Robert Parham, MBA, CISSP, HITRUST
Forward-thinking Information Security Leader who introduces cutting-edge solutions and strategies to mitigate risk and data breaches that undercut organizational integrity. Leverages subject matter expertise in governance, risk management and compliance within Financial Services and Healthcare settings, 20-year Air Force career and a passion for continuous learning to deliver information security to the full satisfaction of all stakeholders. Interfaces and collaborates comfortably with all levels of the organization, clients and third-parties, easily communicating the most technical and complex information clearly and concisely. Demonstrated success in…
Information Security Governance: Developed enterprise-wide information security governance program for Horizon Blue Cross Blue Shield of New Jersey. Introduced foundation security control framework that ensured regulatory and contractual compliance. Established capability to identify security vulnerabilities, develop corrective action plans and trend analysis metrics that facilitate continuous improvement of the security program.
Security Risk Management: Reduced information security risk across TD Waterhouse organization by developing information risk methodology and approach that was aligned to both the culture and business strategy of the organization.
Network Security: Built the first security operations capability for Headquarters Air Force Personnel Center (HQ AFPC) that aligned with the Air Force Computer Emergency Response Team (AFCERT). Mitigated security risk of unauthorized access and/or data modification to vital personal information stored on HQ AFPC database that was tied to all active duty and retired USAF personnel.
Security Consulting: Developed, conducted, and communicated sustainable and repeatable managerial and operational processes for Marlabs Inc. Cyber Security Management Practice; aligning cyber security processes to business strategy supporting Financial, Healthcare, Retail, and Educational industries.
Competencies that Drive Tangible Business Outcomes
Business Process Management
Security Governance, Risk and Compliance
Security Operations Center Functions
Information Security Policy Development
Digital Forensic Investigation Processes
Operational and Process Security Metrics
Capability Maturity Model Development
Identity Access Management Process Design
Security Incident Management and Response
Network Security Profiling
Cyber Security Awareness Training & Education
Cross-functional Team Development, Leadership and Mentoring
NIST, PCI DSS, COBIT, ISO 27001, HITRUST
Attribute Chain: Passionate. Pragmatic. Trustworthy. Empathetic. Inquisitive. Disciplined. Organized.
A Career of Delivering Cyber Security Solutions for Operational Integrity
Chubb & Son, Warren NJ
Information Security and Compliance
VICE PRESIDENT, INFORMATION SECURITY AND RISK MANAGEMENT 2014 – 2016
Responsible for Enterprise Identity Access Management, Security Risk Management, and Security Operations and Threat Intelligence functions. Established the delivery and support policies and procedures required to maintain daily operations and adherence to regulatory obligations. Managing a staff of 20 cyber security professionals; overseeing the deployment and maturation of various Enterprise cyber security tools and processes.
Developed formal Security Risk Management function and implemented security risk assessment process workflow in accordance with the National Institute of Standards and Technology (NIST) Cyber Security Framework, to include capability maturity dashboard, Key Performance Indicators, and risk acceptance letter.
Instituted Security Awareness Training and Education Program consisting of web-based learning modules, customized presentations, and informational security blogs, to include live “As the Expert” sessions for the employee workforce.
Defined Security Operations Center functional roles and activities and developed Security Information and Event Management (SIEM) use cases, Cyber Security playbook, and security incident handling checklist.
Developed strategy and managed day-to-day Security Operations for Enterprise Identity Access Management, Security Risk Management, and Security Operations and Threat Intelligence across the Enterprise; coordinating security processes with business unit functional managers across key organizational Lines of Business.
Marlabs Inc., Piscataway, NJ
Cyber Security Management Practice
DIRECTOR, CYBER SECURITY CONSULTING PRACTICE 2011 – 2014
Spearheaded the business development of the organization’s first Cyber Security Management Practice. Established the security service portfolio, staffed critical resources, and directed the creation of necessary processes and procedures required for sustaining both the professional and managed security service delivery for a client base across Healthcare, Financial, Retail, Media, and Educational industry verticals. Managed day-to-day activities.
Developed and implemented Information Security Risk Assessment and gap analysis process procedures and orchestrated the organization’s attainment of Health Information Trust Alliance (HITRUST) Common Security Framework Certified Assessor status.
Payment Card Industry Data Security Standard: Established PCI DSS 2.0 and 3.0 assessment process to prepare clients for formal PCI DSS certification.
Established Network Vulnerability Assessment (NVA), penetration testing, and security policy development & review services, ensuring that formal, sustainable, repeatable methodologies and processes are used for each client engagement.
Established, coordinated, and maintained the vendor partnerships required to facilitate an operationally proficient Security Operations Center (SOC) and Incident Management & Response Managed Security Service offering.
Established service pricing models for each of the six cyber security management service offerings.
Ensured that a staff of 12 security professionals received appropriate mentorship, training, and professional security growth progression.
Often represented the Cyber Security Management Practice at formal speaking engagements, to include New Jersey Technology Council (NJTC), Secure Computing Magazine, NIKSUN World Security Consortium, HITRUST 2013, and Financial Technology Forum 2014.
Horizon Blue Cross Blue Shield of New Jersey, Newark, NJ
The only licensed Blue Cross Blue Shield plan in New Jersey, providing coverage to 3.2 million people
DIRECTOR, INFORMATION SECURITY GOVERNANCE 2007 – 2011
Chosen for newly created position to provide consultative information security guidance to managers of core business processes across the organization. Oversaw security policy development, review and communication. Liaised among business units, information technology and internal audit regarding information security regulatory compliance issues and corrective action plan identification and tracking. Member of enterprise compliance coordinator team.
