Seattle, Washington, United States
Most security programs are assembled, not designed. They accumulate tools, policies, and controls over time — reactive, framework-driven, shaped more by audit requirements than by the actual risk architecture of the business. The result: programs that look complete on paper but can't survive contact with reality.

I build the other kind.

My work sits at the intersection of security architecture, team leadership, and business strategy. I'm a Security Engineering Manager who builds and leads teams that solve the hardest security problems at enterprise scale — application security, M&A integration security, IoT, and divestitures.

What I bring to any team: the ability to design security programs from first principles, hire and develop strong engineers, build security automation that scales, and communicate risk in a way that drives executive decisions. I'm equally comfortable writing threat models and presenting to a CISO.

My technical foundation: CISSP, GWAPT, AWS Security, M.S. in Cybersecurity Engineering from USC. I write about security program design on Medium and speak at industry events including ISC2 and ASIS GSX.

I'm focused on the intersection of security engineering leadership and AI security — where the next generation of application security programs will be built.

Open to connecting with security leaders, CISOs, and engineering managers working on complex program challenges.

Areas of focus: Application Security · Enterprise Security Program Design · Security Engineering Leadership · M&A & Divestiture Security · IoT Security Architecture · Risk Frameworks
Led teams of security engineers across application and infrastructure security by implementing structured threat modeling and vulnerability triage workflows in apps across 200+ services.
Led the M&A Security Program across 3 major acquisitions/divestitures, managing a team of 6 security engineers to execute comprehensive security architecture assessments that identified and remediated 150+ vulnerabilities pre-integration. Designed an adaptive acquisition security framework using risk-based prioritization and automated compliance checks, reducing M&A security integration timelines by 37% and improving compliance posture by 64% across divestiture activities. Expanded known asset universe coverage by 65% during acquisition assessments by building a discovery methodology combining automated scanning using home-grown tools with manual architecture review, ensuring zero untracked high-risk assets at integration close. Coordinated security workstreams across 25+ cross-functional teams (Legal, IT, Engineering, Compliance) by establishing unified operational procedures and consolidated assurance dashboards, delivering executive-ready risk reports to CISO leadership.
Launched and scaled the IoT Security Assessment Program from a pilot to an enterprise-wide program serving Microsoft's 350K+ employee environment, growing the request pipeline by 300% while maintaining SLA compliance. Automated 60% of manual IoT assessment processes by developing custom assessment templates and scripted checks, reducing average assessment completion time from 3 weeks to 5 days.
Delivered review consistency in the 3P Software Security Review Program, conducting threat modeling and security testing of third-party software packages before approving them for use across Microsoft's ecosystem, protecting 350K+ employees from supply chain risk. Developed a comprehensive 3P security review checklist that standardized evaluation criteria across the team, reducing average review cycle time by 15% and eliminating inconsistencies in approval decisions. Built automation for the 3P review pipeline that automated repeatable testing and compliance checks, accelerating end-to-end review throughput by an additional 40% and freeing senior engineers to focus on high-risk assessments.
Built and deployed custom static code analysis tools for the AWS AppSec team, automating vulnerability detection across 215+ public-facing cloud services and reducing manual review time by 45%. Conducted in-depth security assessments of 35+ AWS-based solutions, identifying critical architectural risks and delivering remediation roadmaps that reduced high-severity findings by 60% within 90 days. Developed reusable security assessment frameworks for the AppSec team's high-priority application reviews, improving assessment consistency and reducing onboarding time for new reviewers by 30%.
Integrated a regex-based linter into AWS's internal code review system, catching and preventing 120K+ OWASP-category security issues daily across the entire AWS codebase.