Director of Information Security Operations
OHIOHEALTH, Columbus Ohio
2017-2023
OhioHealth is a Fortune 500 company with over 35,000 associates, physicians and volunteers, and a network of 14 hospitals, 200+ ambulatory sites, hospice, home health, medical equipment and other health services spanning 47 Ohio counties.
As a seasoned information security leader, I had the unique opportunity to serve as both a managing Director of Information Security Operations (my title) and a technical Enterprise Security Architect and subject matter expert for technology acquisitions. One of my proudest accomplishments was recruiting and developing the Information Security Department and Program from a team of two to a robust team of thirty, including two other Directors. Together, we worked tirelessly to protect the confidentiality, integrity, and availability of company information and optimize technology and security related functions across the organization.
One of my primary responsibilities was leading the successful PCI compliance initiatives around P2PE and voice, and I led the Merchant Services and Card Processing replacement enterprise-wide, including EPIC eCommerce integration, EPIC Hyperspace integration, and POS device deployment. As a result of these initiatives, we have reduced our PCI scope and the risk of data breaches and ensured compliance with industry regulations and best practices.
As a director, I led several teams, including the Information Security Operations Team, Network Security group, Incident Response Team, Vulnerability Management Team, Active Directory Services Team, CIS Controls Team, and PCI Compliance Teams. I developed governance policies, standards, and procedures based on NIST Cyber Security Framework (CSF) and internal requirements. Additionally, I led and conducted vulnerability management and penetration testing efforts to assess overall risk to internal, critical, and internet-facing assets, initiating remediation efforts and compensating controls as needed.
Throughout my tenure, I worked closely with Risk, Enterprise Compliance, Supply Chain, Treasury, and Legal to ensure contract redline, negotiations, and approval of dozens of vendors/services and full RFPs for various business units. As a subject matter expert in information security and data protection, I provided valuable insights and guidance to ensure that all vendor agreements and services met our stringent security standards and requirements.
Overall, my experience in recruiting and developing teams, leading successful compliance initiatives, and collaborating across multiple teams to ensure the protection of critical assets makes me an ideal candidate for any role in the information security field.
Established Governance
- I provided regular reporting on the current status of the information security program to enterprise risk teams, and senior business leaders as part of a strategic enterprise risk management program.
- Directed the creation of a targeted information security awareness training program for all employees, contractors, and approved system users.
- Provided clear risk mitigating directives for projects with components in IT, including the mandatory application of CIS controls.
- Oversaw the implementation of all 20 CIS Controls (version 7) in line with Ohio Safe Harbor Data Protection Act (DPA) legislation, collaborating with IT teams as a technical subject matter expert.
- Assisted with the development of the third-party risk management (TPRM) program, allowing for the vetting of vendors using risk-based questionnaires and assessment metrics.
Led Information Security Function
- Led the information security function across OhioHealth to ensure consistent information security management in support of the business goals.
- Successfully managed budgeting, resources, and products while collaborating with dozens of vendors, partners, and other contract agreements.
- Determined the information security approach and operating model in consultation with stakeholders.
- Managed the information security organization which included hiring, training, staff development, performance management, and annual performance reviews.
Developed and Implemented Comprehensive Information Security Program
- Developed, implemented, and monitored a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled, and/or processed by the organization.
- Assisted with the identification of non-IT managed IT services in use and facilitated an onboarding program to prevent "shadow IT."
- Developed up-to-date information security policies and standards based on the NIST Cybersecurity Framework.
- Established the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
- Liaised with external agencies, such as law enforcement and other advisory bodies, threat intelligence vendors and organizations (H-ISAC) as necessary, to ensure that OhioHealth maintained a strong security posture.
- Collaborated with the enterprise architecture team in a consulting capacity to ensure information security requirements were implicit in their architectures, i.e. built in by design.
- Worked with the IT staff to ensure that all information owned, collected, or controlled by or on behalf of OhioHealth was processed and stored in accordance with applicable laws and regulatory requirements.
- Collaborated and liaised with the Chief Information Security Officer to ensure that data privacy requirements were included where applicable.
Led Security Operations
- Initiated and led an enterprise-wide effort to achieve PCI compliance following a negative external audit review, resulting in successful compliance for the first time.
- Developed comprehensive information security policies, standards, and procedures at the enterprise level, guided by common security frameworks.
