Senior Consultant / Chief Information Security Officer
Resume:
CISO • EXECUTIVE DIRECTOR • SENIOR CONSULTANT • RESEARCHER: ALWAYS KEEPING THE CUSTOMER FIRST.
CISSP, GSLC, GCCC, and NIMS (ICS-100 and 200)
The conduit who maintains impeccable integrity and manages fundamental goals to protect and secure information, overseeing cyber security, technology, and compliance. Experience designing and building processes and procedures that align IT with business functions and leverages technology to drive operational excellence, compliance, and accountability across the organization.
Empowering everyday individuals and organizations by making cybersecurity more accessible and top-of-mind.
Over 15 years of experience; leading the strategic and technical delivery of critical security initiatives and transforming business value. Strongly believes that data security and privacy are key as a business brand differentiator, especially in the era of a globally interconnected and remote access world where the perimeter has expanded and unauthorized access, intrusion, hacking, modification, and ransomware are on the rise.
An energetic cyber security leader who transforms Information security into an outstanding strategic business value. Led development of an enterprise-wide management information security framework and strategy resulting in a 35% reduction in incidents annually. Created security and information technology programs that leverage organization-wide resources to guard the confidentiality, integrity, and availability (CIA) of business-critical data, infrastructure, Intellectual property (IP), and the privacy of personal and confidential Information. Developed resolute teams with increasing responsibilities fostering an internal philosophy of continuous improvement to influence and drive positive change.
Raising the ROI in technology and developing end-to-end IT security strategy and system architecture that delivers world-class secure service reliability and consistently achieves first-quartile customer satisfaction. Outstanding collaborator with external clients, internal stakeholders, third-party service providers, and employees to create a culture rich in cybersecurity awareness. Closely collaborates with senior leadership and administration to evaluate security threats and to advocate for each of their individual information security and technology needs. Achieves goals through influencing and communicating threats and risk-related concepts to technical and non-technical audiences lessening the odds and impact of cyberattacks. Excels at synergizing people, processes, and technology around proactive layers of defense.
An analytical security professional driving confidentiality, integrity, and availability (CIA) balancing complex projects, and protecting information from accidental or malicious disclosure. A full career translating information security to business risk, improving efficiency and cyber-intelligence with robust security programs, developing strong and clear security roadmaps, maintain business continuity, increasing ROI and reducing costs.
BLENDING TECHNOLOGY AND MANAGEMENT EXPERTISE FOR BUSINESS SUCCESS - Continually drives measurable operational results: always keeping the customer first, utilizing technology, resource planning, and project management to maintain IT operations, striving for business process improvements, creating strong governance structures, raising security awareness, conducting audits and assessments, and leading incident response and security investigations to minimize risks and IT service disruptions. Business executives and security partners alike seek his advice and opinion at meetings, roundtables, and conferences for IT governance, privacy, and cybersecurity strategy.
Compliance & Regulatory Framework Experience and Key Skills
Compliance & Regulatory Frameworks: ITIL, NIST 800-53 and 171, SANS Top 20 CSC, PCI-DDS, ISO27001, CMMI, CMMC, HIPAA, Privacy Acts, GLBA, SOX, SOC2, FISMA, and GDPR.
Managerial Skills: Customer service, team leadership and building, budgets, change and project management, employee engagement & training, governance, communications, collaboration, coaching, mentoring, performance management (metrics and KPI’s), professional development, vendor relations, on-prem infrastructure, and multi-site operations.
Operational Skills: Business transformation, ITIL, Security operations, incident response, governance, policy, standards, security awareness, phishing campaigns and simulations, procurement, contract negotiations, vendor SW/HW security reviews, SLA, MSA, RFI, RFP, “X” management (X= Risk, Vendor, Change, and Operations), compliance, auditing, disaster recovery, business continuity, helpdesk and support services, IT service management, SaaS, PaaS, shared services, and process analysis and improvement.
Technical Skills: Security analysis, patch/risk/vulnerability management, MITRE ATT&CK, penetration testing, Active Directory, Microsoft Office (O365, DLP, encryption, compliance, eDiscovery), information protection, threat hunting, NextGen Firewall, IDS, IPS, SIEM, and “X” Detection and Response (X= Endpoint, Network, Managed, and Extended).
