
Chief Information Security Officer

Location:
Conway, AR
Posted:
December 07, 2020


Resume:

IVANA COJBASIC

**** ******** *****, ******, ********, USA

*****.********@*****.***

501-***-****


SUMMARY

Technology and Security leader with an extensive and varied background in complex environments, utilizing leadership skills, and emerging technology. Focused leader skilled in building consensus, producing results, and streamlining operations. Career characterized by leading and managing Information Security with strong emphasis in all aspects of IT Security, Compliance, Internal Audit, Project Management, Operations, Process Improvement, Automation, and Cloud Security. Skills include:

Corporate Governance
Application Security
Disaster Recovery
Vulnerability Management
Penetration Testing (Application and Network)
Process Engineering
Red Team Operations
Contingency Planning
7x24x365 Security Operations
Access Management
Vendor Management & Integration
Six Sigma Green Belt
Risk Management
PMO/Program Management
Disaster Recovery
Data Encryption
Program Management
Enterprise Security/Risk Reporting

PROFESSIONAL EXPERIENCE

REGIONS BANK 2018-Present

Hoover, AL, USA

SVP of Security Architecture

Direct leadership, governance and support for Regions Bank and its subsidiaries, resources, and data. Responsible for developing, defining, and implementing information security programs to safeguard the confidentiality, availability, and integrity of systems, applications, and sensitive data for the company. Position accountabilities include governance, risk and compliance, security architecture, outreach and awareness, application security, incident response, threat intelligence, vulnerability management, penetration testing, red team operations, and access management.

Conducting security control design reviews for information systems based on inherent risk factors, informing the level and degree of risk.

Determining and recommending adequate security design by evaluating functional requirements; concept of operations; researching information security standards; conducting system security and vulnerability analyses and risk assessments; studying architecture/platform and identifying integration issues.

Designing and educating IT colleagues on required security architecture in line with CIT standards, industry best practice and regulatory guidance.

Evaluating emerging technologies against standards and defining security solutions to mitigate risk. Reviewing and approving secure configuration baselines.

Maintaining security by monitoring and ensuring compliance to standards, policies, and procedures; evaluating deviations, evaluating mitigating controls and recommending solutions or alternate controls to further reduce risk.

Proactively recommend security improvements by monitoring the security environment; identifying security gaps; evaluating and implementing enhancements.

Assists with responses to third party security assessments as necessary and responses to Information Risk/Internal Audit examination of controls.

Updates job knowledge by tracking and understanding emerging security practices and standards; participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations.

Enhances department and organization reputation by accepting ownership for accomplishing new and different requests; exploring opportunities to add value to job accomplishments.

Technical experience across security domains including Access Management, Network Security, System Defense, Data Protection/Encryption, Application Security, Configuration Management, Change Management, etc. to identify security design gaps in new and existing architectures and recommend appropriate security control design for CIT systems both in-house and third party.

Plan, implement and assist in testing of security controls through Recorded Future, Contrast Security, Aquasec, Pindrop, Threatmetrix, and Transmit Security deployments.

Collaborate with Enterprise Architecture in evaluating enhancements and new initiatives.

Collaborate with 2nd line Information Risk colleagues to ensure 1st line SOPs and Security standards are aligned.

Ability to assess system design at a detailed level to identify information security risks and make recommendations to ensure confidentiality, integrity and availability of the system.

Determine and communicate security requirements for IT systems such as network, application, OS and data by evaluating business strategies and requirements, understanding the threat landscape, evaluating emerging technology, keeping awareness of industry standard and regulatory requirement, and conducting risk assessments.

Plan and design enterprise security architecture covering the protect, detect and respond aspects of information security objectives using a collaborative combination of enterprise, open source (Mulesoft, Canary, etc.), and cloud security technologies.

Develop and recommend security design frameworks and guidelines to help IT teams to build and ensure security throughout the system lifecycle.

Identify security design gaps in existing or newly proposed system and recommend changes or enhancements.

FIS GLOBAL 2014-2018

Little Rock, AR, USA

SVP/Deputy Chief Information Security Officer

Direct leadership, governance and support for FIS Global Inc. and its subsidiaries, resources, and data. Responsible for developing, defining, and implementing information security programs to safeguard the confidentiality, availability, and integrity of systems, applications, and sensitive data for the company. Position accountabilities include governance, risk and compliance, security architecture, outreach and awareness, application security, incident response, threat intelligence, vulnerability management, penetration testing, red team operations, access management, third party risk management, business continuity and disaster recovery.

