
Member Team Security Officer

Location:
San Jose, CA
Posted:
January 24, 2023

Resume:

Mark Milatovich

aduwj4@r.postjobfree.com

https://www.linkedin.com/in/markmilatovich

415-***-****

Summary

Highly talented and accomplished CISSP-certified security, compliance, and privacy leader/expert and technologist with extensive skills and experience in security and compliance strategy and management, risk management, audit and compliance, privacy, and security operations.

Successfully managed budgets in excess of $2+M, effective and skilled vendor negotiator (“win/win”) and experienced in contract negotiations with enterprise vendors/global supply chain.

Passionate in all matters security, compliance, and privacy.

15 years of Security, GRC, and Privacy Leadership and Management experience.

Hired/managed teams of varying sizes (6 – 50 direct/FTEs), globally, and matrixed.

Background in SaaS and Cloud Managed Services

Proven experience in building and managing global security programs

Cyber Security Certified - CISSP, CISM, ISSMP.

Security savvy leader with strong strategic, tactical, and people skills

NERC-CIP BG Certificate and Clearance (Sept 2019 - Sept 2026)

Certifications and Professional Memberships

CISSP-ISSMP, Certified Information Systems Security Professional (current)

CISM, Certified Information Security Manager (current)

Member of the ISACA Silicon Valley Chapter

Educational Background

University of San Francisco, San Francisco, California - MBA, Telecommunications Management and Policy

University of Michigan, Ann Arbor, Michigan - BSA, Computer Science/Information Systems

Technical Skills

Keywords: CISSP, CISM, ISSMP, CISO, VP of Information Security, Security Leadership, Security Management, Cloud – AWS, GCP, SaaS, GRC, DLP, Governance, Compliance, Privacy, ISO 27001/2, NIST 800-53, GDPR, CCPA, SOX, HIPAA, HITRUST, SSAE 16, SOC 2 Type 2, FFIEC, GLBA, Product Security, DevOps-Operations Security, SSDLC, SIEM, SOC, Vulnerability Management, Endpoint Security, Identity Management (IAM), Incident Response and Forensics, Security Awareness and Social Engineering Training, Zero Trust Security, Enterprise Risk Vendor Management, Contract Language (security, audits, IR, SLA’s), and securing microservices/container/REST API cloud architectures.

Professional Experience

Blue Clouds LLC vCISO Advisory Services

Cybersecurity, compliance, and privacy management 5/01/2020 - Present

TAOS, San Jose, CA Cloud Infrastructure & Operations Consulting and Managed Services

Senior Security Management vCISO Services 6/2015 – 4/30/2020

Taos' consulting expertise is in leading edge technologies and deep knowledge across all infrastructure, cloud operations, and data center domains for both innovative Fortune 500 and Start-ups in the Bay Area.

Accomplishments:

Public Utility in San Francisco CA

Data Security Program Office - Data Security and Compliance (CCPA) Project

Discovering and identifying both customer and employee sensitive data (“PII”) contained across multiple enterprise data stores (structured, unstructured), using a DLP tool (Symantec) for exact fingerprint matching (EFM).

Conducting high-level assessments to accurately categorize the PII data and update/migrate to a data management and compliance tool (Collibra). Also creating data flows, a data dictionary, and assigning data classifications (restricted, confidential, internal, and public).

Utilized MetricStream (GRC) to update data privacy policies, processes, workflows/emails, and process owner assignments/tasks to address the CCPA data privacy requirements. Also configured the MetricStream platform to house and support the privacy-related risk assessments, asset definitions, classifications, policies, control testing, process owner surveys, and issue management capabilities.

Taos Managed Services in Boise, ID

Managed and achieved/passed an internal SOC 2 Type 2 audit within the Taos Managed Services environment with no significant exceptions

Managed and led the security & compliance for the Taos managed services business in Boise, ID. Managed the 3rd party penetration test, including scope definition and the remediation effort. Managed and passed a SOC 2 Type 2 and HIPAA compliance audit with no exceptions noted; reviewed all customer contracts for security and GRC obligations and documented any gaps/exposures for non-compliance.

