Mary S.

CISO | Enabling Trust & Revenue Protection | SaaS Security & Compliance Leadership

Denver Metropolitan Area

About

Proven Chief Information Security Officer with 15+ years leading enterprise security, risk, and compliance programs for global SaaS organizations. I build security programs that enable business innovation while protecting what matters most - customer trust, regulatory compliance, and organizational resilience. My approach positions security as a competitive advantage, not a cost center. I've led organizations through rapid compliance maturity (achieving five certifications in 18 months), PE-backed growth and exit preparation, and digital transformation - partnering with boards, executives, and cross-functional teams to translate cyber risk into business decisions. Core expertise spans ISO 27001, SOC 2, GDPR, CCPA, HIPAA, and cloud-native security architectures. I'm equally comfortable building security operations centers, advising boards on risk posture, or working alongside engineering teams to embed security into product development.

Experience

  • CISO at SugarCRM
    May 2025 - Present · 1 yr 3 mos

    ·       Lead security architecture and risk review for enterprise AI tooling adoption, with focus on AI/ML security with secure SDLC, LLM application security, and practical AI governance.  Built custom agents for InfoSec triage and risk analysis. ·       Rationalized more than $480K in security spend within the first year through vendor consolidation and program modernization, reinvesting savings into SIEM, SOAR, 24/7 MDR/XDR, threat hunting, and unlimited incident response capability. ·       Identified and remediated nine critical security gaps in the first 10 months, strengthening source code recovery controls, access governance, endpoint management, and enterprise-wide threat detection across XDR, SSO, VPN, M365, and AWS. ·       Develop and maintain the company-wide global ISMS and enterprise risk program aligned to SOC 2, ISO 27001, and NIST CSF; report security, resiliency, compliance, and remediation posture to executive leadership. ·       Lead enterprise incident response across multiple security events, directing cross-functional containment, investigation, executive communications, and remediation efforts to reduce business risk and strengthen organizational resilience. ·       Support customer and partner security due diligence by translating technical controls, AI governance practices, and operational safeguards into clear trust narratives for enterprise stakeholders.

  • Vice President Information Security & Enterprise IT at Thought Industries
    Sep 2020 - May 2025 · 4 yrs 9 mos

    ·       Built the security program from the ground up for a $35M AWS cloud-native global SaaS platform, achieving five accreditations (ISO 27001, SOC 2, HIPAA, PCI-DSS, Tx-RAMP) within 18 months while maintaining operational continuity and establishing customer trust. ·       Served as the external face of security with prospects, customers, and investors, positioning security as a competitive differentiator and business enabler in enterprise sales, diligence, and audit cycles. ·       Partnered with Engineering, IT, and Legal to implement identity and access management, threat detection, incident response, third-party risk management, privacy-aligned controls, and secure coding practices across the organization. ·       Established and managed an ongoing penetration testing program for a cloud-native SaaS environment, improving testing methodology, vendor selection, and cost efficiency while strengthening AppSec and vulnerability management.

  • Vice President Security, Privacy, Risk and Compliance at Conga
    Mar 2018 - Sep 2020 · 2 yrs 7 mos

    ·       Led enterprise cybersecurity strategy across a portfolio of acquired global SaaS businesses, executing integration risk assessments and rapid certification programs (SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR) within eight months of acquisition. ·       Partnered with Agile engineering and DevOps teams to embed security into SDLC processes, strengthen product security, and mature a shift-left DevSecOps model across the portfolio.  Led Security Operations Center oversight to support continuous monitoring and incident response readiness. ·       Advised C-suite executives and private equity stakeholders on cyber risk, integration roadmaps, and security investment priorities; performed M&A security due diligence, gap analysis, and post-acquisition program integration.

  • Deputy Chief Global Compliance Officer at CSG International
    Jul 2013 - Mar 2018 · 4 yrs 9 mos

    ·       Served as executive advisor to C-suite and Board on cyber risk, regulatory exposure, and compliance strategy; developed risk registers, conducted global enterprise-wide gap analyses, and guided policy decisions across a globally distributed business operations and workforce. ·       Developed and managed a global compliance program, ensuring adherence to industry standards and international regulations for a $875M public company with operations in 120 countries. ·       Advised and trained on global anti-corruption, security, privacy, and compliance (GDPR, CCPA, PCI, SOX, TCPA, FCPA, OFAC, CAN-SPAM, Cookie Law) regulations.  Conducted gap analyses, developed risk registers, and assessed regulatory impacts to guide executive policies and business operations across parent and subsidiary companies. ·       Modernized compliance programs, including Code of Conduct, whistleblower hotlines, and employee training.  Enhanced third-party due diligence, strengthened risk management reporting, ensured contract compliance, and played a key role in security incident response, root cause analysis, and data breach remediation.

  • Director of Compliance at ViaWest
    Jan 2007 - Jun 2013 · 6 yrs 6 mos

    ·       Directed the information security compliance and assurance program for one of North America's largest privately held colocation, managed services, and cloud providers with 24 data centers in five states. ·       Contracted and managed third-party audit engagements, including SSAE 16/SOC 1, HIPAA, PCI DSS, AICPA Trust Principles (SOC 2/3), and NIST 800-53, expanding the accreditation program from one to five over six years. ·       Led incident response coordination and issue remediation, supported acquisition due diligence and gap analysis, and managed customer security questionnaires and sales enablement for regulated infrastructure environments.