
Security Manager

Location:
Falls Church, VA
Posted:
February 17, 2014


CV

Michael W. Leonhirth
McLean, VA *****
703-***-****
(c) 571-***-****
accpie@r.postjobfree.com
[U.S. Citizen]

Information Technology (IT) and Business leader with over 20 years of information security, risk management, IT Audit, project management, and business management experience. Extensive financial services industry and Big 4 client service experience with a focus on evaluating, implementing, monitoring, and enabling IT risk management processes and controls, information security solutions, and business process techniques to provide measurable benefits focused on reducing risk, protecting data, enabling secure communications, and enhancing the internal control environment.

Objective

Interested in an exciting opportunity to serve a great organization as an executive leader in Information Security / IT Risk Management.

Certifications

Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA); Certified in Risk and Information Systems Control (CRISC)
Member: ISC2, ISACA

As Senior Director, Information Security Risk Management at Freddie Mac the highlights of my responsibilities include:

Security Risk Assessments, Policies, Procedures, and Standards, Secure Coding Reviews, Vendor Risk Assessments, Project Security Consulting Support, Security Awareness and Training, and related Security, Risk, Governance advisory activities
IS Leadership Team Chief of Staff - consensus building, thought leadership regarding all information security domains, execute and coordinate internal program management and operational risk management activities
IS Strategy Development and Planning - security capability maturity analysis and development, communication, maintenance and delivery of multi-year IS strategy and roadmap
Metrics and Reporting - Board level presentations, executive management communications, internal/external audit and regulator liaison
Budgeting and Forecasting - managing internal and external labor costs, ROSIs, time reporting, training budgets
Resource Management - resource planning and scheduling, vendor relationship and contract management, employee engagement, knowledge management, supervisor, mentor, thought leadership

Prior to joining Freddie Mac, provided over nine years of Big 4 client service and delivery to numerous Fortune 500 companies by addressing the critical risks inherent with the use of technology implemented to support the business direction and strategic initiatives of a wide variety of organizations and industries. Served as Mid-Atlantic champion and subject matter expert for Information Security Advisory Services.

Prior to joining KPMG in 1999, obtained 7 years of industry experience serving as an IT Security and Special Projects Manager where I established the company's first information security program and managed key projects including implementing secure remote access technologies, creating a security awareness program, designing and implementing policies and procedures, and performing technical security reviews. Served as the Y2K Project Manager responsible for identifying and addressing the organizational Y2K risks. Also served as an IT Senior Auditor focused on risk and controls with particular emphasis on Information Security.

Core Competencies

ISO 27001/27002, NIST 800-53
Security Risk Management Framework design and implementation
Information Security Awareness, Privacy, Policies and Procedures
Security Architecture Assessments, Design, and Implementations (IaaS, PaaS, SaaS and related Cloud, ASP, and Co/Lo services)
Network and Application Security Vulnerability and Penetration Testing
Regulatory Compliance - SSAE16 SOC1/SOC2 and Sarbanes-Oxley/404, COBIT, COSO, NIST, ISO 27002, PCI DSS, FFIEC Guidelines, Privacy (Safe Harbor, Gramm-Leach Bliley, HIPAA, Breach Notification)
IT Risk Management, Business Continuity, High Availability, and Business Resiliency
Business Process, Internal/External Audit, Operations, Regulatory Compliance
Information Security, IT Audit, and Attestation
Thought Leadership, Methodologies/Frameworks, Audit Plan & Program Development
Reporting, Proposals, and Oral Presentations/Demonstrations to Executive Management
Supervisor, Advisor, Mentor, Coach, Performance Manager and Leader
Resource Management, Supervision, Scheduling, Recruiting
Project Management, Budgeting, Billing, Collections, Proposal and Engagement Letter Development
IT Strategy and Advisory Services
Proven Record of Delivering Quality, New Business Development, Sales, and Managing Revenue

Career History

Freddie Mac - (May 2009 - January 2014) Senior Director of Information Security Risk Management & Governance; Principal, Information Security Chief of Staff; Principal, Information Security Risk & Controls
KPMG LLP - (July 1999 - November 2008), Senior Manager/Director - IT Risk Advisory, Information Security Services, IT Audit, & Risk Management, McLean, VA
Media General, Inc. - (May 1994 - July 1999) Information Security and Special Projects Manager, IT Senior Auditor, Richmond, VA
Heilig-Meyers Corporation - (June 1992 - May 1994) IT Auditor, Richmond, VA

Industry Experience

Financial Services, Healthcare, Manufacturing, Retail, Transportation, Public Sector/Government (Familiar with Yellow Book Standards, FISCAM, FISMA, NIST Guidelines)

Technical Experience

Experience with security testing software including Wireless, Port and Service Scanners, Vulnerability Scanners, Server, Database, Application, and Host Based Security Tools, and various open source and freeware utilities
Implemented and utilize Agiliance RiskVision to aggregate and manage security risks and threats across the enterprise
Fortify 360, Qualys, Qualys WAS, Tenable Nessus, Burpsuite, DBProtect, TripWire
Collaboration and Communication Productivity applications including MS Word, Notes, Excel, Office, Outlook, MS Project, PowerPoint, Mobile Computing
Experience with AS/400, RACF, MPE/iX, Windows NT/AD, Novell Netware, TCP/IP, UNIX, Linux and similar operating systems
Two Factor Authentication, Logical Access Security Assessments and Implementations
Extensive experience as an IT auditor and IT Risk assessor

Project Delivery Highlights

Information Security Program Strategy and Frameworks
Performing ongoing assessments of the Information Security program including analysis of the maturity of IS services and capabilities (People, Process, and Technology) and the creation, execution, and management of a large enterprise ($15M - $25M) Information Security roadmap and strategic plan. Key member of the IS Leadership with active participation in designing, managing, and optimizing the security program including strategy, risk assessment, monitoring, incident response, controls, security tools and capabilities, resource management, budgeting, planning and overall program delivery.

Security Policies & Standards
Responsible for the development, implementation, and monitoring of Information Security policies, standards, controls, and configuration requirements. Responsible for creating and maintaining productive relationships with key risk stakeholders including Legal, Privacy, Compliance, Audit, IT, business areas, and external regulatory agencies.

Security Control Rationalization and Optimization
Led an initiative to rationalize and optimize the IT General Control environment in support of Sarbanes-Oxley compliance requirements. This initiative resulted in an 80% reduction in key controls, improved operational efficiencies, reduced testing impacts, lower administrative overhead, and a more focused and mature internal control environment that was aligned to support and enable the business.

Security Risk Management
Responsible for numerous application, infrastructure, and third party service organization security assessments to test and evaluate security defenses and identify security risks and vulnerabilities. Responsible for driving security requirements into key initiatives including Mobile computing (BYOD), Cloud Services, SaaS solutions such as WorkDay, Out of Region Data Center with IBM and Verizon Terremark, Windows 7 Migration, Wireless network infrastructure, Web Application Firewall, Managed Security Services, and related key initiatives.

Application Security
Established the first functioning application security assessment and remediation capability that included static code analysis reviews using Fortify and a funded remediation factory to drive timely remediation of the security vulnerabilities. Resulted in significant security risk remediation and earlier identification of secure coding issues to reduce costs and attack vectors.

Education and Professional Certifications

B.S. Accounting Information Systems - Virginia Polytechnic Institute and State University (Virginia Tech 1992). Certified by the International Information Security Consortium (ISC2) as a Certified Information Security Professional (CISSP), Information Security Audit and Control Association (ISACA) as a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC). Previous speaker at various industry groups on a variety of information security and privacy topics and related information risk management topics.

References

Available Upon Request


