KPMG International Services Limited (KPMGI)
Associate Director, Senior AppSec & Cloud Security Architect
GISG AppSec - October 2023 - Present
As a Senior Security Architect, I specialize in offering comprehensive security consultation to Solution Teams across our global organization, ensuring all proposed solutions meet stringent security standards. My role involves conducting thorough reviews encompassing alignment with security requirements, design scrutiny, and threat modeling, crucial for guiding solutions through the security assessment review phase. I prioritize design reviews guided by Zero Trust principles, security best practices, and organizational mandates.
I am deeply involved in developing and enhancing service deliverables, particularly focusing on the security aspects of IaaS, PaaS, and SaaS services, with a strong emphasis on cloud technologies. Collaboration with organizational solution owners and project teams is integral to delivering robust and scalable security strategies.
Recognized as a Subject Matter Expert in cloud technologies and security, I actively facilitate knowledge dissemination within various departments of the organization.
In my capacity as a Senior Security Architect, I champion global organizational infrastructure services and solutions, ensuring adherence to established standards while supporting rigorous audit processes for security and compliance. Furthermore, I am committed to promoting cybersecurity awareness by developing and delivering training materials that imbue a security-focused perspective, thereby bolstering solution-building efforts.
Associate Director, GISG Assessment Manager
GISG Security Management - October 2022 - October 2023
As a Senior Security Engineer, I oversaw the framework for conducting and monitoring security and compliance assessments. I played a key role in developing strategies and roadmaps for assessments, including architecting, building, and managing the organization's Information Security Boundaries Assessment Program. I also contributed to the implementation, maintenance, and enhancement of relevant technology solutions, as well as overseeing support resources. Additionally, I managed the maintenance and improvement of the framework, materials, processes, and procedures for the organization's information security boundaries assessments.
Associate Director, Global Cloud Security Guardrails (GCSG) Assessments Manager
GISG Security Management - June 2022 - October 2022
As a Senior Security Engineer, I spearheaded the design and administration of a framework for automating monitoring and executing assessments of cloud platforms against the organization’s Global Cloud Security Guardrails (GCSG) and overseeing the monitoring of the overall risk treatment plan. I implemented automated monitoring utilizing the organization’s ServiceNow IRM for GCSG alongside cloud-native tools of organizational Cloud Platforms (Azure, AWS, or GCP). I oversaw the maintenance and improvement of the GCSG program framework, materials, processes, and procedures, including managing the GCSG Code Repository for disseminating automation code across the organization and providing final approval for code releases. Additionally, I contributed subject matter expertise to overarching efforts for GCSG automation, encompassing deployment, monitoring, and assessment.
SynoTek, LLC
Chief Information Officer (CIO) / Principal Consultant
10/2013 to 6/2022
As a principal consultant, I contributed to the development of solutions for GRC implementation. I oversaw and monitored the execution of assessments of information systems against various GRC frameworks and facilitated overall risk management. I conducted gap analyses and assessments across multiple frameworks. Additionally, I provided guidance for GRC Automation for Cloud Platforms (Azure, AWS, and GCP) using cloud-native tools.
During my tenure, the GRC frameworks I worked with included:
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Information Systems Management Act (FISMA)
- National Institute of Standards and Technology (NIST) Risk Management Framework (NIST RMF)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF)
- Center for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges (MARS-E)
- Health Information Portability and Accountability Act (HIPAA) Security Rule (HSR)
- Department of Commerce Privacy Shield
- Cloud Security Alliance (CSA)
- International Organization for Standardization (ISO) 27000 Series
- General Data Protection Regulation (GDPR)
- Center for Internet Security (CIS) Benchmarks
- Center for Internet Security (CIS) Critical Security Controls
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
- Information Technology Infrastructure Library (ITIL)
- Control Objectives for Information and Related Technologies (COBIT)
- Payment Card Industry Data Security Standards (PCI-DSS)
IBM Watson Health
Compliance and Security Manager
12/2020 to 2/2022
In my role as a senior security and compliance manager, I delivered customer-facing technical leadership within a data warehouse implementation team. My responsibilities included overseeing the security (RBAC, LDAP, DBMS, networking) and compliance (NIST, HIPAA, SSAE16, MITA) components of the solution. I effectively communicated these aspects to both technical and non-technical stakeholders. Additionally, I collaborated on new opportunities organization-wide to ensure adherence to security and compliance requirements.
