Sean Kearney
CISM, CISSP, CCSP, MSc InfoSec
ac8dn6@r.postjobfree.com
A dynamic leader with a passion for Information Security and Risk Management. Strong experience developing relationships at all levels, across a range of industries including Investment Banking, Retail Banking, Professional Services and Cards and Payments sectors. Tenacious and adaptable, providing flexible solutions shaped by company and market conditions, demonstrating a resourceful and pragmatic approach to Information Security and Risk Management.
Key Skills
Strategic leadership within Information Security and Risk Management.
Security consulting in a range of disciplines including ISO27001, Information Risk Management, IT Controls management and Secure Information System design.
Building successful multi-skilled teams.
Management of third-party supplier relationships.
Experienced communicator with 'C' level professionals across a wide range of industries utilising excellent communication skills to build and nurture strong working relationships.
Regulations and standards: ISO27001, PCI DSS, NIST, GDPR, HIPAA, SOC 2.
Employment History
InfoSCK ltd – Oct 2018 – Present
Director
Vanquis Bank – May 2016 – Sept 2018
Head of Security Architecture, Assurance and Consulting (Deputy CISO) Feb 2017 – Sept 2018
Responsibilities:
Definition and delivery of the security strategy for Vanquis Bank.
Management of a team of 8 multi-skilled security consultants delivering Security Architecture and Assurance consultancy, and a dedicated security project manager.
Responsible for developing management information regarding security posture and control effectiveness.
Reporting on Information Security to Executive committee and Vanquis Board.
Achievements:
Redesigned Target Operating Model, ensuring early engagement of the Security Architecture team at project kick-off, driven by a risk-based approach from design through to BAU.
Developed the 3-year security roadmap for the organisation and managed the delivery of the security improvement program.
Led the delivery of the Security Improvement Program which included:
  - Implementation of Splunk SIEM solution.
  - Redesigned PCI estate to reduce scope and associated costs.
  - GDPR alignment, including the delivery of data discovery and classification tools Imperva and Titus supported by Azure Rights Management and Information Protection product suites.
  - Outsourcing of Security Operations Centre.
  - Purchase and installation of Endpoint Protection suite.
  - Delivery of ISO27001 aligned ISMS.
Interim Head of Information Risk, Jun 2017 – Jun 2018
Responsibilities:
Delivery of Information Risk Management activities across the organisation.
Leadership of a small team of Risk and Governance Analysts delivering risk management and 3rd party assurance across a global supply chain.
Own the Information Risk Management process, working closely with key stakeholders.
Identify threats and risks relating to information and IT Assets through formal risk assessments.
Promote a risk conscious culture across the bank through stakeholder engagement, awareness and delivery.
Collaborate with Group Audit team to ensure audit findings are tracked, remediated and treated.
Achievements:
Designed and delivered a Third-Party Risk Management (TPRM) framework supporting compliance with GDPR.
Re-engineered the risk reporting process to enable better senior management visibility of risk level across the various areas of IT and business.
Integrated new processes with key business units such as PMO, Operational Risk and Security Architecture to ensure risk identification and reporting is consistent.
Reviewed and reduced inherited risk log by 50% by conducting rationalisation activities and verifying status of mitigation activities for open risks.
Developed strong relationships with Group Audit, improving group visibility of remediation activity against various open audit actions.
Fed audit findings and open risks into the 3-year security strategy, designed and delivered under the Security Architecture, Assurance and Consulting post held concurrently.
Information Security Specialist May 2016 – Feb 2017
Responsibilities:
Information Security Consultancy on all projects including Commercial, Infrastructure, Head office, Operations, Regulatory and Compliance.
Maintain PCI DSS compliance ensuring all tasks associated with compliance are completed on time and management of annual external audit.
Delivery of Project and Business process assurance engagements, including high-level and low-level design reviews, penetration test co-ordination, policy adherence, risk management and third party assurance.
Management and oversight of Information Security Policy development, implementation and review.
