JEFF LOWDER, CISSP
SENIOR INFORMATION SECURITY, COMPLIANCE, RISK EXECUTIVE
Industry thought leader who leads world-class security organizations by
building and implementing custom methodologies and frameworks that
balance information protection and business agility
Energetic, visionary strategist qualified by a 14-year record of ground-up success in information security. Continuous
learner with a passion for innovation in security risk management to drive bottom-line business contributions (optimize
security investments, avoid losses from security incidents, improve customer retention, enhance business decision-making,
reduce corporate liability). Inspiring leader and articulate communicator; proven ability to recruit, develop, and
retain top talent. Exceptional levels of integrity, work ethic, and drive to achieve. Expertise in:
Information Risk Management
IT Audit & Compliance Management
ISO 20000, SOX, CObIT, PCI DSS, HIPAA, NIST
Security Tools, Processes & Policies
Security Incident Response Programs
IT Governance & Best Practices
Global Project Lifecycle Management
Information Privacy & Online Safety
Contingency Plans & Business Resumption
Vendor Management
MANAGEMENT HIGHLIGHTS
INDEPENDENT CONSULTANT, Bellevue, WA 2010-present
Managing Director, Concise Consulting (1099 role)
Deliver CISO-for-hire, information security, compliance, privacy, risk management, and online safety services.
DISNEY INTERACTIVE MEDIA GROUP (DIMG), Seattle, WA 2004-2010
Branch of The Walt Disney Company (TWDC) with one of the world's largest Internet infrastructures; owns category leaders Disney.com,
ESPN.com, ABCNews.com, and ABC.com representing 12th largest web property overall.
Director, Information Security / Risk Management
Plan, develop, and manage information security and risk management program for TWDC's Internet properties and shared
services. Direct team of 9 information security specialists with authority for information risk management, IT audit and
compliance, information security operations, infrastructure and applications, incident response, and capital/expense
budget of $6+ million. Coordinate security management across corporate IT, security, legal, ERM, and DIMG business unit
(BU).
Change agent for improvements in security, compliance, and audit of TWDC business-critical systems:
Designed, implemented, and led information risk management framework for DIMG. Designed risk scorecard for
graphical visualization of risk portfolio for quarterly briefings to first-ever risk management steering council.
Recognized as TWDC Center of Excellence for information risk management.
Designed, evangelized, and implemented version 3 of TWDC Information Security Policies and Standards (ISPS).
Obtained enterprise adoption of ISPS, including first-ever unanimous buy-in from DIMG stakeholders. Increased
agility by allowing BU to select the methods to achieve agreed upon control objectives. Decreased the number of
security exception requests by more than 100%. Saved over $1M in initial capital costs.
Challenged with ensuring the compliance of 2 new Safe Harbor applications (and 735 control instances) without
delaying launch. Innovated and implemented new Safe Harbor compliance program from scratch, including 143
assessment procedures. Risk-based approach reduced the number of controls by 23% year-over-year. Worked
with Legal and Sourcing to execute Vendor Agreement with third-party auditor in a record 3 days. Persuaded the
BUs to provide $108K in unexpected funding. Led team of 3 compliance analysts and IT auditors in execution of
internal audit of new Safe Harbor applications. Identified and remediated gaps; launched apps on-time.
Evangelized, launched, and co-chaired the TWDC IT Compliance Board (ITCB) with representatives from every
Segment of TWDC and from corporate compliance partners (Privacy, Customer Information Strategy, Treasury,
Audit, Information Security). Improved processes by publishing a unified IT compliance calendar and framework.
Once and Done: Managed DIMG's compliance with PCI, SOX, Privacy, IAB/MRC requirements by innovating the
Compliance Management Life Cycle (CMLC™). Maintained full compliance, decreased evidence requests to other
teams year-over-year by 24% (pre-audit) and 90% (post-audit), with no dissatisfied customers.
Developed comprehensive proposal (technology architecture, budget) and led lifecycle of a $5 million global PCI
project to remediate IT infrastructure across 8 business units and 12 e-commerce applications worldwide. Brought
all systems into compliance with industry-standard requirements in 15 months with zero data security breaches,
avoiding potential fines (as high as $500,000 per breach) and loss of customers due to lack of adequate security.
Visionary and driving force in build-out of DIMG's information security and risk management strategic plan,
roadmap, methodology, policies, staffing/organizational model, governance, and reporting from the ground up:
Challenged with building risk management department 5 years after creation of DIMG. Defined, evangelized, sold,
and delivered the program and related systems/tools into autonomous business units with entrenched business
processes. Success led to 300% growth in demand for team's services over 3 years.
Recruited, developed, and retained a team of top security experts with each member maintaining industry-standard
credentials (CISSP, CISM, GSEC, GCFW, GSNA) and 7+ years of full-time, exclusive security experience.
Coordinated with business unit HR to develop a formal information security and risk management career path.
Negotiated multi-stage plan to drive network segmentation with less stringent security standards for networks
processing non-sensitive data. Included cross-organizational process for selecting security mechanisms and
documenting data flow based on classification level of data. Saved more than $1.5 million in annual security costs.
UNITED ONLINE, INC. (FORMERLY NETZERO/JUNO), Westlake Village, CA 2002-2004
Third largest internet service provider in US at the time; more than 5.3 million subscribers and exceeding $339 million annual revenues.
