Michael W. Leonhirth
McLean, VA ***** [U.S. Citizen]
703-***-****
(c) 571-***-****
accpie@r.postjobfree.com

Summary

Information Technology (IT) and Business leader with over 20 years of information security, risk management, IT Audit, project management, and business management experience. Extensive financial services industry and Big 4 client service experience with a focus on evaluating, implementing, monitoring, and enabling IT risk management processes and controls, information security solutions, and business process techniques to provide measurable benefits focused on reducing risk, protecting data, enabling secure communications, and enhancing the internal control environment.

As Senior Director, Information Security Risk Management at Freddie Mac, the highlights of my responsibilities include:

- Security Risk Assessments, Policies, Procedures, and Standards, Secure Coding Reviews, Vendor Risk Assessments, Project Security Consulting Support, Security Awareness and Training, and related Security, Risk, and Governance advisory activities
- IS Leadership Team Chief of Staff - consensus building, thought leadership regarding all information security domains, execute and coordinate internal program management and operational risk management activities
- IS Strategy Development and Planning - security capability maturity analysis and development, communication, maintenance and delivery of multi-year IS strategy and roadmap
- Metrics and Reporting - Board level presentations, executive management communications, internal/external audit and regulator liaison
- Budgeting and Forecasting - managing internal and external labor costs, ROSIs, time reporting, training budgets
- Resource Management - resource planning and scheduling, vendor relationship and contract management, employee engagement, knowledge management, supervisor, mentor, thought leadership

Prior to joining Freddie Mac, provided over nine years of Big 4 client service and delivery to numerous Fortune 500 companies by addressing the critical risks inherent in the use of technology implemented to support the business direction and strategic initiatives of a wide variety of organizations and industries. Served as Mid-Atlantic champion and subject matter expert for Information Security Advisory Services.

Prior to joining KPMG in 1999, obtained 7 years of industry experience serving as an IT Security and Special Projects Manager where I established the company's first information security program and managed key projects including implementing secure remote access technologies, creating a security awareness program, designing and implementing policies and procedures, and performing technical security reviews. Served as the Y2K Project Manager responsible for identifying and addressing the organizational Y2K risks. Also served as an IT Senior Auditor focused on risk and controls with particular emphasis on Information Security.

Objective

Interested in an exciting opportunity to serve a great organization as an executive leader in Information Security / IT Risk Management.

Certifications

- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Member: ISC2, ISACA

Core Competencies

- ISO 27001/27002, NIST 800-53 Security Risk Management Framework design and implementation
- Information Security Awareness, Privacy, Policies and Procedures
- Security Architecture Assessments, Design, and Implementations (IaaS, PaaS, SaaS and related Cloud, ASP, and Co/Lo services)
- Network and Application Security Vulnerability and Penetration Testing
- Regulatory Compliance - SSAE16 SOC1/SOC2 and Sarbanes-Oxley/404, COBIT, COSO, NIST, ISO 27002, PCI DSS, FFIEC Guidelines, Privacy (Safe Harbor, Gramm-Leach-Bliley, HIPAA, Breach Notification)
- IT Risk Management, Business Continuity, High Availability, and Business Resiliency
- Business Process, Internal/External Audit, Operations, Regulatory Compliance
- Information Security, IT Audit, and Attestation Thought Leadership, Methodologies/Frameworks, Audit Plan & Program Development
- Reporting, Proposals, and Oral Presentations/Demonstrations to Executive Management
- Supervisor, Advisor, Mentor, Coach, Performance Manager and Leader
- Resource Management, Supervision, Scheduling, Recruiting
- Project Management, Budgeting, Billing, Collections, Proposal and Engagement Letter Development
- IT Strategy and Advisory Services
- Proven Record of Delivering Quality, New Business Development, Sales, and Managing Revenue

Industry Experience

- Financial Services
- Healthcare
- Manufacturing
- Retail
- Transportation
- Public Sector/Government (Familiar with Yellow Book Standards, FISCAM, FISMA, NIST Guidelines)

Technical Experience

- Experience with security testing software including Wireless, Port and Service Scanners, Vulnerability Scanners, Server, Database, Application, and Host Based Security Tools, and various open source and freeware utilities
- Implemented and utilize Agiliance RiskVision to aggregate and manage security risks and threats across the enterprise
- Fortify 360, Qualys, Qualys WAS, Tenable Nessus, Burp Suite, DBProtect, Tripwire
- Collaboration and Communication Productivity applications including MS Word, Notes, Excel, Office, Outlook, MS Project, PowerPoint, Mobile Computing
- Experience with AS/400, RACF, MPE/iX, Windows NT/AD, Novell NetWare, TCP/IP, UNIX, Linux and similar operating systems
- Two Factor Authentication, Logical Access Security Assessments and Implementations
- Extensive experience as an IT auditor and IT Risk assessor

Career History

Freddie Mac - (May 2009 - January 2014)
Senior Director of Information Security Risk Management & Governance
Principal, Information Security Chief of Staff
Principal, Information Security Risk & Controls

KPMG LLP - (July 1999 - November 2008)
Senior Manager/Director - IT Risk Advisory, Information Security Services, IT Audit, & Risk Management, McLean, VA

Media General, Inc. - (May 1994 - July 1999)
Information Security and Special Projects Manager, IT Senior Auditor, Richmond, VA

Heilig-Meyers Corporation - (June 1992 - May 1994)
IT Auditor, Richmond, VA

Project Delivery Highlights

Information Security Program Strategy and Frameworks
Performing ongoing assessments of the Information Security program including analysis of the maturity of IS services and capabilities (People, Process, and Technology) and the creation, execution, and management of a large enterprise ($15M - $25M) Information Security roadmap and strategic plan. Key member of the IS Leadership with active participation in designing, managing, and optimizing the security program including strategy, risk assessment, monitoring, incident response, controls, security tools and capabilities, resource management, budgeting, planning and overall program delivery.

Security Policies & Standards
Responsible for the development, implementation, and monitoring of Information Security policies, standards, controls, and configuration requirements. Responsible for creating and maintaining productive relationships with key risk stakeholders including Legal, Privacy, Compliance, Audit, IT, business areas, and external regulatory agencies.

Security Control Rationalization and Optimization
Led an initiative to rationalize and optimize the IT General Control environment in support of Sarbanes-Oxley compliance requirements. This initiative resulted in an 80% reduction in key controls, improved operational efficiencies, reduced testing impacts, lower administrative overhead, and a more focused and mature internal control environment that was aligned to support and enable the business.

Security Risk Management
Responsible for numerous application, infrastructure, and third party service organization security assessments to test and evaluate security defenses and identify security risks and vulnerabilities. Responsible for driving security requirements into key initiatives including Mobile computing (BYOD), Cloud Services, SaaS solutions such as Workday, Out of Region Data Center with IBM and Verizon Terremark, Windows 7 Migration, Wireless network infrastructure, Web Application Firewall, Managed Security Services, and related key initiatives.

Application Security
Established the first functioning application security assessment and remediation capability that included static code analysis reviews using Fortify and a funded remediation factory to drive timely remediation of the security vulnerabilities. Resulted in significant security risk remediation and earlier identification of secure coding issues to reduce costs and attack vectors.

Education and Professional Certifications

B.S. Accounting Information Systems - Virginia Polytechnic Institute and State University (Virginia Tech 1992). Certified by the International Information Systems Security Certification Consortium (ISC2) as a Certified Information Systems Security Professional (CISSP), and by the Information Systems Audit and Control Association (ISACA) as a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC). Previous speaker at various industry groups on a variety of information security and privacy topics and related information risk management topics.

References

Available Upon Request