities into modern AppSec services, and held security maturity transformation readouts to the business with supporting service metrics, KPIs, and analytics.
       • Automated security testing reporting and analytics, detective and preventive control implementation, dynamic application testing and static code analysis, and late-phase ethical hacking testing.
       • Integrated security testing into the product development lifecycle, improved application security posture, and raised security testing and service maturity.
       • Instituted GRC controls, auditing, and second line of defense risk management supporting NYDFS, ISO 27001, and PCI DSS regulatory compliance.
       • Managed third-party security projects, including Citigroup pen testing and Verizon CyberTrust certifications.
  • First Data Corporation
    Global Web Security Assessment Director
    First Data Corporation Mar 2015 - Feb 2016
    Brookfield, Wisc., Us
       • Increased shared service productivity by 11%, adding a risk analytics service and supporting over 30 client audits annually.
       • Simplified technical reporting for clients and business executives.
       • Provided application penetration testing and security due diligence for an aggressive M&A schedule.
       • Implemented self-service security scanning (Qualys WAS), reducing service duration by 40% and improving time-to-market through defect lifecycle integration in JIRA.
       • Delivered seamless application security services, ensuring compliance, and supporting over 30 client audits in 2015.
       • As Security Architect, delivered threat modeling and architectural risk analysis workshops, identifying vulnerabilities, and promoting secure, reusable architecture.
  • First Data Corporation
    Director - Web Application Security Architect
    First Data Corporation Sep 2014 - Mar 2015
    Brookfield, Wisc., Us
    Establish an enterprise application security shared service effecting meaningful change from policy to the line of code. All with supporting metrics to drive our risk-based services. ... in a nutshell
    In this initial role of Security Architect, I executed Threat modeling and Architectural risk analysis workshop services to product teams. Deliverables identified vulnerabilities as well as opportunities for secure reusable architecture. Subsequently eliminating significant amounts of security vulnerabilities proactively.
  • Wyndham Worldwide
    Enterprise Application Security Manager
    Wyndham Worldwide Jul 2012 - Aug 2014
    Orlando, Florida, Us
    Established and managed the Application Security shared service. Covered all three lines of business and shared applications at the corporate level. Services included but were not limited to Secure Design Review, Dynamic Security Scanning and supporting the Cigital Secureassist rollout. Additionally, extensive support was provided to Compliance for PCI DSS regulatory requirements. Implemented and delivered the following projects across all three business units: Integrated BSIMM security controls, in turn, customizing each business unit's SDLC. Matured SDLC deliverables supporting seamless PCI compliance as well as the annual report on compliance. Translated technical requirements to salient business terms, bridging a communication gap. Justified the incremental time and budget required to implement this SDLC maturity. Conducted vendor security reviews on systems from Microsoft, Oracle & others, increasing the overall corporate security posture.
  • Wyndham Worldwide
    Software Development Manager - Web & Legacy Applications
    Wyndham Worldwide Apr 2009 - Jul 2012
    Orlando, Florida, Us
  • Donovan Data Systems
    Sr Business Analyst
    Donovan Data Systems Sep 2006 - Mar 2009
       • Responsible for managing the relationship with the Interpublic Group Agency & subsidiaries supporting the DDS hosted Accounting systems
       • Managed team of business and product analysts in supporting new business development, and servicing of existing portfolio of applications and services
       • Project manager for various system enhancements, directly supporting IPG back office operations in accounting and finance
       • Other services included but were not limited to the following: Project Management, Customer Relationship Management, Workflow Analysis and Optimization and Non-application related solutions

Derek Evans Skills

Hotel Management Hospitality Management Hotels Front Office Micros Event Management Hotel Booking Event Planning Onq Opening Hotels Guest Service Management Guest Recovery Customer Satisfaction Pre Opening Experience Food Service Food Menu Development Hiring Meeting Planning Rooms Division Management Cuisine Open Table Hotel Administration F&b Operations Pre Opening Catering Food And Beverage Sdlc Vendor Management Business Analysis Process Improvement Management Project Management Integration Security Enterprise Software Information Technology Leadership Software Project Management Software Development Strategic Planning Software Development Life Cycle Team Leadership Business Process Improvement Team Building Pmo Risk Management Security Management Web Application Security Testing Team Management Pci Dss Organizational Development Cross Functional Team Leadership Contract Negotiation Offshore Management Application Security Architecture Financial Planning Technology Implementation Situational Leadership Nearshore Vulnerability Management Innovation Ito Bsimm Application Security Assessments

Derek Evans Education Details

  • Rutgers University
    Rutgers University
    Center For Management Development
  • American Management Association
    American Management Association
    Management
  • Norwalk State Technical College
    Norwalk State Technical College
    Architectural Engineering

Frequently Asked Questions about Derek Evans

What company does Derek Evans work for?

Derek Evans works for Cfgi.

What is Derek Evans's role at the current company?

Derek Evans's current role is Cyber Security Advisor.

What is Derek Evans's email address?

Derek Evans's email address is ev****@****ail.com

What is Derek Evans's direct phone number?

Derek Evans's direct phone number is +197359*****

What schools did Derek Evans attend?

Derek Evans attended Rutgers University, American Management Association, Norwalk State Technical College.

What are some of Derek Evans's interests?

Derek Evans has an interest in Children.

What skills is Derek Evans known for?

Derek Evans has skills like Hotel Management, Hospitality Management, Hotels, Front Office, Micros, Event Management, Hotel Booking, Event Planning, Onq, Opening Hotels, Guest Service Management, Guest Recovery.

Who are Derek Evans's colleagues?

Derek Evans's colleagues are Mike Handley, Kyle Keller, Alex Kim, Yasmine Bedir, Florian Dotzler, Allison Rodriguez, Shatique Hicks.