WORK EXPERIENCE
A CAREER LEADING INNOVATIVE IT OPERATIONS AND SECURITY PROGRAMS - A multi-faceted leader leveraging technology to drive operational excellence and align IT security solutions with business objectives. Oversaw management and development of complex teams (35+ employees) who built and delivered exceptional IT solutions, providing information security, risk assessment, compliance review, vulnerability assessment, penetration testing, and network support and maintenance services to clients, maintaining customer satisfaction.
FERRILLI - Security, Cloud, and Infrastructure; Haddonfield, NJ. - CISO / Senior Consultant: Nov 2021 – Dec 2022
Provide vision and leadership for enterprise-wide business technology and cybersecurity initiatives. Engaged my authority to ensure our employees followed information security policies and procedures consistent with applicable industry standards and governmental regulations. Developed frameworks for managing risk and information security strategies aligned with the missions, visions, and goals. Supplied security services needed to streamline operations, reduce costs, and uncover the opportunities and challenges facing our clients regarding security, risk, and assurance.
Worked closely with each institution to develop processes to protect their business with immutable backups, incident response, and layers of defense.
Brought solutions and collaborated with executive management teams to determine acceptable levels of risk and prioritizing counter measures.
Achieved higher security awareness, flexibility, and better vendor relationships through a vendor services security review and software purchasing; slashing operating and software costs by 25% negotiating pricing and fees on the client’s behalf.
Proposed and managed large-scale projects according to schedule, budget, and scope via effective project planning, reporting, and resource allocations.
Cyber Incident Response Manager – developed and deployed mitigations to counter threat activity observed through threat intelligence and alerting.
KEY ACCOMPLISHMENTS:
Centralized policy, education, governance, and operations across business units.
Drove down measured vulnerabilities by 85% in under 2 years across all campuses.
Developed a security awareness program and achieved 98% compliance in annual security training across faculty and staff.
Drove compliance, reversing the trend of consistently negative security audits.
Drafted and drove the passage of transformative cybersecurity policies, standards, guidelines, and procedures.
Participated in the developed and managed securing the new virtual environment allowing remote access to faculty, staff, and students (13 labs/650 pc’s) during the COVID pandemic.
Purdue University; Purdue System Cloud; West Lafayette, IN. - Director of Information Security Services - April 2020 – Dec 2021
A world-renowned research university with an online global presence. Supplied information security services supporting academic and administrative activities serving 85,000 students. Promoted an environment of shared ideas and responsibilities with integrity built into every step to serve our customers. Managed and mentored 10 employees to collaborate with system-wide information technology-appointed security liaisons with 18 departments.
Managed a high-performing team of analysts, engineers, and emerging IT professionals (student workers) engaging them in finding, developing, and reviewing security processes across the organization to reduce risk, improve vulnerability management, and built partnerships with academic leaders.
Advanced information security and proactive, agile security management across the corporation utilizing ITIL and project management techniques to coordinate self-assessments against NIST CSF.
Improved risk and supply chain management by conducting Risk Management reviews for 3rd party vendors. Streamlined the vendor qualification process and reduced the review cycle time to take all aspects of security best practices under consideration.
Established strong relationships managing forensic investigations and working on cases w/ local, state, and federal law enforcement agencies.
Created test scenarios with tabletop training and developed an incident response plan.
Collaborated w/ the business office adding security requirements and clear requirements in IT contracts.
KEY ACCOMPLISHMENTS:
Developed and led weekly Change Control meetings striving for better cross departmental communications regarding PM meetings.
Drafted and drove the passage of transformative cybersecurity policies, standards, guidelines, and procedures.
Created a system-wide IT and security service catalog improving business processes and customer service.
Created an information security program and advisory council to lead security initiatives, critical controls, and awareness.
Instituted a formal security review process for buying technology, software, and third-party vendor services to confirm and enhance enterprise security while reducing time, costs, and risk.