Instituted company’s first information security common security framework and information security governance risk compliance tool.
Developed and directed web-based security awareness training and education program for 5,000+ workforce.
Established data protection program to enhance protection of electronic protected health information.
Created and enacted information security risk management and risk analysis program and conducted 32 vendor security risk assessments as part of data protection program.
Performed PCI DSS gap analysis; reviewed policy, procedures, and systems in accordance with standards set forth in PCI Data Security Standard Version 2.0, covering 6 control areas and 12 key control groups.
Implemented HITRUST Common Security Framework compliant policy and standards.
Recommended, developed and governed organization’s Identity Access Management Program; reduced risk of “Segregation of Duty Access” and “User Role Entitlement” conflicts within seven core business applications. Process design included: (1) Governance, (2) Identity Management, (3) Access Management, (4) User Role Management, (5) Resources, and (6) Services.
TD Ameritrade/TD Waterhouse, Jersey City, NJ
US-based online broker with more than six million customers
MANAGER, SYSTEM ACCESS CONTROL AND FORENSIC SECURITY 2006 – 2007
SENIOR MANAGER, TECHNICAL RISK AND INFORMATION SECURITY 2004 – 2006
During a period of significant reorganization leading up to and following Ameritrade’s acquisition of TD Waterhouse, integrally involved in identifying risk, threats and vulnerabilities to network infrastructure, forensic security and system & user access control. Guided teams of up to eight security experts and administrators. Provided forensic support for Internet abuse, compliance violations, malicious activity and intellectual property theft.
Appointed to cross-functional client asset protection and client information incident response teams that provided detailed incident data to the chief executive’s general counsel office.
Enhanced forensics acquisition and analysis capabilities through creation of forensic investigation life cycle process, training and hardware/software solutions.
Drafted, implemented and coordinated security access control plan, enforced data classification policies, entitlement review processes and fulfillment service-level agreements.
Created organizational incident response and forensic security program to respond to fraudulent client activity.
Developed organization process for incident detection, triage and emergency response.
Established and integrated technical risk assessment processes into the system development life cycle for more than 45 projects valued from $100K to $1M.
Planned, designed, developed and implemented information security requirements in accordance with International Standards Organization 27002:2005.
Gathered and presented proof of audit control items for SOX 404 and annual external and internal audit programs.
Virtual Corporation, Inc., Budd Lake, NJ
Technology and management consulting firm specializing in business continuity, contingency planning, disaster recovery and technology staffing
MANAGER, BUSINESS CONTINUITY SERVICE 2004
Brought in on short-term engagement to develop curriculum for business continuity process assessment training class and conduct two-day workshops that produced 15 certified business continuity assessors. Drafted strategic plan for business continuity center and provided direction for newly established service department.
Associated Press, New York, NY
Global news network
MANAGER, ENTERPRISE INFORMATION SECURITY 2002 – 2003
Raised awareness, enhanced security posture and provided guidance for information security strategy and policy for 242 locations and 3,500 remote users worldwide. Established 18-member cross-functional information security forum, instituted VPS access controls and designed training manual for VP users and administrators.
Developed the security metrics process in accordance with National Institute of Standards and Technology (NIST) guidelines.
AimNet Solutions, Inc., Norwalk, CT
Technology services company offering network professional and managed services
DIRECTOR SERVICE DEVELOPMENT, SECURITY 2001 – 2002
Came in as subject matter expert on intrusion detection system design and implementation. Advised chief technology officer on information security service offerings. Drafted ISO 27001/27002, GLB and HIPAA compliant general organizational information security policy and conducted security assessments for healthcare and financial services clients.
Bear Stearns, New York, NY
Global investment bank and securities trading and brokerage firm
ASSOCIATE DIRECTOR, NETWORK SECURITY 2000 – 2001
Oversaw security testing and evaluation that resulted in the selection and subsequent deployment of company’s first-ever network intrusion monitoring device. Developed and instituted administrative security processes and procedures that reduced the number of known vulnerabilities by 27%.
US Air Force
CHIEF OF NETWORK SECURITY, NETWORK PLANS AND SECURITY BRANCH 1995 – 2000
RETIRED MASTER SERGEANT 1980 – 2000
Led staff of 10 in implementation of cutting-edge automated network security tools, providing the Air Force Personnel Center with intrusion detection capability for 3,500-computer node, 200-server infrastructure valued at $2M+. Developed continuous risk management process and provided repeatable methodology for identifying and reducing information security risk within the network infrastructure to an acceptable level.
Dedicated to Continuous Education
MBA, Computer Resources and Information Systems, Webster University, 1998
BS, Administration of Technical Services and Information Management, Bellevue University, 1995
Certified Information System Security Manager (CISM), 2012
Certified Health Information Trust Alliance Common Security Framework Assessor (HITRUST CSF), 2011
Certification, Excellence in Corporate Governance, Tulane University Law School, 2006
Certification, Computer Security Incident Response Team Manager, Carnegie Mellon University, 2005
Certificate of Information Risk Management, MIS Training Institute, 2002
Certified Information System Security Professional (CISSP), since 1999
Commitment to Continuous Professional Development
Open Web Application Security Association
Anti-Phishing Work Group
ISACA, New York Chapter
Carnegie Mellon, Software Engineering Institute Program
Institute for Applied Network Security
International Security Computer Consortium (ISC2)
National Association of Black MBAs