MICHAEL O. ADDO-YOBO
Master of Business Administration; B.Sc. Computer Science/Mathematics
CISM, CCISO, CGEIT, CISA, CRISC, CCSFP, PMP, MBCP
**** **** ****** ****, ******** TX, 75071 ******@***.*** Phone: 214-***-****
TRANSFORMATIVE CHIEF INFORMATION SECURITY OFFICER (CISO) & IT RISK LEADER
Professional Summary/Highlights
• 25+ years of accomplished professional and leadership experience, saving multiple organizations millions of dollars in security and IT risk related costs by applying trusted, innovative, business aligned strategies and tactics.
• 16 years of cumulative experience as a Substantive/Interim/Acting Chief Information Security Officer (CISO) at multiple organizations within the Banking/Finance/Insurance/FinTech, Healthcare, Technology, Consumer Business sectors.
• 14 years of Big 4 Cybersecurity & IT Risk Advisory consulting experience.
• Multi-certified with globally recognized Cybersecurity, IT Governance, Risk & Compliance Management certifications.
• Expertise in Cybersecurity, Digital Trust/Defense in Depth Practices, Privacy, IT Governance, Risk & Compliance, Due Diligence, Continuity/Recovery, directing and overseeing 400+ strategic projects and initiatives globally.
• Leading edge experience with multiple industry standards/frameworks (e.g., ISO-27001, NIST CSF, ISA-62443, ISO-20000, DRII, COBIT, ITIL, SANS, CSA).
• Leading edge experience with regulatory requirements including FFIEC/FDIC, PCI-DSS, GDPR, CCPA, FedRAMP, CMMC, RMF/DoD, SOX, GLBA, NYDFS, HIPAA, HITRUST, DORA, NIS II, among others.
• Technically astute with exposure to various computing and IoT platforms and systems (e.g., Azure, AWS, Windows/UNIX, IoT product devices/components, network, infrastructure, applications, security tools/utilities such as Alert Logic, Cylance, SolarWinds, Altiris, Rapid7 and Qualys, and GRC tools such as RSA Archer and ServiceNow).
• Positive change agent, results focused, recognized as a strong advocate for value creation and initiative-taking risk mitigation.
• Thought leader and speaker at multiple conferences and seminars on a wide range of technology risk management topics.
Industry Experience & Proficiency
• Professional Services/Consulting; Banking & Financial Services / Insurance; Fin-Tech; Mergers & Acquisitions; Healthcare / Health-Tech; Technology; Consumer Business (Manufacturing, Distribution & Retail); Oil & Gas / Energy; Mining; Public Sector / GovTech
Leadership & Management Skills & Competencies:
• Strategic Planning & Management
• Budget & Cost Management
• Customer/Partner Relationship Management
• Talent, Team & Resource Management
• Out-Sourcing/Co-Sourcing/In-Sourcing
• Due Diligence
• Technology Enablement/Automation
• Artificial Intelligence (AI)
• Program Governance, Oversight & Monitoring
• Executive Reporting, Metrics & Analytics
• Risk & Control Management
• Policy/Regulatory Compliance Management
• Project/Portfolio Management
• Organizational Change & Communication
Technical Skills & Competencies:
• Cybersecurity / Digital Trust Management
• Governance, Risk & Compliance
• Network, Infrastructure, Application Security
• Endpoint / Mobile / IoT Computing & Security
• Security Tools/Systems
• Incident Response, Forensics, Crisis Management
• Business Continuity/Resilience Management
• Vendor/Third Party Security Management
• Controls Attestations & Due Diligence
• Data Analytics & Problem Solving
• Cloud Computing/Platforms (AWS, Azure)
• Cloud / Data Center Operations
• Application Software Development / SDLC
• Enterprise Applications
• IT Service Delivery & Operations
• IT Process Optimization / Remediation
• Effective Written/Spoken Communications
Professional Experience:
Mar 2022 – Present Caterpillar Inc.
Global Head, Enterprise Cybersecurity Governance & GRC Strategy Irving, TX
• Authoritative source governing enterprise cybersecurity structures, standards, measures, workflows, program metrics and reporting with leadership and oversight responsibility for GRC strategy, enterprise cybersecurity policy, standards, controls, metrics, and reporting.
• Authored, directed, and oversaw the design and successful implementation of an enterprise cybersecurity governance framework for the global enterprise that incorporates the body of policies, standards, attestation processes, controls compliance and remediation monitoring/tracking, persona groups for strategic oversight and monitoring and technology enablement of the above with ServiceNow.
• Designed and oversaw the implementation of strategic and operational metrics and measures for enterprise cybersecurity.