- Championed an internal effort to enhance the skillset of staff resources and obtain CISSP certification.
- Offered technical guidance on identity architecture, particularly around authentication, SAML, and federated services.
Developed Incident Response Team
- Managed and contained information security incidents and events to protect corporate IT assets, intellectual property, regulated data, and OhioHealth’s reputation.
- Conducted all sensitive internal technical investigations involving employees and associates at all levels.
- Monitored the external threat environment for emerging threats and advised relevant stakeholders on the appropriate courses of action.
- Provided technical expertise in incident response and successfully developed an IR team that utilizes SIEM and SOAR tools, such as Splunk, Demisto, and Sentinel.
- Coordinated the development and implementation of incident response plans and procedures to ensure that business-critical services were recovered in the event of a security event; provided direction, support, and in-house consulting in these areas, including tabletop exercises and purple team exercises with trusted partners.
- Facilitated the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem as recommended or required by security frameworks and compliance mandates.
Senior Security Consultant
NOVACOAST INC., Santa Barbara California
2013-2018
Novacoast is an IT services and solutions company specializing in the areas of security, privacy and compliance, collaboration, data center availability, storage and recovery, software development, and staffing services.
As a PCI-DSS Qualified Security Assessor (QSA), I have led audits and performed gap analyses for a variety of companies of all sizes, ensuring that they meet the rigorous standards required for PCI compliance. I've worked on everything from SAQs to Reports on Compliance (ROCs) and Attestations of Compliance (AOCs), reviewing documentation and providing expert guidance to ensure that everything is in order. In addition to these technical aspects, I've also led security awareness training webinars for employees, emphasizing the importance of cybersecurity and risk management. My experience in this field has allowed me to develop a deep understanding of the intricacies of PCI-DSS compliance and the strategies required to achieve it.
Aside from the PCI consulting, I served as a senior field engineer implementing and supporting a variety of products and solutions for Novacoast's ever-expanding customer base. The following are some examples of engagements I had over the course of my second career at Novacoast.
Security Assessment and Penetration Testing
- Security Assessment and Consulting for 3 of the top 10 banks in the world.
- Large Movie and Media company: Incident Response to a famous breach.
- Large Gulf Coast Casino: Internal Security Assessment/Penetration Test, and PCI Gap Analysis.
- Large West Coast Travel Agency: Internal Security Assessment/Penetration Test, and PCI Gap Analysis.
- Regional Hospital: Internal Security Assessment/Penetration Test, and HIPAA Gap Analysis.
- Large Las Vegas based Casino: Penetration Testing.
Symantec Product Suite
Symantec Control and Compliance Suite
- Fortune 100 Bank: Instructor; Led class of Security Professionals
- Fortune 500 Energy Corporation: Symantec CCS Internal Proof of Concept
- Fortune 500 Aerospace and Defense: Symantec CCS Proof of Concept
Symantec Data Loss Prevention
- Federal Department DLP Implementation and Tuning, Washington DC
- Nationwide Health Insurance DLP Implementation
- Nationwide Retail: Symantec DLP Risk Assessment and PCI Gap Analysis
- Fortune 100 Retail: Symantec DLP Internal Risk Assessment and Internal Proof of Concept
- Multiple Proofs of Concept for DLP
LogRhythm Security Information and Event Management (SIEM)
- Large Regional Hospital: Implementation of Data Loss Prevention
- Large Casino: Implementation and Support for Data Loss Prevention.
Customers Included:
Bank of North Dakota
Bank of the Sierras
BNP Paribas
Bimbo Foods
California Department of Justice
CA Department of State Hospitals
CKE Restaurants
Caesars Palace
City and County of Tulare
Cottage Hospital
First National Bank
Las Vegas Metro Police (LVMPD)
Los Angeles Police Dept (LAPD)
Pearl River Casino
Sony Pictures
Susan G Komen
Thunder Mountain Casino
US Department of Transportation
... and many more.
Senior Information Security Architect
SANTA BARBARA BANK & TRUST, Santa Barbara California
2007-2013
Santa Barbara Bank & Trust (Pacific Capital Bancorp) was a small regional bank in the central California area, with over 50 branches and $6 billion in assets. The company of 2000+ employees was acquired by Union Bank in 2012.
