Ken Brown Email and Phone Number
With over 20 years of experience in information technology, I am a seasoned leader in information security and data protection. I currently head the infosec function at Cypress.io, a cloud-based testing platform that simplifies and accelerates web development.

My core competencies include designing and implementing strategic and operational security programs, integrating security and IT with business goals, leading digital transformation initiatives, and building high-performing teams. I have a proven track record of delivering security and IT as a competitive advantage, achieving compliance with various regulations and standards, and embedding security controls and mechanisms into serverless architecture and development pipelines. I am passionate about empowering developers to manage and fix vulnerabilities as part of their workflow and leveraging AWS security services and Auth0 configurations to minimize threat model exposures. I hold the CISSP-ISSEP and PMP certifications and have extensive experience in the fintech and education sectors.
- Chief Information Security Officer | Smartlinx | May 2024 - Present | Iselin, New Jersey, US
- Head of Information Security | Cypress.io | May 2023 - Present | Atlanta, Georgia, US
- Head of Infosec and Privacy | Villanovatech | Nov 2019 - May 2023 | Berwyn, Pennsylvania, US
  NovaTech is a fintech start-up building and delivering SaaS-based applications to financial planners and broker/dealers. I established the company's first infosec strategy and program. Successfully completed ISO27001 certification, CCPA & GDPR compliance and NYDFS (23 NYCRR 500). Worked closely with developers and infrastructure team to embed security controls/mechanisms into serverless architecture and development pipeline. Designed and implemented multiple AWS identity and security services and Auth0 configurations to minimize threat model exposures. Implemented application security program using software engineering champions model and empowering developers to manage and fix vulnerabilities as part of their normal workflow. Integrated SCA, SAST and threat analysis as part of code review into development pipeline. Engineered privileged access process for granting JIT elevated policies on AWS. Run multiple open source CSPM apps to identify configuration gaps. Use Terraform to enforce security standards. Set up end-point security for all user devices and SSO using JumpCloud.
- VP, Corporate Technology & CISO | Frontline Education | Dec 2017 - Oct 2019 | Malvern, PA, US
- VP, Chief Information Security Officer | Frontline Education | May 2016 - Oct 2018 | Malvern, PA, US
  Developed and implemented the company's first comprehensive cybersecurity and data privacy program in 18 months covering SaaS product development, private/public cloud infrastructure, corporate systems and data. Created unified risk and policy framework based on NIST CSF/800-53, ISO27001, FERPA, HIPAA, state privacy laws, PCI DSS and GDPR. Successfully completed SOC 2-Type II certification. Built quantitative risk model to justify investments and adjust defensive posture as needed. Implemented overall security architecture based on CarbonBlack Response/Defense, Tenable IO, eSentire MDR, AWS security services (IAM, GuardDuty, WAF, Secrets Manager, Config, CloudTrail), MS SQL Server TDE, MS Identity Manager, MS 265 MAM, Cisco FirePOWER, Duo MFA, OneLogin and Kafka/ELK security event monitoring. Worked closely with software engineers to implement identity management/SSO features into product suite. Designed and tested SAML and OIDC integration. Established product security scorecard which summarized results of ongoing red team exercises, vulnerability risk scoring and Building Security In Maturity Model (BSIMM). Resulted in 40% increase in development funding for remediation. Implemented DevSecOps strategy through incremental improvements in the CI/CD pipeline. Using SonarQube static code analysis, GitHub/Jira code review triggers/scripts, OWASP Dependency Checker, TeamCity/Chef validations/cookbooks and metric reporting to foster developer feedback loops. Provided threat modeling services to product development teams and performed design reviews. Built comprehensive incident response program which resulted in early detection and remediation significantly reducing the number of reportable breaches. Evangelize and promote security program with current and prospective customers. Develop and conduct both internal and customer focused security communications, webinars and presentations to customers.
