Information Security Executive

Location:
Mississauga, ON, Canada
Posted:
April 30, 2021

Danny Sutantyo, CISM, PCIP, ISO*****

**** ********* **. ***********, ** L5N 7G7 adl2i6@r.postjobfree.com

Contact Number: 647-***-****

Information Security Management

Strategic, results-driven, and articulate leader with proven experience in Information Security & Compliance, protecting corporate and customer data and strengthening organizational brand and reputation. Revitalized Information Security to drive security culture and customer trust within the business functions. Inspiring and experienced thought leader with a proven ability to recruit, develop, and retain top talent. Exceptional levels of integrity, work ethic, and drive to achieve. Expertise in:

ISO 27000, COBIT, Cybersecurity/CSF, Privacy, ITIL, SOX, FedRAMP, SOC2, NIST, PCI, GDPR

Governance Risk & Compliance (GRC)

Security and Privacy by Design

Information Security and Compliance

Risk Management

Program Management

Cybersecurity

Vulnerability and Security Incident Management

Information Security Policies & Standards

Industry Thought Leadership and Activities

SiberX Board member

Speaker at 2011 SC Security Congress conference

Active participant of PCI SIG (Special Interest Group)

Nominated for Information Security Executive (ISE) award

Governing Body member for CISO Executive Summit

Security Technologies

Azure, AWS, Cloud Security, O365, Anti-malware, DDoS protection, WAF, SIEM, IDS/IPS, Anti-spam Services, MDM, Account Management, Multi-Factor Authentication (MFA), Single Sign On (SSO), Active Directory, DLP, CASB, Cloud providers.

Professional Experience

Sunwing Travel Group, Toronto, Canada Jan 2020 – Current

Head of Information Security

Established security strategy and framework to build security from the ground up.

Developed and implemented Information Security strategies and programs to deliver data protection, security, and PCI and Privacy compliance.

Implemented Identity and Access management, SIEM, Multifactor Authentication, Microsoft Advanced Threat Protection, Single Sign On, Vulnerability Management, Security awareness training, endpoint protection, asset management, risk management, server hardening standards, network security standards, and tokenization.

Introduced and implemented Information security policies throughout the organization.

Built Security Operations team to monitor, triage, and investigate security events and incidents.

Implemented monitoring for both security and infrastructure events.

Managed PCI Compliance initiative across the organization until certification was achieved.

Implemented compliance management program to achieve PCI certification and compliance with GDPR and Privacy regulations.

Implemented tokenization for cardholder and privacy data to reduce risk and increase data protection.

Partnered with Marketing team to implement security culture throughout the company.

Partnered with business units and leaders to introduce security and privacy as part of the business process to increase data protection.

Rubrik, Palo Alto, California Nov 2018 – Dec 2019

Head of Information Security and Compliance

Accountable for establishing core Information Security and compliance capabilities to increase security posture and customer trust within the organization. Built the right team and strategy to lay a strong Information Security foundation within the organization.

Developed and implemented Information Security strategies and tactics to provide robust data protection, security, monitoring, and customer trust.

Built Information Security capabilities roadmap in partnership with IT, business units, and cross-functional stakeholders.

Built Security operation team to monitor, triage, and investigate security events and incidents.

Spearheaded Information Security strategies, framework selection and policy development to build the security foundation.

Worked with product engineering teams to include regulatory requirements using Security by Design and Privacy by Design methodologies.

Implemented governance, risk and compliance management program to achieve ISO27001 and SOC2 certification and compliance with GDPR, PCI, and Privacy regulations.

Implemented Cloud and network security best practices to protect corporate and customer information.

Implemented risk assessment, penetration testing, vulnerability scans, and security monitoring to identify potential security weaknesses.

Managed ISO27001, SOC2, and PCI preparation, remediation, and certification.

Certified products and services against multiple certification and regulatory requirements to provide customer trust.

Managed RFPs and Risk assessment questionnaires for both customers and SaaS providers.

Implemented and managed GRC practice to scale security compliance programs.

Established Information Security committee to assess security matters and future strategies.

Developed, trained and mentored members of the Information Security team, growing their technical and professional capabilities and skill sets.

