David "Mike" Hager
Executive Level Security, Risk Management, Business Continuity and
Compliance leader, successful at building high performance teams to address
Security, Business Continuity, and Business Risk Management for multiple
diverse organizations within both the public and private sector. A
strategic visionary with a clear sense of purpose and urgency when faced
with the decisions regarding the protection of corporate assets. Proven
success engineering, delivering, managing and selling complex technology
solutions and business operations. A highly energetic individual with
superior interpersonal skills that can translate complex technical terms to
common business language. Extensive experience managing projects to
completion, reducing project costs and maximizing team productivity. A
Retired Special Agent of the Air Force Office of Special Investigations
where responsibilities included conducting specialized Physical Security
surveys, investigations and polygraph examinations in the areas of Fraud,
Counterintelligence and Criminal matters world-wide. High-caliber
presentation, negotiation and communication skills. A highly sought after
speaker on Information Security, Privacy, Business Continuity and Disaster
Recovery. Both published and often quoted in numerous IT and Security
publications. Selected as one of "Computer World Magazine's" Top 100 Premier
IT Leaders. Served as a member of the advisory board for "CSO Magazine".
Key qualifications include:
EXECUTIVE OVERSIGHT, STRATEGY & EXECUTION
Vision, Strategy & Execution
Financial Planning, Analysis & Reporting
P&L / Operations Management
Budgeting & Cost Control
Team Building, Mentoring & Leadership
Contract Negotiation & Supplier Relations
Regulatory Compliance
Internal & External Customer Relations
Managed Services Deployment and Management
Project Planning & Management
Relationship Building
SECURITY MANAGEMENT
Security Audit and Testing
Security Operations Centers (SOCs)
Business Continuity and Disaster Recovery Planning
Enterprise Risk Management
Identity and Access Management
Change Management and SDLC
Security Policy and Standards Design and Implementation
Physical Security
Incident Management and Response
Managed Security and IT Operations
PROFESSIONAL EXPERIENCE
ArcSight Inc.
Aug 09 - Present
Managing Principal
Developed and managed the Enterprise View Professional Services Consulting
Practice which included the ArcSight IdentityView and Fraud View solutions
worldwide. Accomplishments include:
. Developed a set of packaged solutions utilizing the ArcSight
Enterprise Security Manager (ESM) Platform for monitoring of
identities and access within large organizational networks.
. Developed professional services offerings to support the sale and
implementation of both fraud prevention and fraud detection solutions.
. Developed a Banking Fraud solution to address ACH, AML, Credit/Debit
Card and on-line banking fraud.
. Managed all professional service activities for the identity access
monitoring and fraud management solutions.
. Acted as the Subject Matter Expert in the areas of Security, Risk
Management, Identity/Access Management, Compliance and Fraud and in
the deployment of our solutions for organizations worldwide. Some of
these solutions include very large US and Foreign Government
operations as well as many of the Fortune 500 companies worldwide.
. Developed a strategy for a large aircraft manufacturer that addressed
compliance with the Export Control Regulations of the US and Canada.
. Managed a project for a large Energy Company and provided guidance in
the areas of event monitoring and incident response and assisted them
in determining minimum physical security requirements to obtain NERC
certification.
. Managed a project for a large US Bank located in multiple locations
across the US in the areas of risk management.
Business Risk Management Group
Feb 09 - Aug 09
CEO and Principal Consultant
Led all efforts for the management and development of a start up
Information Security and Business Continuity service provider. During
first four months of operation generated over $1 million in services
revenue while developing a complete US Critical Infrastructure Security and
BCP program for a 1.2 million customer water company.
SAIC
Dec 08 - Feb 09
Consultant/Senior Security Advisor
Authored major sections of a $2 billion federal proposal involving the
outsourcing of all IT Operations, Information Security, BCP/DR Planning and
the Incident Management and Response for Department of Homeland Security's
(DHS) Transportation Security Administration (TSA) Security Operations
Center (SOC). This proposal was written to address the requirements
established in DHS and TSA regulations and standards in addition to FISMA
and NIST 800-series guidelines, ISO 27001 and 27002.
. Led the development of proposal material for the majority of the
security management sections of this large government proposal.
. Provided technical continuity during transition of security management
responsibilities from incumbent to new security services provider during
the proposal development process.
. Defined program-specific responsibilities and implementation
methodologies in the TSA System Development Lifecycle process utilizing
an ITIL framework and CMM project methodology.
