VP & CISO, Allegiant Travel Company, 2020 to Present
Strategic Technical Vision Realignment: Evaluated, designed, and executed a realigned information security short-term and long-term risk-based strategy focused on business enablement and culminating in a zero-trust architecture, updating the board quarterly and the CEO monthly. Led a reputation overhaul of the department, formed effective business relationships, and developed inter-department trust.
Crisis Leadership: Led information security, compliance, risk, privacy, and security operations programs including firewalls, identity and access management, and DevSec during the COVID crisis. Managed risk mitigations during the transition to work from home and met all business objectives despite constrained resources. Helped position Allegiant as the first cash-flow-positive airline post-crisis.
Departmental Development: Expanded security and compliance program from 16 team members into a cohesive 35-member team; incorporated AI and process efficiency to triple department productivity.
Resource Allocation: Managed initial 13 MM total budget, grown to 22 MM. Leveraged personal network to discover best-in-class customer identity technology, reducing project costs by 53%, and laid groundwork for next-generation application features to drive differentiation while meeting regulatory compliance.
Information Security / Regulatory: Developed a view of IT risks within the broader context of the enterprise risk management framework. Collaborated with Chief Legal Officer to build full corporate risk program. Implemented enterprise cybersecurity strategies for corporate IT asset protection, operational, and governance programs to comply with applicable laws, including emerging privacy laws.
Distributed Teams: Designed remote distributed team environment, focused on collaboration and driving deliverables to accepted timelines. Embedded a security champion on each persistent team, created systems to train and reward security champions, aligning performance review metrics with hygienic security practices. Implemented coaching techniques to promote engagement and assist with team building.
Best-in-Class Application Security Program: Formed a scalable, world-class application security program, allowing the business to double persistent teams to meet projected expansion plans. Increased release rate from 30 releases a year to 250 releases a year over 22 persistent teams, without any known security vulnerabilities.
Managing Leaders: Worked in a supportive way to help management teams drive objectives and employee growth, tailoring strategies to the needs of the individual person and the goals of the organization. Utilized a servant leadership mindset to manage daily operations, service delivery, and up-times.
Technology Evangelism: Recognized as CISOs Connect Top 100 CISOs of 2020 and 2021. Spoke at multiple conferences on leading-edge technologies, talent vacancy and retention within the industry, active and practical approaches to management, and the importance of emotional intelligence among leadership.
Interim CISO, UTC Aerospace Systems, 2017 to 2019
IT and Product Strategic Planning: Evaluated, designed, and executed IT short-term and long-term strategy. Developed innovative problem-solving approaches using secure SDLC concepts and OWASP. Implemented security testing and product improvements for product development and implementation. Increased quality and drove down DevOps timeline to least viable product by aligning technology and business strategies to ensure effective, secure, reliable, and efficient delivery of technology development and product security.
Technical Vision: Led brainstorming sessions to incorporate emerging technology trends and original ideas, create new solutions, discover business opportunities, improve current products, and assist with research initiatives within the ERP, CRM, infrastructure, data breach response, SSO, SAML, RBAC, and security program systems.
Corporate Governance Mapping: Organized analysis of all applicable laws and directives affecting business units and then mapped the applicable policies and standards, including firewalls, intrusion detection/prevention systems (IDS/IPS), vulnerability management/scanning (Nessus, Qualys, Rapid7), Web Application Firewalls (WAF), wireless LAN, NAC, Data Loss Prevention (DLP), DDoS Mitigation, WAN security, SIEM (SEIM, Splunk), content filtering, cloud security gateways, secure proxies, IAM, malware protection and crypto solutions, to define gap analysis and prioritize projects in order to implement controls and strengthen security posture.
Leadership and Coaching: Regularly mentored junior team members to help establish career direction and increase job satisfaction. Incorporated volunteer work to help build team skill sets, confidence, and experience. Strove to help build the best team possible through talent development and servant leadership.
Cloud Computing: Assisted in the development of cloud security framework strategy including the architecture for moving functionality to the cloud and the use of Microsoft Azure, Amazon Web Services (AWS), and other cloud-based utilities using SaaS (Software as a Service), IaaS, PaaS, and traditional cloud services.
Customer Interaction: Handled all compliance and security-based customer interactions including due diligence. Drove customer satisfaction in compliance and security matters such as DFARS, FIPS, NIST, VPN, OWASP Top 10, GDPR, CCPA, PIPEDA, FCC, FDIC, FTC, CFPB, SEC, FINRA, and Privacy.
Risk Identification: Conducted ISO, NIST, CSA CCM, outside vendor/3rd party and SOX gap analysis and identified major risks with network design, policy, process, and applications. Defined and implemented risk mitigation strategies. Aligned security policies utilizing penetration assessments and security architecture review.
Security Metrics: Defined a set of data-driven measures from within the cyber-security program inclusive of security operations, security engineering, risk management, policy and compliance-based metrics.
Information Security / Regulatory: Developed a view of IT risks within the broader context of the enterprise risk management framework. Implemented enterprise cybersecurity strategies for corporate IT asset protection, operational, and governance programs to comply with applicable FTC, Sarbanes-Oxley (SOX), HIPAA, HITRUST, PCI-DSS, FAA, CIS CSC, FISMA, SSAE 16 SOC 2, and U.S. State, Chinese, and EU (European Union) laws.
Threat Management and Risk Assessment: Developed a view of IT risks within the broader context of the enterprise risk management framework. Evaluated complex requirements and communicated inherent security risks and solutions to business stakeholders. Developed strategies to mitigate IT risks to acceptable levels through security threat modeling and advanced threat protection.
Translate Technical Topics to Non-Technical Audiences: Regularly presented and communicated with executives, management, customers, the public, and individual contributors to explain the technical vision, strategic direction, and methodology in easy-to-digest ways, specifically designed for the audience receiving the message.
