
Information Security Technology

Location:
Chicago, IL, 60614
Posted:
November 18, 2023


Resume:

JOHN KINNANE

CISSP / CCSP / CISM / CISA / CEH / CPA / CMA / CFE / MSCS / MBA

ad09wm@r.postjobfree.com

602-***-****

Vice President, Information Security (March 2021 – October 2023) Hilltop Securities, Inc. - Dallas, TX

Lead the development and operation of the Information Security Program at Hilltop Securities, a full-service investment bank ranked as the #1 municipal advisor in the nation based on volume of underwriting. Define and implement the firm’s information security strategy using the NIST Cybersecurity Framework to prioritize security initiatives that support greater business agility and a positive return on investment. Apply security control mappings from NIST 800-53r5 to protect information assets, improving the security posture of the enterprise. Voting member on the Information Technology Governance Board, a cross-departmental group whose charter is to maximize the enterprise value of information technology investments and approve new IT vendors. Oversee the design and approval of secure architecture models for cloud-native (Azure, AWS) and on-premise initiatives. Ensure that proprietary systems, confidential data stores and runtime environments incorporate layered defenses to withstand cyber-attacks and remain resilient in delivering organization-essential functions. Improve the firm’s vulnerability management program to more accurately measure IT asset risk exposures, define risk treatment plans and consistently achieve mean time to resolution targets. Direct external penetration tests to assess the effectiveness of network and application security controls in protecting confidential data and driving timely remediation of identified issues. Audit and apply governance procedures to an Intelligent Identity & Access Management platform that supports a seamless enterprise growth strategy. Guide the firm’s DevSecOps program to build a security-focused software development life cycle (SDLC) for proprietary business applications, web services and Robotic Process Automation (RPA). This program incorporates tenets from the OWASP Top 10 and CWE/SANS Top 25 to produce more secure code and accelerate the velocity of software enhancements that support business objectives.

Hands-on skills in the management of Continuous Integration/Delivery (CI/CD), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA). Implement Center for Internet Security (CIS) benchmarks for Windows and Azure infrastructure to improve cyber-defense capabilities. Managed the firm’s Security Operations Center for 24/7/365 protection against malicious activities and employed an advanced Data Loss Prevention (DLP) program to minimize unauthorized data flows. Adopted an industry-leading AI-driven extended detection and response (XDR) solution that enables more rapid response to security threats across endpoint, network and cloud environments. Supervised implementation of AI-based Security Orchestration, Automation and Response (SOAR) solutions that learn pattern behaviors and connect security tools in accelerating response time to containment of security incidents. Responsible for execution and improvement of the firm’s Governance, Risk & Compliance program and resolution of internal/external audit inquiries. Attain full compliance with SEC, FINRA, Sarbanes-Oxley, SOC 1 and SOC 2 requirements.

Managing Director, Enterprise Application and Data Protection (July 2018 – March 2021) The Charles Schwab Corporation - Westlake, TX

Led First Line of Defense operations to protect an IT portfolio of 1,000+ business applications that managed $3 trillion of financial assets and confidential data for 10 million global clients. Coordinated projects with application and IT infrastructure teams to design secure system architectures. Applied the SABSA framework to ensure that new/modified applications met all business requirements and that security services protected critical resources. These blueprints were applied to develop resilient cloud-native, mobile, web, microservice and machine learning systems. Employed threat modeling exercises to reduce risk exposure by mitigating vulnerabilities in application attack surfaces. Implemented automated testing solutions in DevSecOps CI/CD pipelines to enforce security checkpoints and accelerate vulnerability remediation. These practices raised the maturity level of the company’s SDLC, achieving more rapid deployment of secure applications and services with reduced attack surfaces.