UNISYS Corporation
July 05 - Dec 08
Senior Manager/Practice Director and Chief Architect
Led a team of senior level consultants who provided specialized Security,
Business Continuity, Regulatory Compliance and Identity/Risk Management and
IT Infrastructure consulting services to some of the world's largest
companies. Acted as the trusted security advisor to multiple CIOs, CSOs
and CISOs world-wide.
Accomplishments include:
. Developed a full service offering around Business Continuity Planning
and Disaster Recovery. Based on expertise and completeness of our
services offering, was given sole source contract by Microsoft Windows
Live organization to assess their business recovery strategy and build
their entire Business Continuity and Disaster Recovery framework.
. Developed an enterprise-wide information security program framework for
Cal State University. During this engagement thirteen (13) separate
universities and the CSU Chancellor's Office were assessed in regard to
the ISO 27002 Security Standard.
. Conducted both IT and Physical security assessments of University
operations at 11 separate colleges. Security assessment reports and
roadmaps for security program development were prepared and provided
to each University. The successful completion of this project helped
Unisys win a re-compete for the outsourcing of the Cal State University
PeopleSoft operational environment for all Universities within the Cal
State System.
. Assessed the City of Chicago Park District's Business Continuity Plan.
Follow on activities netted $1.3 million in revenue and helped secure
the renewal of a $9.6 Million contract.
. Assisted the new CISO for Washington Mutual Bank in the development of
a security program strategy and roadmap.
. Worked with CIOs, CSOs and CISOs in the development and
implementation of effective Information Security and Risk Management
and compliance strategies.
. Provided thought leadership in the development of an Enterprise
Security/Fraud Management Solution that led to a new offering for the
Global Financial Services Industry. This new set of products and
consulting offerings addressed Information Security and Fraud
Management for the Banking Industry. This included implementation of
new software technology and a new outsourcing opportunity for the
detailed review of checks for fraud.
. Assisted in the implementation of security services for the monitoring
and alerting of security incidents (both within and outside of Security
Operations Centers) utilizing ArcSight's SIEM technology, for both
Network and Host based Intrusion Detection Systems (IDS). Customers
for these services included the Department of Homeland Security (DHS),
Transportation Security Administration (TSA), the Port Authority of New
York and New Jersey, the Chicago Park District, Starbucks and Cal State
University.
. Developed an enterprise wide encryption strategy offering for Unisys.
Starbucks was the first company to utilize this service offering.
. As the Chief Security Architect, conducted an information security
assessment of a single-sign-on implementation for the Distributor Trust
Clearing House (DTCC) in New York City. This assessment covered all
aspects of the company's information security program as well as the
use of the Tivoli Access Manager (TAM) and IBM's RACF. The purpose was
to ensure that the architecture and implementation met sound business
and security standards.
. Assessed PayPal's compliance with the ISO 27002 Security Framework.
. Developed Risk Management Dashboards for use by CIOs, CSOs and
CISOs.
. Developed new tools for conducting IT/Information Security, SoX, ISO
27002, COBIT, NERC/FERC, COSO, NIST and PCI assessments.
. Developed complex PKI solution for a large Florida County Government
that involved over 1500 users of a new Hub application for storage and
retrieval of sensitive police and court documents.
. Developed a proposal that was subsequently accepted for the outsourcing
and management of a large Disaster Recovery "hot site" for the Toll
Road systems for the State of Ill which netted $12 million in new
revenue for Unisys.
. Introduced and implemented a new check fraud detection system at
several large US and Foreign Banks.
. Assisted a large New City Bank in the encryption of back up recovery
tapes for their Disaster Recovery program.
. As project manager led the implementation of a remote access criminal
justice system for King County, Washington. Oversaw and conducted
technical and programmatic security assessments in support of this
project.
. As project manager led a review "shoot out" of Host Based Intrusion
Detection (HIDS) tools for the Port Authority of New York and New
Jersey. Engagement led to purchase and installation of the selected
product and helped secure the continued outsourcing of all IT
infrastructure components for this large organization.
Covestic Inc.
Sep 04 - July 05
Enterprise Security Advisor (Rent a CISO)
As an Enterprise Security Advisor, developed and implemented a new service
offering in the area of Physical Security, Information Security and
Business Continuity Planning.
Accomplishments Include:
. Performed duties of the CISO for a mid-sized single-source B2B provider
of converged Voice, Data and IT services. This included Hosted PBX
voice over IP (VoIP). As the CISO, developed their entire Enterprise
Security Architecture to include all policies and standards.
