Areas of Expertise
• Emerging security threats
• Penetration testing and vulnerability assessments
• Executive security training
• Risk-based security planning
• PCI compliance

Certifications
CISSP - (ISC)² Certified Information Systems Security Professional
NSA IAM - National Security Agency Infosec Assessment Methodology
NSA IEM - National Security Agency Infosec Evaluation Methodology
PCI QSA (Former) - Payment Card Industry Qualified Security Assessor
PCI ASV (Former) - Payment Card Industry Approved Scanning Vendor
CISA (Former) - ISACA Certified Information Systems Auditor

Selected project highlights
• Completed password cracking research project demonstrating that over two-thirds of long and complex passwords that should take up to 15 years to crack via brute-force methods can be found in under 48 hours due to frequently used password patterns.
• Demonstrated security risks to a global investment firm by exploiting network and application vulnerabilities over the Internet as well as by physically infiltrating offices and datacenters in US, Ireland, and Italy.
• Lead consultant on a project to bring a large healthcare IT service provider into PCI compliance for the first time via scope reduction and remediation of compliance gaps.
• Assisted an insurance company in drastically reducing PCI scope through segmentation of networks, tokenization of cardholder data, and outsourcing of processing functions.

Experience
Director of Product Management – Threat Intelligence
NTT Security - Omaha, NE - Jan 2017-Present
Moved to help NTT Security extend its lead in integrated security services by identifying and driving improvements, new technologies, and other enhancements to the Threat Intelligence Platform and services. Interact with enterprise customers and the NTT OpCo partners to understand requirements and needs, with engineering to prioritize and develop the right features, and with sales and marketing to bring those features successfully to market.
• Direction, productization, and full lifecycle management of threat intelligence-related products and features
• Market and customer analysis, feature requirements development, business case, collateral, and positioning of all management interfaces and functions
• Customer engagement and relationship development for product evangelism and requirement gathering
• Feature and service prioritization and trade-off decision-making

Director of Threat and Vulnerability Analysis
NTT Com Security/NTT Security - Bloomfield, CT - Aug 2015-Jan 2017
Moved to increase focus on threat and vulnerability research, whitepaper development, and presenting at conferences while still supporting pre-sales engineering for assessment services.
• Performed research resulting in whitepapers on password cracking and the applicability of password cracking technology to stored payment card data
• Presented at RSA Conference, DefCon Crypto and Privacy Village, and InfoSec World Conference

Director of Assessment Services
Integralis/NTT Com Security - Bloomfield, CT - Feb 2010-Jul 2015
Promoted to manage broader growing assessment capabilities including Vulnerability Scanning and Penetration Testing (renamed Offensive Security), Incident Response, and GRC including PCI, ISO-27000 series, and HIPAA compliance. Expanded role in presales engineering for these practice areas as well as tracking emerging threats and vulnerabilities, communicating with the media, and presenting at major conferences internationally.
• Managed Offensive Security, Incident Response, and GRC teams
• Managed presales and delivery on large projects and key client accounts, including the initial PCI compliance effort and QSA assessment of a major medical billing provider
• Presented emerging security threats and industry trends to clients and at security conferences including Computerworld Security Summit Singapore, US Secret Service Electronic Crimes Task Force meeting in San Francisco, Black Hat Briefings USA, ISSA International Conference, and InfoSec World Conference
• Interviewed on CBS Evening News on the Target breach
• Quoted or interviewed by USA Today, CNN Money, NBC News, CSO Magazine, CIO Magazine, US News and World Report, The Verge, PC Magazine, and SC Magazine
• Monthly column in Wall Street & Technology

Managing Security Consultant
Integralis - East Hartford, CT - Apr 2008-Jan 2010
Promoted to manage the growing Vulnerability Scanning and Penetration Testing team while supporting presales engineering for these projects. Started PCI QSA assessment practice, supporting both presales engineering and delivery for these types of projects as well.
• Managed Vulnerability Assessment, Penetration Testing, and PCI Compliance resources
• Developed standardized methodologies, pricing models, Statement of Work, and Proposal content for scoping and delivering work

Security Consultant
Integralis - East Hartford, CT - Dec 2005-Mar 2008
Moved from the “Activis” managed security side of the business to the “Integralis” system integration and consulting side of the business as a security consultant. Initially supported security hardware and software installations and upgrades. Went on to start the vulnerability scanning and penetration testing practice.
• Deployed hundreds of firewalls, IPS, proxies, and two-factor authentication systems based on Check Point, Proventia, BlueCoat, and RSA SecurID
• Conducted vulnerability scans and penetration tests of customer systems
• Conducted vulnerability assessments of customer environments in support of compliance requirements

Developer
Activis - Theale, Berkshire, UK - Feb 2003-Dec 2005
Brought to the UK to design and implement a new core scanning engine for an existing cloud-based email anti-virus and anti-spam platform. Trained frontline personnel on the new system and provided development-level support on an ongoing basis before managing the transition to another core scanning engine.
• Reverse engineered mail scanning engine registry-based configuration system in order to enable its use within a multi-tenant cloud-based system
• Designed and implemented backend cloud services, web-based client frontend and support interface
• Managed deployment of scanning infrastructure across 3 countries
• Trained and provided development support for frontline support personnel in US, UK, and DE

Managed Security Engineer
Activis - East Hartford, CT - Aug 2001-Feb 2003
Hired as a Security Operations Engineer for a Managed Security Service, providing support for firewall and IPS managed service customers, including monitoring system status, conducting routine maintenance, coordinating deployments and upgrades, and providing support services to clients.
• Developed scripts to automate maintenance activities that were previously done manually, reducing required effort from 10+ hours to ~30 minutes

Operations Engineer
Streemail.com – North Adams, MA - Aug 2000-Aug 2001
Brought on to a growing dot-com startup with an email-based news distribution platform. Initial responsibilities included liaising between system administrators and developers in order to support the existing primary distribution system. Responsibilities expanded to architecting a new distribution system that could handle growing traffic requirements.
• System administration, support, and development in a Linux/Apache/MySQL/Perl environment
• Designed and implemented new core email sending system functionality
• Worked on deep optimization of SMTP in order to maximize ability to send large numbers of emails in a short period of time with minimal resource utilization
• Designed APIs for and supported development of content creation modules for email sending system