Expanded a Security Champions program that delivered advanced training in secure cloud service design principles to technical team leaders. Authored and promoted API security standards for REST and SOAP services to accelerate cloud-based app modernization initiatives. These were key elements of the organization's Cloud Knowledge Center program to drive cloud-enabled IT transformation across the enterprise in a secure and cost-effective manner. Recipient of Key Contributor award in 2019 and 2020 for accomplishments in improving the security posture of the organization. Partnered with the firm’s Security Operations team to improve threat response capabilities by employing the MITRE ATT&CK framework and risk-based alerting models. Led a department of 12 FTE security architects/analysts and coordinated pen test engagements with 20+ remote contractors across diverse global geographic regions. Attained consistent compliance with FINRA, SEC, FRB, FFIEC, FDIC and OCC regulations through careful design and execution of IT controls that safeguarded the firm’s critical data and technologies. Leader on transition team to integrate Schwab and TD Ameritrade information security programs following Schwab’s October 2020 acquisition of TDA.

Information Security and Compliance Officer (June 2015 – July 2018) Best Western International, Inc. - Phoenix, AZ

Directed enterprise IT audit programs to protect the technology infrastructure and confidential customer data of a global franchising organization. Integrated COBIT, ISO 27002, and NIST 800-53 frameworks to build effective IT controls that enabled successful business initiatives in launching new brands and expanding international operations. Led cross-functional teams of 30+ staff in achieving compliance with PCI-DSS, Sarbanes-Oxley, and the EU General Data Protection Regulation (GDPR). Defined and enforced standards for federated identity management (OAuth, OpenID Connect, SAML) to securely share digital IDs with business partners and SaaS providers. Applied Center for Internet Security (CIS) hardening standards for Red Hat Linux, Windows Server, VMware, Oracle and Docker to improve data protection, system resiliency and uptime. Hands-on proficiency in Python, Java, .NET Core, JavaScript and NoSQL databases.

Designed fraud detection solutions utilizing Splunk User Behavior Analytics and Palo Alto Networks Next-Generation Security Platform. Performed cybersecurity-focused forensic investigations to acquire evidence in support of litigation activities. Coordinated penetration test exercises to assess the effectiveness of application and network security controls that protect critical data stores, and addressed the vulnerabilities identified in these exercises. These initiatives yielded measurable improvements in risk management as evidenced by increased Mean Time Between Security Incidents.

Adopted NIST 800-61 controls to rapidly detect, contain, eradicate, and recover from security issues across global retail operations. Spearheaded a Managed Security Services Program across 4,000+ franchise establishments with a centralized Security Operations Center to achieve 24x7 monitoring and response capabilities. Directed initiatives with IT infrastructure teams to design and build a more secure network architecture with intelligent segmentation controls across trust zones to control access to confidential data stores. Led the implementation of a cloud-based Business Continuity solution using Amazon Web Services (AWS) and a Disaster Recovery as a Service (DRaaS) provider to attain Recovery Time Objectives at lower annual operating costs.

Chaired the organization’s Risk Advisory Board, apprised executive leadership of emerging cyber security issues and recommendations to reduce risk exposure. Directed IT audits to validate the effectiveness of internal controls, identified control gaps and oversaw remediation activities. Re-architected Nessus Security Center to deliver more accurate and timely vulnerability assessments of critical system assets and guidance to achieve higher systems resilience. Authored and presented seminars on information security best practices to a worldwide audience at Best Western’s annual Global Convention. Received consistently high ratings from attendees on the clarity and relevance of seminar content in improving the security of their business operations and protection of customer data.

Director of Information Security (May 2014 – April 2015) Apriva, LLC - Scottsdale, AZ

Established an enterprise information security program to protect critical technology assets and customer data from cyber threats, improve business continuity plans, build a secure mobile payment gateway infrastructure and meet all regulatory requirements. Instructed application development teams on use of CERT Secure Coding practices to build more secure software (Android and iPhone mobile apps, .NET web services). Incorporated the Veracode platform to automate code reviews, detect critical security flaws and resolve issues in a more timely manner. Hardened RSA tokenization systems for higher dependability and integrated SafeNet Hardware Security Modules (HSMs) to protect cryptographic keys. These initiatives were vital to the enablement of point-to-point encryption (P2PE) capabilities and support for EMV chip-card readers that protected sensitive data in transit and at rest. Improved cyber defenses by engaging Dell/SecureWorks to launch 24x7 Security Operations Center (SOC) capabilities. The managed SOC achieved more accurate analysis of threats, faster detection of intrusions and more effective response against exploit attempts. Adopted the Qualys Cloud Platform to inspect on-premise and cloud-hosted IT assets for vulnerabilities and promptly remediate risks. Achieved compliance with industry security standards (PCI-DSS, SSAE 18 SOC2, ISAE 3402) and managed audits from external partners to verify effectiveness of IT controls across the company’s credit card processing environment.

