Career Accomplishments

I have demonstrated skills and success in developing and managing a consulting practice and security services division with continuous year-over-year growth of revenue, gross margin, and market share. Over my career, I have managed multiple service creation/development organizations and the associated operations teams for these high availability, security critical applications, networks, and systems. In creating the blueprint and executing against a forward-looking business strategy, I provided essential leadership resulting in the leading pure-play security consultancy with the highest client satisfaction in the entire security and risk management consulting industry (Forrester WAVE 2007 & 2008). I applied my over twenty years of experience working as the Global Senior Product Manager and as a Senior Practice Manager in the context of multiple global consultancies, as well as my experience as a security operations manager and a consultant, to create effective strategies, enterprise security and data protection programs, governance models, and a set of effective, proven business and security processes that are in use at hundreds of Fortune 2000 companies today.

At VeriSign, I assisted in managing/managed InfoSec Professional Services practice growth from $18M to $48M over four years with the addition of only twenty-five headcount (Global Security Consulting Services had over three hundred employees globally), and created and introduced ten new service offerings reflective of evolving best practices and four new services that integrated offerings across all related company product/service divisions globally.

Currently, my sole proprietor corporation, Inceptara LLC, has been used to provide a vehicle for me to consult and, ironically, to place well known CISO/CSO resources in new positions.
The corporation is being used to provide transitional income for the period between the end of VeriSign's Security Services a year ago and when I take a permanent position.

Professional Profile

I have over 20 years of professional information security experience working on projects for hundreds of clients, including over half of the Fortune 50 companies and almost one third of the Fortune 500 in a variety of key vertical markets. My specializations include:

* Practice Management - Senior Product Manager for VeriSign Global Security Consulting responsible for methodology development, process improvement, performance metrics, and product development resulting in practice growth of up to ten percent year over year for four years.
* Operations and Service Management - Designed and managed creation, QA, pilot testing and early adopter program for blended security services that mixed dataflows from three security services units (Managed Security Services (MSS), Global Security Consulting, and iDefense Security Intelligence) and processed this data to provide advanced services and web portal/applications.
* Regulatory Compliance - VeriSign representative to BITS, HITRUST ACC; nationally recognized compliance expert, extensive risk assessment experience, recognized introducer of the Unified Approach to Compliance concept as a key player in the HIMSS Risk Management Alliance 2002
* Risk Assessment and Risk Management Program Development - Developed and implemented enterprise risk management programs, risk analysis tools, and risk assessment methodologies currently in use at numerous Fortune 500 companies
* Third Party Assessment methodologies and programs - Developed TPA programs for numerous Fortune 500 clients and, in partnership with Goldman-Sachs, developed and introduced the TPA program to BITS, HITRUST
* IP Protection Programs - Developed and implemented programs that combine data discovery and detailed controls processes with DLP, TPM and DRM technologies to protect intellectual property or regulated data
* Security Consulting Training Programs - Managed or created and then delivered all training in both the technical and the business aspects of operating a profitable security consultancy. All training sessions were recorded for later individual use
* Industry Analyst POC - Developed strategy and responses for the Forrester WAVE for Security Consulting for every year it has been available and continue to interface regularly with key industry analysts

With VeriSign, I was one of five voting members on the HITRUST Alternate Controls Committee with approval/denial authority for any proposed CSF alternate control. This position provided a unique business opportunity and an opportunity for influencing standards in healthcare compliance. I previously served as VeriSign's practice SME for IP protection policies, frameworks and Digital Rights Management/Technical Protection Measures (DRM/TPM) and have worked extensively with multi-national high tech corporations in securing corporate IP both onsite and after provision to third parties.
I developed the Enterprise Security Certification program for VeriSign, as well as our Application Security Program Management offering, and our Retail Security Services offering. In addition, I have been conducting ISO 27001/27002, PCI, HIPAA, GLBA and other compliance engagements since 1998. I am a frequently quoted Risk Management and Information Security expert in the press and speak frequently on the subject. I personally developed and launched the services currently offered by VeriSign for assessment of regulatory compliance, risk management, and IP protection.

Experience

VeriSign, Inc. (known pre-March 2004 as Guardent, Inc.)
Senior Global Product Manager, Global Security Consulting, 2006 to 2009
Senior Practice Manager, Global Security Consulting, 2005 to 2006
Senior Principal Consultant, Global Security Consulting, 2000 to 2005

* Product and Practice Management with 10% growth year-over-year and up to 38% gross margin
* Product Marketing liaison
* Regulatory Compliance Practice Lead
* Certification Offering Practice Lead
* IP Protection Framework design
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Design and performance of regulatory compliance assessments and remediation implementations
* Management of enterprise security initiatives and programs

Richey Systems Inc.
Senior Network Engineer, 1999 to 2000

I managed projects for global Fortune 500 and mid-tier clients entailing the design and implementation of such network security solutions as firewalls, audits, authentication servers, remote access systems, security policy development, disaster recovery, TCP/IP network design and optimization, PKI design and implementation, encryption systems, VPNs, and HIPAA assessments.
* HIPAA Practice Lead
* Host, server, and network design and security assessment
* Active Directory/LDAP security assessment and design assessment
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)
* Design and performance of regulatory compliance assessments and remediation implementations
* Management of enterprise security initiatives and programs

IBM, Inc.
Security Consultant, 1998 to 1999

I was an Engagement Manager on a variety of projects ranging from host security and e-commerce security to external intrusion testing. My clients ranged from healthcare providers to international finance corporations and banks.