Successfully achieved SAS 70 certification with no material findings
within 6 months of becoming their CISO.
. Utilizing the SAS 70 certification, helped this company launch a
marketing campaign that led to a 15% increase in revenue which helped
them obtain an additional round of capital funding for their
organization.
. Conducted a review of the overall Business Continuity and Disaster
Recovery Program for Sterling Commerce in Columbus, Ohio. This was a
programmatic review that resulted in an evaluation of the key Business
Continuity elements being implemented with recommendations as to how to
improve the overall recovery strategy.
NETRAT Software /Business Risk Management Group
May 03 - Sep 04
President and COO
Acted in a dual role as the President of a startup software company that
developed and sold a Microsoft Windows based resource analysis tool, and as
the head of a full scope security services/consulting company.
Achievements included:
. Full P&L Responsibility.
. Managed all professional services relating to product delivery and
services in support of the implementation of Security and Business
Continuity services.
. Developed and championed the product vision, product strategy and
product roadmap in support of corporate goals.
. Presented and clearly articulated product strategy and pipeline to
company leadership, investors and board of directors.
. Developed full lifecycle process for development of the software product
and met all dates for new releases of product.
. Collaborated with the customers, users, and engineering teams to assess
value, usability and feasibility of product features.
. Managed partner relationships, identified third party use of the
software for OEM purposes.
. Evaluated and selected vendors and partners as well as negotiated
agreements and contracts.
. Developed business case for additional funding of the company - During
first year secured $25 Million in venture capital.
. Provided acceptance and approval for all new releases of the product.
. Increased Marketing efforts for the product and obtained positive
evaluations in several IT specific publications to include "Network
Week".
. Provided strategy and direction and oversight that solved a "hacking"
problem for the University of Colorado Foundation.
. Developed and conducted a Business Impact Analysis in support of the
Colorado Department of Transportation Business Continuity Program. This
analysis covered the entire agency and met the requirements for this
unique State Government Agency.
OPPENHEIMER FUNDS
March 99 - May 03
Chief Security Officer (CSO)
VP Network Security, Business Continuity and Disaster Recovery
Information Security:
. Executive leader for Information Security, Network Security, Business
Continuity, Disaster Recovery and Regulatory Compliance for this large
Mutual Funds Company. Given full autonomy in the design, development and
implementation of security and recovery strategies corporate wide.
Accomplishments include:
. Provided vision and direction for the development of a new company wide
Enterprise Security Architecture (ESA) that resulted in a recognized
world-class protection program which mitigated the company's security
risks to an acceptable level.
. Aligned the company's IT Security Infrastructure and Business Continuity
Program to support corporate business units and enterprise requirements.
. Designed and implemented a secure on-line web access control system for
5 million on-line customers.
. Acted as a security advisor to senior management. Provided threat
updates and advisories to all Senior Managers and wrote weekly threat
assessment briefings for leaders Enterprise-wide.
. Primary interface with senior management and internal audit on all
regulatory issues. During tenure had five (5) successful SAS 70 audits
with no material findings.
. Designed and implemented a secure e-mail system for the corporate
enterprise. This system not only provided for secure e-mail
transmissions, but allowed the company to comply with the Privacy Act
and SEC Regulation S-P which saved over $5 million annually in the
electronic delivery of financial statements and records.
. Designed an intrusion detection strategy utilizing a Security Incident
and Event Management (SIEM) tool, selected the appropriate products,
negotiated the procurement of these products and had them fully
operational within 6 months.
. Spearheaded the design and implementation of a new firewall, and network
protection strategy for all company locations.
. Implemented a Policy Compliance tool for all server configurations with
our newly developed security policy and standards. This was accomplished
by partnering with IT and was implemented with the help and concurrence
of the various IT organizations.
. Led the project to acquire and implement the Tivoli Identity Manager
(TIM) Identity and Access Management solution. Implementation saved the
company time and resources in provisioning new employees, removing
access for terminated employees and reduced the number of help-desk
calls for password resets by 37%.
Business Continuity & Disaster Recovery
. Headed a project to build new Disaster Recovery and Enterprise Business
Continuity Plans for all company critical business locations world-wide.
Plans for the recovery of all critical systems and business functions
were built and successfully tested on a periodic basis. On 9/11 these
plans were put to the ultimate test as they were utilized for the
successful recovery of the company's operations in the World Trade
Center in New York City. OppenheimerFunds occupied 5 floors of World
Trade Center II which was destroyed in the terrorist act on 9/11.