• Planned, directed and oversaw the design and implementation of AI initiatives to support Cybersecurity Governance, Risk and Compliance operations.
• Managed and oversaw offshore and near-shore teams and operations supporting cybersecurity program oversight and monitoring.
• Directed and oversaw the transformation of enterprise cybersecurity policy, standards, processes & procedures to align with structure and objectives of the enterprise cybersecurity governance framework and its inherent provisions.
• Directed the design, development, and implementation of the Unified Cybersecurity Controls Framework (UCCF), covering thirty-eight (38) cybersecurity related regulatory obligations across the global enterprise (e.g., PCI-DSS, FFIEC, CMMC, NYDFS, GDPR, security laws of Indonesia, China, Japan, India, Mexico, Brazil, etc.) and eight (8) adopted standards (e.g., ISO-27001/2, ISA-62443, NIST CSF 2.0, SOC II, CIS Cloud Controls, etc.).
• Accelerated executive/leadership visibility into enterprise-wide cybersecurity maturity, performance/value, risk, compliance, and resource utilization through the establishment of the Enterprise Cyber Steering Committee, Tactical Work Groups, and associated collaboration/oversight processes.
• Established a cybersecurity PMO to oversee multiple cybersecurity projects, including the implementation of an enterprise GRC tool (ServiceNow-IRM)
• Established the Global Enterprise Cyber Steering Committee and Divisional/Functional Tactical Working Groups to facilitate collaboration and visibility into cybersecurity operations, initiatives and outcomes.
• Directed the enhancement and maturity of enterprise risk and compliance management processes and practices.
Jun 2019 – Mar 2022 Technology Risk Advisors, Inc.
Managing Director, Cyber Security & IT Risk Advisory Allen, TX
• Directed and oversaw multiple security/compliance programs and IT risk assessments at multiple client organizations.
• Served as Virtual/Interim CISO at multiple organizations, helping them identify, prioritize, and resolve a wide variety of strategic cybersecurity, regulatory compliance, and IT risk related business challenges.
• Established security functions for multiple organizations, supporting recruitment of security executives, management personnel and staff.
• Directed and oversaw the establishment of security governance frameworks for various enterprises including the development and implementation of enterprise security policy, standards, processes, procedures, controls, reporting metrics, operating model, tools/systems.
• Directed and oversaw multiple projects to build and implement enterprise security and privacy programs (for regulatory compliance purposes or otherwise) leveraging applicable standards, and compliance frameworks (e.g., ISO-27001/2, HITRUST, PCI-DSS, FFIEC, NAIC, SOC, HIPAA, GDPR, NY SHIELD, CMMC, CJIS, FedRAMP, RMF/DoD)
• Directed and oversaw security program design and implementation projects to enable numerous service providers to achieve Authority-to-Operate (ATO) status with various US federal government agencies.
• Led the selection, implementation, and management of various security threat monitoring, DLP and SIEM tools/systems (e.g., Cylance, Qualys, Rapid7, LogRhythm, CrowdStrike, AlertLogic, SolarWinds, Altiris, Spirion) at various client organizations.
• Designed and directed implementation of multiple security incident response planning, implementation, exercising as well as breach response/forensics projects.
• Directed the implementation of security awareness and training programs or courses tailored to stakeholders across multiple organizational hierarchies (e.g., executives, line managements, staff, contractors)
• Oversaw the development and implementation of business continuity and disaster recovery plans and programs leveraging industry standards (e.g., ISO-22301, DRII)
• Directed and oversaw the conduct of various vulnerability scanning and penetration testing projects for compliance and non-compliance purposes using tools like Nessus, AlertLogic, Metasploit, Xray.
• Oversaw the implementation of GRC software/tools (e.g., HyperProof, RSA Archer), designing and automating operational workflows, alerts, and reporting requirements.
• Provided thought leadership, industry insights and experience on current and emerging security/GRC/resilience topics.
Feb 2021 – May 2021 City of Riverside, California
Chief Information Security Officer (CISO) Riverside, CA
• Accountable for organization-wide cyber security, privacy, governance, risk, and compliance management
• Created a formal enterprise security strategy and program to encompass sixteen (16) security program domains.
• Served as the executive contact for all security related decisions, including setting expectations for data protection, risk mitigation and security related contractual obligations and RFPs with vendors/third party providers.
• Responsible for third party provider security related obligations, network, infrastructure, applications, and endpoint security, as well as risk identification/mitigation with all IT related development, implementation, and transformation initiatives/projects
• Responsible for all security governance initiatives – policy, standards, processes, procedures, controls, metrics, operating model, team members
• Directed and oversaw security staff in performing various management and operational activities to harden computing resources and build overall security resilience.
