SUMMARY:
Highly accomplished and results-driven Cybersecurity Executive with 25+ years of progressive leadership experience in developing, executing, and overseeing robust global cybersecurity programs. Proven ability to act as a strategic partner to the CISO, managing enterprise-wide cyber risk, leading security operations, and ensuring stringent compliance within complex, highly regulated environments. Expertise spans strategic program development, global compliance adherence (GDPR, HIPAA, CCPA, NIST), advanced risk management, security architecture, and building and mentoring high-performing security teams. Passionate about safeguarding critical information assets and enabling business objectives through a proactive and integrated security approach.
In the Navy, Mr. Lopez managed the overall IT security program in support of SOUTHCOM (Plan Colombia), Operation Enduring Freedom, Operation Iraqi Freedom, the Global War on Terrorism, Counter Terrorism, and Detainee Operations, which included analyzing security shortfalls and regularly presenting briefings and recommendations to senior leadership and auditors.
EDUCATION:
Adjunct Professor (Cybersecurity/MIS Program), Bowie State University, Bowie MD - Present
Master of Business Administration (MBA), DeVry University, Arlington VA, 2/12
M.S. Management Information Systems (MIS), Bowie State University, Bowie MD, 5/08
B.A. Communications, Trinity International University, Miami, FL, 5/01
CERTIFICATIONS AND TRAINING:
Certified Chief Information Officer (CCIO), National Defense University (NDU)
Project Management Professional (PMP) PMI # 430368, Villanova University
DOD 8140 – IAM III, Certified Information Security Manager (CISM), 1630829
Certified AWS Cloud Practitioner
ITIL 2011 – Certification# 0232071501QG4F
Governance, Risk, and Compliance Conference, Miami FL, 2023
KEY SKILLS & COMPETENCIES:
Cybersecurity Strategy & Leadership: Global Program Development, Strategic Planning & Execution, Executive Advisory, Vision & Roadmap Definition.
Governance, Risk & Compliance (GRC): Enterprise Risk Management (ERM), Risk Assessment & Mitigation, Incident Response Frameworks, Audit Management, Policy & Standards Development, GDPR, HIPAA, SOX, PCI DSS.
Security Operations & Management: SOC Oversight, Incident Response (IR), Threat Intelligence, Threat Hunting, Vulnerability Management, Security Monitoring.
Security Architecture & Engineering: Secure Cloud Design (AWS, Azure, GCP), Network Security, Application Security, Data Security (DLP, Encryption), Identity & Access Management (IAM), Security Tool Implementation.
Global Compliance & Regulatory Affairs: Adherence to International Data Protection Laws, Industry-Specific Regulations, Compliance Reporting.
Team Leadership & Development: Building & Mentoring High-Performing Teams, Talent Acquisition, Performance Management, Professional Development Programs.
Stakeholder Engagement: Executive Communication, Cross-Functional Collaboration, Business Unit Partnership, Vendor Management.
Budget & Resource Management: Financial Planning, Forecasting, Resource Allocation, Optimization of Security Investments.
Innovation & Continuous Improvement: Driving Security Transformation, Adapting to Emerging Threats, Process Optimization.
EXPERIENCE:
Federal Cybersecurity Director / Sr. Information Security Officer – CRG, LLC
{Client}: Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) (Oct 2016 – Present)
Assisted the CIO and CISO in defining and executing the global cybersecurity strategy across all DHS business units, contributing to a 40% increase in security maturity scores globally.
Oversaw daily security operations, including SOC management and incident response functions, resulting in a 20% reduction in Mean Time to Respond (MTTR) to critical incidents.
Managed enterprise-wide cybersecurity risk assessments and developed comprehensive mitigation plans, effectively reducing identified high-risk vulnerabilities by 30%.
Led the development and implementation of a comprehensive cybersecurity strategy for a major federal agency, resulting in a significant reduction in security incidents and improved compliance with federal regulations (e.g., NIST 800-53, FedRAMP).
Built and managed a high-performing team of cybersecurity professionals, fostering a culture of collaboration, innovation, and continuous improvement.
Spearheaded the adoption of Zero Trust security principles and implemented advanced security technologies to enhance threat detection and response capabilities.
Designed cloud infrastructure (DHS CISA AWS LZ; IaaS/PaaS/SaaS), virtual private clouds, virtual private networks, and relational databases to meet customer security-control requirements.
Established corporate cloud computing architecture policies and standards at the appropriate security levels and governance, in accordance with guidance from the National Institute of Standards and Technology (NIST), the Federal Information Security Management Act (FISMA), Federal Information Processing Standards (FIPS), the Office of Management and Budget (OMB), and the Federal Risk and Authorization Management Program (FedRAMP).
Federal Cybersecurity Director/Sr. Subject Matter Expert (SME), CRG LLC
{Client}: Pension Benefit Guaranty Corporation (PBGC), Wash D.C. (Aug 2020 – Oct 2021)
Provided C-SCRM awareness training to the Federal Government Procurement Department for Contracting Officers (COs) and Contracting Officer Representatives (CORs).