Transformed IT and Engineering teams to integrate Information Security as a business practice rather than an afterthought.

Spearheaded security transformation for entire organization to establish security foundation and embrace security culture.

Developed Common Control Framework and control matrix to manage compliance requirements more efficiently.

Managed multiple projects and implementations of controls throughout the organization to enhance GRC.

Implemented Information Security processes into Change Management, SDLC, and Architecture Review Board.

Implemented Vulnerability Management, Security Incident Response, DRP, BCP, and bug bounty programs.

Apttus, San Mateo, California May 2017 – Oct 2018

Head of Information Security & Compliance

Developed Information Security and compliance program that strengthened the business by building the right team and department to lay a strong Information Security foundation within the organization. Delivered Security and Compliance program to protect customer data.

Developed Information Security and Compliance programs and strategies for cloud services (SaaS and PaaS) to implement preventative, detective, and corrective controls.

Identified security gaps/needs on corporate systems, infrastructure, and applications.

Built security capabilities roadmap in partnership with IT and cross functional stakeholders.

Established GRC practice to scale and mature security compliance programs.

Built tactical and cross-functional teams to increase Information Security maturity.

Executed Information Security and Compliance strategies and managed all related security programs.

Conducted risk assessment, penetration testing, vulnerability scans, and security monitoring through threat intelligence.

Certified products and services against multiple certification and regulatory requirements to provide customer trust, using privacy by design and security by design methodologies.

Led and managed FedRAMP compliance requirements and remediation.

Managed ISO27001, SOC2, and PCI audit preparation and certification.

Led implementation of a governance, risk and compliance management program to achieve ISO27001 and SOC2 certification and compliance with GDPR, PCI, and Privacy regulations.

Developed Information Security strategies as a SaaS provider to provide a trusted and secure environment for customers.

Spearheaded certification of all products and services against SOC2, PCI, and ISO27001.

Developed compliance common control framework for cloud services and strategies to minimize the effort to become compliant against multiple requirements.

Developed and maintained security control frameworks/guidelines to increase security posture from preventative, detective, and corrective perspectives.

Modernized Change management, Information Security Awareness, Vulnerability Management, Incident Management, Network Security, Application Security, Security Incident Response, and Risk assessment.

Built security into the SDLC process so that security best practices and compliance requirements are applied as part of the process.

RSM US LLP, San Jose, California April 2016 – April 2017

Sr. Manager, Information Security & Privacy

Accountable for managing client engagements, relationships, and project delivery by providing the highest quality service to clients in Risk Advisory Services, including Information Security, PCI, and IT General Control services.

Managed overall Information Security and PCI engagements, budgets and projects to provide consulting services to clients, including remediation and strategy to assist clients (worldwide) in meeting ever-changing security threats and compliance requirements.

Managed client-vendor relationships to set expectations and goals and deliver projects successfully.

Performed SOC2 and PCI pre-audit to prepare for audits.

Managed and mentored staff members, managed budget, and prepared proposals for client RFPs and Statements of Work (SoW).

Developed information security and compliance governance program to manage and mitigate risk for the client.

Led and managed multi-disciplinary team to deliver Information Security, Cybersecurity and compliance projects, and developed recommendations to reduce overall risk for a Fortune 50 client.

Performed detailed Information Security technical risk assessments and audits to identify potential improvements to Information Security posture across people, process, and technology.

Provided Information Security recommendations for an Identity Theft Protection client to secure their critical customer information (SSN and Credit Card) from potential breaches.

Performed Information Security, PCI, cybersecurity, and privacy gap assessments, developed recommendations, and provided executive reports for senior management.

Provided Information Security best practices, architecture, and design for IT infrastructure and applications to increase the security posture of the organization.

LCBO, Toronto, Ontario Feb 2014 – April 2016

Head of PCI and Internal Control Compliance

Accountable for establishing, implementing, and managing PCI, IT General Control, governance, risk and compliance programs for retail & government environments. Provided direction and leadership in ongoing Information Security risk management and audit to reduce overall risk. Managed remediation strategies and activities to be cost-effective while meeting compliance requirements.

Managed overall PCI and Security Compliance programs for the organization to identify gaps and achieve PCI compliance against the new version of the standard.