• Responsible for the implementation and sustainment of various security tools (CrowdStrike, LogRhythm, Spirion) and compliance management tools (e.g., HyperProof)
• Oversaw an annual budget/spend of over $10M in various security related initiatives.
Sep 2018 – Jun 2019 BDO LLP USA
Managing Director, Cybersecurity Advisory Dallas, TX
• Served as an Executive Advisor to C-Suite across multiple enterprises on challenges and pursuits relating to enterprise, IT Governance, Compliance, Risk and Cybersecurity.
• Appointed as the National Cybersecurity Practice Leader for the Healthcare Industry, directing and overseeing go-to-market and client service delivery initiatives for clients within the industry.
• Oversaw the planning, conduct and completion of various IT and security risk assessments and security compliance audits related to HITRUST, HIPAA, SOC, NIST CSF, ISO-27001, PCI and more.
• Oversaw the development of security policy, standards, processes, unified controls, KPIs/KRIs and other reporting metrics for client organizations across multiple industry segments.
• Directed delivery of security compliance remediation projects towards achievement of Authority-to-Operate (ATO), CMMC, RMF/DoD and other US federal government security mandates.
• Built enterprise security and privacy programs (for regulatory compliance purposes or otherwise) leveraging applicable standards, and compliance frameworks (e.g., ISO-27001/2, HITRUST, PCI-DSS, FFIEC, SOC, HIPAA, GDPR, CMMC)
• Directed the selection and implementation of threat detection and vulnerability management tools, appliances, and monitoring procedures to proactively identify and neutralize security threats, remediate known vulnerabilities, and support on-going security operations, (e.g., Rapid7, Nessus, AlertLogic).
• Directed client organizations in planning and coordinating security breach response and recovery efforts, collaborating closely with legal firms and regulators as applicable.
• Oversaw the implementation of awareness and training strategies and initiatives tailored to various client stakeholder groups, facilitating the establishment of a security-conscious culture.
• Developed enterprise business continuity and disaster recovery plans and programs for various client organizations leveraging industry standards (e.g., ISO-22301, DRII)
• Oversaw the successful implementation of multiple vulnerability scanning and penetration testing projects involving internal and external server, application and endpoint hosts for compliance and non-compliance purposes.
Mar 2015 – Sep 2018 Coalfire Systems Inc.
Managing Principal, Cyber Risk Advisory Dallas, TX
• Executive Advisor to C-Suite across multiple enterprises on challenges and pursuits relating to enterprise, IT Governance, Compliance, Risk and Cybersecurity that advance realization of business strategy and bottom-line.
• Managed, mentored and oversaw work and career progression of a team of 12 advisory consulting personnel focused on services essential to the success of CISOs across multiple enterprises in diverse industry segments.
• Held multiple Interim Chief Information Risk and Cybersecurity Officer (CISO) roles at multiple enterprises to direct and oversee the effective resolution of multiple strategic and tactical challenges, elevate risk awareness et al.
• Achieved a corporate award for strategic
• Created/Sponsored Coalfire’s CISO Roundtable Series that engages CISOs across multiple industries to discuss and strategize on challenges and opportunities in the industry.
• Directed the delivery of various cybersecurity projects to build an enterprise security program for a government contractor to achieve Authority-to-Operate (ATO) status with the US Department of Defense (DoD)
• Directed and oversaw the delivery of a wide variety of cybersecurity projects for organizations across multiple industry groups.
Aug 2010 – Mar 2015 Deloitte & Touche LLP
Management Consultant, Security & Privacy Dallas, TX
• Advised C-Suite at multiple enterprises on matters related to IT strategy, operations, risk and information security compliance programs and implementation of adopted standards and best practices (e.g., ISO-27000/2, ITIL, COBIT).
• Oversaw multiple teams in performing audits and assessments related to compliance with various regulations and standards (e.g., Dodd-Frank, NIST-800-53, ISO 22301/27001-2, GLBA, Patriot Act, HIPAA, PCI, Joint Commission, FISMA, FINRA, SOX …), providing consulting guidance and industry insights in the mitigation of compliance risks.
• Managed multiple projects to assess/audit the design, implementation and operating effectiveness of IT controls and guide remediation efforts, consistently achieving low to insignificant risk ratings post-remediation.
• Accelerated executive reporting of technology risks, significantly raising executive awareness at multiple enterprises where such practices were non-existent.
• Oversaw multiple projects to advise enterprises on technology risk matters relating to the procurement and implementation of various SaaS and IT infrastructure solutions (e.g., SAP, Oracle Financials, PeopleSoft, EPIC, Cerner).