Key Responsibilities:
- Participated in requirements and design sessions to ensure compliance with applicable State and Federal regulations in solution architecture.
- Supported and maintained security policies/configuration for DBMS, applications, systems, etc., in both on-premise and cloud-hosted solutions, including encryption keys, access controls, and database audit logging.
- Configured, tuned, and reviewed security logs (e.g., central systems logging, database logging) to enhance anomaly detection and reduce false positives.
- Conducted vulnerability security scans of systems to identify and rectify infrastructure security issues in servers and databases.
- Developed and maintained security plans, procedures, and other necessary documentation.
- Evaluated new platforms and tools in the industry, providing recommendations for their incorporation into current and future projects.
- Advised management by creating scorecards and reports displaying our risk profile, facilitating informed decision-making.
- Offered proactive analysis and options for implementing regulatory requirements from CMS regarding the system's operations.
- Maintained communication with customers regarding new CMS rules, organizing meetings to present findings and facilitate feedback for CMS, while proposing solutions for implementing the rules (controls) in the system.
Collab9, LLC
Chief Information Security Officer (CISO)
10/2016 to 09/2020
As a senior-level executive at Collab9, LLC, a FedRAMP Authorized Unified Communications as a Service (UCaaS) solution provider, I spearheaded the delivery of a secure cloud-based communication solution integrating voice, video, web conferencing, messaging, mobility, and customer care. My mission was to align business objectives with security initiatives, ensuring the adequate protection of information assets and technologies. I managed all aspects of the CISO role, leveraging various information security frameworks and the globally accepted project management framework of PMI. Additionally, I fulfilled the role of Collab9 Privacy Officer.
In my capacity within the Collab9 Secure UC environment, FedRAMP Authorization Boundary, and HIPAA environment, I assumed the following additional roles:
Senior Information Security Officer (SISO):
I was responsible for executing the Chief Information Officer’s security duties and served as the primary liaison between the Chief Information Officer and Federal Agency’s Authorizing Officials, Information System Owners (ISO), and Information System Security Officers.
Information System Security Officer (ISSO):
I ensured the maintenance of appropriate operational security posture for information systems, closely collaborating with the ISO. I acted as a principal advisor on all security matters, technical and otherwise, pertaining to information systems. Additionally, I served as an alternate Information System Security Engineer, conducting vulnerability scans, monitoring alerts from IPS and SIEM, and performing audit log reviews.
Information Security Architect (ISA):
I ensured that information security requirements essential for protecting the organization’s core missions and business processes were adequately addressed across enterprise architecture, including reference models, segment and solution architectures, and resulting information systems supporting those missions and processes.
Accomplishments:
- Successfully conducted FedRAMP Continuous Monitoring Annual Assessments for the years 2017, 2018, and 2019.
- Completed HIPAA Security Rule Assessment in 2018.
- Led Gap Analysis from FedRAMP Moderate to FedRAMP High, CJIS, DoD IL5, and IRS 1075 compliance.
Digital Management, Inc.
Information System Security Manager, Contractor for the U.S. Department of the Interior (DOI) Office of Chief Information Officer (OCIO)
05/2015 to 10/2016
Information System Security Officer (ISSO) for Department of Commerce (DoC), 6/2016 - 10/2016
Information System Security Officer proficient in developing and maintaining Continuous Monitoring Plans (CMP). Skilled in executing activities outlined within the CMP to ensure robust security measures.
