Frederick Langston, CISSP

Principal, Inceptara LLC


Career Accomplishments

I have demonstrated skills and success in developing and managing a consulting practice and security services division with continuous year-over-year growth of revenue, gross margin, and market share. Over my career, I have managed multiple service creation/development organizations and the associated operations teams for these high availability, security critical applications, networks, and systems. In creating the blueprint and executing against a forward-looking business strategy, I provided essential leadership resulting in the leading pure-play security consultancy with the highest client satisfaction in the entire security and risk management consulting industry (Forrester WAVE 2007 & 2008). I applied my over twenty years of experience working as the Global Senior Product Manager and as a Senior Practice Manager in the context of multiple global consultancies, as well as my experience as a security operations manager and a consultant, to create effective strategies, enterprise security and data protection programs, governance models, and a set of effective, proven business and security processes that are in use at hundreds of Fortune 2000 companies today.

At VeriSign, I assisted in managing/managed InfoSec Professional Services practice growth from $18M to $48M over four years with the addition of only twenty-five head count (Global Security Consulting Services had over three hundred employees globally) and created and introduced ten new service offerings reflective of evolving Best Practices and four new services that integrated offerings across all related company product/service divisions globally.

Currently, my sole proprietor corporation, Inceptara LLC, has been used to provide a vehicle for me to consult and, ironically, to place well known CISO/CSO resources in new positions. The corporation is being used to provide transitional income for the period between the end of VeriSign's Security Services a year ago and when I take a permanent position.
Professional Profile

I have over 20 years of professional information security experience working on projects for hundreds of clients, including over half of the Fortune 50 companies and almost one third of the Fortune 500 in a variety of key vertical markets. My specializations include:

* Practice Management - Senior Product Manager for VeriSign Global Security Consulting responsible for methodology development, process improvement, performance metrics, and product development resulting in practice growth of up to ten percent year over year for four years.
* Operations and Service Management - Designed and managed creation, QA, pilot testing and early adopter program for blended security services that mixed dataflows from three security services units - Managed Security Services (MSS), Global Security Consulting, and iDefense Security Intelligence - and processed this data to provide advanced services and web portal/applications.
* Regulatory Compliance - VeriSign representative to BITS, HITRUST ACC; nationally recognized compliance expert, extensive risk assessment experience, recognized introducer of the Unified Approach to Compliance concept as a key player in the HIMSS Risk Management Alliance 2002.
* Risk Assessment and Risk Management Program Development - Developed and implemented enterprise risk management programs, risk analysis tools, and risk assessment methodologies currently in use at numerous Fortune 500 companies.
* Third Party Assessment methodologies and programs - Developed TPA programs for numerous Fortune 500 clients and, in partnership with Goldman-Sachs, developed and introduced the TPA program to BITS, HITRUST.
* IP Protection Programs - Developed and implemented programs that combine data discovery and detailed controls processes with DLP, TPM and DRM technologies to protect intellectual property or regulated data.
* Security Consulting Training Programs - Managed or created and then delivered all training in both the technical and the business aspects of operating a profitable security consultancy. All training sessions were recorded for later individual use.
* Industry Analyst POC - Developed strategy and responses for the Forrester WAVE for Security Consulting for every year it has been available and continue to interface regularly with key industry analysts.

With VeriSign, I was one of five voting members on the HITRUST Alternate Controls Committee with approval/denial authority for any proposed CSF alternate control. This position provided a unique business opportunity and an opportunity for influencing standards in healthcare compliance. I previously served as VeriSign's practice SME for IP protection policies, frameworks and Digital Rights Management/Technical Protection Measures (DRM/TPM) and have worked extensively with multi-national high tech corporations in securing corporate IP both onsite and after provision to third-parties. I developed the Enterprise Security Certification program for VeriSign, as well as our Application Security Program Management offering, and our Retail Security Services offering.

In addition, I have been conducting ISO 27001/27002, PCI, HIPAA, GLBA and other compliance engagements since 1998. I am a frequently quoted Risk Management and Information Security expert in the press and speak frequently on the subject.

I personally developed and launched the services currently offered by VeriSign for assessment of regulatory compliance, risk management, and IP protection.
Experience

VeriSign, Inc. (known pre-March 2004 as Guardent, Inc.)
Senior Global Product Manager, Global Security Consulting, 2006 to 2009
Senior Practice Manager, Global Security Consulting, 2005 to 2006
Senior Principal Consultant, Global Security Consulting, 2000 to 2005

* Product and Practice Management with 10% growth year-over-year and up to 38% gross margin
* Product Marketing liaison
* Regulatory Compliance Practice Lead
* Certification Offering Practice Lead
* IP Protection Framework design
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Design and performance of regulatory compliance assessments and remediation implementations
* Management of enterprise security initiatives and programs
Richey Systems Inc.
Senior Network Engineer, 1999 to 2000

I managed projects for global Fortune 500 and mid-tier clients entailing the design and implementation of such network security solutions as firewalls, audits, authentication servers, remote access systems, security policy development, disaster recovery, TCP/IP network design and optimization, PKI design and implementation, encryption systems, VPNs, and HIPAA assessments.

* HIPAA Practice Lead
* Host, server, and network design and security assessment
* Active Directory/LDAP security assessment and design assessment
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)
* Design and performance of regulatory compliance assessments and remediation implementations
* Management of enterprise security initiatives and programs
IBM, Inc.
Security Consultant, 1998 to 1999

I was an Engagement Manager on a variety of projects ranging from host security and e-commerce security to external intrusion testing. My clients ranged from healthcare providers to international finance corporations and banks.