* HIPAA Practice Lead
* Host, server, and network design and security assessment
* LDAP security assessment and design assessment
* Performance and management of Network Security Assessments
* Firewall and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)
* Design and performance of regulatory compliance assessments and remediation implementations

Network Commerce, Inc. (sold to ShopNow.com in 1999)
Security Consultant/Principal Partner, 1990 to 1998

In partnership with ex-JPL computer security experts, we created one of the first pure-play information security consultancies and Managed Security Services commercial offerings in existence. Our clients ranged from defense contractors and manufacturers to international finance corporations and banks.
* Security services design, creation and management of development and operations
* Hand-programmed firewall development (pre-commercial firewall era)
* Remote firewall management (pre-MSS era)
* Content monitoring (pre-content monitoring era)
* Policy framework development
* Host, server, and network design and security assessment
* LDAP security assessment and design assessment
* Performance and management of network security assessments
* Firewall and encryption technology solution implementation
* Management and performance of vulnerability assessments (penetration testing)

1985 to 1990
Engineering/Environmental Geologist

* City of Los Angeles, City Geologist: Led effort to bring computers to City of Los Angeles Department of Public Works; developed and initiated environmental engineering program
* Earth Technology Corporation, Chief Geologist/Manager, Commercial Division: Managed national environmental engineering group
* Roy F. Weston, Inc., Principal Geologist III: Managed Lockheed Burbank Plant environmental demolition, still the largest environmental demolition project in U.S. history

Skills

* Practice Management
* Product development and management
* BU performance metrics and process optimization
* Enterprise Security Certification
* Design and performance of regulatory compliance assessments and remediation implementations
* IP Protection plans, programs, and technologies
* Host, server, and network design and security assessment
* Risk management program design and risk assessment methodologies
* Performance and management of Network Security Assessments
* Firewall, VPN and encryption technology solution implementation
* Management of enterprise security initiatives and programs
* Systems, languages, applications (LDAP), firewalls, etc.

Education and Professional Licenses

* B.S. 1981, Geology, University of Southern California
* Completed all coursework for M.S. in Geochemistry, 1985, Eastern Washington University
* Certified Information Systems Security Professional (CISSP)

Professional Presentations and Papers

* Webcast: Managing Application Security Programmatically: Learn How to Increase Security and Compliance and Reduce Business Risk, All While Lowering Application Security Program Costs, June 24, 2009 - Co-presented with Chenxi Wang, PhD, Principal Analyst, Forrester Research
* Webcast: Data-centric Risk Analysis: Tracking Risk throughout the Data Lifecycle, February 24, 2009
* Gartner Video Production with John Pescatore on Risk Management: http://www.itbriefingcenter.com/programs/gartner_8635_verisign.htm (link expired, presentation copy on request)
* Los Angeles Technology Forum: Data Protection - Security from the Inside Out, December 2, 2007
* Panel Moderator: Third Party Assessment in a Global Market, June 8, 2006 - Cornerstones of Trust ISSA Bay Area Regional Security Conference
* Panelist: CyberSecurity Summit, May 11, 2006 - GTC West ISSA Sacramento Regional Security Conference
* Panelist: Risk Management, April 12, 2006 - Second Annual ISSA Northwest Regional Security Conference
* Gartner IT Security Summit, June 3, 2005 - Optimizing Security Compliance Today and Tomorrow
* TEPR 2004, May 23, 2004 - Assessing HIPAA Compliance
* HIMSS 2004, February 28, 2004 - Maximizing your compliance through the Unified Approach
* ISSA presentation, Seattle Chapter, March 17, 2003 - (Almost) Free Security Assessment Tools for Windows 2000
* ISSA presentation, InfoSeCon 2002, September 17, 2002 - Taming the HIPAA Monster: What to look for in an effective HIPAA Security Compliance program
* ISACA presentation, March 17, 2001 - Evaluating Secure Network Connections: Knowing What to Look for in a Secure Business VPN/RAS Architecture
* Richey Systems/Secure Computing HIPAA Seminar, August 22-23, 2000 - Conducting an effective HIPAA Compliance Program (two-day program)
Representative Projects

* National Fortune 50 Financial Services Company
  o Assessed Risk Management program along with procedures, processes, and Risk Assessment tools to be used to manage risk across the corporation. Developed normalization algorithm for correlating risk across technical, process, and operational risk management groups. This enabled effective communication of results to management.
* Multiple Fortune 500 Semiconductor Manufacturers
  o Developed complete IP lifecycle management systems and framework. Worked with representatives from EMEA and APAC to develop a global set of TPMs and transportable controls as well as a policy and delivery framework to protect critical information assets.
* Fortune 50 manufacturer in the Aerospace Industry
  o On-site engagement manager for a team of six VeriSign consultants. Designed a Shared Extranet Architecture to be implemented as a standard collaborative network space among numerous client business partners. Created the Windows 2000 hardening procedures for various server classes. Designed a Microsoft Windows 2000-based VPN architecture utilizing RRAS/L2TP over IPSec servers, Microsoft PKI, and SafeWord Strong Authentication. Assisted in perimeter network and DMZ design and design improvements.
* Fortune 50 Software Company with global presence
  o Developed Risk Management program along with procedures, processes, and Risk Assessment tools to be used to manage risk across the corporation. Developed two-tiered risk assessment tools: initial self-service risk assessment tools, along with in-depth Risk Assessment tools for use by Corporate Security.
* Large Prescription Drug Insurer
  o Conducted one of the first known HIPAA assessments in 1998 for a large insurance provider specializing in prescription drug plans for a client base of over 5 million policy holders. End-to-end HIPAA assessment activities ranging from secure application assessment, network and host security, physical security, and PKI infrastructure design.
* Large Regional Hospital and University
  o Conducted HIPAA assessment and remediation for a hospital and associated university with 24 regional locations. End-to-end HIPAA assessment activities ranging from network and host security, physical security, and administrative security for both the hospital and an open university network.

References

References will be provided on request.