Serves a team of analysts and engineers that work with partner teams to identify, contextualize, and measure cybersecurity risks to better inform their decision making and priorities. Responsibilities include: - leading our vulnerability management program through influence backed by high quality data and analysis- identifying high risk attack paths and engaging system owners to take timely action- consulting with developers on proposed design changes that impact our threat models- mentoring our team of world class engineers and analysts

Responsible for earning the trust of enterprise clients by developing the client-facing elements of the company’s information security program and representing Information Security during negotiations with prospective enterprise merchant clients and strategic partner engagements. Responsible for managing SOC2 Type II attestation, and rationalizing the company's modern cloud native engineering and security practices for our enterprise clients in various stages of digital transformation or cloud adoption.

Leads enterprise information security teams involved in complex projects driven by corporate actions including divestitures, mergers, acquisitions, and strategic investments. Advises business leaders and program managers to ensure that operational risks are understood and minimized while meeting the project's objectives. Works with corporate and external counsel to negotiate contract terms with regarding data security and privacy representations and warranties. Serves as primary decision maker for information security risk acceptance and policy exceptions from initial due diligence through integration.Separately, serves as primary point of coordination between the bank's cyber threat management team and the third party risk organization. Advising on the development of the bank's third party incident response program and developing capabilities to monitor the posture of the bank's extended attack surface.

My team works with current and potential vendors, international operations and allied partners to assess their technology risks and develop strategies to meet internal and industry standards as well as external requirements such as PCI-DSS, SOX, GLBA, etc. We empower confident decision making from IT and business leaders by providing insights into the technical risks implicit in proposed third party relationships and potential mergers and acquisitions.Accomplishments:- Designed and implemented a formal third party risk assessment program that balances business objectives with their inherent risks and aligned to common standards such as ISO 27001, NIST 800-53, and the BITS Shared Assessments framework.- Developed program for assessing and improving the information security programs at domestic and international subsidiaries in China, Mexico, Canada and India.Relevant buzzwords include: third party vendor risk assessments, mergers and acquisitions, assurance

At Fidelity I led a fantastic team of experienced information security practitioners. Our primary responsibility was to work alongside our business partners and internal software development teams to ensure that the systems they built met the security requirements of Fidelity's Information Security program. This required deep knowledge of application security principles, agile and waterfall software development practices and security architecture best practices.Our best accomplishments include:- Building the company's formal program for evaluating the security posture of trusted service providers.- Standing up a formal process to respond to the many requests from our institutional clients to assess our security program.- Defined the security requirements for several key development efforts, such as: - Fidelity's first international trading platform - Prime Brokerage platform, focused on the hedge fund industry - WealthCentral, the redesign of Fidelity's platform used by Registered Independent Advisors - Streetscape, Fidelity's platform and APIs utilized by Broker-Dealer organizations - The integration of WealthCentral with Fidelity.com to provide a secure account holder experience

At IBM, I worked with clients to improve their disaster recovery strategies and participated in several disaster recovery tests. I also helped to develop the initial Governance, Risk and Compliance consulting practice for the Global Technology Services organization.

I started working for FirstNLC as a (Protiviti) consultant and they hired me on to complete the development of their Information Security and disaster recovery programs in preparation for their initial Sarbanes-Oxley 404 audit following their acquisition by FBR Group.

As a senior consultant with Protiviti, I helped customers that were new to the information systems audit process prepare for their first required external audits by conducting very thorough internal audits and advising them on building information governance and security programs. Typically these were newly public or recently acquired companies that needed to comply with section 404 of the Sarbanes-Oxley Act.Keywords: SOX 404, First year SOX, Internal Audit