Achievements:
Successfully delivered the design of security solutions for a range of business and IT initiatives which included:
  - Lead Security Consultant on GDPR program
  - Security Architect for Secure Cloud Connectivity
  - Security Architect for Balance Transfer infrastructure design and deployment
  - Security Consultant for Corporate Wireless Secure Architecture
  - Security Architect for Loans Management System secure solution design
  - Security Architect for Secure File Hosting and Secure File Transfer design.
Deutsche Bank – Dec 2015 – May 2016
Information Security Officer (ISO)
Responsibilities:
Performing Risk Assessments on applications, vendors, processes and projects.
Identifying Security gaps and evaluating, alongside stakeholders, options for remediation.
Assessing compliance of application portfolio to global regulations including but not limited to FCA, ICO/DPA, FFIEC and MAS.
Providing Information Security consultancy to business units surrounding Segregation of Duties and role definition as part of the Role Based Access Control (RBAC) initiative.
Working closely with various business units to establish strong relationships, enabling the promotion of value add services from the Business Information Security Services team.
Achievements:
Transition and management of a large portfolio of applications into the Business Information Security Services team.
Management and co-ordination of process improvement activities relating to risk assessment, management and reporting.
Improved efficiency and streamlined risk assessment process through bottom up review of delivery and management practices.
Mizuho Bank – Sept 2014 – Dec 2015
Business Security Consultant and Information Security Officer (ISO)
Responsibilities:
Development and implementation of an Information Security Risk Assessment framework.
Providing Information Security consultancy across London and EMEA offices.
Design, implementation and management of information security policies supporting compliance to these policies across EMEA.
Development and delivery of Information Security Awareness training for all UK staff.
Providing management assurance that Information Assets are managed appropriately.
Provide monitoring of Information Assets for identification of intentional or inadvertent misuse.
Co-ordination of Penetration Testing and completion of periodic internal scanning.
Achievements:
Successful transition and certification to ISO27001:2013
  - Completely overhauled the Risk Assessment procedures to better align to the ISO27001:2013 standard
  - Implemented a variant of PDCA to ensure continual improvement and better management and maintenance of Policies, Procedures and Guidelines.
Developed Information Security and Cyber Security Strategies for a 3-year roadmap
Spearheaded the creation and delivery of a 2-day Global Information Security Officers Summit to enable information sharing and to improve communication channels with EMEA and Head Office Security Officers
Delivery of pilot/proof of concept for bank wide implementation of Role Based Access Control to improve efficiency and effectiveness of Identity and Access Management processes.
Delivery of Data Loss Prevention Programme which included:
  - Delivery of an automated email filtering and monitoring solution to reduce manual workload and remove human error.
  - Upgraded and rolled out the latest version of Internet Access management solution to prevent data leakage via forums, personal email accounts and other similar means.
  - Co-ordinated the roll out of endpoint security solution for removable media, including configuring reporting and exceptions for monthly line management signoff.
Implemented the vulnerability scanning software Nessus, enhancing visibility of patch management, secure development and cyber preparedness.
Spencer Rose – Jun 2011 – Oct 2013
Information Security Consultant
Technology and Information Risk Management.
Compliance – ISO27001, PCI DSS, NIST.
Security Operations – SOC, Vulnerability Management, IDS/IPS.
Security Architecture – Enterprise, Solution and Assurance.
Professional Qualifications
Certified Cloud Security Professional (CCSP) #554055
Certified Information System Security Professional (CISSP) #554055
ISACA Certified Information Security Manager (CISM) #1839879
Member of Institute of Information Security Professionals #195622
Member of Information Systems Security Association #41662620
Memberships and Training
Dev Ops Foundation – Ranger 4 – December 2017
Advanced PCI-DSS Training – 2016
Microsoft Azure Fundamentals – 2016
Amazon Web Services (AWS) Essentials (QA) – 2016
Tenable Certified Nessus Auditor – TCNA – 2015
Tenable Certified Nessus User – TSNU – 2015
ISO27001 ISMS Consultant Course – 2014
ISO27001 Lead Auditor Course – 2014
Cyber Ark – Privilege Account Security Administrator – 2014
PRINCE2 Foundation – APMG – 2014
Education
Royal Holloway University of London
M.Sc. Information Security – 2014
University of Surrey
B.Sc. Human Bio-Sciences and Sports Science – 2011