Information System Security Line of Business (ISSLoB) Operations Manager, 7/15 - 10/2016
Direct Reports = 7 telecommuting staff
As an Information System Security Manager, I effectively managed a Federal government security program, ensuring compliance with the NIST Risk Management Framework (RMF). I implemented the Project Management Institute, Inc. (PMI) Project Management Body of Knowledge (PMBOK) project management framework to ensure consistent and comprehensive engagement deliverables.
Key responsibilities included:
- Overseeing Security Assessment and Authorization (SA&A) activities.
- Developing and reviewing security documentation to ensure compliance with NIST and FISMA directives from OMB.
- Reviewing FedRAMP packages for Cloud Service Providers (CSP) and presenting findings during briefings to the Authorizing Official (AO).
- Providing support for the Cyber Security Assessment and Management System (CSAM), the client’s official FISMA reporting tool, including generating reports and ensuring compliance and consistency of federal government information systems.
IT Security Risk Management Lead, 5/15 - 7/15
Direct Reports = 10 telecommuting and on-site staff
As a Security Engineer serving as the IT Security Risk Management Lead, I oversaw a team of risk management and compliance personnel, guiding them in various tasks including System Authorization and Accreditation (SA&A), Security Program Management, Security Metrics and Reporting, development and tracking of Plans of Action and Milestones (POA&M), as well as the development and tracking of Interconnection Security Agreements (ISA). Additionally, I coordinated Continuous Monitoring activities to ensure ongoing security effectiveness.
SAIC
Program Manager / Senior Project Manager
03/2011 to 5/2015
Senior Project Manager, SAIC - Cyber, Cloud and Data Science - 3/2011 - 5/2015
Comprehensive Robust Information Security (CRIS) Project for USDA/Forest Service
Direct Reports = 10 teleworkers
Team Lead Policy and Governance / Risk Management Framework (RMF)
Team Lead Security Operations
Vulnerability Scanning and Auditing, Enterprise Security Metrics Reporting, and Centralized Account Management (CAM)
As a Senior Security Architect and Senior Project Manager, I have leveraged my expertise to serve as the IT Security Subject Matter Expert (SME) and Task Lead, aligning project activities with key regulatory frameworks including OMB, DHS, NIST, FISMA, RMF, and Continuous Monitoring. I provided comprehensive briefings on potential impacts to agency operations, driving enterprise-wide planning and implementation efforts.
In my capacity, I effectively managed virtual teams, ensuring adherence to federal standards and agency requirements such as OMB, DHS, and US-CERT. I was dedicated to problem resolution and maintaining high levels of customer satisfaction for individual delivery orders. Additionally, I provided supervisory, technical, and administrative guidance to personnel to ensure task completion.
Recognizing the importance of ongoing training, I conducted comprehensive sessions on security program policies and procedures, fostering a culture of awareness and compliance. To streamline documentation and project management, I implemented SharePoint for documentation purposes and utilized Project Server with OLAP for efficient management of multiple projects.
One notable achievement includes leading a virtual team in the review, update, and delivery of over 3,400 pages of security documentation, along with training materials, within a tight 6-month project timeframe. This initiative underscored my ability to coordinate diverse resources towards achieving project objectives efficiently and effectively.
Program Manager, SAIC - Federal Civilian Customer Group - 11/2012 - 2/2014
Direct Reports = 57 on-site staff at multiple locations
Department of the Interior / Interior Business Center - IT Data Center, Systems Operation and Administration (SOA), Data Center Operations, Network Services, Database, Storage and Backup, System Software Administration, Applications Development and Administration, and Enterprise Services
Department of Defense (DoD), Chemical Weapons Depot IT Support
GSA Accounting Office, Accounting and Financial Support
As a seasoned Program Manager, I spearheaded the successful implementation of targeted government contracts, orchestrating seamless planning, coordination, and execution of organizational efforts to competitively acquire and execute specific business ventures. I adeptly integrated diverse functions and activities essential for program performance, ensuring alignment with client requirements. I led program teams in defining and implementing technical baselines while upholding stringent quality standards for service delivery. My responsibilities extended to directing project team members, meticulously managing costs and schedules, ensuring contract adherence, and serving as the primary liaison with clients, project managers, task leaders, subcontractors, and other stakeholders. My role demanded effective communication and collaboration across all levels to drive program success.