. Directed all recovery efforts after the attacks on the World Trade
Center. All critical functions and activities were operational within
4.5 hours after the attacks - well ahead of the identified Recovery Time
Objectives for the Headquarters.
. Led the effort to mirror 6 TB of data from Denver, Co. to a recovery
site in Philadelphia, Pa. utilizing EMC's SRDF technology. The project
was completed two months ahead of schedule and under budget. Upon
testing, we discovered that we were only 8 minutes behind "real time"
processing in Denver, Co. This was a major improvement as the time to
recovery was reduced to less than 8 hours where previously it had been
197 hours. This reduced the potential loss of data from days to minutes.
. Initiated processes to conduct and update the company Business Impact
Analysis (BIA) on a semi-annual basis.
. Developed response plans for the OppenheimerFunds office in New York to
address the possibility of a major power outage in New York City. These
plans included the education of all New York employees and were put in
place 6 months prior to the major power outage in 2003. Based on the
strategy and plans developed, the company successfully recovered all
critical operations and systems within hours and continued its critical
business operations during the power outage.
COORS BREWING COMPANY - Golden Colorado
Jan 1997 - March 1999
Chief Information Security Officer (CISO)
As the Senior Leader for Global Information Security, Disaster Recovery and
IT Change Management for this large International beverage company,
designed and developed a new Enterprise Security Architecture and Business
Continuity Program from scratch. Led the security design and implementation
efforts for a large SAP implementation. Designed and implemented a new
Change Management Program and purchased supporting software to manage and
track the change process. Previous documentation was restricted to
Microsoft Word files.
World Wide Security - Rocky Flats Environment Technology Site
Oct 1994 - July 1996
VP and General Manager
As the VP and General Manager was responsible for all Internal Security
activities for this large Department of Energy Site. Given full autonomy
for establishing policies and procedures for all Information Security and
Business Continuity activities associated with the Site's 23 separate
subcontractors to support the overall objectives of the Integrated Site
Manager - CH2M Hill. Assisted Wackenhut in the development and support of
all physical security measures implemented within the site. Accomplishments
include:
. Full P&L for this $55 Million contract.
. Performed duties of the CIO for World Wide Security and Wackenhut
Services Inc.
. Led the Physical Security, IT Security and Business Continuity
operations for a new management organization during the annual security
survey. Under the previous contractor security ratings for the Site
were "marginal". Within 6 months of assuming responsibility for all
Internal Security functions, achieved a Satisfactory rating with no
material findings. Had the Site been rated "marginal" a third time the
overall rating would have been Unsatisfactory.
. Supported the physical accountability and control of two thirds of the
free world's plutonium.
. Responsible for the control, maintenance and accountability of over 5
million classified DOE documents.
. Designed and directed the implementation of an Information Security
Program to address Cyber/Data Security and Tele-communications Security
for a DOE site of 8,000 employees. This included over 50,000 computer
systems and devices. It also included thousands of PCs, 2 Mainframes,
150 Midrange systems, over 50 Local Area Networks in both NT and Novell
formats, one Secure Area Network and hundreds of modems that could
directly access the Internet.
. Designed and tested Disaster Recovery plans for all "Mission Essential"
systems.
Wackenhut Services Inc/World Wide Security Services, Golden, Colorado
Oct 1991 - Oct 1994
Internal Security Officer and Polygraph Examiner
Contracted to the DOE thru Wackenhut Services Inc., to set up and establish
a new clearance program (AAA - Accelerated Access Authorization) for the
granting of an Interim "Q" Clearance utilizing a psychological evaluation,
urinalysis and polygraph examination. Activities included the design and
development of facilities for testing, conducting polygraph examinations
and collection of urine samples for drug testing. This was a pilot program
for DOE that accelerated the process of granting "Q" clearances from
eighteen months to a few weeks. This program was fully adopted at Rocky
Flats and later moved to Albuquerque, New Mexico based on the announcement
that Rocky Flats was scheduled for closure.
Upon announcement of closure of Rocky Flats and movement of the AAA to
Albuquerque, NM, was contracted to develop an Internal Security Program for
Wackenhut Security Services contract at this large DOE Site. Within the
first three months developed and obtained facility clearance for the
processing of classified information within the Wackenhut Services Inc.
facility on site. This included establishment of controls for both Physical
Security and IT security activities. Previous efforts to obtain facility
clearance had been on-going for over 2 years.
