
Cyber Security Program Manager

Location:
Brampton, ON, Canada
Posted:
July 02, 2025


Resume:

Dear Sir,

My name is Raghunath Nair, a Canadian Citizen, a Bachelor of Commerce with Economics and Business Statistics as the major. I have also completed my Post Graduate Diploma in Computer Applications.

Having crossed the Atlantic in 2005 and before moving to the US on a TN in the year 2014, I have been with Compucom, Enerflex, Infosys and IBM in various capacities on the technology side. The ability to understand others' perspectives and deal effectively with people from diverse backgrounds, and an exceptional ability to adapt to changes under pressure and multiple demands while maintaining a positive demeanor at the workplace, are some of the qualities I bring to the table.

I have made the difference to various clients and organizations; evaluating the board’s oversights and opinions and setting the stage for a positive outcome through the executive and management layer. In solving complex business issues from strategy to execution through a governance process, utilizing the digital assets in information technology, operational technology, and cyber space, I have engaged with different groups. My relevance to IT and Cyber Security in managing regulatory mandates in participative engagements with Government bodies and Semi-Govt Authorities, viewing it through a human beneficial lens, received appreciation from all sectors of the business and IT.

From 2014 until 2023 I was in the US as Cyber Consultant / Project Manager / GRC Architect / Service Management Architect / Compliance Specialist / Program Manager, and wore many other hats to meet the business needs of multiple clients from different verticals.

That's my brief since I crossed the Atlantic 20 years ago. My Emirates experience still has relevance in the technology management space, and all those prior years of experience in Quality Management and Data Center Management remain fresh. Below this note, please find a few details of my experience and skills.

I would love to connect with the Hiring Team

Looking forward

Thanks

Raghu Nair

64 Soccavo Crescent

Brampton, ON

L6Y 0W3

Raghu Nair GRCP, IDPP, GRCA, ISO 27001 LA, CSP, CIP, ISO 9001 LA 1-647-***-****

**************@*****.*** https://www.linkedin.com/in/nairraghu

Recipient of Certificate for Honesty & Integrity - Los Angeles County Police Headquarters

Profile

The common thread that weaved success was my Phased approach in the Governance of Process management and architecting of Security, Risk Management, Process Controls and Technology governance. As a program manager, I have worked on multiple large-scale technology initiatives from inception to execution and have led large teams in the development and implementation through road maps to fully govern, manage and provide assurance, ensuring solutions are in line with the enterprise vision. Without discarding the existing Security Policies & Risk practices, global & local privacy acts, information security mandates and regulations, I have aligned business with IT through streamlined Security & Threat management, and appropriate Governance; thus transforming customer experience in several industries including banking, healthcare, insurance, energies & utilities, government, airlines and manufacturing.

Certifications and Trainings:

Certified Governance Risk and Compliance Professional

Certified Integrated Risk Management Professional

Certified Governance Risk and Compliance Auditor

Certified Integrated Data Privacy Professional

ISO 27001:2005 – Lead Auditor – BSI

Certified Cyber Security Professional – Global Tech

COBIT - ISACA

ITIL - EXIN

ServiceNow System Administrator – Service Now

Project Management certifications – PMI & Others

Data Governance & Privacy Foundation certification – Informatica

IT & Cyber Security – CYBRARY

Data Governance & Privacy - Informatica

Asset Security Fundamentals – CYBRARY

Critical Infrastructure Protection - OPSWAT

Payment Card Industry Data Security Standards - CYBRARY

Certified Cloud Security Professional – CYBRARY

Cyber Security Professional – Global Tech Council

Insider Threat Program – CYBRARY

ISO 9000 Lead Auditor – Det Norske Veritas

SAS Fundamentals and SAS Time Series Forecasting – SAS Institute

Regulations, Standards, Frameworks

SOX / NI 52-109, COSO, AML, PCI-DSS, HIPAA, ISO 27001, NIST, NERC-CIP,

DORA, OSFI, GDPR, PIPEDA, SSAE 18, SOC 1&2, ITIL, COBIT, HITRUST, HITECH

PM Tools

Jira, Confluence, MS Project, MS Excel, SharePoint

GRC Tools

ServiceNow, Archer, SCCM, SolarWinds

Cloud Service Provider

AWS, GCP

CI/CD Pipeline

DAST, SAST, OWASP

Experience

Oct 2024 – Apr 2025: Senior Risk Analyst – GRC, CIBC Bank (6-month contract through SI-Systems)

Governance of Deviations from Standards, Deficiencies in Controls and Issues in Processes, ensuring the digital risk in Infrastructure Operations & Network Engineering is managed

● End to end documentation of Audit Risk and Compliance process. (8 Weeks)

● Utilized MetricStream to define threats, risks and vulnerabilities to generate a risk rating for each asset from the centralized repository.

