Big Company
Director of Information Security
Avoiding “conflict of interest”. I do Director of Information Security stuff for a great company.
Kaspersky Labs
Head of Information Security, North America
Performed Risk Assessment and Gap Analysis, then created an Information Security program. Responsible for policies; procedures; awareness; compliance with local and international laws; pen testing; Incident Response; Business Continuity Planning and Disaster Recovery. All functions relating to implementation of the ISO 27000 series.
Management of projects involving complex international data privacy laws. Worked with international colleagues to write global Information Security policies and global incident response plan. Worked with business units on all continents to achieve objectives.
Reviewed proposed changes to networking infrastructure. Designed security for isolation of virus lab. Approval of all new web-based projects. Security analysis of proposed vendor solutions.
Spent several weeks living and working in Moscow on a yearly basis. Worked with HQ to resolve international managerial and technical issues. As English is the language of business, and I was the only “native” English speaker in the group, I wrote all international Information Security documents.
Inappropriately discussing my ideas for the future of Information Security with Eugene Kaspersky at summer party. Moscow 2011.
Monster Worldwide
Information Security Officer (CISO before “C” was used)
Responsible for the creation and maintenance of all Monster security policies and procedures. Led Monster’s risk assessment effort.
Managed government audit of all policies and procedures against NIST guidelines. Led compliance efforts for PCI, Mass Privacy Law and other required standards. Managed staff responsible for review of log files and the creation of procedures as needed.
Monster Government Solutions
Information Security Officer (CISO before “C” was used)
Assumed the role of Information Security Officer for Monster’s other company, “Monster Government Solutions”. Managed IT staff responsible for networking equipment as well as firewalls, F5s and an assortment of hardware (and software). Security framework used was 800-53 Rev. 3.
WGBH Educational Foundation
Information Security Officer (CISO before “C” was used)
Performed Risk Assessment and Gap Analysis. Created Information Security program. Interfaced with all departments to communicate compliance requirements. Designed plans for compliance with relevant standards (PCI, HIPAA and emerging standards). Wrote all IT policies; created employee awareness program; designed log correlation system as well as intrusion detection system; vendor management. Wrote BCP (Business Contingency Plan).
GTECH Corporation
Enterprise Information Security Manager
Managed staff responsible for Information Security and Networking Operations. Served as Project Manager. Managed Information Security budget. Aligned security with business goals.
Designed and built an online secure coding/application security training program. Reviewed proposed changes to network architecture. Configured firewall; intrusion detection devices; network monitoring system.
Fidelity Investments
Senior I.T. Risk Manager
Architected and supported enterprise-wide B2B security initiative (including project management and oversight). Major contributor to the secure coding initiative.
Managed staff responsible for assisting development groups throughout the organization in securing their applications. Participated in policy exception committee meetings; emergency response team; security awareness program; certificate management; policy review and many other information security initiatives. Designed and coded a complex authentication system using customized certificate fields (as described in PKCS) for legacy systems.
ZSQUAD Consulting LLC
Co-Founder/Principal Consultant
Engagements have included the following: Information Security program creation; intrusion detection systems; intrusion prevention systems; log management; infrastructure device monitoring; firewall configuration; desktop security; secure wireless; PKI; biometric devices; wireless security; encryption; SIEM; penetration testing; risk assessments; secure coding programs and information security awareness campaigns.
PCI Security Standards Council
Qualified Security Assessor
Interesting Story: I was introduced to a guy that ran a consulting company. He had just got a government contract to do PCI Audits on several military bases. Any store that processes a large number of credit cards must be certified by the Payment Card Industry by having a PCI audit. PCI audits must be done by people that have passed the Qualified Security Assessor certification. He was unable to find anyone to perform this work. There was a QSA exam the following week. He asked me if I thought I could pass it. I told him that I knew nothing about PCI and the other people taking the exam had probably worked with the material for years. He informed me that there was a four-day review class before the exam and asked if I wanted to try. I did not have a full-time job at the time so I figured “Why not?”. I flew to Canada (where the review was taking place) a few days later.
The material was not difficult, as I likely had the most Information Security experience of anyone there. But there was a lot of PCI trivia to memorize. After class, others went out for dinner and to clubs. I went back to my hotel and studied. Four days later, I was a QSA. A few days after that, I was auditing a Marine base in Georgia. My first task was to disassemble a gas pump and figure out what version of the software it was running. That wasn’t on the exam!