Executive Director of Infrastructure, Ops, and Cyber Security at PNW Jan 2019 – Apr 2020
Managed the Infrastructure, Operations, and Cyber Security teams - Maintained the delivery and integration of information technology, improving the network systems and daily security operations. Enabled the students and employees to be successful in their education and research by educating and empowering the community through policies, standards, and consulting with the Information and Cyber Security office. Worked with management at all levels, to develop, implement, maintain, improve, and enforce policies, procedures, and business/security practices.
Delivered cost savings as the change catalyst that produced high-value business impact driving change through partnerships with Technology Services and participation with departments across the institution to successfully build an information security program.
Increased the team’s maturity level by steadily increasing responsibilities and fostering a culture of continuous improvement. Worked with procurement officials to ensure information security requirements were included in contracts and consulted with vendors and procurement teams to buy software, hardware, IT services, and renewals.
Managed campus networks, AWS, Azure, and security services and delineated strategic direction for each of the network infrastructure, operations, and security teams to enhance and improve the use of enterprise technologies for faculty, staff, and students.
Increased the university security posture to help secure and protect systems, services, and data against unauthorized use, disclosure, and loss. Fortifying security through the implementation of embedded security controls and controlled frameworks.
Collaborated with academic leaders to create a system-wide security services catalog improving customer service and standardizing procedures.
Managed forensic investigations with local, state, and federal law enforcement; utilizing FTK Forensic and Autopsy to analyze and acquire evidence.
KEY ACCOMPLISHMENTS:
Achieved 99% compliance in annual security awareness training. Slashing employee rate of susceptibility to phishing scams from 15.9% to 5.3% by rolling out targeted awareness campaigns.
Drove compliance and reduced the cost of conducting audits across each customer enterprise environment.
Created infosec programs and advisory councils to lead security initiatives, critical controls, and awareness.
Drove to the passage of transformative cybersecurity policies, standards, guidelines, and procedures.
Joliet Junior College; Joliet, IL. - Chief Information Security Officer: Nov 2005 – Jan 2019
Multiple promotions marked my tenure with this institution. I joined the staff as a systems specialist/trainer and ascended into roles with increasing scope and responsibility. Ultimately turning into a CISO where I established security best practices and layers of security controls. Developed policies, procedures, and guidelines in a complex, mission-oriented academic environment to help shift behaviors and increase communications throughout the institution. Performed a business impact analysis and determined how to avert significant risk by architecting a new DR/BC solution that significantly improved recovery time objectives from days to minutes.
Developed a governance structure and change management team that verified, documented, and increased communications within the institution.
Controlled security spending to 4.5%, which compared favorably to the industry standard (5%) through business procurement processes (RFI and RFP’s).
Slashed annual service and licensing costs by 30% - negotiating pricing and fees, while ensuring the continuation and enhancements of security services.
ERP security enhancement project leader- focused on securing SSNs and enhancing the business processes that deal with confidential sensitive information, improving onboarding and separation processes, and replacing insecure legacy programs and queries.
Brought a VoIP technology optimization strategy to consummation, significantly reducing annual phone spending (saving $340K/year) and increasing the ability to quickly scale up and provide reliable voice quality over a stable network.
Established strong relationships with local, state, and federal law enforcement agencies; utilizing Forensic software (EnCase, FTK, and Autopsy).
KEY ACCOMPLISHMENTS:
Centralized security policy, education, governance, and operations across business units.
Collaborated w/Human Resources implementing consistent disciplinary action strategies in cases of violations.
Renovated the backup and recovery to use Azure Site Recovery to slash annual operations costs by 35% and decrease the RTO from 96 hours to 30 min!
Drove compliance thru audits across each department for SOC, ISO, PCI, NIST, CMMC, GDPR, NIST 800-53, and 800-171.
Achieved 99% compliance in annual employee security training.
Led the Microsoft Campus Agreement via consortium saving the college $195,000+ per year.
Managed NGFWs to classify and monitor all traffic to enable only authorized users to run sanctioned applications.
Interim Director of Information Technology - Managed day-to-day operations of network, telecom, technical support, and application delivery teams coordinating the continuation of critical projects, system maintenance, network upgrades, and business operations. Always encouraging the teams to look for continuous improvements in our business and operational processes and renewed the annual budget of $11M. Researched and became an early adopter of MS O365 and migrated test systems into Azure.