Director of Application Security (November 2010 – May 2014) Choice Hotels International, Inc. - Phoenix, AZ

Spearheaded an application risk management program and implemented a Secure Software Development Lifecycle across the enterprise. Directed enterprise application and IT infrastructure teams in applying the SABSA security architecture framework to design resilient system architectures for critical business initiatives. Instructed the teams in applying the SANS Top 20 Security Controls for Effective Cyber Defense. Provided training in CERT Secure Coding Standards, OWASP Top 10 principles and CWE/SANS Top 25 Most Dangerous Software Errors. These strategies significantly lowered the number of application runtime vulnerabilities and achieved higher velocity in developing secure business applications.

Delivered security leadership to guide transformation of the company's legacy IT infrastructure to a Service Oriented Architecture (SOA). Defined and enforced enterprise standards for Single Sign-On (SSO) and Federated Identity via SAML v2.0. These initiatives helped achieve secure and rapid integration of B2B, B2C, and cloud-based SaaS projects, opening new channels of commerce and higher revenues. Achieved consistent compliance with PCI-DSS, Sarbanes-Oxley and EU Data Protection Directive regulations.

Senior Director, Internet Application Development (April 2001 – October 2010) Choice Hotels International, Inc. - Phoenix, AZ

Led transformation of the global franchising organization’s eCommerce platform from a basic transactional website to a highly sophisticated suite of secure web applications, web services, and mobile apps for Android and Apple iOS. Consistently delivered projects on time, on budget and with zero critical defects.

Introduced Agile-Scrum project management and integrated security requirements into the framework. This promoted a Secure-Agile development model that was emulated across the company. Incorporated recommendations from NIST 800-34 (Contingency Planning) to formulate and verify more effective disaster recovery and business continuity capabilities. Played a vital role in the organization’s attainment of Sarbanes-Oxley Section 404 compliance by adopting guidelines from COBIT and ITIL frameworks to achieve robust protection against fraud and misuse of financial records for 20+ million global loyalty program members. Improved information security governance by applying ISO 27002 to design IT controls that delivered greater reliability and efficiency to critical business processes. Attained cost-effective compliance with PCI-DSS and international privacy regulations such as the EU Data Protection Directive.

Responded effectively to mitigate revenue impacts of a large-scale Distributed DoS attack and promptly authored a business case advocating benefits of cloud-based DDoS and DNS protection. Secured funding for the project and implemented a comprehensive DDoS mitigation solution across the company's Internet application platform and DNS infrastructure. Directed a department of 3 Managers, 18 Software Architects/Engineers and 20+ contract staff (onsite and remote) to accelerate completion of critical IT projects. Received consistently high engagement scores via 360-degree team reviews. Responsible for a multi-million-dollar annual operating budget and negotiated favorable contract provisions with several major IT vendors and service providers.

EDUCATION / CREDENTIALS

Master of Science, Computer Science - DePaul University, Chicago IL

Master of Business Administration (MBA) - Indiana University, Bloomington IN

Bachelor of Science, Accounting, Marketing Management - California State Polytechnic University, Pomona

Certified Information Systems Security Professional (CISSP) - ID 337084

Certified Information Security Manager (CISM) - ID 1737513

Certified Information Systems Auditor (CISA) - ID 17137640

Certified Cloud Security Professional (CCSP) - ID 337084

Certified Ethical Hacker - ID ECC5743609182

Certified Fraud Examiner (CFE) - ID 666091

SANS GWAPT Web Application Penetration Tester - ID 1274999

Certified Public Accountant (CPA) - Illinois (ID 065021611), California (ID 77985), Arizona (ID 12873)

Certified Management Accountant (CMA) - ID 147448

Oracle/Sun Certified Enterprise Architect for Java Platform EE

Oracle/Sun Certified Developer for the Java Platform

ITILv3 Practitioner

EMC Data Science Associate (EMCDSA)