Aquila Business Services, LLC
Chief Information Officer (CIO)
4/2009 to 12/2012
As the Chief Information Officer, I spearheaded comprehensive IT management and security initiatives for the company and its clientele. I oversaw the design and administration of Learning Management Systems (LMS) and led incident response efforts. I ensured strict adherence to Federal and state regulations alongside industry best practices, prioritizing governance, risk management, and compliance (GRC), and managed ongoing security assessments, testing, and audit processes for both the company and its clients. Proficient in security engineering, continuity planning, and IT security control management, with expertise extending to cloud service provider management (IaaS, SaaS, PaaS). Core competencies include audit management, security testing, and optimization of LMS platforms.
G&B Solutions, Inc.
IT Security Analyst
7/2008 to 3/2011
Senior Security Analyst, United States Department of the Interior (DOI), National Business Center (NBC).
Seasoned Senior Security Analyst with a proven track record of success in ensuring the efficacy and compliance of the DOI Certification & Accreditation (C&A) program with departmental standards and NIST Special Publication (SP) 800 series guidance. Proficient in managing IT security projects, conducting thorough assessments, and implementing robust security measures to safeguard systems and data. Adept at stakeholder engagement, project management, and driving significant reductions in security vulnerabilities.
Key Responsibilities and Achievements:
- Orchestrated comprehensive IT security projects to evaluate and enhance the security posture of systems, employing interviews, document validation, and security control testing methodologies.
- Ensured the currency and accuracy of system documents while liaising with system owners, developers, and technical staff to reinforce understanding of IT standards and policies.
- Developed and maintained project plans, schedules, and status reports, alongside managing project tracking spreadsheets to facilitate efficient project oversight.
- Conducted gap analysis of existing policies, practices, and procedures, aligning them with federal standards and regulations, including Security Technical Implementation Guides (STIG) and NIST SP 800-53.
- Executed crosswalk analysis of NIST SP 800-53, Rev 3, and the HIPAA Security Rule, facilitating compliance assessments and adherence to regulatory requirements.
- Spearheaded annual Internal Control Reviews (ICR) and Security Impact Assessments (SIA), as well as security walk-through assessments and penetration testing activities.
- Acted as the Security Point of Contact (SPOC) for the entire DOI/NBC Enterprise during United States Computer Emergency Readiness Team (US-CERT) briefings, providing expert guidance on vulnerability management and mitigation strategies.
- Designated Security Compliance Coordinator and Audit Liaison for a federal financial system with over 8,000 users, achieving 100% on-time deliverables and reducing audit/testing findings by 45%.
- Managed the Plan of Action & Milestones (POA&M) process, resulting in an 85% reduction of identified security vulnerabilities within a six-month timeframe.
- Developed bespoke tools for aiding automation in various tasks, including generating Nessus vulnerability scan reports, Cyber Security Assessment and Management (CSAM) reports, and Internal Control Review (ICR) templates for streamlined reporting.
Accomplishments:
- Successfully facilitated FISCAM audits, FISMA audits, Office of the Inspector General (OIG) reviews, and A-123 reviews as Audit Liaison, achieving 100% on-time deliverables and reducing audit/testing findings by 45%.
- Served as the Security Compliance Coordinator for a federal financial IT system, overseeing three deployments, including virtualization, and managing security for over 8,000 users.
- Acted as the Security Point of Contact (SPOC) for the entire Federal Enterprise during US-CERT briefings, focusing on Microsoft vulnerabilities.
- Developed multiple automation tools, enhancing organizational efficiency and effectiveness in tasks such as generating vulnerability scan reports and conducting security assessments.