* HIPAA Practice Lead
* Host, server, and network design and security assessment
* LDAP security assessment and design assessment
* Performance and management of Network Security Assessments
* Firewall and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)
* Design and performance of regulatory compliance assessments and remediation implementations
Network Commerce, Inc. (sold to ShopNow.com in 1999)
Security Consultant/Principal Partner, 1990 to 1998

In partnership with ex-JPL computer security experts, we created one of the first pure-play information security consultancies and Managed Security Services commercial offerings in existence. Our clients ranged from defense contractors and manufacturers to international finance corporations and banks.

* Security services design, creation and management of development and operations
* Hand-programmed firewall development (pre-commercial firewall era)
* Remote firewall management (pre-MSS era)
* Content monitoring (pre-content monitoring era)
* Policy framework development
* Host, server, and network design and security assessment
* LDAP security assessment and design assessment
* Performance and management of network security assessments
* Firewall and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)
1985 - 1990: Engineering/Environmental Geologist

* City of Los Angeles - City Geologist: Led effort to bring computers to City of Los Angeles Department of Public Works; developed and initiated environmental engineering program
* Earth Technology Corporation - Chief Geologist/Manager, Commercial Division: Managed national environmental engineering group
* Roy F. Weston, Inc. - Principal Geologist III: Managed Lockheed Burbank Plant environmental demolition, still the largest environmental demolition project in U.S. history
Skills

* Practice Management
* Product development and management
* BU performance metrics and process optimization
* Enterprise Security Certification
* Design and performance of regulatory compliance assessments and remediation implementations
* IP Protection plans, programs, and technologies
* Host, server, and network design and security assessment
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Management of enterprise security initiatives and programs
* Systems, languages, applications (LDAP), firewalls, etc.
Education and Professional Licenses

* B.S. 1981, Geology, University of Southern California
* Completed all coursework for M.S. in Geochemistry, 1985, Eastern Washington University
* Certified Information Systems Security Professional (CISSP)
Professional Presentations and Papers

* Webcast: Managing Application Security Programmatically: Learn How to Increase Security and Compliance and Reduce Business Risk, All While Lowering Application Security Program Costs, June 24, 2009 - Co-presented with Chenxi Wang, PhD, Principal Analyst, Forrester Research
* Webcast: Data-centric Risk Analysis: Tracking Risk throughout the Data Lifecycle, February 24, 2009
* Gartner Video Production with John Pescatore on Risk Management: http://www.itbriefingcenter.com/programs/gartner_8635_verisign.htm (link expired, presentation copy on request)
* Los Angeles Technology Forum: Data Protection - Security from the Inside Out, December 2, 2007
* Panel Moderator: Third Party Assessment in a Global Market, June 8, 2006 - Cornerstones of Trust ISSA Bay Area Regional Security Conference
* Panelist: CyberSecurity Summit, May 11, 2006 - GTC West ISSA Sacramento Regional Security Conference
* Panelist: Risk Management, April 12, 2006 - Second Annual ISSA Northwest Regional Security Conference
* Gartner IT Security Summit, June 3, 2005 - Optimizing Security Compliance Today and Tomorrow
* TEPR 2004, May 23, 2004 - Assessing HIPAA Compliance
* HIMSS 2004, February 28, 2004 - Maximizing your Compliance through the Unified Approach
* ISSA presentation, Seattle Chapter, March 17, 2003 - (Almost) Free Security Assessment Tools for Windows 2000
* ISSA presentation, InfoSeCon 2002, September 17, 2002 - Taming the HIPAA Monster: What to Look for in an Effective HIPAA Security Compliance Program
* ISACA presentation, March 17, 2001 - Evaluating Secure Network Connections: Knowing What to Look for in a Secure Business VPN/RAS Architecture
* Richey Systems/Secure Computing HIPAA Seminar, August 22-23, 2000 - Conducting an Effective HIPAA Compliance Program (two-day program)
Representative Projects

* National Fortune 50 Financial Services Company
  o Assessed Risk Management program along with procedures, processes, and Risk Assessment tools to be used to manage risk across the corporation. Developed normalization algorithm for correlating risk across technical, process, and operational risk management groups. This enabled effective communication of results to management.
* Multiple Fortune 500 Semiconductor Manufacturers
  o Developed complete IP lifecycle management systems and framework. Worked with representatives from EMEA and APAC to develop a global set of TPMs and transportable controls as well as a policy and delivery framework to protect critical information assets.
* Fortune 50 Manufacturer in the Aerospace Industry
  o On-site engagement manager for a team of six VeriSign consultants. Designed a Shared Extranet Architecture to be implemented as a standard collaborative network space among numerous client business partners. Created the Windows 2000 hardening procedures for various server classes. Designed a Microsoft Windows 2000-based VPN architecture utilizing RRAS/L2TP over IPSec servers, Microsoft PKI, and SafeWord Strong Authentication. Assisted in perimeter network and DMZ design and design improvements.
* Fortune 50 Software Company with Global Presence
  o Developed Risk Management program along with procedures, processes, and Risk Assessment tools to be used to manage risk across the corporation. Developed two-tiered risk assessment tools: initial self-service risk assessment tools, along with in-depth Risk Assessment tools for use by Corporate Security.
* Large Prescription Drug Insurer
  o Conducted one of the first known HIPAA assessments in 1998 for a large insurance provider specializing in prescription drug plans for a client base of over 5 million policy holders. End-to-end HIPAA assessment activities ranging from secure application assessment, network and host security, physical security, and PKI infrastructure design.
* Large Regional Hospital and University
  o Conducted HIPAA assessment and remediation for a hospital and associated university with 24 regional locations. End-to-end HIPAA assessment activities ranging from network and host security, physical security, and administrative security for both the hospital and an open university network.
References

References will be provided on request.