Risk Management Technology

Location:
Marvin, NC
Posted:
December 11, 2024

Resume:

DAVID R. SHAW

980-***-**** ************@*****.*** http://linkedin.com/in/davidrshaw

PROFESSIONAL SUMMARY

High-energy, dynamic, and engaging technology risk and resilience leader with 20+ years of experience advising business leaders to achieve risk-informed decisions. Financial services veteran with recent experience as CIO advisor to a digital startup. Experience operating within entrepreneurial business units of large corporate environments. Skilled manager and coach, capable of engaging top talent in a "leader of leaders" role to build highly effective teams. Excellent communicator and collaborator, recognized for cross-functional partnerships, developing integrated risk programs, and guiding transformational change. A veteran of the United States Air Force.

SUMMARY OF QUALIFICATIONS

•Career supported by 20+ years as a trusted advisor of mission-critical services across multiple industries, including top five strengths of Woo, Activator, Positivity, Strategic, and Communication during all phases of Day 0, Day 1, and Day 2 activities.

•Ability to persuade key decision-makers on a strategic course of action, while navigating a broad range of products and services.

•Energetically influences and encourages people to be more productive across dynamic environments.

•Adept in relationships, building trust, problem-solving, driving change, and securing results.

•Inactive Top-Secret Security Clearance.

AREAS OF EXPERTISE

●Technology Risk Management

●Practice Leadership

●Program Building

●Talent Development

●Framework Development

●Roadmap Execution

●Transformational Change

●Technology Resilience

●Cloud Risk

●Digital, Third-Party Risk

●Process & Control Improvement

●Regulatory Compliance & SoX

●Governance Reporting

●Product, Project & Program Risk

●Disaster Recovery Planning

PROFESSIONAL EXPERIENCE

Wells Fargo (Contractor) 05/15/2023 - 09/30/2024

Independent Risk Management Officer

Recruited to develop and rapidly expand the Independent Risk Management team to address High-Priority projects heavily focused on the IAM domain of the company’s technology stack; on-prem, cloud, and limited third party. Built and matured oversight capabilities, first as operational risk liaison, then as leader of a Technology Risk Discipline focused on IAM, privileged and elevated accounts, and cloud environments. Experience highlights include:

●Implement and manage risk and resilience programs, supporting the new risk management department as the organization evolved.

●Lead team to conduct second line of defense risk identification, assessment, monitoring, and reporting.

●Influence through strong stakeholder partnerships, providing guidance and direction to develop risk governance and control.

●Received recognition for championing risk management principles and practices, exceptional teamwork, and “one-firm” partnership across lines of defense.

●Establish technology resilience risk oversight of cloud, IAM operations, availability and service level management, and capacity, scalability, and performance management.

●Collaborate across risk disciplines to provide oversight of multi-year programs to modernize IAM operations.

●Collaborate with the portfolio management office to formalize project risk methodology across coverage plan activities.

●Conduct key risk profiles for IAM access profiles identifying key risk categories for targeted assessment.

●Managed publication of second-line risk update to executive leadership; key areas of concern and challenge, reduced cycle time and resource requirements by 40%.

●Implement an assessment process to identify and remediate risk coverage gaps in technology risk & control self-assessments (RCSAs).

●Respond to bank regulator examinations and audits through IAM collaboration.

Key Accomplishment: Reduced methodology confusion. Reduced process rework by 45%. Increased identification of IAM risk, standalone or aggregated, resulting in coverage plan and oversight activity efficiency. Created a high-risk Discovery catalog of activities that decreased execution scoping timelines by months.

Bank of America (Contractor) 03/2022 - 05/2023

Risk Lead

Recruited to establish a risk-driven organizational transition team. Developed and implemented successful risk practices and controls for a vertical of 2k applications, 120k servers, and 4k branch offices with 16k ATMs. Evaluating risks prioritized by significant opportunities across the enterprise. Analyzed business processes to determine business risk against risk appetite. Developed reports and metrics that demonstrated prioritized risks. Reviewed corporate documentation to determine compliance with risk policies.

•Spearheaded the design and launch of an enterprise-wide cyber vulnerability dispositioning process, enhancing risk-based identification and improving remediation SLA by 45%.

•Establish technology resilience risk oversight of disaster recovery planning, IT operations, availability and service level management, and capacity, scalability, and performance management.

•Oversee firm-wide effort to deploy high availability architecture across data center zones and regions.

•Collaborate across risk disciplines to provide oversight of multi-year programs to modernize applications and implement new data centers.

•Managed assessments of system development, change management, problem management, disaster recovery, and master data management.

