Lead Security Program maturity initiatives for businesses either in need of bootstrapping a program or needing to optimize, adapt, and scale emerging programs.Perform application and infrastructure assessments, including pen testing, load testing, dynamicanalysis, profiling, log and metric analysis. Provide expert requirements and recommendations forsecurity and resiliency initiatives.Design and engineer Zero Trust Architecture solutions, including automated remediation with SOAR workflow integration. Design and engineer native integration with platform security tools, such as AWS Security Hub (including custom ASFF). Experienced support of HIPAA, FDA, ISO 27001, PCI, CID, NIST, FedRamp, and SOC2 aligned corporate authoring of Policies, Standards, and Procedures. Provide automation friendly, script-driven approach to authoring and transforming security and compliance documentation, supporting publication to any platform (e.g., GRC tools, Sharepoint, Confluence, etc.).

Responsible for global enterprise logical and physical security roadmap, strategy, design, and architecture. Built and managed a talented and motivated "bootstrap" team to design, implement, and automate IT security and compliance capabilities across global sites, cloud services, corporate data centers, and commercial data centers.Led security and compliance on a successful launch of a major, global new service offering requiring PCI Card Production (CP) accreditation. Included design and engineering of CP aligned securefacilities, Secure SDLC, release management, monitoring, IT management processes, and BC/DR.Led information security public cloud strategy, design, and architecture on AWS, including attention to governance, data protection, security analysis, hardening, and automation, as well as velocity and scalability.Updated application and product lifecycle management to integrate security with project and sprint activities. Emphasized matching security capabilities to an enterprise move toward Devops, including CICD pipeline methodology.Defined security requirements mapped to ISO 27001, FFIEC, NIST SP 800-53r3, PCI DSS and CP, WebTrust, GDPR, and CSA CCM. Included a defense-in-depth matrix mapped to an attack kill chain. Supported prioritization, business cases, and broader communication of strategy to technical and leadership audiences.

Established a security architecture practice, introducing new business models to the company. Included design and implementation of Secure Software Development Lifecycle processes: penetration, dynamic, and static testing with integration into existing client development lifecycle processes and tools.Established a security incident response practice, engaging new clients with potential conversion to security architecture and GRC support.Converted short analysis engagements into lengthy engagements supporting the security strategy of clients with interest in addressing architecture concerns, and design flaws.Defined security policy and standards for a healthcare exchange company, mapped to HITRUST and NIST 800-53 v2.Defined a formal pen testing service offering. Developed scripts to automate reporting to optimize engagement efforts, allowing competitive edge and operational efficiency.Researched open source security tooling, providing low-cost alternatives to clients.Designed a cloud-based deployment model for a client to fully protect their IP while meeting difficult global availability requirements. Designed custom client-based authentication for cloud deployment model. Designed an approach for protecting IP with existing, non-cloud-based deployment model for competing project.

Designed, implemented, and the initial application security architecture team focused on emerging technologies and emerging business. This team consulted closely with executives, legal counsel, senior/enterprise architects, and IT leadership across the enterprise.Led security architecture of major initiatives including a API services/REST modernization effort. Promoted and designed an externalized authorization management model, promoting: authentication standardization (OAuth, OIDC, proprietary), life-cycle management, reuse, rapid adoption, improved auditing, and simplified reporting.Led security architecture on major cloud initiatives, including initial UHG analysis of public cloud usage (AWS) in collaboration with the Optum CTO, enterprise architecture, legal, and IT departments.Bootstrapped numerous foundational Security Program capabilities; including Secure SDLC (white, grey, and black box testing), extensive control mapping (NIST 800-53, HIPAA, HITRUST, CSA CCM), consumer identity design standardization, the initial technical risk assessment (TRA) process, vendor management, technical vulnerability management (TVM), BYOD, release management security integration, secure development plan (SDP) documentation, advanced security analysis, red teaming, and partner/external security consulting.

Founding member of UnitedHealth Group's Information Risk Management department. Implemented the initial approach to secure software development, introducing dynamic application security testing and penetration testing. Later introduced software application security testing, and provided active support to numerous teams across the enterprise.Responsible for application and service related corporate policies: drafting, reviewing with stakeholders, aligning with security and compliance requirements, publishing, and promoting enterprise-wide.

Introduced advanced web services and middleware security (certificate based x.509) scalable to enterprise expectations (IBM DataPower, etc.).Led design, development, and launch of HSA product (now Optum Bank) application, including integration with a major banking platform.Extended SSO and Federated Authentication initiatives across over 50 externally facing application endpoints.

Developed a forum, prior to the emergence of social media, using open source solutions for low-cost and high availability. Includes AWS: EC2, API Gateway, SNS, SES, Lambda, RDS, S3, ElastiCache, CloudWatch, Rekognition. Also includes VueJS, Python Flask, Apache. Explore new technologies while having the work immediately consumed by thousands of users who have submitted over 1.5 million posts.

Designed and implemented SSO authentication between internal web applications using SAML (Ping Federate), later establishing the enterprise standard for all of UHG (acquiring entity).Extensively refactored Definity’s proprietary UI framework allowing transition to Spring MVC.Implemented extensive refactoring program driven by code profiling. Worked with developers and architects to address findings.

Engaged top 10 bank leadership in-person to integrate middleware product with loan origination systems in a Professional Services role.Supported customer presales with product management team, sharing insights with middleware architecture and development teams.Designed and developed middleware platform generating complete, dynamic mortgage documentation while supporting the legal and compliance requirements of large financial firms. Designed and developed key components, including service layer, data model, custom rules engine, document management integration, and security.Developed PDF content serialization components using XSL-FO/FOP and iText.Improved security on a legacy Net.Data document server using Java on AS/400.

Built a New England based travel site. Included data modeling and web application programming. Built a high speed search engine for the specialized needs of the client.Improved performance and security on various ecommerce sites.Designed and developed dynamic polling and survey systems.Developed an online enrollment and attendance system for a large public school system. This system provided the most accurate student reporting within the school district, allowing the program to meet statutory obligations.

Provided system admin services and board representation for a non-profit, technology based company.Experience included Solaris, SGI, FreeBSD, and Linux support. Coded custom shells for end-users. Founded a domain reseller function that brought additional income. Migrated them to less expensive, custom built servers. Provided on-call and colocation support.

Designed and implemented the IT infrastructure of a centralized extended day/year program.Built data-driven web applications using the following tools: Java, SQL Server, MySQL, JDBC, XML/XSLT, XSL-FO, XEP/FOP. Data modeling, administration, and reporting. Provided PDF reporting using FOP and XEP.Acted as system administrator, managing Solaris, Linux, Mac OS servers. Application systems included databases, mail services, file services, and web applications.