Managed overall budget to increase productivity and efficiency and reduce cost.

Managed IT Security audits and other security-related audits and assessments.

Partnered with business units to drive the business process to be compliant and provide awareness of information security and PCI Compliance matters to all personnel.

Assessed IT and business units to identify risks/gaps (in both Privacy and Security) and provided recommendations to mitigate the risks.

Developed PCI and IT General Controls compliance strategy for compliance status and continuous improvement; presented current and future state to the executive committee (CIO, CFO, and SVP level).

Developed ecommerce security review processes and recommendations to secure the ecommerce applications as well as to protect privacy.

Developed governance process to identify any changes within the organization with PCI or security impact.

Assessed and remediated non-compliance issues and developed continuous improvement processes to sustain compliance.

Regularly provided the CFO and CIO with measurements of corporate security risks and an action plan to mitigate them.

Conducted detailed PCI and ITGC gap assessments and audits to manage overall risk, identify potential issues, and drive continuous improvement throughout the organization.

Developed, implemented, and managed security and controls framework for monitoring and managing information risk exposures.

Developed and deployed GRC practice within the organization to manage overall risks.

Performed Information Security assessment to improve PCI environment to meet PCI DSS.

Developed and introduced cybersecurity framework for the organization to develop cyber security practice.

Provided Information Security recommendations for IT Security to increase security posture.

Reviewed and implemented required security controls to protect sensitive and confidential information including network security, access controls, application security controls, and compensating controls.

Loblaw Companies Limited & PC Financial Services, Brampton, Ontario (2004 – 2013)

Head of Information Security and Compliance 2011 – Oct 2013

Accountable for establishing and executing information security, privacy, and risk management programs for retail, pharmacy, and bank environments. Provided leadership in security governance, strategy, risk management, solutions, and consulting to protect all critical information and systems by managing overall risk.

Instrumental in developing long-term and short-term Information Security, Governance, and Risk Management strategies aligned with corporate strategies.

Established continuous process improvement to increase the overall efficiency and effectiveness and reduce cost.

Managed Information Security operation/engineering on security incident response, threat & vulnerability management and security analysis.

Streamlined departmental security operations on a continual basis to improve business processes and reduce redundant personnel, lowering overhead costs by 20%.

Developed and implemented overall information security and risk management roadmap to align with business strategies, presented results to executive committees, and achieved goal successfully.

Developed, implemented, and enforced Information Security policies, standards and procedures in accordance with applicable regulatory compliance, legal, and business requirements.

Led strategic security planning with business leaders to achieve business goals by prioritizing security initiatives and coordinating the evaluation, deployment, and management of current and future security roadmaps.

Spearheaded strategic planning to mitigate and reduce inherent and emerging security risks within the organization.

Managed Information Security and risk advisory for all business initiatives (projects, architecture, design, and implementation), executed the risk management framework, and managed all regulatory and audit activities.

Implemented and integrated security best practices and processes across the board to ensure all systems are secure and compliant with Information Security policies, standards, and regulatory requirements.

Established end-to-end process for risk registry, exception, risk assessment, and change management.

Partnered with senior business leaders to develop and implement business risk remediation through technology controls, assessed effectiveness of the controls, and managed overall risk.

Developed meaningful metrics and translated them into a risk-based methodology for the business to manage business risk and to demonstrate the effectiveness of security controls to stakeholders.

Implemented secure SDLC process to build security and compliance requirements into applications and infrastructure.

Loblaw Companies Limited & PC Financial, Brampton, Ontario

Sr. Manager, Information Security and Compliance 2010 – 2011

Managed information security, governance, and risk department and all aspects of security and compliance within the organization. Managed business relationships with retail, pharmacy, and bank business units to manage risk through people, process, and technology.

Instrumental in developing and managing strategies and planning (risk, compliance, privacy, technology, architecture, and budget) for Information Security programs.

Successfully remediated audit and compliance issues from IT infrastructure to business applications across line of business units.

Led Enterprise Technology and Security Risk Management program to develop risk metrics and recommendations to reduce risk and increase efficiency for business units and senior management.