•Conducted analysis of business documentation to identify areas of risk and enhance workflow processes.

•Utilized data analysis skills to make strategic IT recommendations, improving system efficiency by 20%.

•Reviewed and updated internal risk management policies to accommodate new business processes.

•Assessed financial and business documents to determine risk appetite.

Key Accomplishment: Reduced the risk landscape; increased business agility and resiliency with risk processes capturing business alignment. Reduced production critical data recovery by 50%, reduced critical project hosting capacity risk by 60%, and reduced RISE delinquencies by 40% with a goal of 90%.

Carolina Cyber Center, Montreat College 02/2022 - 5/2023

Consulting Chief Information Security Officer

Building cybersecurity professionals of character through real-world consulting engagements; RFI, RFP, MSP, MSSP, SSP, and Business Governance.

•Developing post-education students addressing the nation's critical cybersecurity talent shortfall

•Creating ethical cybersecurity leaders; ethics, critical thinking, grit, curiosity, and collaboration

•Creating revenue streams for the college for scholarship awards

•Hardening community resources

•Grant writing

Spectrum Enterprise - Charlotte, North Carolina

10/2019 - 02/2022

Business Information Security Officer

Recruited to implement and manage a Cyber Risk Security program; governance, information privacy, and security controls nationally across seven business units with over 15 employees, measurably reducing the threat landscape.

•Evaluated and Implemented security framework: NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC)

•Implemented BCP; prioritized by lines of businesses for total company; BIA, Revenue Risk, controls, TRD, conducted tabletop exercises to reduce the risk landscape by identifying key business services.

•Developed a Culture of Cyber Readiness, empowering every employee to be cyber-aware and accountable.

•Developed Cyber Risk as a Business, demonstrating risk in business terms for senior executives resulting in greater business and security alignment.

•Led efforts to conduct security risk assessments and develop security plans for various business units.

•Implement an Offensive Security program (Risk, Vulnerability Management, Threat Intelligence, IPS/IDS, Attack and Penetration Testing)

•Led Advanced Threat Security Operations teams; internal and vendors.

•Led evaluation, selection, and implementation of: Governance, Risk, Compliance (GRC), Zero Trust Architecture (application and N-tier micro-segmentation), Asset Management, Account Management, Privileged Account Management (PAM), Security Information and Event Management (SIEM), Application whitelisting, Data Loss Prevention (DLP), Intrusion Prevention Systems (IPS), web filtering, and malware defense systems at the network perimeter.

•Maintained high talent retention through mentoring, motivating, and awarding of proven results-driven directs.

•Monitored and assessed risk management activities to ensure compliance with applicable laws and regulations, resulting in a 100% compliance rate and zero regulatory fines.

Key Accomplishment: Created multiyear security strategies, drastically reduced the threat landscape, secured government contracts, increased business agility and resiliency with a Risk BCP initiative capturing business alignment (BIA, TRD, Controls, Strategy), and developed critical data compliance dashboard and reporting.

US Restaurant Alliance - Charlotte, North Carolina 03/2019 - present

Chief Information Officer

Recruited to provide leadership, strategic planning, and oversight of the IS department; expenses, capital expenditures, configuration, implementation, and maintenance of all hardware, software, network, and telephony infrastructure, mobile devices, client-facing websites, and web-related applications, and the business applications to support operations in all business locations. As the Cybersecurity officer, I focus on the risk of critical data; understanding, managing, and mitigating the risk of critical data from being disclosed, altered, and denied access.

•Led evaluation and selection of: Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), and HR platforms

•Led mobile application development and software developers in various countries

•Delivered product development, go-to-market strategies, and solution road maps.

•Provided vendor management oversight of our third-party IT relations.

Wells Fargo - Charlotte, North Carolina 04/2017-03/2019

Information Security Engineer / Privileged Access Management Program

Recruited for PAM governance, processes, and documentation that expanded the program while meeting regulatory timelines that ensured privileged access compliance within company policies and control standards, drastically reducing PA risk.

•Authored Playbook which encompassed all Privileged Access processes, data flows, and procedures with a risk/audit perspective.

•Performed control standard compliance across platforms (mainframe, midrange, Windows, Linux, network, databases).

•Created KPIs (Reporting, Metric, and Analysis), Established SLA/OLA's (Operations, HR, Learning Center, and compliance departments), and data lineage (data lifecycle) of executive reporting.

•Established governance and process for operations; policy and control standards inclusion review board, defining preventive and detective controls, total device inventory reconciliation, full PA understanding, multi-factor authentication (two-factor/2FA), training certification process, job title eligibility (PoLP) aligned with NCCoE NIST.