• Managed multiple engagements to develop and implement various IT operational policies, standards, procedures, operating models, and performance indicators/metrics leveraging industry frameworks such as ISO 22301, NIST-800-53
• Directed and oversaw multiple large engagements to design and implement operational strategies, optimized business processes and controls aimed at increasing efficiency, effective governance, and performance delivery.
• Managed multiple teams in the design, development, and implementation of multiple resilience programs (e.g., emergency management, business continuity, disaster recovery, incident management) for multiple clients across multiple industries, consistently exceeding executive sponsor expectations.
Feb 2010 – Aug 2010 Independent Executive Consultant
IT Governance, Cybersecurity, Risk & Control Allen, TX
• Managed a small team of six (6) in multiple audits of the design, implementation, and operating effectiveness of application controls at BlueCross BlueShield of North Carolina, presenting findings/recommendations to executives.
Feb 2009 – Jan 2010 Manulife Financial/John Hancock
Director, IT Risk Management (Corp. & Reinsurance Divisions) Toronto, ON
• Directed and managed IT risk for the Corporate and Reinsurance Divisions and served as a key member of the Global IT Risk Management and Governance Council senior IT management team.
• Managed a team of fifteen (15) in the planning, design, development and implementation of divisional IT risk management strategy and programs, leveraging frameworks such as COBIT, ITIL, ISO-27001/2, ISO-20000, CIO Framework.
• Managed the design, implementation and tracking of compliance with multiple IT policies, standards, processes, and procedures (e.g., IT Security, Incident/Problem/Change Management, Application Development & Support and Disaster Recovery)
• Oversaw risk management activities relating to the qualification, selection, and implementation of a global HRMS solution and a global Vendor/Contracts Management System solution among other enterprise/global gated projects. Solutions reviewed included SAP, Workday, Celestica, Upside, in a SaaS/Cloud Computing Environment.
• Oversaw the effective remediation of multiple IT audit, risk, and compliance issues, dropping the number of pending issues by over 90% in less than 1 year.
• Responsible for third party contract reviews, due diligence, and SAS70/Section 5970 (SOC1/SOC2) reviews from a technology risk management standpoint.
• Responsible person for multiple IT Internal Audit client accounts, overseeing multiple teams in the planning and delivery of risk and compliance assessment projects in areas including IT strategic alignment, information security, outsourcing, application systems development, acquisition and implementation of software, IT service level management, business.
• Managed the development of business continuity and disaster recovery programs for the divisions in line with business tolerance limits and approved standards.
2004 – 2009 Deloitte & Touche LLP Toronto, ON
Senior Manager, Enterprise Risk Services
• Key member of the Senior Management Team for the IT Governance and Risk Management Service Line and responsible lead for business continuity and disaster recovery service offering
• Responsible person for multiple IT Internal Audit client accounts, overseeing multiple teams in the planning and delivery of risk and compliance assessment projects in areas including IT strategic alignment, information security, outsourcing, application systems development, acquisition and implementation of software, IT service level management, business continuity, network security and other areas of IT.
• Managed multiple projects helping multiple large enterprises in the adoption and implementation of IT frameworks and standards such as ISO-17799/27001/20000, BSI Standards, ITIL, COBIT, Standards from the UPTIME Institute, and compliance regimes (e.g., Sarbanes-Oxley).
• Managed multiple business continuity and disaster recovery service offering initiatives including – strategic pursuits, intellectual property development, eminence building, staff hiring and professional development and delivery of multiple Business Continuity, IT Service Continuity and Disaster Recovery Planning programs for a wide variety of clients.
• Oversaw the internal development of a professional services framework that integrated IT processes with IT control frameworks (leveraging ITIL and COBIT) to support effective IT Governance and Compliance.
• Delivered ITIL Foundations Certification Training to Deloitte staff, consistently achieving 90%+ student pass rate.
Education
- Master of Business Administration (MBA) - 2007
- Bachelor of Science in Computer Science/Mathematics - 1991
Professional Designations/Certifications
- Certified Chief Information Security Officer (CCISO) - Candidate - 2025
- Certified HITRUST Common Security Framework Practitioner (CCSFP) - 2018
- Certified Information Security Manager (CISM) - 2015
- Project Management Professional (PMP) - 2011
- Certified in Risk & Information Systems Control (CRISC) - 2011
- Master Business Continuity Professional (MBCP) - 2009
- Certified in the Governance of Enterprise IT (CGEIT) - 2009
- COBIT/Val-IT Foundations Certificate - 2007
- ITIL Foundations Certificate - 2006
- Certified Information Systems Auditor (CISA) - 2005
References: Available upon request