Authored and published the agency's EO 14028 / NIST SP 800-161 Cybersecurity Supply Chain Risk Management (C-SCRM) strategy, implementation plans and procedures, and the IS Contingency Plan.
Team CRG worked with the Prime Contractor Softech, LLC development teams to address security issues and requirements proactively, working directly with the PBGC Office of Information Technology to upgrade systems by implementing and maintaining security controls.
Identified security violations and inefficiencies through periodic audits, working directly with the government COR and the PBGC Security Operations Center within the agency.
Developed RMF security assessment and authorization (ATO) documentation in support of the Operations & Maintenance and Continuous Diagnostics & Mitigation (CDM) phases of the PBGC SDLC, aligned with FISMA/NIST and the Enterprise Performance Life Cycle Framework.
Provided training webinars and conference calls for PBGC clients needing assistance interpreting preliminary vulnerability assessment audit findings and/or to prepare for formal FISMA audits, annual risk assessments, and contingency planning exercises.
Deployed Netsparker Cloud and WebInspect web application vulnerability scanners to test software input validation and data integrity.
Assisted in transitioning from Trusted Agent to RSA Archer within DevOps, in preparation for an automated security assessment and authorization system.
Cybersecurity Director/Executive Risk Controls Advisor, CRG LLC
{Client}: Fiserv, Inc., Coral Springs, Florida (Apr 2018 – Aug 2020)
Professional cybersecurity leader and auditor. Certified CISM with a passion for finance and banking IT, well versed in government contracting and internal IT security support. Excels at creating high-functioning team environments with customers, suppliers, and employees. An out-of-the-box thinker able to translate technical information for non-technical customers and executives. Consistently brings tough projects in on time and on budget with maximum efficiency and effectiveness.
As Sr. Cybersecurity Advisor/SME to the CISO at Fiserv, led the IT Security Compliance program for the Latin American and Caribbean region. As Sr. IT Security leader and liaison to auditors, completed over 15 comprehensive reviews of the organization's data security controls with executive teams, internal stakeholders, PCI auditors, and audit firms (Deloitte/KPMG), providing IT audit training with recommendations, direction, and development for the LATAM region IT Audit and Cybersecurity Program.
Ensured consistent compliance with global data protection regulations GDPR, CCPA, NIST CSF and industry-specific standards, successfully navigating 10 external audits with zero critical findings.
Scheduled and coordinated over 15 annual PCI audits with LATAM auditors, arranging access to people and resources for their reviews, with zero (0) PCI DSS findings.
Assessed and remediated over 25 vulnerable Point of Sale (POS) applications post-implementation, working with the technical vulnerability management teams during PCI quarterly scans.
Completed over 10 comprehensive documentation and technical-evidence reviews of the organization's data security controls with senior management, internal stakeholders, SOX auditors, and audit firms (KPMG), scoping SOX environments and evaluating them against SOX requirements.
SailPoint IAM System Lead for LATAM employee lifecycle management of over 200 privileged users (system engineers, developers, network engineers, and system administrators).
SailPoint Compliance Management for the Fiserv LATAM region (Brazil, Argentina, Panama, Colombia): tracked, enforced, and certified access across the enterprise.
Authorizing Official Representative/ Sr. Information Security Officer (SISO), CRG LLC
{Client}: Defense Threat Reduction Agency (DTRA), Ft. Belvoir VA (Nov 2016 – Apr 2018)
Led, managed, and mentored a global team of 70 information security professionals, fostering a culture of continuous learning and high performance.
Managed the cybersecurity budget of over $125M annually, optimizing expenditures to achieve maximum security ROI for U.S. DoD NIST RMF Cyber Support Services Contract.
Collaborated extensively with IT, business units, and external partners to integrate security best practices into all aspects of the organization, from product development to operational processes.
Directed the implementation and optimization of key security technologies and programs, including the DoD transition from DIACAP to the NIST RMF, SIEM/SOAR platforms, and EDR solutions.
Advised the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) on comprehensive cybersecurity strategies and planning for the DoD CIO Getting to Green (GTG) and Scorecard Program.
Led and managed over 50 independent verification and validation (IV&V) contractors on the DIACAP-to-RMF transition programs and projects.
Developed performance metrics to measure the Department's cyber risks and security requirements, identify quantifiable outputs, and establish goals that enable effective measurement across the Department's enterprise.
Presented to leadership and other government officials on cyber/information security and privacy matters pertaining to the Risk Management Framework (RMF) lifecycle.
Collaborated with Enterprise Security Operations directors, managers, and supervisors to oversee the evaluation and implementation of tools and applications required to investigate anomalies and remediate incidents.
Ensured the implementation of cybersecurity incident response projects and security solutions such as Trusted Internet Connection (TIC) and vulnerability and patch management.