Senior Security Architect / Manager, Network Security Team
Led global information security department with management scope including 5 direct/2 indirect reports and all aspects of
security in distributed environment with 1,200+ servers in multiple data centers worldwide. Managed systems security
audits, incident response team and procedure documentation, risk analysis methodology, intrusion detection systems, and
information security guidance to executive management team. Evangelized security to legal, HR, and finance.
Drove numerous security processes and controls (security patch management, system access for Sarbanes-
Oxley compliance, best-practice business continuity plans, and more). Highlights of programs and results:
Built the company's first-ever Information Security Steering Committee and teamed with internal audit department
to define an IT security audit roadmap/strategy that addressed risks enterprise-wide. Gained buy-in for the program
across all levels, extracting the security organization from deep within IT to direct awareness to executive levels.
Engineered overall product strategy for protecting 5.3 million dial-up customers against malware and other Internet
threats while enhancing user experience. Reduced customer churn/service calls, resolved connectivity issues due
to malware, and protected competitive advantages with reputation for providing reliable Internet access.
Launched security architecture between e-commerce billing system and other servers on the production network.
Resulted in zero known security breaches for system managing billing information for millions of consumers.
Secured management buy-in/funding for first-ever third-party security review of proprietary software supporting
critical business processes. Improved data protection and executive confidence in security due diligence.
ELEMICA, Wayne, PA 2001-2002
Leading provider of web-based supply chain management software integrating global chemical companies with customers and vendors.
Director, Security & Privacy
Managed security of a global B2B exchange/hub with distributed network environment. Involved in security reviews, risk
analysis, business continuity strategy, disaster recovery plans, and security architecture reviews in all internal and
outsourced environments. Developed security compliance action plans for senior management. Supervised team of 6 full-
time staff and consultants. Liaison with clients' information security departments.
Pioneered ground-up information security program that was given highest possible rating by a Big 5 audit firm.
Rapidly recruited team of contractors and security employees to develop and implement the comprehensive, cost-
effective information security program. Supported race for startup Elemica to beat the competition to market with its
flagship product. Implemented 100% of security features without delaying product launch date.
PRICEWATERHOUSECOOPERS, LLP, Philadelphia, PA 1999-2001
$14.5 billion Big 4 accounting firm.
Senior Consultant, Technology/Security Group
Provided IT security consulting and auditing services to numerous Fortune 500 clients in various industries. Delivered audit
findings and reports to client executives and boards of directors. Supported clients in implementation of security tools.
Developed and taught course materials for several internal and external security training programs.
Managed above 90% on-schedule/on-budget delivery of next-generation security solutions for client engagements,
resulting in add-on engagements and increased revenues. Representative project successes:
Conducted independent research to develop a custom risk analysis methodology for a leading healthcare benefits
corporation. Enabled on-time completion of the risk analysis and ensured full compliance with HIPAA requirements.
Directed other consultants in developing PwC's first-ever intrusion detection system (IDS) audit methodology.
Executed methodology to audit Internet infrastructure for a Fortune 500 financial services company.
US AIR FORCE ACADEMY, Colorado Springs, CO 1995-1999
Acclaimed university responsible for training future leaders of the US Air Force.
Director, Network Security (1996-1999) / System Administrator (1995-1996)
Directed 5 network security specialists in protecting a $32 million academic network consisting of 14,500 devices in 111+
physical locations and supporting 8,400 users. Authored, disseminated, and implemented security procedures and policy
to protect mission-critical IT equipment and data. Reviewed security advisories and delivered quarterly security report to
base executives. Additionally served as Interim Chief for the Network Control Center, second-in-command of 65 staff.
Leader in developing and maintaining a safe, secure IT environment with systems, processes, and
documentation specific to the unique blended military/academic environment:
Distilled standard AF information security regulations into a specific set of policies for the university. System
security policy praised by AF Inspection Agency as a model document for all AF bases.
Engaged independent organization to conduct security penetration test of the entire network following merger of 2
IT organizations. Brought all rogue systems into compliance and improved security awareness by 80%.
Expert witness in 2 federal law enforcement investigations into computer crimes on the base network.
Recognized for outstanding achievements with several prestigious, highly competitive awards: USAFA Information
Protection Individual of the Year (1997, 1998) and Company Grade Officer of the Year (1998).
EARLY CAREER SUCCESS:
Systems Analyst, Seattle Pacific University; Program Manager (Intern), Microsoft Corporation; Database Developer,
Intuitive Manufacturing Systems; Software Tester, Acropolis Software
EDUCATION & PROFESSIONAL PROFILE
B.S. in Computer Science, Emphasis in Mathematics (honor graduate): Seattle Pacific University, Seattle, WA
Certified Information Systems Security Professional (CISSP)
FAIR Basic Analyst (in progress)
Certified Information Privacy Professional (CIPP) (in progress)
Industry thought leadership and activities:
Author of Agile Security column on industry-leading blog at bloginfosec.com
Currently authoring book on the Compliance Management Life Cycle. Additionally published several security-related
articles in leading publications/books.
Speaker at numerous industry conferences and executive forums (e.g. SecureWorld Expo, ISSA CISO Executive
Forum, ISSA Regional Conference, Pacific CISO Forum, Disney IT Risk Management Roundtable, IIA, ISACA).
Additional leadership in the Society for Information Risk Analysis (Member), Society for Risk Analysis
(Member), Information Systems Security Association (ISSA CISO Executive Member), International Association of
Privacy Professionals (IAPP), SANS Institute Advisory Board (former Member), ISSA Delaware Valley Chapter
(former Vice President).