● Support the Director in Audit Preparation and Engagement, Deficiency Management & Monitoring, Audit Facilitation – Internal & External, Remediation Analysis, and Control Testing

● Drive implementation support for the roll-out and adoption of new practices and effectively lead the team in managing accountabilities and deliverables

● Daily Audit / Technology connects, control gap assessments and RCSA

May 2023 – Aug 2024: BeyondCX – Security Architect

SEA PORT Authority

Gen AI based security design for a major seaport based in India. Strategized and designed the Gen AI based Cyber/IT Security solution to benefit the seaport's cyber security, interfacing digital networks (OT/IT), ICS and PLCs. This design and implementation plan was specifically meant to manage the seaport's cyber security systems.

Architecture & Design

Engaged, Discussed and strategized with executives

Program Governance, Project Plan and Road Map

Key stakeholders & Execution Partners and their collaboration

Network Transformation

Network Transformation of an Aluminum Plant through a technology refresh: extend the wireless coverage, security controls and access controls using converged plant-wide Ethernet and a centralized tool to manage the wireless and wired network across the administrative, engineering and plant environments. The project was implemented in five (5) phases.

● High Level Design & Network Discovery

● Risk Management

● Low Level Design

● Implementation

● Document & Training

March 2020 – April 2023: Cognizant Technology Solutions – Sr. Program Manager / GRC Architect

Revamp Architect GRC – Cyber Security Posture – (A major health care provider, Bloomfield, Connecticut, USA)

To integrate with an existing control-based management system (HITRUST controls): the compliance control delta between the current and potential integrated entity, Policy and Standard Harmonization, Access Integrations, Application assessment and Data Lake were normalized.

● Responsible for the project plan, timeline and budget (ETC)

● Responsible for the program management and reporting of 3 major projects.

IT/Cyber Risk Assessment

Identity & Access Management (OKTA integration)

Policy Governance & Hitech Compliance

● Designed and Established RISK ASSESSMENT framework utilizing NIST 800-53, COBIT and ISO 27001, factoring resiliency into solution controls.

● Responsible for the oversight, interdependencies and integration of interrelated projects

● Build relationships across the organization including legal, compliance, IT and Business

● Risk Management, Policy Integration and Data Governance (Enterprise and Amazon VPC)

● To define evaluation report to establish the baseline for security measures utilizing Balanced Scorecard

● Advocate for Policies & Procedures

● To statute HIPAA requirements as applicable to its affected business functions and covered entities that utilize PHI/ePHI

● Participate in special projects and initiatives as cyber security advocate to align with HITECH mandates.

● Performed an internal Cyber Security risk assessment of IT systems and infrastructure based on NIST CSF to enhance information security

The Implemented solutions were transitioned to a managed security service.

● Report gap analysis, assess security process maturity against the controls and framework of NIST.

● Developed solutions in the space of:

o Policies

o Training & awareness

o Risk Assessment

o Access management

o Data Security

o Network Security

● Conducted DR testing, learn and analyze results to improve the BCP and Resilience

Interoperability Architect – Regulatory mandate on Interoperability (HL7) – Multiple clients in US Health Sector - California, USA

Reporting to the Vice President for the geographies which the customer serves; analyze implications of federal, state, tribal, and local regulations including but not limited to the HIPAA privacy rule, security rule, unique identifiers rule, and enforcement rule, to define and strategize the 'shall' and 'will' aspects of how the Medicare units embrace the interoperability norms.

● Identified and developed policies for Personal representative access and privacy regulatory requirements.

● Finalized policies applicable for the Interoperability Solution (HIPAA, CURES Act, ONC, CMS).

● Designed and implemented the risk assessment “Expectation Based Interoperability Risk Assessment Framework.”

● Wove the RA framework through ISO 27001 Domains and NIST 800-53 cyber controls.

● Mapping of health solutions to manage the covered entities of Payer, Provider, and Patient within the rules of HL7 standards and FHIR profile cross mapping.

● This involved:

o Adherence to CMS guidelines on Member Data Rules

o Member Data Entity Exchange

o Data movement mandated through FHIR rules

o Design of Data Privacy Engine

o Integration with member portals

o Scope data elements to be mapped for access via APIs

● Data Extract process and design inclusive of:

o Pharmacy encounter data

o Medical claims

o Provider data

o Laboratory data

● Sensitive data definition areas for governance

● Designed and documented third party applications risk management and onboarding processes

● Designing the Third-party APP Risk Strategy and Member portals integration

● Integration of member portal with privacy and consent engine

● Security review – Application Security – Test Strategy

● Establishing the design of data and privacy consent engine driven by the compliance standards and integration of those with member portals

● Redefining the rules for member view for adjudicated claims data including provider remittances, encounter data, clinical data and other data managed by Medicare Advantage, Medicaid FFS and Medicaid Managed Care.