Developed action plans and recommended management action plans for senior management to mitigate risk and brought all systems into compliance with industry-standard requirements with zero data security breaches, avoiding potential fines and loss of revenues and customers.

Spearheaded strategy to integrate all compliance requirements into risk management monitoring process, managed all security gaps and worked together with business to reduce the risk.

Managed and implemented information security and compliance programs to address gaps and risks including PCI, privacy, ITIL, OSFI, and SOX. Developed sustainment strategy and a repeatable process.

Developed and implemented Information Security awareness training for all employees.

Designed, implemented and managed cybersecurity operations to proactively mitigate risk and continuously improve security maturity and posture.

Chaired Information Security committee to develop and review security strategy and review security policies.

Managed forensic investigations of privacy and security breach incidents, and remediated gaps and non-compliant systems, reducing overall risk to the organization.

Developed strategy to manage changes with security and privacy impact and maintain compliance with security standards and regulatory requirements.

Developed information security programs and strategies to improve organizational functions as they pertain to organizational growth and staffing needs.

Developed security, compliance, privacy strategies, policies and procedures governing corporate security, email and Internet usage, access control, system hardening, and incident response.

Implemented first-time Security Risk Management Framework; conducted enterprise-wide information security business risk impact analysis, risk assessments and third-party vendor security risk assessments.

Developed and implemented Information Security and privacy framework for monitoring and managing risk exposures resulting from data exchanges and activities with external parties.

Performed detailed PCI audit for the enterprise and developed end-to-end remediation strategies to meet the PCI compliance deadline. Managed remediation activities to meet deadlines and developed sustainability strategies.

Provided security expertise across the enterprise and related projects, initiatives, and strategic decisions to ensure proper security controls are in place.

Provided senior leadership and direction for Information security posture, operations, and the continued development and enhancement of the enterprise security strategy.

Loblaw Companies Limited & PC Financial, Brampton, Ontario

Lead, Information Security June 2004 – 2010

Led information security and compliance department to provide support and project management. Executed security reviews, risk analysis, disaster recovery plans, and security design and architecture reviews in all internal and 3rd-party environments. Led team of 6 full-time staff and consultants to successfully deliver multiple projects on time and on budget.

Established first-time security risk management methodology, security hardening standard, and vulnerability and patch management processes. Developed end-to-end process and prioritization to mitigate security gaps and vulnerabilities.

Successfully managed IPS, Firewall, DLP, SIEM technology deployment and integration into existing infrastructure.

Successfully mitigated multiple high-risk audit issues, reduced overall security risk, and sustained compliance.

Directed consultants in first-time IPS and application firewall technology implementation in a complex environment with no downtime.

Analyzed numerous projects to identify potential threats and vulnerabilities and proposed solution architectures to reduce security risk.

Conducted risk assessments and quality assurance reviews to evaluate compliance and security requirements and to identify potential gaps in policies, procedures and business processes.

Developed RFP (Request for Proposal) and RFI (Request for Information) documentation for multiple security vendor selections.

Assisted and participated in Disaster Recovery drills for all applications and key business systems.

Provided expertise across the enterprise and related projects, initiatives, and strategic decisions to ensure proper consideration of information security requirements; provided direction for Information Security operations and the continued development and enhancement of the information security strategy.

Introduced first-time vulnerability management tool to perform vulnerability and compliance scans for enterprise-wide systems.

Developed end-to-end process to address security gaps and vulnerabilities.

Livingston International, Etobicoke, Ontario 2002 – June 2004

Sr. Consultant, IT Security

DirecTV, Cupertino, California 2001 – 2002

Sr. Engineer, Network Security

Intel Corp., Santa Clara, California 1999 – 2001

Sr. Engineer, Network Security

Westinghouse Security Electronic, Fremont, California 1998 – 1999

Administrator, Network System

Education and Professional Profile

B.A. Degree in Management Information Systems

University of Toledo – Toledo, Ohio

Professional Training and Certifications

CISM – Certified Information Security Manager

PCI-QSA – Payment Card Industry Internal Security Assessor

Professional Affiliations

Member – Information Systems Audit and Control Association (ISACA)

Member – PCI Standard Council Special Interest Group (SIG)