Profile
Ethical hacker with 21 years of security experience creating and managing security consulting services and teams, conducting pre-sales and delivery for major international clients, presenting complex security topics to board and C-level audiences, presenting security research at major industry conferences, and conducting interviews with news media.

Certifications
CISSP - (ISC)² Certified Information Systems Security Professional
NSA IAM - National Security Agency Infosec Assessment Methodology
NSA IEM - National Security Agency Infosec Evaluation Methodology
PCI QSA (Former) - Payment Card Industry Qualified Security Assessor
PCI ASV (Former) - Payment Card Industry Approved Scanning Vendor
CISA (Former) - ISACA Certified Information Systems Auditor

Skills
Service Development and Management
Founded penetration testing and compliance assessment practices and managed the delivery teams for those practices. Created the pricing models, delivery procedures, and report templates for these services.

Standardized legacy regional threat intelligence services for global delivery to create revenue opportunities in new markets. Designed new global threat intelligence capabilities and services to take advantage of new opportunities.

Designed a cloud-based corporate email anti-spam/virus solution delivered via data centers in the US and Europe. Developed client documentation and procedures for support via Managed Security Services SOC personnel.

Penetration Testing
Conducted penetration tests for major corporate clients in the US and Europe, including network layer, application layer, covert physical entry, and telephone, email, and in-person social engineering. Presented test results to technical, C-level, and board-level audiences.

GRC Assessment
Conducted PCI ASV scans and PCI QSA assessments. Worked with C-level and IT management personnel to plan and implement remediation of compliance gaps for both PCI-DSS and the HIPAA Security Rule.

Technical Pre-Sales
Performed technical pre-sales for penetration testing and compliance assessment projects at major global clients, successfully landing opportunities that were the company's largest to that time.

Vulnerability Research
Created a company vulnerability disclosure policy. Conducted and assisted with research on software vulnerabilities and new attack methods. Documented and presented vulnerability research at major security conferences.

Threat Intelligence
Tracked threat actors to incorporate real-world attack tactics into penetration testing methodologies. Presented on emerging threats within the company, at conferences, and in interviews with news media.

Experience
Integralis - East Hartford, CT / NTT Inc - Omaha, NE
Director of Product Management - Threat Intelligence — 2017-Present
  • Standardize legacy regional threat intelligence services for global delivery.
  • Design new global threat intelligence capabilities and services.

Director of Threat and Vulnerability Analysis — 2015-2017
  • Develop process for disclosing vulnerabilities to vendors and the public.
  • Work with Penetration Testing team to research vulnerabilities.
  • Deliver whitepapers and presentations on emerging security threats.
  • Present on emerging security threats at major industry conferences.
  • Conduct interviews with national media on emerging security threats.

Director of Assessment Services — 2010-2015
  • Manage Offensive Security and GRC Assessment teams.
  • Manage pre-sales and delivery on large projects and key client accounts.
  • Conduct network, application, social engineering, and covert entry tests.
  • Conduct GRC assessments and provide remediation guidance.
  • Present on emerging security threats at major industry conferences.
  • Conduct interviews with national media on emerging security threats.

Managing Security Consultant — 2008-2010
  • Create, grow, and manage Penetration Testing team.
  • Conduct network, application, social engineering, and covert entry tests.
  • Create GRC Assessment practice.
  • Develop processes, pricing, and templates for GRC Assessment services.
  • Conduct PCI-DSS and HIPAA Security Rule compliance assessments.
  • Create, grow, and manage GRC Assessment team.

Security Consultant — 2005-2008
  • Deploy and upgrade firewalls, IPS, proxies, and 2FA systems.
  • Conduct vulnerability scans of client systems.
  • Create Penetration Testing practice.
  • Develop processes, pricing, and templates for Penetration Testing services.
  • Conduct network and application penetration tests.

Developer — 2003-2005
  • Design and develop cloud-based corporate email anti-spam/virus solution.
  • Develop documentation and support procedures for cloud anti-spam/virus.
  • Provide last-line support for cloud anti-spam/virus.

Managed Security Engineer — 2001-2003
  • Monitor and manage clients’ firewalls, IPS, and other security devices.
  • Develop scripts to automate nightly maintenance processes on clients’ managed systems, freeing night shift personnel for emergency support tasks.

Streemail.com – North Adams, MA
Operations Engineer — 2000-2001
  • System administration, support, and development in a Linux/Apache/MySQL/Perl environment.
  • Designed and implemented new core email sending system functionality.
  • Worked on deep optimization of SMTP in order to maximize ability to send large numbers of emails in a short period of time with minimal resource utilization.
  • Designed APIs for and supported development of content creation modules for email sending system.