Provides analysis, definition, and implementation of technology and policy architecture.

Champions awareness, influencing compliance with security policies, and providing solutions for business-specific security issues.

Oversees day-to-day application security, access management, encryption, vulnerability management, and security architecture.

Establishes information security regulatory compliance programs (SOX, GLBA, FBA, etc.).

Establishes information security policies and procedures consistent with business goals and regulatory requirements, such as set forth by the FBA, NIST, and relevant state regulators.

Ensures training for the entire company on current information security topics, including annual and microburst training.

Ensures regular audits and applicable assertions or certifications are obtained as required including FBA and client audits.

Ensures that the company is compliant with all information security related requirements and meets contemporary applicable best practices.

Provides technical leadership to the IT department and other relevant parties as it relates to information security, both internal and outside entity facing systems.

Creates and leads ad-hoc security teams and/or directly reporting technical security to administer and monitor computer and network equipment logs, intrusion prevention, anti-malware, and other data loss prevention systems.

Ensures oversight of the IT department, with an emphasis on information integrity, information security architecture, threat management and security incident handling, including the coordination of investigations, and in alignment with business needs and regulatory requirements, reporting of security incidents.

Participates in threat and vulnerability information sharing organizations to foster awareness and communication of evolving security threats and risks.

Performs risk-based due diligence on third parties before contracts are signed, including review of their background, reputation, financial condition, stability, and security controls.

Create change management gate report to assist development managers in self-generated reports and the subsequent submission to the same Change Management before moving the code to production.

Conduct secure code and false positive reviews for various lines of business received from EPMO, STT, Client, and ad hoc requests.

Assumed responsibility for the corporate encryption program and enhanced the associated review and reporting process.

Introduced new REST and SOAP Web Services security standards.

Automate user provisioning, project version access, migration utility, report generation, email notifications, and scoring sheet.

Developed and successfully tested an in-house solution for threat modeling and followed up with the identification of architecture-level security issues along with suitable security recommendations.

Streamline the security exception approval/rejection process by reviewing all supporting artifacts to provide quicker but thorough decisions.

Develop articulate training materials for OWASP, SANS and PCI-DSS, Threat Modeling, and Fortify Rollout for new teams.

Create a dashboard to generate critical metrics to help identify the gaps in asset inventories, and Weekly Information Security Governance Metrics.

Conduct Manual Secure Code Reviews for public internet facing products and closed all action items opened by Internal Auditors.

Identify legacy applications of recent corporate acquisitions for testing.

Establish global CISO PMO to provide centralized coordination and management of all information security projects to ensure proper visibility, oversight, and alignment with organizational goals.

Implement temporary access reviews on behalf of Lines of Business to remediate client contractual concerns and failures.

Perform 900 Application and Network penetration tests leveraging internal team and third-party vendor.

Scan over 1.5MM IPs monthly and 5k IPs weekly as part of the vulnerability management program.

Implement vulnerability management dashboard based on risk scoring to properly prioritize remediation timeframes for various Lines of Business.

Provide guidance and hands-on support for Lines of Business (including lines with card-based MC/VISA transactions) with HSM configuration management, firmware upgrades, smart card generation and remote support capabilities.

Perform analysis and implement controls inclusive of 3rd party solutions in the access review process.

Created and implemented processes to validate the removal of expired access and drove integration of a separate process for permanent whitelisting.

Built partnerships and worked exclusively to achieve shared objectives inside and outside IT and Lines of Business.

Business Intelligence, learning spaces expansion, mobility strategy, IT security improvements, desktop support service, enterprise imaging, and service management adoption.

Balanced Scorecard initiative clarified vision for employees and provided linked SMART goals, all of which were key drivers for improved employee satisfaction.

Partner with Procurement to deliver a 71% reduction in supplier contracting risk.

Architected and delivered a refresh of the Data Theft Prevention program, resulting in a 50% reduction in high-risk.

Develop IT Security Governance structure to reduce risks in business processes, enhance information security, and comply with regulatory requirements.

Director of Network Security 2013-2014

Direct responsibility for the centralized data processing environment for internal systems and for the oversight of vendor-hosted systems that contain company data. Responsible for service delivery requirements that match ITIL best practice and contractual service agreements. The overall environment must be run in accordance with all regulatory requirements and business guidelines. Provided technical leadership from an IT operations perspective and served as a member of the IT Management Team. Directed Security Engineering with oversight of the security perimeter architecture and design, third party extranet connectivity design, network segmentation, and Intrusion Detection/Protection System evolution. Responsible for Security Assessment of critical infrastructure, for which the assessment function included penetration and application testing as well as verification of remediation of findings. Developed strategies for securing assets, customer services delivery, and regulatory/audit compliance for approval by senior executives, Lines of Business, and customers.

