• Supported penetration testing of Infor’s SaaS products and cloud-based network environments by triaging reported findings, ensuring quality, coverage, and accuracy. Developed risk-based scoping guidelines to drive efficiency and RFI process for establishing requirements and qualifying new service providers.• Updated corporate SDLC policy and process to incorporate security requirements early in the development process, including security architecture review, SAST/DAST scanning, and penetration testing.• Started a threat modeling program to assess all Infor products, with a tiered model of requirements based on the maturity level of each product team.• Managed enterprise DAST scanning solution for Infor Government (FedRAMP) SaaS products.• Supported incident response investigations with forensics, root cause analysis, and providing remediation recommendations.• Developed attack simulations to provide “live fire” exercises for the Incident Response team to identify knowledge and process gaps and improve response times and accuracy in execution.• Implemented a password audit program with a cloud-based cracking system and automated weak password notification/reset process, significantly reducing weak passwords.

• Performed annual application penetration testing of Infor SaaS products, including web, mobile, API, and thick-client applications. Supported development teams reporting findings and provided recommendations for remediation.• Provided internal and external network penetration testing of cloud-based environments on an ad-hoc basis.• Mentored staff on penetration testing and developed educational materials on various tactics, techniques, and tools.

Boutique security consulting company that provides penetration testing services for applications, networks, social engineering, phishing campaigns and physical security. Services provided to partner consulting companies and with direct clients.

* Developed strategy to implement Sandia's iDART framework to define the Red Team program including detailed services, methodology, processes, performance metrics, and standardized deliverables.* Performed threat enumeration of identified vulnerabilities to determine potential risk and impacts to organization.* Established a lab environment for the Red Team including equipment procurement for security research, performing attacks and cracking passwords

* Performed penetration testing of internal and client-facing web and mobile applications, identifying vulnerabilities, demonstrating exploitability, and communicating risk/impacts to the business.* Developed strategy to mature application penetration testing program, expanding program services, enhancing the engagement model, and implementing projects to increase the efficiency and effectiveness of services provided.* Identified as a team leader and subject matter expert on penetration testing. Mentor junior team members, providing technical expertise on security testing approach, attack methodologies, vulnerability exploitation, and testing tools.* Presented to internal and external clients on FIS security testing capabilities and increase awareness of application security threats and vulnerabilities, as well as provide “in-service” technical training to staff members.* Research new tools, technologies, threats, vulnerabilities and attack methodologies and present findings to the team.* Developed Red Team program to demonstrate adversarial capabilities and advanced persistent threats. Completed a Red Team operation that demonstrated weaknesses in preventative and detective controls to thwart fraudulent activity, and inadequacies in the ability to respond to an attack.

* Performed security architecture reviews, web application penetration testing, mobile device/application testing, physical penetration tests, social engineering and social network assessments, and wired/wireless network penetration testing, for large and medium-sized client enterprises. Provided clientele with detailed reporting and consultation on discovered vulnerabilities and security flaws, and recommendations for remediation or reducing the risk.* Successfully proposed, managed, and completed two DARPA Cyber Fast Track projects – MobiSec and SH5ARK. Completed the transition of MobiSec and SH5ARK to open source projects. Identified as a project lead on the OWASP Mobile Security Project.* Participated in the development of SANS SEC571 Mobile Device Security course and have provided training to clients on installing and using the MobiSec testing environment. Participated in reviewing and updating both SANS SEC 542 and SEC 642 courseware materials and lab environments.

* Assigned as lead for Special Testing & Assessment Team (STAT), which performs scenario-based testing, from an adversarial perspective, using a combination of threats and tactics to assess the effectiveness, coverage, and inter- dependencies of controls. Completed assessments of Network Printers, Wikis, Mobile Banking, Endpoint Controls Effectiveness, Rogue Device Detection, and Social Networking Threats.* Presented STAT program to Office of the Comptroller of the Currency (OCC) regulators, identified as unique and innovative IT Audit program within the financial services industry.* Completed technical audits of Text Banking solution, external connectivity with Merchant Services environment, and assessment of the Enterprise Technology & Delivery organization as co-Auditor in Charge.

* Assigned as lead security architect regarding Voice over IP, Messaging & Collaborative Services, Mobility Devices and Wireless Systems, providing security subject matter expertise to technology partners with enterprise design architecture, establishing documented requirements of security standards, and performing product evaluations and vulnerability/threat assessments of related systems.* Assigned leadership role on Information Security Center of Excellence (IS COE). Completed formalization of COE structure and operations in support of the Enterprise Architecture governance model. Lead virtual team in defining future state for enterprise security architecture, developing reference architecture and driving product standardization, as well as evaluate emerging technologies to ensure compliance with security standards.* Completed definition of Security Architecture Framework for the Enterprise (SAFE) based on ISO27002 standard and established high-level strategy and architectural framework for device security.* Assigned leadership role for successful execution of company transition projects regarding security architecture, technology risk assessments, product standardization, and security policy consolidation, leveraging Six Sigma methodologies. Completed security architecture assessments of high-risk Internet facing web applications for Countrywide and Merrill-Lynch transitions, identifying issues and remediation strategy.

* Facilitated the design and implementation of cost effective information security solutions to provide an adequate level of control mitigation that addresses confidentiality, integrity, and availability.* Developed and maintained sound working relationships with Information Technology and Business Clients. Participate in a key role in event management of business and technology responses to threats that occur.* Provided consultation in vendor management program regarding contract negotiations of information protection requirements, risk assessments and remediation plans to ensure compliance with corporate and regulatory policies.

Director of infrastructure consulting services program leading a small team of consultants and managing engagements with medium to small businesses. Responsibilities included scheduling of resources, developing new services, educating sales staff on service offerings, and managing development plans for resources.

* Managed messaging systems across the enterprise, including system administration, implementation new messaging technologies, and integrating with legacy messaging systems. * Designed and implemented project for integration of Internet email access with the internal messaging environment.* Facilitated the architectural design of the bank’s enterprise Lotus Domino environment including infrastructure design, system configuration standards, messaging architecture, and research of new messaging technologies.* Participated as technical lead on major bank merger migration projects including message platform consolidations and “best practices” identification and implementation.

* Provide active local area and metropolitan area network management in a healthcare setting.* Participate as a technical lead in the design, implementation, and administration of 1000 plus node network over 20 locations, leveraging site-to-site ISDN connectivity and remote network access solutions.