GENERAL ELECTRIC AIRCRAFT ENGINES
March 1989 - Oct 1991
Security Architect and Security Program Manager
Senior Program Manager responsible for development and implementation of
both tactical and strategic security plans internationally for the largest
manufacturer of aircraft engines in the world.
. Developed Information and IT Security Program for the GE Aircraft
Engines' (GEAE) Commercial Division. This was the first program of its
type for GEAE that addressed proprietary information protection.
. Developed and implemented a security strategy that included the
deployment of fax encryption devices at multiple locations around the
world. Worked extensively with the Government of Israel and the United
Kingdom in the deployment of these security devices to protect sensitive
GEAE data being transmitted via fax.
. Built an entire information protection program in support of a billion
dollar operation, the Foreign Military Sales division for GEAE. This was
the first security program ever built in support of non U.S. Government
classified programs at GEAE.
. Developed a special security program and detailed information security
plan for the Government of Israel in support of the DOD Foreign Military
Sales Program. The Government of Israel accepted the security controls
outlined in the plan. This saved GEAE a $500 Million contract with the
Government of Israel that was in jeopardy due to lack of an adequate
security program to protect sensitive Israeli information.
United States Air Force Office of Special Investigations
April 1972 - March 1989
Special Agent/DOD Polygraph Examiner
As a special agent, was responsible for conducting Investigations and
Polygraph Examinations for the USAF, NASA and the DOD. Types of
investigations include fraud, cyber/computer crime, counterintelligence,
and other major criminal activities. Conducted physical security and loss
prevention surveys and assessments of major USAF facilities world-wide.
Additionally, achieved certification as a DOD Fraud Investigator and as a
DOD Polygraph Examiner supporting criminal and counterintelligence
investigations conducted by AFOSI, NASA and the DOD.
Education
University of the State of New York, 1981
Bachelor of Science with Concentrations in Security Administration,
Sociology and Criminology
Air University (DOD Polygraph Institute), 1982
Master of Science (Equivalent), Scientific Investigations (Polygraph)
Professional Certification
Certified Computer Systems Security Officer (CSSO)
Certified Information Security Officer (CISO)
Certified Business Continuity Planner (CBCP)
Certified Protection Program Manager (CPPM)
Certified Information Systems Security Professional (CISSP)
Six Sigma Lean
US Government Certifications
DOD Facility Security Officer (FSO)
DOD Certified Fraud Investigator
DOD Counterintelligence Investigator
DOD Criminal Investigator
DOE Certified Counterintelligence Control Officer
DOE Certified Information System Security Program Manager
DOE Technical Security Countermeasures Officer (TSCM)
DOE Certified Telecommunications (COMSEC) Officer
DOD/DOE Certified Operations Security Program Manager (OPSEC)
DOD/DOE Certified Polygraph Examiner
Speaking Engagements
Key Note Speaker - Maximum Security Conference, San Francisco, Ca 2001
ICM e-Business Summer Forum - Naples, Fla. 2001
E-Business Summit 2001, Keystone, Co 2001
Special Post 9/11 Briefing to Colorado Emergency Planning Organization
Special Security Briefing to Colorado Front Range CEO's 2001
Co-Key Note Speaker with Former U.S. Senator Gary Hart - Metro Club Denver
Colorado 2002
E-Business CIO Forum - Pasadena, Ca. 2002
INT Media Group's E-Security Conference & EXPO - Wash DC 2003
Key Note Speaker - IT Forums - Salt Lake City, UT and Denver, Co 2003 and
2004
Key Note Speaker - MIS Training Institute's WEBSEC - San Francisco, CA 2004
Key Note Speaker - MIS Training Institute's FINSEC - New York, NY 2004
Interface 2004 - Boise, Idaho
Interface 2005 - Focus Session, Seattle, Washington
Key Note - Rocky Mountain Software Association - Security World, Denver, Co
2005
Key Note - Interface 2005 IT Event, Denver, Co 2005
Fusion - Public Sector IT Conference, Las Vegas, NV 2005
Key Note - Rocky Mountain Security Conference, Denver, Co 2006
INFOSEC World - Orlando, Florida 2007
Cal State University's SecurIT Conference, Sacramento, California 2007
Tech Forums, Los Angeles, California 2007
INFOSEC World - Orlando, Florida 2008
Secure 360 World Conference, Minneapolis, MN 2008
ISSA Security Conference, Colorado Springs, Co 2008