•Defined new security strategies; threat analysis; Principle of Least Privilege (PoLP) (Centralized PA, Reduce Privileged footprint), enterprise review, and governance board.

Key Accomplishment: Reduced Privilege Access risk exposure by 75% and increased SLT dashboard integrity and user training.

WhiteLabel Software LLC – Charlotte, North Carolina 01/2016-04/2017

Senior Advisor/Co-Founder

•P&L responsibility; launched/developed a new B2B sales channel; $10k to $250K+, 48%+ Gross Margin.

•Developed intern sales team and training and managed three teams of developers.

•Consulted on e-commerce (Magento, Shopify), HIPAA (app, hosting), and API Exchange gateways.

Citco Group – Charlotte, North Carolina 01/2015-01/2016

Cloud Director

Recruited to create a cloud environment to reduce client onboarding by months. As a C-suite decision-maker with P&L responsibility, architected a HedgeFund as a Service (HFaaS) platform, a multi-year initiative pioneering product offerings for the hedge fund industry.

•Orchestrated an elastic hybrid cloud; VMware/OpenStack IaaS with a PaaS presence to run microservice/container applications while establishing a CICD workstream to create a pipeline of application porting from a monolithic code base. Eco-system of SDDC, SDS, SDN, Hyperconverged (HCI) Nutanix, VDI, IaaS, PaaS (Pivotal, Apprenda), containers, with future public cloud consumption with AWS and Azure.

•Created cloud strategy work streams with a DevOps culture (Developers, Operations, Engineers, Monitoring, DR).

•Hadoop CoE member, ensure cloud integration and use for data.

Bank of America - Charlotte, North Carolina 06/2013-12/2015

Business Intelligence Consultant

Recruited to manage the SaaS BI platforms which supported the bank's risk, capital, investments, and treasury services (platforms contain over 4,000 reports across five environments/lanes).

•Upgraded across five lanes; 20 multi-national departments and seven development groups with zero defects on a private, hybrid cloud (IaaS, PaaS, and SaaS).

•Evangelized products and road shows. Increased product utilization by 35%; created synergies with HA hybrid cloud solutions based on SOA.

Key Accomplishment: Established proactive monitoring, decreasing client impacts by 75%; BHW, APM, RUM

SalesVu – Charlotte, North Carolina 02/2012-05/2013

Chief Information Officer

Recruited to increase development and reduce server sprawl with P&L responsibility. Created elastic cloud infrastructures; separated resource disciplines, mitigating SPOF (AWS, RackSpace), and implementing change control management.

•Managed application developers and worked with merchants such as Bank of America and American Express; integrated with vendors; Verizon, and AT&T. Increased retention by 45%.

Bank of America, Charlotte, North Carolina 1998-2011

Senior Technology Manager, Stability & Resiliency

Promoted to manage the Health of the Plant (HotP), revolutionizing infrastructure delivery, creating a multifaceted monitoring strategy for the Global Enterprise Function (GEF) group (Risk, Compliance and Legal, Capital Investments and Treasury, Global Markets, and HR that encompassed over 100 projects, 7MM payroll transactions, 300MM internal website page hits, 6.8 trillion calculations).

Key Accomplishment: Exposed high-volume alerts, over 350MM per month, driving business to retire older hardware platforms, driving down 100 FTE hours per month on false incident alerts.

Senior Technology Manager, Cloud Product Manager

First Product Manager for the bank's leading edge, best-in-class high-profile, highly automated, hypervisor independent Cloud and virtualization products; Compute Hosting Platform (CHP) which encompassed IaaS, PaaS, SaaS. Developed and marketed the life cycle management of the CHP product lines (VMWare ESX, Windows Hyper-V, KVM, xCAT, MOAB) to all CIO stakeholders, obtaining buy-in and multi-year commitment.

Key Accomplishment: 30K+ cloud instances online in the first year resulted in 9+ MM year-over-year saves

EDUCATION/TRAINING/CERTIFICATIONS

Certified Information Systems Security Professional (CISSP)

CyberSecurity/Ethical Hacking

U.S. Department of Homeland Security-FedVTE

Terrorism Psychological Impact & Implications

The University of Maryland University College-BC, College Park, MD

Information Systems & Security (IFSM)

The University of Maryland University College Asia

Electrical Engineering Studies

Northern Arizona University, Flagstaff, AZ

MILITARY

United States Air Force

Computer Systems/Cryptography Specialist

Defense Communications Honor Graduate