Resume focus on finishing the "Guide to the Information Risk Management Body of Knowledge" (IRMBOK Guide) for the Society of Information Risk Analysts (www.societyinforisk.org).

Owned security and privacy for all stores, online properties, and guided adventures. Directed team of 8 information security and privacy specialists with authority for cybersecurity, privacy, and compliance. Managed a capital/expense budget of $3M+. Coordinate IS-GRC across corporate IT, retail, loss prevention, legal, ERM, and Internal Audit.

Tasked with leading the Governance, Risk Management, Compliance, and Continuity (GRCC) group’s effort to automate manual tasks involving business continuity management, security governance, risk management, and compliance across all of Microsoft.

Owned security and privacy for online services. Tasked with establishing an Information Security Management System (ISMS) for OpenMarket’s Software-as-a-Service (SaaS) platform, consisting of 88 services, which must comply with 9,817 citations in 254 authority documents, linked to 484 controls, and implemented by 6,913 control activities, based upon industry standards like ISO 27001, NIST SP 800-53, PCI DSS, and the EU General Data Protection Regulation (GDPR). Develop security policies and procedures; oversee compliance monitoring and improvement initiatives. Perform security risk assessments as internal auditor. Championed information security awareness enterprise wide.

Editor and lead author of SIRA's Information Risk Management Body of Knowledge (IRMBOK). Have already written 40,000 words. Once complete, the book will likely be 60,000-80,000 words long.

The Society of Information Risk Analysts (SIRA) is dedicated to continually improving the practice of information risk analysis. We endeavor to do this by supporting the collaborative efforts of our members through research, knowledge sharing and member-driven education. Our membership is rapidly growing, from 150 in October 2011 to 470 in October 2012.

Deliver CISO-for-hire, information security, compliance, privacy, risk management, and online safety services.Client Industries: Healthcare, software, retail, online (MMOG), and non-profit.

Worked with TWDC CISO to redesign security policies and standards. Founder and Co-Chair of TWDC's IT Compliance Board; responsible for the overall strategy for enterprise-wide IT compliance program management and audit support. Regulatory scope includes SOX 404, PCI DSS, EU Data Protection Directive, U.S.-EU Safe Harbor Framework, FACTA, Japanese Personal Information Law, Interactive Advertising Bureau (IAB)/ Media Ratings Council (MRC).

Brought on board to design and lead the technology security risk management program for The Walt Disney Company’s (TWDC's) Internet properties including category leaders Disney.com, ESPN.com, ABCNews.com, and ABC.com, which together represent the 12th largest Web property overall. Chair of TWDC’s Media Technology Board Security working group; responsible for overall strategy for the security of TWDC’s digital media assets. Defined risk management roadmap and strategy and evangelized to first-ever Executive Security Steering Council. Led effort to manage compliance with the Payment Card Industry (PCI) Data Security Standard. Coordinate security incident response team and document incident response procedures. Helped lead a task force to manage technical recruiting process. Span of control includes 12 security and privacy risk management professionals.

Led global information security department for nation’s 3rd largest dial-up Internet Service Provider, with more than 5.3M subscribers and annual revenues exceeding $339M. Managed security of over 1200 production machines. Established and coordinated the security Incident Response Team. Conducted periodic security audits of information systems, including firewalls, routers, switches, load balancers, Free BSD, Red Hat Linux, Solaris, Oracle, and Apache. Coordinated strategy to protect dial-up users from the latest Windows security vulnerabilities, including worms, viruses, and Trojans. Implemented formal security patch management process, ensured the latest security vulnerabilities were evaluated and addressed in a timely and cost-effective manner. Developed and implemented security architecture for e-commerce consumer billing system with millions of credit card numbers; no known security breaches during my tenure. Span of control included 4 full-time security professionals.

Reporting directly to the SVP/CTO, responsible for the protection of a global B2B exchange/hub serving the chemical industry. Built the Information Security Program from scratch. Executed an Incident Response Program. Implemented audit strategy to meet assurance requirements of clients (chemical companies). Developed Incident Response Procedure, trained employees, handled "real" incidents, worked with law enforcement. Span of control included a staff of up to 6 full-time security professionals (both employees and consultants).

Provided IT security consulting and auditing services to Fortune 500 clients in the Energy and Financial Services industries. Assisted clients with the implementation of security tools, including firewalls and intrusion detection systems (both host- and network-based). Conducted vulnerability assessments and information security risk analyses. Conducted numerous audits and security reviews of firewalls and Unix machines. Developed and taught course materials for security courses.

Initially started at USAFA as a systems administrator, but transitioned into the Director, Network Security role, where I was responsible for protection of $32M academic network, consisting of 14,500 devices in over 111 physical locations, supporting 8,400 users. Worked with Special Assistant US Attorney to prepare for prosecution of computer crime; testified as expert witness for US Government in federal criminal trial. Span of control included 5 network security specialists as director of Network Security office and 65 personnel as Deputy Chief, Network Control Center.