Brought on board to oversee asset and capacity management, audit and compliance, change management, DNS, DHCP, IPAM (IP Access Management), systems monitoring and automation, process improvement, and vulnerability and patch management.

Created IT KPI and CAPEX performance and metrics reporting portal to streamline processes.

Resourcefully centralized IP allocation, external DNS and internal DHCP services, domain registration, and network discovery to provide high availability services while securing FIS network perimeters.

Assessed infrastructure and defined processes to ensure strict compliance with GNVS, FIS, and external policies and standards encompassing SSAE16, PCI, FFIEC, and ISO27001.

Installed, analyzed, managed and optimized Local Area Network performance for various networking protocols, routing technology and network topologies, including TCP/IP, VLANs, Internet (HTTP, HTTPS, FTP, TELNET, SMTP), various gateways and routing protocols, and smart switches.

Supervised the processing and distribution of record message traffic while utilizing DMS, NAVMACS, DPVS, JWICS, BF EMAIL, BGIXS, CENTRIXS, News Stand and News Dealer.

ACXIOM CORPORATION 2005-2013

Conway, AR, USA

Sr. Manager – Network Security Architecture and Engineering

Direct leadership, governance, and support of Acxiom Corporation globally, with over 6500 associates worldwide. Responsible for directing Information Security system or technology design, program development, quality control and quality assurance testing, implementation, maintenance, and support. Responsible for leading Security Architecture, Engineering, Security Operations, IAM, Incident Response, Forensics, Security Governance, Risk, and Compliance. Led and directed large, complex projects across the organization. Worked closely with executives within the business units to monitor compliance and develop a strategy for future technologies and programs to enable the business to operate securely. Fostered communication with various Business and Technology Units within the company. Collaborated with Enterprise Risk Management on all security risks, internal & external audits, and pen-tests. Provided assurance for the appropriate level of confidentiality, availability, and integrity of systems, applications, and sensitive data for the company.

Supervised all Information Security and network personnel including coaching, mentoring, training, and corrective action.

Improved overall Associate Engagement score by 13% to include double digit improvements in Strategy & Leadership, Manager Quality Index (MQI), and Growth and Development.

Responsible for rapidly growing $5.5M service portfolio.

Managed team of senior security investigators to hunt threats using advanced threat intelligence, security telemetry, and advanced analytics.

Fine-tuned network and security solution to bolster delivery by 70% while slashing unresolved tickets by 85%.

Curated hot threats to rapidly respond and monitor for IOCs gleaned from emerging attacks, conceptual attacks, and urgent vulnerabilities such as Heartbleed and Shellshock.

Led the organization to obtain PCI certification and SOX compliance.

Established a more mature, repeatable, and reproducible Vulnerability Management Program.

Grew the IS organization in policy, process, operations, and people.

Expanded Defense in Depth controls to create a proactive, mature security posture and security organization.

Evaluated and implemented technical and business practice changes that improved computing system security productivity and quality, reduced flow time, and enhanced operational surety.

Worked with business partners in a way that demonstrated excellent understanding of their needs and engendered a high degree of confidence that the desired result will be achieved.

Ensured released technologies and products had all prerequisite controls to meet with business and regulatory requirements.

Provided security representation at industry meetings, government interactions, and all internal meetings.

Interacted with all levels within and outside of the organization. Treated all internal and external customers with diplomacy, patience, and courtesy.

Communicated, explained, or defended complex information security or technology ideas and information clearly and adapted to the audiences’ level of knowledge.

PROFESSIONAL DEVELOPMENT

CISSP Training
Six Sigma Green/Black Belt Academy
CRISC Certified
FFIEC MRA Remediation Success
GSLC Certified
Conflict Management
Leadership Development Challenge
Leadership / Management Development Program
Total Quality Management
Computer Forensics and Security Risk Course
Upward Communication
Constructive Feedback
Facilitative Leadership
Influencing for Impact
Performance Management Methodologies
Developing and Implementing Policies & Standards
Multiple Industry Compliance Excellence Courses

EDUCATION

Master of Arts

English – Arkansas Technical University – 2005 (GPA 4.0)

Bachelor of Arts

English – Arkansas Technical University – 2003 (GPA 4.0)

Bachelor of Arts

English, Italian, German – University of Belgrade, Serbia – 2002