As a Senior Information Security Engineer, I interfaced with key business owners and project leads to ensure the rapid and secure implementation of internal banking applications with minimal risk. I engineered and implemented new security solutions, including infrastructure and application penetration testing, security research, protocol analysis, password cracking, social engineering methods, OS hardening, infrastructure devices, wireless security, and implementation of encryption and authentication methods. These efforts improved our security posture and reduced our risk of data breaches and cyber attacks.
I also designed and executed network and application vulnerability assessments and infrastructure scanning, which helped identify vulnerabilities and potential security gaps. In response to rolling PCI, GLBA, and network security audits, I worked with the internal organization around CIS and NIST CSF implementation to ensure compliance with industry regulations and best practices. Additionally, I administered dozens of physical and virtual servers for network security infrastructure and was responsible for real-time auditing, monitoring, and incident response.
One of my key responsibilities as a Senior Information Security Engineer was managing the internal Identity and Access Management program (IAM). This involved designing and implementing security policies and processes for managing user access to critical systems and data. By ensuring that only authorized users had access to sensitive information, I helped reduce the risk of data breaches and unauthorized access to our network. Overall, my efforts as a Senior Information Security Engineer helped strengthen our security posture, reduce our risk of data breaches and cyber attacks, and ensure compliance with industry regulations and best practices.
- Managed and administered bank identity system including the provisioning and deprovisioning of users and access. Validated automated flow of access to internal resources.
- Managed dozens of servers and software applications for identity and password synchronization.
- Designed and executed network and application vulnerability assessments, infrastructure scanning, and penetration tests.
- As a security engineer and architect, participated in a variety of infrastructure and application penetration testing methods, security research, protocol analysis, password cracking, social engineering methods, OS hardening, infrastructure devices, wireless security, and implementation of encryption and authentication methods.
- Worked with the internal organization around CIS and NIST CSF implementation in response to rolling PCI, GLBA, and Network Security audits.
- Responsible for real-time auditing, monitoring, and incident response.
Core technology expertise in this position: VMware ESX Server, SuSE Linux, Ubuntu Linux, BackTrack 5 and Kali Linux, Microsoft Windows 2003-2012/7 and Active Directory, Novell NetWare and eDirectory, LDAP, OES Linux and Novell Identity Manager, Splunk, Nessus, Nagios, LAMP/WAMP (Linux and Windows, Apache, SSL, MySQL, PHP), Bash, DOS Batch, PHP scripting.
Education
1992-1997
Bachelor of Arts, University of California Santa Barbara
Major in Law & Society with an emphasis (minor) in Criminal Justice
Current Industry Certifications
- Certified Chief Information Security Officer (C|CISO)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
- Microsoft Azure Security Technologies Associate (AZ-500)
- Microsoft Azure Administrator Associate (AZ-104)
- Microsoft Security Operations Analyst Associate (SC-200)
- Microsoft Identity and Access Administrator Associate (SC-300)
- Microsoft Information Protection Administrator Associate (SC-400)
- Microsoft Azure Fundamentals (AZ-900)
- Microsoft Security, Compliance, and Identity Fundamentals (SC-900)
- Microsoft 365 Fundamentals (MS-900)
- Payment Card Industry (PCI) Internal Security Auditor (ISA PCI DSS 3.2.1 / 4.0)
- Payment Card Industry Professional (PCI-P)
Former / Legacy Certifications
- Certified Novell Administrator 5 (CNA5)
- Certified Novell Engineer 5 (CNE5)
- Novell Specialist: Border Manager
- Master Certified Novell Engineer (MCNE)
- Certified Novell Engineer 6 (CNE6)
- Microsoft Certified System Administrator 2000 (MCSA)
- Citrix Certified Administrator (CCA)
- Certified Ethical Hacker (CEH)
- Microsoft Certified TS: (MCTS) Windows 7
- CompTIA Linux+
- Symantec Sales Expert
- Symantec Sales Expert Plus
- Payment Card Industry Professional (PCI-P)
- PCI Qualified Security Assessor (QSA)
- LogRhythm Certified Deployment Engineer (LCDE)
- Tenable Certified Nessus Auditor (TCNA)
- VMware Certified Professional (VCP5)
- VMware Certified Associate (VCA-WM)
- VMware Certified Associate (VCA-Cloud)
- VMware Certified Associate (VCA-DCV)
- AWS Certified Cloud Practitioner (AWS CCP)