KEY ACCOMPLISHMENTS:
Reorganized the IT career ladder and rightsized the pay structure with HR, resulting in 0% attrition while the institution searched for an IT Director.
Championed the development/implementation of an innovative project management/budget methodology, integrating individual project metrics into long-term objectives which resulted in significant improvements leading to a complete revitalization of project progression and successful completion.
Drove infosec programs and advisory councils to lead security initiatives, critical controls, and awareness.
Took to passage transformative cybersecurity policy, standards, guidelines, and procedures that were easily understood by all levels of the organization.
Managed NextGen firewalls to classify and monitor all traffic to enable only authorized users to run sanctioned applications.
Software Licensing Compliance - organized the development of a software license inventory and management system.
Network Technician - Established standard operating procedures, disaster recovery, and incident handling playbooks. Consolidated two Active Directory domains and data centers into one, designing a new layout, air handling, and physical security requirements. Migrated 150 servers with zero downtime; in conjunction with modernizing the data center to mitigate operational risks.
KEY ACCOMPLISHMENTS:
Installed a core router (Cisco ASR 9000) connecting three remote campuses, 22 buildings, 720 access points, and 575 surveillance cameras: increasing network bandwidth and speed by 20%.
Upgraded the firmware on network equipment yearly by keeping track of released updates resulting in a 25% improvement in network stability.
Used network monitoring (SIEM, IDS/IPS) and access control to block malicious threats.
Maintained backups, tape vaulting, and offsite storage resulting in 100% accountability for the chain of custody.
Implemented NAC to enforce policy, manage endpoints, and deliver trusted access.
Help Desk Technician, Systems Specialist/Trainer, City Center Campus
Managed computer and server maintenance, patching, backups, upgrades, mitigated threats, and raised security awareness for the campus.
Part-time class instructor for A+, Network+, and Security+ classes.
KEY ACCOMPLISHMENTS: Able to turn around helpdesk services and increase customer satisfaction (21%). Upgraded over 2,200 computers from Windows XP to Windows 7 and installed/configured over 250 laptops increasing work efficiency and performance by 50% and increasing the ticket closeout rate from 80 to 95%.
Silliker Laboratories Group, Inc. Corp Research Center, South Holland, IL.
Senior Research Microbiologist: Managed multiple projects and conducted product and process development-method validations, thermal death time studies, and developed a microorganism, mold, and toxin testing and identification programs from the ground up.
SECURITY AWARENESS CAMPAIGNS, CONFERENCES, PRESENTATIONS, AFFILIATIONS, AND EDUCATION
SECURITY AWARENESS CAMPAIGNS
RUSSIAN CYBER ACTIVITY UPDATES & PREPARATION ADVICE
GOOGLE PATCHES ACTIVELY EXPLOITED CHROME ZERO-DAY VULNERABILITY
PATCH RECENT VULNERABILITIES FROM GOOGLE AND MICROSOFT
VMWARE ALERT: PATCH THESE VULNERABILITIES IMMEDIATELY!
10 CYBERSECURITY BEST PRACTICES FOR INDIVIDUALS
ZOOMING IN ON ZERO-CLICK EXPLOITS (PATCH YOUR ZOOM SOFTWARE!)
CONFERENCES AND PRESENTATIONS
Microsoft Ignite (2018) – Real-world examples of implementing cloud-based backup and DR #THR2205
Camp IT 2019 - How to ID and Decrease Potential Risks Leveraging 3rd Party Vendors
Camp IT 2021 - Creating a Value Proposition Business- Outcome-Driven Enterprise Architecture Program
LOG4J VULNERABILITY AFFECTS ALL INDUSTRIES (2022)
GLBA AMENDED SAFEGUARDS RULE. ARE YOU PREPARED? (2022)
10 CYBERSECURITY BEST PRACTICES FOR INDIVIDUALS
AFFILIATIONS
(ISC)2
InfraGard (FBI)
US Secret Service Electronic Crimes Taskforce
CISO Executive Network- Chicago Chapter
Information Systems Audit & Control Association (ISACA)
South Metropolitan Higher Education Consortium
EDUCATION
University of Illinois at Chicago – BS in Biology; Minor in Chemistry
Educause – Leadership Program Graduate – CREDLY #18148392
Contact this candidate