Designed and built the information security and compliance program for a startup processing trillions of PII records. Identified and consolidated compliance, legal, and regulatory requirements for more than a dozen distinct business regions. Acted as the face of risk and security to prospective and current customers.* Created the information security go-to-market strategy and trained executives and sellers on current and prospective customers’ security and risk concerns. Engaged with CIO/CTO/CISO/CMO counterparts to establish trust and address security, compliance, and third-party risk concerns, enabling a fourfold revenue increase in one year.* Built a comprehensive information security policy, risk assessment methodology, and maturity model addressing the architecture, infrastructure, application, and operations components of critical systems. Enabled risk posture measurement, management, and prioritization of investments in the context of impacts on business objectives and initiatives for the company and our customers.* Managed the SSAE 18/SOC 2 compliance program, including objective scoping, control mapping, sprint/release planning for compliance-related initiatives, and audit execution. Initial audit completed without exceptions with less than three months of preparation.

Formed and managed the enterprise security and risk management function in a rapidly growing SaaS and professional services organization, overseeing infrastructure, application, operational, and physical security. Set and achieved clear and compelling risk management objectives aligned with corporate goals for growth and acquisition, enabling Avalara to reach new markets and secure enterprise-level customers.* Engaged with current and prospective customers, partners, and vendors to establish credibility and address information security, risk management, data privacy, compliance, and availability concerns. Worked directly with Avalara, partner, and customer legal counsel to review contracts, negotiate terms, and ensure Avalara’s interests were appropriately protected. * Managed security features and requirements for all products and implemented DDoS mitigation, vulnerability and compliance scanning, automated patch and configuration management, static and dynamic code analysis, SIEM, PKI, anti-malware, and data encryption capabilities. Managed the customer-requested security feature and capability backlog.* Established SSAE 16 SOC 1/SOC 2, PCI, HIPAA, and EU data privacy compliance programs for multiple products and services. Managed objective scoping, execution, and ongoing relationships with external auditors and regulators.* Implemented an enterprise-wide GRC toolset for the management of all risk, policy, compliance, and privacy-related requirements and controls. Provided executive visibility across systems and business units to identify and address both individual deficient processes and broader systemic failures. Regularly presented Avalara’s overall risk posture, progress, and recommendations to the Risk Committee and Board of Directors.

Implemented foundational security and risk management processes and toolsets as the first information security professional at Avalara. Performed risk assessments on multiple business processes, products, services, and solutions to guide investment and set the company’s strategic direction.* Implemented a vulnerability management program providing real-time visibility into patch, configuration, and exploit state and automated patch deployment capabilities across corporate and production networks, including 1,800 local and remote clients, 800 servers in offices and co-located/AWS datacenters, and 400 networking and infrastructure components.* Instituted a Data Privacy program as part of two EU-based acquisitions, coordinating with internal and external legal counsel, product managers, engineering, operations, and executives to provide clear guidance and ensure compliance with EU regulatory requirements. Developed sales and marketing collateral to consistently represent Avalara’s commitment to data privacy.

Business relationship manager between Information Security/Risk Management and the Global Sales & Marketing organization, providing risk assessment and prioritization, portfolio management, security strategy, and architecture consulting. Partnered with business and technical teams to align strategies, determine acceptable risk levels, and establish strategic and tactical plans to enable effective business risk management for internal and external customers. * Engaged with engineering and service delivery teams during incidents and drove root cause analysis activities. Identified and re-architected broken business processes and supporting systems, closing critical gaps with significant potential financial and reputational impacts in a system generating more than $1 billion in annual revenue.* Developed the security architecture for a high-visibility incentive compensation outsourcing initiative and provided risk management consulting during the negotiation and implementation of a $60 million multi-year contract.* Developed and maintained Azure migration templates and reference architectures for common application patterns. Consulted with internal and external application teams to ensure compliance and security objectives were appropriately identified, implemented, and verified as part of the migration process.

Provided leadership and strategic direction for application security and systems development in a $120 billion global enterprise operating in 63 countries with 74 distinct lines of business. Owned application risk management, service provider assessments, internally developed and COTS software security, and the system development lifecycles. Developed and provided leadership to the application security team, consisting of a mix of seasoned security professionals and recent college graduates.* Architected and drove the implementation of a secure systems development lifecycle, integrating risk management, security, and quality assurance activities into the development, selection, implementation, and operation of IT systems to more than 2,000 engineers and IT operations personnel.* Implemented a comprehensive risk dashboard providing visibility on known vulnerabilities, risk exposure, remediation activities, and accepted risks to business unit and platform executives.* Directed application risk assessments, remediation activities, and integration for M&A during valuation, due diligence, and post-close phases with an annual global M&A spend averaging $8 billion. * Managed global PCI-DSS and secure payment zone operations activities with enterprise-wide compliance achieved in four months, protecting a $1 billion annual revenue stream and delivering $3 million in direct cost savings annually.

Directed the Enterprise Data and Application Architecture organization, establishing reference architectures and managing the lifecycle of application development and database technologies of a $15B global business. Developed the enterprise architecture strategy ensuring support for emerging technologies, sourcing initiatives, and significant M&A activities, and aligned with business and software engineering functions.

Functioned as the product manager and liaison between lines of business and IT shared services, managing a portfolio of six manufacturing control and quality assurance applications supporting 27 business units and 100+ global locations. Built and led a global team of business and technical resources, providing full-stack development, operations, and 24/7 support.

Designed, developed, and maintained inventory management, material traceability, manufacturing control, and business intelligence software. Managed compliance with FDA regulatory requirements for both internally developed and commercial software through the integration of audits, code reviews, testing, and validations into the software development lifecycle.

Managed all aspects of multiple databases supporting ERP/MRP systems, including performance tuning, backups, disaster recovery, and security/compliance. Customized and extended commercial software packages to support specific business needs. Created and maintained architecture, data, and security standards. Core member of the ERP implementation team.