Subject Matter Expert COBIT - IT Risk Consultant – Large Investment Management co., Jersey City, New Jersey, USA

As a COBIT IT Risk Consultant, I worked closely with department management and engaged key cross-functional stakeholders across Technology and with Operational & Strategic Risk to implement COBIT within the Technology organization. Evaluate, assess, and provide recommendations to the management in identifying, assessing, and documenting key risks and controls and assess the COBIT maturity level of the organization.

Evaluate, assess, and provide recommendations to management for identifying, assessing, and documenting key risks and controls.

Redefine the Governance – Tracking - reporting of Archer Based Regulatory artifacts

Developed and documented procedures and processes for Control categorizing, Control assessment and Control Testing

Evaluate, assess, and provide recommendations to management for identifying, assessing, and documenting key risks and controls, Policy Changes, vendor management.

Trained Business unit and IT control owners in the review and testing Key controls (Archer Based)

Assess process maturity based on COBIT capability levels.

Map COBIT (2019) to the existing technology policy statements

Identify gaps and propose new controls and test plans to be recorded in the Enterprise Risk Management tool (Archer).

Identify controls in the internal Enterprise Risk Management system that meet specific criteria to map with COBIT 2019 Management Objectives

Collaborated with the Internal Audit team in refining the control Objectives to accommodate COBIT 2019 mandates.

PCI-DSS Premium Architect – PCI DSS 4.0 CoE Build – (A major Credit Card Issuer – Grand Rapids, Michigan, USA)

Led a team of 14 members to strategize, design, architect and establish an enterprise-wide risk assessment, to drive PCI-DSS control requirements through a PMO office and govern Technology Risk Management & Control Information Systems across different geographies to facilitate PCI-DSS compliance in phases.

My Responsibilities:

Governance – Tracking - Reporting of PCI DSS 4.0 Compliance

Collaborated with the Process Control Owners in refining the control Objectives to accommodate 4.0 mandates.

Identify Delta from 3.2, Measure the Gaps, Define the current constitution vs efforts required, engage asset owners

Reproduce the Tokenization effort in the UK-EU geo as a use case for other regions.

Application Risk assessment and Data protection

Assess Control Gaps; Establish Control Owner connects, Report Gaps, Highlight Vulnerabilities, to strategize mitigation step

System Controls, Access & PAM related controls integrated with change were prioritized.

Created Repeatable, sustainable PCI process and procedures.

August 2014 – March 2020: Tata Consultancy Services – Lead Consultant, Cyber Security & Compliance

Lead Consultant GRC, Vendor Risk Assessment & Process Governance – Large Insurance Company, Syracuse, New York

Assessing the current strengths and weaknesses of the Information Security Risk Assessment process of third party vendors through a TPRM process.

● Vendor adherence to SSAE 16 SOC 2 Type 2 report, analyzing the risk acceptance level in conjunction with compensating controls.

● Assessing vendor managed controls impacting NYSDFS compliance.

● Works with team members, Legal, IT Architects and Business to identify areas of improvement in the contract process and implements necessary changes.

● Review of vendor security controls and processes (PEN TEST results, Data Lifecycle Encryption)

● Categorized vendors on risk levels based on products and services supported.

● Categorized vendors based on handling of classified data to define risk levels.

● Report findings and discuss risk issues with the internal contract management team, inclusive of Legal

● Impart knowledge and provide training to the AXA – TCS team in the space of SOX to enhance awareness of the ITGC they operate and maintain.

Audit Compliance & Process Excellence Manager – Energies & Utilities Co, Long Island, New York

● Oversee the tracking and management to closure of SOX audit issues and compliance investigations.

● Mapped the NERC-CIP controls with SOX ITGC from a Control Management standpoint

● Developed systems to identify critical and non-critical cyber assets.

● Developed process framework for Access and monitoring of ERP assets and integrated it with the On-site command center functions.

● Defined MSP operational responsibilities at a system and process level

● Identified potential footprint for the Managed Service Provider in the NERC-CIP data handling.

● Analyze risk trends and have oversight on third party risk to initiate the risk response process.

● Assisted in root cause analysis and corrective actions.

● Provided expert advice to Vulnerability management headed by the CISO office.

● Designed and developed a Vulnerability Handling Matrix and prioritized vulnerabilities through CISO oversight.

● Work with CISO, third party vendor and client to manage the IT and other vulnerabilities.

