
Security Management

Location:
Spring Branch, TX, 78070
Posted:
February 23, 2014


Resume:

MARK A. LITTLEJOHN

**** ********** *****, ****** ******, TX 78070

accs6k@r.postjobfree.com 832-***-****

CHIEF INFORMATION SECURITY OFFICER – SECURITY & COMPLIANCE EXECUTIVE

Strategic and proactive Senior Security and Compliance Executive specializing in balancing business needs with the risks and costs of controls. More than 20 years’ experience in information security strategies and tactical planning in technically demanding environments. Acts as a change agent, with a history of building and enforcing comprehensive security and compliance programs that not only exceed business needs, but have been externally recognized as best-in-class. Leverages strategic relationships and influence of colleagues to define, implement and enforce standards development, security risk management, monitoring, and performance reporting. International certifications from ISACA and ISC2.

Corporate Compliance | Risk Assessment | Controls Implementation | Business Continuity | Crisis Management | Personnel Security

Change Management | Incident Response | Physical Security | Forensic Investigations | Project Management | IT Infrastructure & Design

PROFESSIONAL EXPERIENCE

Tesoro Petroleum – San Antonio, Texas 2011 – Present

Fortune 100 company and one of the largest independent petroleum producers, with over 2,250 operating locations in 18 states

DIRECTOR OF CYBERSECURITY

Established and manage this Fortune 100 company's first ever cybersecurity program. Direct staff of 19 and administer annual budget of $4.2M to implement policies, configuration standards, awareness training, and routine assessments for all operating units, including financial services, refining, logistics, and retail. Responsible for the security assurance of both traditional Information Technology (IT) and Operational Technology (OT), which includes DCS for process control, SCADA for pipelines, and PLCs for terminals. Coordinate all security compliance efforts for PCI, SOX, CFATS, internal audit, third-party service providers, and state and federal regulators.

- Launched security program and transformed organization from virtually zero security controls to industry standard for IT & OT. Implemented comprehensive security program covering all areas of ISO 27001 / 27002 including network firewalls, antivirus, intrusion detection systems, secure proxies, email gateways, device encryption, identity management, mobile device control, and patching utilities.

Invited to meet with ranking members of the U.S. Congressional Committee on Homeland Security, and to participate in the President’s initiative to develop a Cybersecurity Framework for the nation’s critical infrastructure. Participated in the energy sector’s committee meetings to define and identify the country’s critical infrastructure assets, and worked with NIST to draft a comprehensive security framework for critical Operational Technology.

- Formalized and chaired the corporate Cybersecurity Committee consisting of senior executives from all branches of the organization. Fostered support, approval, and awareness of security initiatives and accomplishments through coordination with committee members.

Originated an enterprise Security Risk Management Framework used to evaluate and report cybersecurity issues to senior executives and the Board of Directors. Worked with the corporate risk committee members to develop a security dashboard that matched other high risk issues reviewed by the committee on a monthly basis.

Implemented Threat & Vulnerability Management utilities along with Intrusion Detection and Prevention capabilities and used the output of these efforts to continuously update the risk management dashboard. Additionally utilized a Managed Security Service Provider (MSSP) to monitor all system security logs 24x7 and alert the CSIRT of suspicious activities.

- Created a Corporate Security Incident Response Team (CSIRT), including alerting, containment, investigation, and reporting procedures. Worked with business units to ensure roles and responsibilities were fully understood and all groups were prepared to act.

Prevented approximately $120M in lost revenue by identifying and containing incidents before significant downtime occurred.

Stewart Title Guaranty Company – Houston, Texas 2000 – 2011

The third-largest title insurance company worldwide, with more than 8,500 issuing offices in 8 countries

CHIEF SECURITY OFFICER (CSO)

Designed, implemented, and enforced corporate compliance and information security programs for a global WAN connecting 4 continents and 10K+ employees. Built regulatory compliance program from the ground up, including secure transmission policies, data loss prevention controls, mobile device management, breach notification, employee training, and third-party confidentiality and security requirements. Managed staff of 16 and administered annual budget of $2.5M. Successfully maintained zero major virus outbreaks or security breaches for a 9-year period.

- Formulated comprehensive IT Compliance program based on exhaustive research of state and international regulations as well as GLBA, SOX, FCRA, CSA, HIPAA, FACTA, and PCI.

Requested to create a set of IT Security and Privacy Guidelines, published by American Land Title Association as industry standards. Selected as 1 of 4 finalists for ISE’s Information Security Executive of the Year in 2009.

Eliminated major IT audit issues for SOX, State Insurance, internal audits, and vendor assessments by major banks including Wells Fargo, Bank of America, and JP Morgan Chase.

- Orchestrated 2-year initiative to improve application security organization-wide, after uncovering vulnerabilities caused by poor development practices. Collaborated directly with development teams to create Application Security Standards, as well as Application Security Checklist (ASC) to be used in daily work.

Secured customer data and significantly improved system uptime. Implemented free and low cost utilities that enabled team to independently conduct penetration testing and code evaluation for applications.

- Established a world class Cyber Investigation Unit with unique forensic and reverse engineering capabilities. Developed all data collection and chain of custody reporting procedures and trained and certified internal staff on process and tools.

Avoided costs associated with third-party firm and saved $250K annually by leveraging internal resources.

KPMG, LLP – Houston, Texas 1998 – 2000

US audit, tax, and advisory services firm with 87 offices and 23K+ employees nationwide

SENIOR MANAGER

Directed Information Risk Management practice for the Houston area. Conducted compliance audits, risk assessments, penetration testing, and security consulting for clients. Engaged in SAS 70 reviews for large financial customers and conducted one of the first ever WebTrust certifications on a banking application.

- Generated $900K in annual revenue through a variety of IT security consulting projects. Managed full project lifecycle from needs assessment through design, implementation, and support.

- Selected to create Security Consulting Practice for the Houston Office whose success propelled team to national presence. Recruited and trained team, who performed engagements for industry leaders including Apple, HP, EDS, Chase, Wachovia, USAA, and Target.

Enron Energy Services – Houston, Texas 1996 – 1998

Formerly a leading American electricity, natural gas, and communications company

CORPORATE SECURITY MANAGER

Coordinated all programs for IT security, disaster recovery, and Y2K preparedness. Created and implemented Security Standards for Lotus Notes email and databases.

- Implemented Automated User Provisioning System, which eliminated need to hire additional full time employees and associated costs.

MILITARY EXPERIENCE

United States Air Force – Hahn Air Base, Germany

INFORMATION SYSTEMS SECURITY OFFICER (ISSO)

Appointed to manage all data at a NATO intelligence-gathering center. Achieved Top Secret system certifications from the DIA by implementing and enforcing procedures and testing. Partnered in design of a B3 multi-level processing system with security engineers from Ford Aerospace and Hughes Aircraft. Trained by the NSA on all aspects of INFOSEC and maintained a Top Secret/SCI (TS/SCI) security clearance.

EDUCATION & CERTIFICATIONS

BS – Computer Studies – University of Maryland – College Park, Maryland

CISSP Certification – International Information Systems Security Certification Consortium ((ISC)²)

CISA/CISM Certification – Information Systems Audit & Control Association

ITIL v3 Certification – Loyalist Certification Services International

Yellow Belt Certification – Lean Six Sigma (6sigma.us)