Pinger (Mobile Telecom Provider) in San Jose CA

Data Governance Project – Security/Data Protection and GDPR and CCPA compliance

Conducted a risk-based security/controls posture and compliance assessment of the Pinger operational environment, focusing on the high risk/impact assets, systems, and data (e.g. customer Sensitive Personal Data (“SPD”, “PII”)).

Performed a security and control gap analysis against relevant industry best security practices and standards (ISO 27001/2, NIST, CCPA/GDPR).

Prioritized the identified gaps and developed a high-level remediation/mitigation plan.

Documented and presented an executive-level and detailed tactical report/plan of actions required for addressing the identified gaps. The plan highlighted priorities based on highest risk/asset impact (criticality/complexity/time required) as well as meeting audit/compliance/legal/regulatory requirements (e.g. CA CCPA and EU GDPR).

Conducted a security (data) and CCPA gap/controls assessment.

Developed a more robust and comprehensive data inventory/catalog/map/classification across both the corporate and consumer data/stores as well as identifying where Pinger engaged 3rd party vendors to store/process/monetize data.

Developed and implemented a corporate-wide data governance program, including end user training.

Recommended a long-term security and data management and data protection strategy and plan.

Adobe in San Jose CA

Sensitive Personal Data (SPD, CCPA, GDPR) processing in Adobe Managed Services Project:

Conducted a risk-based security posture and compliance readiness assessment of the Adobe SaaS based platform distributed globally within the AWS cloud environment.

The customer end user data was sensitive (“SPII”) and the scope included requirements to meet banking data privacy protections and the CA CCPA.

Deliverables included an assessment of the current state, a gap analysis against a standard baseline, an executive-level report, and a high-level mitigation plan covering overall risk reduction, current and desired end state/security posture, and compliance.

Spruce Financials (Fintech Company) in SF, CA

Conducted an internal security risk assessment to identify high impact risks/gaps, developed a security plan using a risk-based approach to prioritize the remediation tasks and initiatives, developed and implemented security policies and process documentation; recommended enhancements to the security technology framework (e.g. FW, UTM, NIDS, SIEM, DLP, CASB) to ensure customer data was protected commensurate with the risks and regulatory requirements; developed and implemented a security incident response plan/capability, including centralized logging, security monitoring, and escalation and containment procedures.

Cogitativo (Big Data-Computational Science Healthcare startup) in Berkeley, CA

Completed an internal security risk assessment to identify high-impact risk/gap areas and prioritize the project/remediation initiatives and activities; developed and implemented a formal cybersecurity program based on the HITRUST framework; developed and published a security plan (18-month timeline) using a risk-based approach to prioritize the phased rollout; formed and participated in a quarterly internal compliance oversight committee for ongoing corporate governance and reporting; developed and implemented 40+ security policies and procedures to align with the HITRUST framework and meet the HIPAA security, privacy, and breach notification regulations.

Developed and implemented a security technology framework (PAN, endpoint, vulnerability scans, SIEM, DLP) to ensure customer data (“ePHI”) was protected; developed and implemented a security incident response plan/capability, covering centralized logging, security monitoring, and escalation and containment procedures; developed and implemented the vendor security management process (“BAA”); managed the 3rd party penetration test, including scope definition and the remediation effort.

Riverbed in SF, CA

Served in a CISO advisory capacity for both the EVP/CIO and Director of Security & Compliance. Completed a risk assessment and recommended security enhancements for their new cloud offering (AWS); conducted a GDPR readiness assessment in 2H.2017; managed their enterprise SIEM/SOC vendor selection/vetting process and supported the implementation project; consulted on IAM design recommendations for a future cloud platform offering; and served as an external advisor for a security incident, recommending both a 3rd party forensics firm and added security-in-depth capabilities (e.g. next gen FW, WAF, DLP) to close the vulnerability/threat gaps identified in the forensics report.

