Samuel Taylor

Cyber Security Executive

Portland, Oregon Metropolitan Area

About

Results-driven and highly motivated Information Security leader with 25 years of extensive experience in operational risk reduction, improved regulatory compliance, and enhancement of secure development practices for IT infrastructures and applications. Natural leader with the special ability to balance security requirements with business objectives. Highly effective in creating and managing programs to transform strategies into actionable goals and risk reduction methods.

Specialties:

  • Information and Cyber Security
  • FISMA, FIPS, PCI-DSS, SOX, and HIPAA compliance
  • CobiT, ITIL, ISO 27001/27002 standards management
  • Security Policy and Standards creation and implementation
  • Security Architecture and Engineering
  • IT Strategic Management and Operations
  • Metrics Management
  • Application and Network Architecture
  • Change and Release Management
  • Risk Management
  • Security Incident Response
  • Vendor Management
  • Business Continuity Management
  • Process Modeling and Improvement

Experience

  • Sr Director Product Security at GEICO
    Jul 2024 - Present · 2 yrs

    Lead engineering first Application Security organization for GEICO and set strategy for secure SDLC.

  • Amazon (Portland, Oregon, United States · Hybrid)
    • Head of Device Software and Services Security
      Jul 2023 - Jul 2024 · 1 yr 1 mo

    • Head of Alexa Services Security
      Sep 2021 - Jul 2023 · 1 yr 11 mos

      Currently lead global organization of security engineers to enable 14k+ developers to design and deliver secure solutions for the Alexa line of products and services. Prioritize security efforts for engineering teams to ensure security resources are focused on the highest risk applications and services. The organization is focused on building reusable secure services, secure by default processes and architecture reviews, code reviews, incident handling and secure code training.

      Achievements:
      • Implemented organization-wide security review process and tool covering 14K+ developers and 25+ different product lines worldwide.
      • Implemented program to reduce unmanaged risk to zero.
      • Streamlined security review process to reduce review time by 28%.
      • Increased security review coverage by 250% through combination of talent growth and automation tooling.
      • Launched developer training and continued education platform for secure coding.

  • Nike (10 yrs)
    • Senior Director Application Security
      Nov 2017 - Sep 2021 · 3 yrs 11 mos

      Formed and currently lead global organization of embedded security experts to enable technology and business teams to deliver secure solutions. Prioritize security efforts for business teams ensuring labor capacity is focused on highest brand and security return. Organization is focused on risk remediation, secure by default process and architecture reviews, static code analysis, and developer secure code training.

      Achievements:
      • Implemented enterprise secure software development lifecycle to achieve the goal of no critical or high vulnerabilities being released to production.
      • Automated security testing in CI/CD pipelines achieving a frictionless testing experience for developers.
      • Deployed standard risk and vulnerability remediation process greatly reducing risk to Nike’s technology portfolio.
      • Increased security testing coverage by 300%.

    • Sr Director Security Architecture & Engineering
      Nov 2015 - Nov 2017 · 2 yrs 1 mo

      Promoted to transform organization focused on the delivery of enterprise cyber security solutions. Spanned several areas of cyber security including Cloud & Automation, Identity & Access Management, Network, Endpoint, Mobile, Data Loss Prevention, and Encryption services.

      Achievements:
      • Transformed security architecture & engineering team responsible for the successful delivery of several complex enterprise services and solutions.
      • Developed and deployed cloud security strategy enabling enterprise application teams to deploy solutions quicker and at greater frequencies thus creating revenue-generating opportunities.
      • Managed $40 Million portfolio of security services and solutions.

    • Director of Security Engineering
      Mar 2014 - Nov 2015 · 1 yr 9 mos

      Founded the Nike security organization responsible for the creation and delivery of $30 Million annual enterprise security services portfolio. Deploy and deliver enterprise security services including end-point, network, and application layer security solutions. Collaborate with various business and IT partners across Nike to ensure alignment on secure solution deployment practices. Evaluate information security trends and companies to ensure alignment with new capabilities and potential services. Lead the development of standard practices to transfer world-class solutions and services to security operations and governance teams. Influence and educate executive and senior leadership on the delivery of secure capabilities and strategies. Represent corporate security in the delivery of innovative technologies and services to enable an enterprise technology transformation.

      Achievements:
      • Built high-performing security engineering team responsible for the successful delivery of several complex enterprise solutions including:
        o Certificate Management services
        o Advanced Anti-Malware
        o Network Security (IPS, DDoS Prevention, Anti-Malware, URL Filtering, etc.)
      • Developed and deployed cloud security strategy enabling enterprise application teams to deploy solutions quicker and at greater frequencies thus creating revenue-generating opportunities.

  • Information Security Officer at State of Oregon - Judicial
    Jul 2009 - Oct 2011 · 2 yrs 4 mos

    Managed the development and delivery of a comprehensive enterprise cyber security program in line with ISO 27001 and 27002 frameworks for security and business continuity operations. Developed and implemented rules and policies for enterprise information security program. Developed and implemented a security incident report and response system. Led the development and delivery of an ongoing risk assessment program for security. Managed the security staff in the creation of an online court system for OJD formally known as eCourt. Represented OJD to statewide committees, federal agencies, and the general public for cyber security and information privacy related matters. Partnered with the Oregon Judicial Department’s (OJD) training and development organization to create and deliver a security education and training program across the enterprise for cyber security and privacy matters. Continually manage security office and evaluate the information security program for effectiveness and efficiencies. Develop and deliver cyber security related metrics and reports for Oregon Judicial branch executive staff. Directly manage team responsible for monitoring IT applications and infrastructure for cyber security threats and respond accordingly.

    Achievements:
    • Developed and implemented security management plan for OJD including long and short-range goals reducing overall risk to OJD information assets.
    • Created and implemented enterprise-wide information security program 12 months ahead of schedule.
    • Developed and implemented enterprise security governance model for OJD.
    • Created and implemented security vulnerability management program for OJD including physical and information assets.
    • Reduced Information Security budget by 25% while improving OJD’s cyber security capabilities.

  • Information Security Manager at HP
    Jun 2002 - Jul 2009 · 7 yrs 2 mos

    Advanced rapidly through a series of increasingly responsible Information Technology management positions. Initially hired to lead load, security and integration test engineering activities and resources for internet applications, then managed the team responsible for security of internet applications, and advanced to leading the information security team for the Imaging and Printing division. The scope of responsibilities was expansive and focused on strategic IT security management, regulatory compliance, and the development of secure applications and network architectures for IT applications within HP’s Imaging and Printing division. Managed, trained, and collaborated with Enterprise Architects, Business Security Officers, and Executive IT Management to plan and implement strategic IT programs and projects. Developed and implemented security rules and policies, both physical and information related. Developed and ensured long and short range goals and plans were appropriately aligned and properly resourced to meet business objectives. Managed security incidents and escalations and implemented IT continuity plans for mission critical applications. Continually evaluated security programs through metrics and presented to technical and non-technical staff including senior level executives. Also represented HP to the Payment Card Industry (PCI) Security Standards Council.