Transitioned over 185 information systems from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) in DISA's eMASS enterprise, six (6) months ahead of the project schedule. Awarded the Leadership Team Award and a Letter of Commendation from the Secretary of Defense.
Deputy Chief Information Security Officer (CISO)
U.S. Navy, Navy Engineering Logistics Office (NELO), Washington, DC (Nov 2015 – Nov 2016)
Managed a team of over 60 government and contractor professionals in a combination of direct and matrix reporting structures.
Managed the cybersecurity budget of over $150M annually, optimizing expenditures to achieve maximum security ROI for U.S. Department of Navy Special Access Program, NELO.
Provided expertise in high availability, contingency planning, COOP, disaster recovery and automated provisioning.
Designed solutions across cloud deployment models (private, public, community, and hybrid) and service models, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and emerging cloud services, to optimize the essential characteristics of cloud computing for FedRAMP in AWS and Azure environments.
Advised on over 10 storage and security solutions for securely storing data in multi-tenant environments for DoD Joint Task Force environments.
Advised the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) on comprehensive cybersecurity strategies and planning for the Department of the Navy Special Access Programs (SAP).
Oversaw and exercised managerial authority over federal and contract staff executing the Department's implementation of the National Institute of Standards and Technology (NIST) Risk Management Framework.
Developed performance metrics to measure the Department's cyber risks and security requirements, identify quantifiable outputs, and establish goals that enable effective measurement across the Department's enterprise.
Identified critical success factors (CSFs), monitored risks, and ensured regular and effective communication with internal and external stakeholders to support effective and compliant management.
Presented to leadership and other government officials on cyber/information security and privacy matters.
Provided guidance for business continuity and disaster recovery (BC/DR) initiatives, policies, and procedures to ensure continued operation of services across the Department.
Sr. Information Security Officer (SISO) / Sr. Application Security Officer
Department of State (State Department), DS-CTO, Rosslyn, VA (Nov 2012 – Nov 2015)
Managed and led a team of over 25 government and contractor professionals in a combination of direct and matrix reporting structures.
Managed the cybersecurity budget of over $75M annually, optimizing expenditures to achieve maximum security ROI for Diplomatic Security Bureau Office of the CTO.
Reported regularly on security posture, key metrics, and strategic initiatives to senior leadership and the Board of Directors, ensuring informed decision-making.
Drove continuous improvement and innovation within the security program, proactively adapting to emerging threats and technological advancements.
Led the cybersecurity strategy for the Diplomatic Security Bureau, ensuring the protection of U.S. diplomats, over 450 embassies, and sensitive information systems worldwide.
Developed and implemented a new cybersecurity framework to address the unique challenges of operating in diverse and often hostile environments.
Spearheaded initiatives to secure critical infrastructure, protect sensitive data, and educate diplomats about cybersecurity threats and best practices.
Played a key role in mitigating a major cyberattack targeting U.S. embassies, preventing data breaches, and enhancing international collaboration on cybersecurity.
Successfully defended against 7,500 cyberattacks; secured over 400 embassies in over 120 countries.
Worked with developers in testing, migrating, and implementing software.
Ensured compliance with DS CTO policy and applicable standards/regulations (FISMA/NIST/CIS/FAM/FAH), providing gap analysis of current security policies (asset classification, security controls, incident management, and vulnerability management plans) so that gaps were mitigated at the acquisition or operations-and-maintenance phases of the SDLC.
Provided oversight in implementing comprehensive risk management strategies, ensuring alignment with the Department's risk management policy for continuous monitoring, security data analysis, and Federal Risk and Authorization Management Program (FedRAMP) cloud sponsorships.
Provided guidance for business continuity and disaster recovery (BC/DR) initiatives, policies, and procedures to ensure continued operation of services across the Department.
IT Security Operations Program Manager/Sr. Associate/Principal Security Architect
Booz Allen Hamilton, McLean, VA (Nov 2006 – Nov 2012)
Led the development and implementation of a comprehensive cybersecurity strategy for a major federal agency, resulting in a significant reduction in security incidents and improved compliance with federal regulations (e.g., NIST 800-53, FedRAMP).
Built and managed a high-performing team of cybersecurity professionals, fostering a culture of collaboration, innovation, and continuous improvement.
Provided expert guidance to senior leadership on cybersecurity risks, mitigation strategies, and emerging threats.
Developed and revised security policies, processes, and procedures using NIST's Risk Management Framework (SP 800-37) and Recommended Security Controls for Federal Information Systems (SP 800-53).
Interacted with product designers and developers to analyze the security features of products, identify security improvements or enhancement capabilities, and recommend modifications.
Conducted technical risk assessments of applications, and analyzed and mitigated system vulnerabilities.
Evaluated web-based applications, databases such as Oracle 10g and 11g and SQL Server, Drupal, and COTS systems for security vulnerabilities, and implemented realistic mitigation strategies.
Prepared system security accreditation documentation for systems audited against FISMA standards.