Carrot Sense (Digital Healthcare tech startup) in Redwood City, CA

Completed a risk/gap assessment, recommended and documented a phased security and compliance plan & roadmap; developed policy and process documentation to support HIPAA/HITRUST compliance for security, breach notification, and privacy; completed 3rd party vendor security reviews; completed customer security questionnaires; designed the enterprise security architecture framework (corporate and AWS hosting environments); and led security and compliance reviews with both existing and prospective clients.

Velocity Technology Solutions, Charlotte, NC Global Cloud Managed Services Provider

Information Security Risk Officer, VP 3/2014 – 2/2015

Responsible for managing all aspects of security, audit, and data privacy functions for Velocity with oversight for protecting the global data center hosting centers and the internal corporate environment and information assets.

Coordinated with risk stakeholders (security, legal, finance, etc.) to assess risks and develop action plans for identified risks. Scheduled sessions with risk stakeholders and business owners to finalize risk ratings. Managed action items taken to ensure the findings are effective to prevent repeat findings.

Developed a comprehensive security strategy and plan to identify and remediate existing critical/high impact security gaps and exposures while providing a roadmap (phased approach) to enhance the overall global security program and capabilities.

Managed all 3rd party compliance and security related activities, including gathering information from various internal business partners to respond to inquiries. Developed a knowledge base repository for use by various team members to facilitate these activities more efficiently.

Managed the completion of due diligence questionnaires with vendors; coordinated due diligence reviews with relevant stakeholder groups; followed up with third parties on remediation activities and periodically re-validated the compliance of a third party.

Managed the execution of third party risk management standards and procedures, including the development of analysis and key metrics for reporting on third party vendor health.

Reviewed and assessed the existing Security Technology Framework and Roadmap to ensure alignment with the business direction/strategies while addressing any high impact risk/gaps.

Developed and implemented a “security” system hardening process to ensure security baseline and configuration standards are applied during provisioning of new customer environments.

Developed, implemented, and managed the security Incident Response policy and plan, which included 24 x 7 security monitoring and 3rd party forensics support capability.

Initiated persistent 3rd party vulnerability tests against the perimeter systems and infrastructure and implemented ongoing remediation of the critical vulnerabilities.

WEBROOT, Inc., Broomfield, CO Internet Security Solutions Provider 9/2013 – 3/2014

CISO, VP of Security

Webroot provides innovative Internet security solutions, including advanced endpoint protection and threat management and reputational (URL, IP, File) services that protect personal information and corporate assets from online and internal threats for consumers and businesses worldwide.

Responsible for managing all aspects of security, audit/compliance, and privacy with oversight for protecting the Web Intelligent Cloud Network, E-Commerce platform, the physical and virtual data centers, and the internal corporate environment.

Developed and enhanced the Security program, including conducting a comprehensive risk assessment to identify and address critical security gaps and exposures.

Developed and implemented comprehensive security and controls documentation, including a master security policy, Incident Response and Forensics plan, BYOD policy, and an ISO 27001/2 controls template.

Completed an internal cybersecurity review with legal and closed out existing security and data privacy control and process gaps.

Deployed advanced network threat protection solutions (Palo Alto Networks devices) for both threat detection and prevention of advanced malware (zero day, APTs).

Initiated quarterly 3rd party penetration testing against critical infrastructure and E-commerce applications.

Enhanced security within the Virtual Data Centers by implementing 2-factor user authentication for privileged user access and implementing persistent vulnerability scanning assessments.

Led ongoing customer CISO feedback sessions to identify key new functionality for the development of the next generation endpoint protection platform.

Silver Spring Networks, Redwood City, CA 3/2010 – 9/2013

CISO, VP of Security Smart Grid Operations and Services

Silver Spring Networks is an innovative smart grid platform company providing the hardware, software, and networking that connect every device on the smart grid, creating a unified Smart Energy Platform. The back office smart grid systems in the hardened data centers manage over 25 million smart meters geographically spread across multiple utilities located in the US, Australia, Brazil, UK, and Singapore.

Responsible for managing all aspects of information security, audit/compliance, regulatory, and privacy functions for SSN, with oversight for protecting the Smart Grid infrastructure, the data center hosting centers, and the internal corporate environment and information assets.

