I reported my first security vulnerability to my high school’s system administrators when I was 16. Since then I have worked in IT, formally or informally, for nearly 20 years. The last 9 years I have been in the information security and IT risk management field. Without going into too much detail, I’ve done just about everything infosec-related, such as IT audits, risk assessments, vulnerability assessments, penetration tests, social engineering, security training, security consulting, governance reviews, and even regulatory examination… almost exclusively in financial institutions. Plus, I’ve managed both technical and non-technical teams.
I am a corner case. I exist at the intersection of IT, risk management, information security, audit, governance, and regulatory compliance. This skill set makes me highly qualified. I’m the person you can bring in to create your information security program and ensure it complies with all applicable standards and regulatory statutes. Or bring me into your existing information security program, and I can get it running smoothly and keep it running.
I am a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), and a Certified Information Systems Security Professional (CISSP). In addition, I have a number of technical certifications.
But what I’m good at and what I have a passion for is bridging the gap between technologists and the rest of the world. I excel at helping non-experts understand the technical or regulatory issues that apply to them. I see the world as a set of interconnected systems. This helps me to synthesize information across domains.
I believe that we cannot take the human entirely out of the security loop, so we must design security with humans in mind. This includes using automation as well as psychology and UX design.
I have a breadth of experience, but one thing I strongly believe is that I do not have all the answers; no one does. I do know all of the right questions to ask, though. And I think that is the most important part of information security and risk management.
The words, thoughts, and opinions on this site (and any other in my control) are my own. They do not reflect the views and opinions of any of my employers, past, present, or future.