April 1, 2024 the Healthcare business group from 3M split off to form a new company - Solventum (SOLV).Currently working on building out AI Governance at the new company with a cross-functional team.

Securing the software supply chain and evaluating the increasing impact of automation and AI tools in the enterprise.Areas of Focus:- AI governance, productivity enhancements, and security considerations- CNCF Software Best Practices- Secure Software Supply Chain- Code Security (SAST) +- Component Security (SCA) and Open-source licensing- Shifting Left- Secure DevOps (DevSecOps)- Container (K8) Security- Code Repositories, code management and inventory- Build and Deploy pipeline security (CI/CD)The 3M Digital Science Community (DSC) represents elite technology professionals sharing knowledge and ideas, and tackling the tough issues that face the global healthcare system. Together, we’re using the power of innovation to shape a brighter, healthier, more connected planet using advanced digital tools and technologies.

We formed a great team to protect 3M HIS with business aware security programs that address the highest risks. The HIS division has some unique security requirements and challenges that make this an exciting place to work.My most recent cross-functional project improved cost management and security by enforcing AWS resource tagging through automation. By the end of the project, tagging improved from 30% to over 95% through extensive communication and enforcement actions on non-compliant systems. - Deployed Splunk in AWS to monitor the environment and deployed applications. Continuing to build out use cases, integrate with other data sources, and deploy Enterprise Security (ES) for investigation management.- Improved AWS security by deploying 40 automated controls in 2018 via AWS-native services and DivvyCloud.- Improved threat and vulnerability management by using targeted reporting to significantly reduce outstanding vulnerabilities. (WebInspect, Nessus, AWS Inspector, BitSight)- Briefed division and corporate leadership regularly on program progress and key initiatives.- Developed incident response capability by defining processes, playbooks, responsibilities, and standards. Partnered with corporate and division leaders to ensure that major incident communications flow correctly.- Established secure application development capabilities by improving integration of Fortify and Checkmarx solutions with the build pipelines.- Worked with data scientists and ForcePoint engineers to improve data loss prevention (DLP) detection effectiveness for HIS specific terms by over 100x.- Establish a highly productive team and culture using sabbatical resources from our partner technical division.

Created a profitable technology startup within the 3M ecosystem. What a fantastic experience and culture!

Launched our critical security controls based certification program in the ServiceNow GRC. Met regularly with over 40 service teams to ensure the IT organization was aligned and the control tests were valid and understood. The system was self-service using the established ITSM platform and helped to focus leadership attention on the highest risks. Saw immediate increase in executive visibility and controls compliance.- Planned and executed a multi-year security roadmap for deploying and growing the information security controls program. Maturity levels M0 and M1 delivered in 2017, M2 planned for 2018, M3 scheduled for 2019. Additional security capabilities needed for advanced maturity levels and are added to the strategic plan.- Facilitated prioritization discussions at security leadership offsite discussions- Trained technology division leaders and project managers on the new security program and provided tools and other resources within ServiceNow to improve visibility and engagement- Created a maturity model for security program and project management- Provided effective policy and standards management for the IT organization- Created a security tools product management strategy that increased engagement with our partners

Created and led a security services team to provide ongoing operational excellence around key deliverables.- Acquired and implemented the Qualys vulnerability scanning tool to find and prioritize worrisome flaws, then worked with system owners to remediate. Saw an 80% reduction in open vulnerabilities due to effective communication and improved visibility.- Acquired and improved the firewall request process, reducing the average cycle time from 3.5 to .65 days per request within a year- Improved the SSL certificate management process by implementing Venafi as a self-service portal and integrating it with cloud services. The portal provided a win-win by improving security and reducing friction- Managed the code security process and program. Tuned and improved the strategy to better meet organizational needs- Provided access oversight for key systems. Ensured privileged accounts and roles were regularly certified- Performed operational PCI responsibilities- Created and socialize a knowledge management platform that gained rapid adoption by the division- Managed service relationships with external partners- Continuously improved internal processes through documentation and stakeholder discussions- Consistently delivered results under budget

Regularly detected and investigated threats, providing actual cost savings to the organization through rapid security incident response. Led a team of 27 security professionals to create a culture of excellence and results.- Demonstrated the value of security monitoring by showing the cost savings achieved due to avoided incidents. Easily justified the value of the function.- Established a rigorous training program for the front line defenders of the organization- Improved data availability and investigation capability for incident analysts using Splunk, RSA Envision, RSA Security Analytics, Websense, SourceFire IDS, and F5 WAF- Implemented ProofPoint Targeted Attack Protection (TAP) to improve Phishing response capabilities - Created an incident reporting intake process which standardized information gathering and improved response time- Improved and cultivated an atmosphere of pride and purpose - Prioritized systems and users with higher threat potential to increase monitoring effectiveness

We made access secure and easy. - Created a single front door process for access requests with associated SLA and performance tracking- Managed and documented the various security-related access request processes- Partnered with other functions to select and deploy the RSA Aveksa enterprise access governance solution- Provided excellent customer service to improve the perception of information security as an enterprise enabler- Built strong relationships with the customer support and directory teams by providing training, testing, and visibility services- Developed and published access governance policy and principles- Trained front line teams on access management principles and social engineering defense

- Improved the security posture of the organization by assessing card processing related business risks- Established positive relationships with business functions, evaluated new strategies and tools- Championed process improvement initiatives based on ITIL v3, led the PCI compliance program re-design in 2010- Managed contracts with vendors to perform controls mapping, process, and reporting work.- Deployed and managed the Agiliance governance, risk, and compliance (GRC) tool for PCI controls management and attestation - Ensured effective communications as the security liaison with major department functions.

Developed multiple system solutions using C and C++, the QT UI framework, and third-party resources through exposed API's. Improved page optical character recognition (OCR) performance through a combined hardware and software solution, increasing productivity by 40%. Learned COBOL (yes, COBOL) to meet a USPS address standardization requirement. Led project to help the organization become CASS-certified after translating the provided examples into C and integrating the module with existing solutions. Improved solution speed using a RAMDISK solution to meet performance objectives. Established the initial AMACAI division security policy and deployed in-line network intrusion detection system (NIDS) using Snort running on a minimalist Gentoo Linux system. Detected abuse of corporate resources shortly after enabling the new detection system.

Reviewed partner and engagement connectivity requests to Andersen external network for content and transmission security risk. Learned and became certified as a Lotus Notes Developer to improve firewall request processing - reducing delays due to invalid requests by 50%. Coordinated work with international security teams in France and Singapore as well as cross-functional US teams to ensure that business needs were met.

Coordinated assignments and task goals to solve hardware and software problems for professors and other University staff. Volunteered to re-design the web site for the college and created a web portal that lasted for over 5 years. Became great friends with my co-workers and built strong relationships with our clients to ensure that we solved the right problems. Developed deep understanding of Windows systems, networking, web design, and virus removal.