● Provided IT Vulnerability information to Senior Leadership and Stakeholders.

● Led a team of 20 people from different verticals to manage external and internal vulnerabilities identified through Qualys and Securicon.

● Assessed the current Vulnerability management process, identified areas of improvement, designed and proceduralized the new process.

● Managed operational security metrics and compliance reports.

Project Lead – Compliance – A Major Supplier of Energies and Utilities for the state of California - San Dimas, California

Transitioning the infrastructure services of the client to a Managed Service (integrating Service Management processes, tools and other infrastructure services with regulatory requirements like SOX, NERC-CIP and SSAE 16).

● Developed Systems and Processes for the management of NERC-CIP and SOX controls.

● Access Management Process Implementation (Design, Document, Train)

● Evaluate to assess gaps in the Service Provider standards for SSAE-16 SOC 1 reports.

● Assessed the current regulatory requirements of NERC-CIP

● Led the MSP team to mitigate Cyber Security and Compliance 2017 Observations, Vulnerabilities on SOX Controls, General Controls (BCP, Operational and Governance), NERC/CIP Controls, Internal Audit Findings

● Evaluate and establish ITGC in the effectiveness of Security Operations, SIEM, NERC Security Incidents

● Oversee and monitor internal teams to provide governance and audit reports – weekly, monthly, and quarterly.

● Oversee General Operational Controls like BCP, operational data and System controls

● Control Narratives for 3 domains that interface with SAP – GRC, ITSM and Non-SAP applications.

a) Control Processes and Narrative Documentations (SOX & NERC-CIP)

b) Review Controls Activity and Evidence Design with IT Compliance, SOX Testing, Internal Audit, Process Owners, Controller Team, and External Auditors

c) Key controls testing with control performers by doing a tabletop exercise with each Primary/Backup control contact.

d) Managed Service Provider staff were given training on SOX and a detailed Train the Trainer (Control contact) session to understand their responsibilities and obligations for each control in the 3 domains.

● Documented NERC-CIP controls and process documents with MSP responsibilities aligning with Client security mandates.

● Developed and managed a high level and detailed project plan for implementation of changes in the IT systems.

Network Security Project Manager – Large Aluminum Manufacturing Plant – New York, USA

Network Transformation of an Aluminum Plant through a technology refresh: extend the wireless coverage, security controls and access controls using converged plant-wide Ethernet and a centralized tool to manage the wireless and wired network across the administrative, engineering and plant environments.

The project was implemented in five (5) phases.

● High Level Design & Network Discovery

● Risk Management

● Low Level Design

● Implementation

● Document & Training

● FEB 2013 – JUN 2014: Qaknights.inc (Project Manager) Calgary, Canada

Significant Projects and Responsibilities:

Provided advice and guidance to business partners and project teams, established systems and processes to manage integration, and developed processes to complete the transition by adapting best practices and standards.

1. Engineering Document Management System for IDocz (As a Senior BA)

2. Bair Project for UFA (UNITED FARMERS OF ALBERTA) (Part of the Transformation program) (As a Senior BA)

● MAR 2012 – NOV 2012: INFOSYS (Lead Project Consultant) Calgary, Canada

Guided the design, planning, scheduling, and execution of IT Service Management (ITSM) Programs through a Global Delivery Model. This involved leading and coordinating offshore and onsite teams and, if required, business advisors with industry specialization. Performed cross functional activities to support the horizontal layers of Sales and Delivery across the four industry verticals as the SME in COBIT and ITIL. This was predominantly used for the preparation of Business Cases and Responses to RFPs.

● JUL 2010 - MAR 2012: IBM (Project Lead Control Framework - Alberta Health Services) Calgary, Canada

Focused on the Merged IT services for Alberta Health Services; Project Managed, Counselled, Advised, Facilitated and Trained Process assessment participants in adding value to the Control Framework. Interacted with Business unit leads, third party vendors, Business Analysts, Operation centre staff, Developers and various groups within the ITS department, providing facilitated guidance in the integration of systems and processes. Post assessment, facilitated guidance for solutions implementation and establishing IT controls to comply with HIPAA, FDA and FOIP requirements and standards.

● JUN 2007 - APR 2009: Enerflex (Lead IT Governance & Control) Calgary, Canada

● DEC 2005 - APR 2007: CompuCom (Technical Support Analyst) Toronto, Canada

● SEP 2005 – NOV 2005: Bank of Montreal (Project Coordinator) Toronto, Canada

● APR 1989 – MAR 2005: Emirates Airline (Senior Network Engineer) Dubai, UAE

Education

Postgraduate in Computer Application

Bachelor of Commerce

Managing Risk – Harvard Business School

Working Towards CISM
