In addition to the Cybersecurity Operations team, I now lead the Identity and Access Management team providing overall identity and access governance to achieve segregation of duty and least privilege including role-based access control, the access certification process, as well as strategic and operational aspects of IAM in Amazon AWS. As part of my Threat & Vulnerability Management team, I am also responsible for the Corporate Security Exceptions process. Recently added External Attack Security Management (EASM) to the Threat & Vulnerability Management team. Continue to drive and implement many focus areas in the Zero Trust journey, including least privilege, multi-factor authentication, strong IAM segregation of duty, software defined perimeter, microsegmentation, and continuous verification. Collaborates with IT infrastructure and software engineering teams in multiple ways such as vulnerability management and remediation, enterprise architecture, and cross team project oversight. Responsible for incident response internally and with Tier 3 on retainer. Member of the corporate GenAI working group. Recently completed the new Sallie Mae's Leadership Program (LEAP).

Lead the cybersecurity operations team that provides security engineering for endpoint security, endpoint forensics, network threat detection, vulnerability management, secure baseline configuration management, external attack surface management, wireless intrusion prevention, email security, inbound and outbound web security, data leak prevention, application security, purple teaming, insider risk, threat intelligence, and technical incident response. Purchase and provide security solutions for primary data center infrastructure in the public cloud providers as Sallie Mae migrated all managed data center assets to AWS. Manage 3rd parties providing pen testing, ethical hacking, and MDR/SIEM/SOC Tier 1 providing alerting, limited automated response, and threat hunting. Direct the MSSP that operates 24x7 cybersecurity infrastructure with on-prem and India-based resources. Represent Sallie Mae on the Financial Services Information Sharing and Analysis Center (FS-ISAC) bi-directional information sharing activities while continuously monitoring for emerging threats. Provide support for audits (PCI-DSS, FDIC/FFIEC/GLBA/SOX) and evidence for continuous monitoring of internal controls based on a unified controls framework focused on NIST and FFIEC in a highly regulated environment. Measure security maturity with CIS Critical Security Controls, FFIEC Cybersecurity Assessment Tool, and Cyber Risk Institute Financial Profile. Provide Tier 2 Incident Detection and Response capability to the corporate Incident Response organization. Using Breach Attack Simulation tools under Mitre ATT&CK framework to validate prevention, detection, and event generation in the overall security stack. Partnering with Agile teams such as IT architects, infrastructure, and application development to secure IT during the cloud digital transformation journey to the serverless cloud. Deliver metrics for Risk Committee and Board reporting. Completed Sallie Mae's Leadership Development Program.

Subsequent to Sallie Mae splitting the company into Sallie Mae and Navient, I grew and developed the Cybersecurity Operations team from scratch to augment the 3rd party MSSP security operations solution selected for the new Sallie Mae.

Managed a team that provided enterprise-wide services in application security (penetration testing, application security assessments, web app scanning, ethical hacking, mobile app security assessment), vulnerability management (threat intelligence, vulnerability scanning, database security scanning, web site scanning), and security operations (two-factor authentication, virtual datacenter protection).

Member of the IECC and currently on the Finance Working Group.

I participate on numerous advisory boards. The delivery varies from informal breakfast meetings to formal established SAB/CABs. These are all in the IT industry.

2022 Executive Boardroom - Cybersecurity Insurance -- What Price Will You Pay? 2021 Executive Boardroom - Executing Your Security Operations Plan 2018 Executive Boardroom - Securing a Multi-Cloud Strategy2017 Breakout Session - Up Your Security Game With Threat Intelligence2017 Breakout Session - Conquering Ransomware – No Magic Wands Required2016 Breakout Session - Threat Intelligence 1012016 Breakout Session - Orchestrating an Effective Data Loss Prevention Program2013 Breakout Session - Application Security and Your Business – the People, Processes and Technology That Lead to Success (Cincinnati)

Responsible for local chapter membership operations and website management.

Pondurance LLC is a professional services and risk management firm specializing in Information Security, Business Continuity Management, and Compliance Readiness.As a Co-founder and consultant at Pondurance, I helped clients navigate the maze of information security requirements and develop secure information technology programs that significantly reduce risk to the organization and ensure compliance to industry regulations, including HIPAA, NERC CIP, and PCI-DSS.

ArchMaven merged together with Theseus Security and Pondurance

Forsythe is a leading, independent provider of technology infrastructure solutions to Fortune 1000 and mid-market companies across all industries. Our clients value our unparalleled expertise in helping them optimize their technology investment, from assessment and design to integration, management, and financing. Our employees are highly motivated self-starters and problem-solvers who value the chance to make a difference. Headquartered in Skokie, Illinois, Forsythe has an unbroken 38-year record of profitability.

Focused on enhancing security of products and providing risk management and IT security answers regarding products and services to customers. Developed security solutions in an FDA regulated environment focused on business risk and regulatory compliance. Developed strategy and roadmaps in remote vendor access infrastructure and security that drove global development and local implementation. Worked with customers (CIO, CISO, Lab Director), industry partners and competitors to establish standards for healthcare IT and medical device industries. Elected chair of the HIMSS Medical Device Security Workgroup for 2006-2007 term. Developed security-related standards while member of HIMSS / NEMA / CLSI.

Developed the global IT security organization, reported directly to the global divisional CIO. Responsible for the information security program, including policies and procedures, awareness, global IT security emergency response, and IT security consulting. Acted as the divisional representative in cross-divisional IT security activities. Continued to grow the global security organization by hiring resources and providing organizational development support for the regions. Worked closely with internal IT audit, Corporate Audit and external audit to assess risk in the IT environment. Continuously provided management information about the state of security, including global incident cost analysis. Developed the global solutions for intrusion detection and vulnerability management. Completed the Roche Global Leadership Program.

My group administered security systems and performed other information security functions. Managerial activities included direct supervision of user and access administration personnel and project management. Technical activities included IT Strategy and Architecture, Information Security Consulting and System Security Review, Intrusion Detection System Architecture and Implementation, IT Incident Investigation and Response, Vulnerability Management and coordination of Third-Party Security Assessments.

Chair of the HIMSS Medical Device Security Workgroup, member of the HIMSS Privacy & Security Steering Committee, member of the HIMSS IT Systems Security Workgroup. Helped develop the HIMSS Manufacturer's Disclosure Statement on Medical Device Security (MDS2) and the Application Security Questionnaire.

Technical activities ranged from project technical lead to project manager. Project management activities included workplan development, project planning, resource management, and deliverable quality review. Client related activities included consulting, new business development, proposal development, and engagement kickoff/closure presentations. Other administrative activities included mentoring, resource management and personnel development. Specific client service activities included performing security assessments such as vulnerability identification and risk assessment and performing computer-related intellectual property forensics investigations.

Primary duties include developing security architectures, evaluating security components, and deploying security systems for hosts, networks, and applications. Co-developed and managed engineering workstation network of servers and workstations (over 500) for 1000's of users globally. Developed the Corporate Software Bank (presented at USENIX LISA '93). Setup and managed mail and Usenet services.

Developed advanced concept vehicle displays including Head Up Displays. Also acted as department computer manager including Apple Macintosh and Sun/HP UNIX system administration. Installed first external email connection for Delco Electronics.

Coop engineer working in multiple engineering assignments.