Designed and managed the deployment of a multiple layered security model, integrating next generation threat protection security platforms that provided both prevention and risk mitigation within the hardened data centers and back office systems.

Implemented “secure coding practices” into the product development/design (SDLC) and QA processes, significantly driving down critical security related flaws before production release.

Deployed and supported an innovative SSN security platform that manages and enforces policy based “rate limiting” of Smart Grid critical commands to protect against unauthorized automated load shedding.

Managed the design and implementation of a security system build process (“TQM”) to ensure security baseline hardening and settings and configurations are applied during the customer environment builds and also updated quarterly in production as part of the “golden image” refresh process.

Developed, implemented, and managed the Security Incident Response plan which allowed SSN to detect and respond to security incidents. The plan included 24 x 7 security monitoring (SOC) integration, incident scenario definitions, and escalation and forensics procedures.

Adopted, developed, and implemented the ISO 27001/2 security control framework and the supporting documentation. It served as the foundation for driving SSN’s audit and overall governance while addressing multiple industry compliance or regulatory requirements, including NERC-CIP, NISTIR 7628, SOX, and NIST 800.

Successfully passed SOX audit reviews for multiple utility clients with a significant smart meter deployment base.

Developed and published quarterly security metrics and dashboard reporting for trending and executive oversight.

Partnered with Legal to develop SSN's Global Privacy policy framework to address customer utility and consumer data protection requirements.

Introduced and led the implementation of a supply chain security audit framework to address security of the mission critical SSN firmware and NIC components during the product manufacturing phase.

Managed and led a monthly client CISO executive-level sponsored focus group, providing SSN with valuable customer feedback on both current and future security product and services capabilities and R&D direction.

Created and funded a dedicated security lab to conduct both 3rd party and internal penetration testing of SSN products and infrastructure while also offering the lab as a “rental” service to the utility clients for conducting their own penetration testing.

Corporate Security – enhanced endpoint security via 100% laptop encryption coverage and partnered with HR to implement an annual employee security awareness training program.

Provided ongoing security leadership and support for customer “C” level sales engagements, RFPs, and client industry and regulatory oversight meetings.

International Business Machines Corporation (IBM), San Jose, CA (acquired Corio in 2005) 7/1999 - 2/2010

Security Officer, Global Technical Services Managed Application Services Delivery

Responsible for managing all aspects of Information Security and Risk Management for Global IBM MSD, including the global strategic and tactical security planning, business strategy alignment, budgeting, policy and process development and implementation, security architecture design, project management, operational security, audit, compliance and regulatory preparation and oversight (SAS 70 II, PCI, SOX, HIPAA, Gov C&A).

Designed, implemented, and evangelized an innovative security enterprise management platform that delivered real-time security metrics across a managed hosting services environment comprised of 7500+ systems. These critical security reports were incorporated into the delivery and operations metrics and significantly improved both security and IT controls posture.

Delivered seven key and critical quarterly security metrics and reports for internal executive oversight.

Hired, developed, and mentored a 30+ member team of talented, highly motivated security professionals.

Established and implemented a comprehensive set of security policies, standards, guidelines and procedures to provide appropriate protection of company assets while flexibly addressing the diverse regulatory and customer compliance requirements (SAS 70 II, SOX, HIPAA, Gov C&A, FDA, and FFIEC).

Managed the SAS 70 II 3rd Party Audit without qualifiers for four years and passed other external Security Audits and Compliances including Government C&A.

Developed and implemented a Security “TQM” Process to implement security quality during the customer go-live activation process.

Reduced the annual security budget capital outlay by $400K over 4 years while enhancing security capabilities through prevention, automation, and quality process, instituting security metrics reporting for continuous process improvement and executive management oversight.

Advised and consulted both IBM MSD and Customer “C” level senior management teams on security trends, challenges, and issues.

Achieved numerous IBM leadership awards.

Oracle Corporation, Redwood City, CA 1994 to 6/1999

Security Architect and InfoSec Manager – Global Information Security

Held a variety of security positions both at the technical and management levels, including information security analyst, security architect, and security manager where I was responsible for protecting the company’s Global information technology and operations environment.