- Managing Director, Cyber Security | KPMG | Aug 2014 - May 2016 | Toronto, ON, CA
  Implement security programs, including technologies and tools, architectures and network, application design, and policies / business aspects of risk. Perform IT Risk & Security assessments and develop information security strategies and appropriate policies. Recommend security solutions to assist with the assessment and improvement of technology infrastructure as well as demonstrate a strong understanding of the IT security landscape, including emerging risks and security solutions. Translate business needs and regulatory requirements into risk appropriate controls to successfully implement security policies, standards and guidelines. Develop training and awareness efforts for employees, contractors and visitors to establish a security aware culture to prevent or mitigate security incidents. Assist clients in designing, deploying and managing technology and process solutions to reduce the potential of data compromise. Assist clients with developing technical requirements, evaluating vendor solutions, developing architecture & design, and testing of data protection and data security solutions. Advise clients in understanding the future state problems and challenges in cyber security and work collaboratively with them to enhance capabilities. Contribute to thought leadership in client organizations. Be up to date on industry trends around cyber risk and data protection practices. Establish IT security operations, delivery, and architecture for the enterprise, including vulnerability and threat management, security operational support, enterprise identity and access management, and responses to security and audit compliance activities. Experience establishing compliance programs for HIPAA, HITRUST, NIST 800-53, PCI DSS and ISO 27001/2/17.
- IBM Security Services | IBM | May 2012 - Jun 2014 | Armonk, New York, NY, US
  Develop and implement security governance models based on industry best practices such as ISO 27002, NIST Cyber Security Framework, or NIST 800-53 to achieve desired security maturity. Enhancement of cyber security awareness program and improvement on risk management. Develop and establish executive dashboard reporting on Cyber Security events and trends and publish to senior management and key stakeholders. Create a process to periodically update policies and procedures to ensure they accurately reflect business requirements and align to industry leading security practices. Develop baseline hardening standards across organization. Strengthen the processes and procedures around the QRadar to aggregate logs, correlate events, and detect incidents. Assist IT to formalize the patch management program, review the patches, evaluate the risk, and apply the patches using a risk based approach. Conduct periodic vulnerability scanning process and penetration tests. Direct PCI and IT SOX compliance effort in partnership with Internal Audit Team. Manage third party risk management program in partnership with cross-functional teams.
- Senior Executive, Technology Risk | Comcast | Jul 2008 - Jun 2012 | Philadelphia, PA, US
  Work collaboratively and influence others to ensure adequacy of cyber risk mitigation efforts. Identify risks associated with business processes, IT operations, information security programs, and technology projects. Supervise the activities of analyst(s) with responsibility for repeatable quality, client satisfaction, and investigative integrity. Facilitate effective, comprehensive, and consistent communications, for various audiences, including steering committees and other executive levels. Participate in major cross-functional projects affecting business initiatives, product, or service leadership. Maintain an understanding of the current vulnerabilities, response, and mitigation strategies used in cyber security operations. Represent the company in customer briefings, security reviews, application development and deployment life cycle, and network and infrastructure projects. Responsible for hiring, assigning, developing, coordinating, influencing and leading team members, contractors and other consultants. Establish ongoing communication with senior leadership on the status of security issues, evolving risks and related recommendations. Develop metrics to measure the effectiveness and efficiency of all security programs and personnel.
- Senior Manager, Enterprise Risk Services | Deloitte | Jun 2003 - Jul 2008 | Worldwide
  IT risk assessments, design and implementation assessments, and operating effectiveness testing. Assisting management with issues evaluation, reporting, aggregation, mitigation and remediation exercises. Managing complex score carding, reconciliation, and automated assessment activities for high-volume management IT processes to reduce manual operating effectiveness testing. Coordinating with Finance counterparts to develop an integrated compliance oversight function, identify inter-related needs, and coordinate automated application controls and automated reporting oversight needs. Developing management and executive level reporting (dashboards, status reports, Steering Committee reports, etc.) and conveying key messages to client stakeholders. Developing professionals within the team to enhance their technical, leadership, and communication skills. Developing strong relationships with client stakeholders, external and internal auditors, and other contractor functions to promote the stability and effectiveness of the Deloitte team. Identifying areas for expansion of services to assist management in the effectiveness of IT functions.
- Program Manager - Information Security | Northrop Grumman Information Technology | Apr 1998 - Jun 2003 | Falls Church, VA, US
- Senior Associate | PricewaterhouseCoopers | 1993 - 1998 | GB
Ken Brown Education Details
- University of Virginia | Management of Information Technology
- University of Maryland - Robert H. Smith School of Business | Accounting
Frequently Asked Questions about Ken Brown
What company does Ken Brown work for?
Ken Brown works for Smartlinx
What is Ken Brown's role at the current company?
Ken Brown's current role is Chief Information Security Officer | CISSP-ISSEP, CISSP. PMP.
What is Ken Brown's email address?
Ken Brown's email address is ke****@****ion.com
What is Ken Brown's direct phone number?
Ken Brown's direct phone number is +126748*****
What schools did Ken Brown attend?
Ken Brown attended University Of Virginia, University Of Maryland - Robert H. Smith School Of Business.