As Motional's Director of Cybersecurity, I continued my leadership of ProdSec and took on all other cybersecurity functions. This taught me that while I love all cybersecurity topics, I tend to prefer those related to building products.Key Successes:- Managed public release of Motional's Security Development Lifecycle (SDL) / Cybersecurity Management System (CSMS), called AVCDL, including partial training content. To my knowledge, this is the first SDL / CSMS purpose-built for developing secure safety critical systems publicly released in full- Managed external assessments of AVCDL to ISO/SAE 21434 and UN R155, resulting in two confirmation letters from TÜV SÜD - Primary contributor to the successful case to create Motional's Compliance function and reinvorgate the Quality Management function. Led effort that hired a Quality Director- Directed the implementation of secure boot, secure update (A.K.A. secure flashing), device authentication (including UDS 0x29 PKI-based authentication), and secure communication (including TLS, Autosar SecOC, and Autosar Black Channel) in cameras, lidars, high performance compute, drive-by-wire, remote vehicle assistance, and other ECUs. This included making risk-based decisions about bugs and vulnerabilities or when faced with implementation delays- Directed implementation of AVCDL processes including static and dynamic analysis, penetration testing, risk analysis, and more, all contributing to a product safety case- Doubled IT Security headcount and filled the roles with top-tier hires. Retooled how this team performed program and project management. This took the team from treading water to sustainably and effectively defending the business- Initiated and staffed an ISO 27001 compliance program; completed a first successful audit in Spring 2024- When my time at Motional ended, I was working cross-functionally to implement requirements processes, a TARA process, application lifecycle management, and much more

I led cybersecurity negotiations between Aptiv's Autonomous Mobility (AM) division and Hyundai. This was part of a larger effort that closed a multi-billion dollar deal to form Motional. I managed all Product Cybersecurity functions in this joint venture as I previously did in Aptiv's AM division.Key Successes:- Founded cybersecurity team now serving all aspects of product security across the company- Hired and managed cybersecurity experts working across two US states and three countries- Managed creation of security development lifecycle complying with ISO 21434- Managed creation and spearheaded communication of product development lifecycle to unify systems (ISO 15288), software (ISO 12207), safety (ISO 26262), and security (ISO 21434) lifecycles- Co-inventor of seven cybersecurity technologies and processes that turned into patents- Primary author of the cybersecurity content in "Safety First for Automated Driving" -- now ISO/TR 4804:2020- Primary author of the cybersecurity content in Motional's first Voluntary Safety Self-Assessment (VSSA)- Used threat modeling to formulate the "Big Four" technologies disclosed in our VSSA -- used Big Four to consistently communicate top priorities to senior leadership and to coordinate key projects across a dozen suppliers- Implemented preliminary security monitoring and incident response process- Worked across the enterprise to gain support for a successful transition from C++11 to C++14- Gained corporate membership to Auto-ISACRepresentative Responsibilities:- Lead efforts to comply with cybersecurity standards and regulations within the automotive industry- Formulate and execute cybersecurity strategy- Manage cybersecurity implementation- Inform senior leadership of cybersecurity risks and deliver recommendations- Coordinate cybersecurity efforts in collaboration with Aptiv, HMC, and the supply chain

I led a team of talented engineers and specialists responsible for ensuring that self-driving vehicles and supporting infrastructure built by Aptiv's Autonomous Mobility division are difficult for hackers to successfully attack. We collaborated with teams across the division and outside stakeholders at every development stage from concept definition to product verification.

Design, analyze, and implement privacy-protecting middleware and personalization-on-the-edge technologies. Lead software engineering efforts across multinational Agile team emphasizing privacy, security, and quality.At Bezirk I have been able to test myself as a leader within a diverse team of impressive people. Every day has brought me new opportunities to mentor junior developers, design software systems, lead software engineering efforts, pick technologies to build on, contribute to business strategy, and so much more.Selected Responsibilities:- Lead software engineering efforts to develop a retail recommender system that runs on consumer phones- Architect deployable retail personalization solution to realize go-to-market strategy- Design and evangelize Security Development Lifecyle and software quality processes- Train development team spanning two countries and several cultures in secure software development and modern software engineering practices- Architect and analyze innovative security and privacy mechanisms

My research interests broadly fall within the domain of software security. In particular, I specialize in the use of sandboxes to encapsulate computations that may be vulnerable or malicious to contain unwanted behaviors. I started by designing a sandboxing mechanism for rich and extremely complicated file formats (e.g. PDF, DOC, PPT, etc.), but later turned my attention to enhancing the security and usability of existing sandboxes. In particular, my thesis project focused on eliminating unnecessary and vulnerability ridden functionality in the Java sandbox and tooling to overcome necessary complexity that is currently hampering sandbox deployment. The final project in my thesis uses program analysis and rewriting on Java bytecode to automate fine-grained application of the Java sandbox.I was a founding member of Carnegie Mellon's NSA Science of Security Lablet. I also had the privilege of working on a special project to advise the US government on the state of contractor-produced software developed for government agencies. This led to a series of a recommendations for altering contractor/government relationships to improve results.Outside of research, I found many opportunities at Carnegie Mellon to:- Give invited guest lectures on various security topics in undergraduate courses- Speak to executives at various companies about my research- Work with potential collaborators to define project goals, execution strategies, and formal statements of work- Mentor more junior PhD students

Design and implement secure software systems and consult on projects requiring security expertise.In my time at Boeing I acted as a consultant on more than twenty high assurance projects that needed secure design and coding expertise. I also acted in a consulting role to fix more than 100 vulnerabilities. The vulnerabilites I have fixed are diverse: common web application issues (OWASP Top 10), mistaken use of cryptography libraries, memory corruption and threading issues, missed mitigations in hardware systems, etc.Dedicated Projects:- Design, implement, and support two-factor authentication mechanisms- Design and support Boeing's Security Development Lifecycle and supporting tools- Modernize and simplify application threat modeling processes- CMS for Board of Directors- Define, manage, and drive cybersecurity R&D collaborations with universities- Reusable ModSecurity VM deployment for temporary vulnerability mitigation- Design and implement identity management solutions Special Projects:- Design of Boeing's formal Application Security job role- Define Boeing's IT university relations strategy- Application Security representative on CTO's Advanced Persistent Threat Panel- Application Security representative on enterprise-wide Insider Threat Mitigation project