Pioneering: Developed inventive methods to meet security and regulatory compliance goals while balancing international law in China, Russia, and the European Union. Leveraged negotiation skills to drive down costs.
Internet of Things (IoT) Ecosystem: Architected and deployed innovative system of sensors and controls to monitor antiquated and next generation industrial control systems (ICS) during production, allowing for the collection of metrics and performance analytics to increase production efficiency and reduce factory operating costs.
Business Unit Collaboration: Developed strong collaborative relationships with enterprise-wide, multinational groups (Legal, Compliance, Business Development, Internal Audit, Physical Security, Application Development, Networking, Systems, etc.) highly integrated into the business, IT, and IO departments. Earned the trust of the company’s leadership to become the “Go-to Advisor” and the “Thought Leader” on information technology solutioning, technology selection, and regulatory topics.
CISO, Head of Information Security, Arby’s Restaurant Group, 2015 to 2017
Executive Management Collaboration: Routinely met with the Chief Legal Officer, Chief Information Officer, Chief Operations Officer, Chief Financial Officer, and Chief People Officer on the Executive Security Council to discuss information security concerns and direction.
Key Board Member: Chaired the Executive Security Council. Active member of Arby’s Policy Review Board, Change Management Board, and Enterprise Operational Risk Committee.
Board Presentations: Presented regularly to the Chief Information Officer, Senior Executives, and the Executive Security Council. Adapted presentation style to various audiences.
Increased Staff Job Satisfaction: Measurably improved staff job satisfaction by integrating career development initiatives with tangible deliverables within information security program. Hired, developed, and engaged all staff to help maximize performance.
Department Building: Developed, implemented, and monitored a comprehensive enterprise-wide information security program to protect electronic data resources. Built a technology strategy and roadmap including security operations center (SOC). Provided expert strategic and tactical security guidance. Hired/developed talent and modernized environment to support scalable growth and cost reduction.
DevOps: Worked with internal and outsourced development teams to assist in delivering the first Arby’s mobile app by driving down costs of time extensions and incorporating secure application design concepts to deliver a product within budget and on time.
Budget and Leadership: Directed an annual budget, staff, and a large outsourced security function. Prioritized projects, services, and systems with the greatest ROI.
Contract and Service Level Negotiation and Management: Collaborated with Procurement, Legal, and HR departments to review and negotiate all outside vendor contracts, information security policies, and employee policies to support acceptable security controls and adequate protection of customer information assets.
Disaster Recovery and Business Continuity Planning: Maintained business continuity plans for all applications and infrastructure. Drove planning and execution of enterprise-wide preparedness and recovery.
Technology Selection: Selected, implemented, and maintained key industry technology solutions within the retail industry. This included a full implementation of encryption on swipe, a mobile application deployment, register technology and time tracking, and multi-factor authentication.
Insurance Cost Reduction: Collaborated with the CIO and CFO to present security solutions to the cyber insurance company that, when implemented, resulted in year-upon-year reductions in insurance premiums.
Global Regulatory Compliance: Implemented strategies for digital asset protection, operational, and governance programs to comply with applicable Payment Card Industry Data Security Standard (PCI-DSS) and U.S. State Laws.
CISO, Head of Information Security, Steritech, 2013 to 2015
Leadership: Managed projects and teams to drive security initiatives for an international company of 1,300 including: preparation of security assessments across the corporate structure, development of security architecture, implementation of a security incident response program, a full physical security program, and development of an enterprise-wide employee security awareness program.
Security Strategy Planning: Developed and implemented long-term information security strategy and developed supporting corporate policies including: Acceptable Use Policy, BYOD, MDM, SSL, Security and Privacy, System Acquisition/Disposal, Patch Management, Testing, Sensitive Data Handling, Encryption Key Management, Physical Security, and Systems Access Control Procedures.
Cyber Security Budget and Leadership: Prioritized projects by balancing cost and risk. Developed and maintained yearly IT security budget, managed vendor relationships, and reduced costs.
Leadership Presentations: Advised executives to drive competitive business strategy with supporting goals, initiatives, and high impact projects ultimately leading to the sale of the company.
Information Security and Infrastructure Engineer, Tekelec / Oracle, 2006 to 2013
IT Strategy Planning: Responsible for recommending next-generation solutions, with cost analysis, for emerging IT issues. Conformed practices to the ISO 27001 framework; conducted yearly IT process audit for SOX compliance.
Risk Identification: Conducted SOX gap analysis and identified major risks with network design, policy, process, and applications. Defined and implemented mitigation strategies to protect information communications technology (ICT), address identified risks, and align to security policies, practices, and risk tolerance.
Mergers/Acquisitions/Divestiture: Assisted in the integration of multiple smaller companies. Assisted in the integration of organization into Oracle during merger.
People-centered Leadership: Matrix managed team of help desk and PC technicians.
Boards
JN Managed Services Inc. – Board of Directors Member, 2021 to Present
JN Managed Services is an early-stage investment holdings startup specializing in the managed security services space.
AttackIQ – Board of Directors Member, 2020 to Present
AttackIQ is a very-late-stage startup specializing in the collection of attack intelligence data for companies.
CionSystems Inc – Board of Advisors Member, 2019 to 2022
CionSystems is a late-stage startup specializing in enterprise-level Windows ID management and two-factor authentication.
Certifications
Information Technology Infrastructure Library V3 Foundations (ITIL V3)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Management Professional (ISSMP)
Certified Information Security Manager (CISM)
Certified in Risk and Information Systems Control (CRISC)
Education
Master of Business Administration, MBA, Temple University
Master of Science in Information Security, East Carolina University
Bachelor of Science in Computer Networking, East Carolina University