
Governance, Risk, and Compliance Lead; non-profit executive; intent-based leader; community builder; teacher; improviser

Skills

CISA, CISM, CISSP, Compliance, CRISC, Governance, NIST Frameworks, Risk analysis, Risk management, Security analysis, Security Impact Analysis, Vendor management, Vulnerability management

Bio

I presently manage a team of six analysts working in the GRC space at a higher-ed institution. My team essentially serves as security consultants for the entire university across a minimum of 13 different areas of regulatory compliance (the largest/busiest areas being PCI DSS, HIPAA, FERPA, and now CUI / CMMC), and we use new projects as hooks to instill security best practices early in project/technology lifecycles.

We keep ourselves busy handling first and third party risk assessments and making recommendations to the enterprise about our findings so they can make informed decisions. We recently revamped - from the ground up - our vulnerability management program using a game plan I devised (with insight from our CISO); it is still a work in progress.

We serve as subject matter experts on security awareness training matters and provide our input to our dedicated IT training team on the topics we should be covering. We are charged with policy interpretation, policy enforcement, and policy writing, and serve in those matters as needed.

Using intent-based leadership, I am able to temporarily manage our Security Operations & Engineering teams and our Incident Response team when those respective leaders are absent.

I have a small background in Journalism, which is what I originally went to school for, but wound up being conferred a degree in Telecommunication with a specialization in Information Systems and Technology Management.

I spent approximately 14 years bouncing back and forth between Unix/Linux administration and Windows administration. I helped manage the software stack for the public computer labs. I administered print services for large swaths of campus. I used to maintain the central mail system for the university.

After all those years as a sysadmin, I made a move over to the Internal Audit department as an IT auditor. While security & privacy had always been a passion of mine and I brought those matters to the table during systems planning, I consider my time as an auditor as my first real entry into the information security field. Of course, audit deals primarily in risk management, but they also are not allowed to actually implement the mitigating controls they recommend.

After two years of audit work, I made the move over to GRC. During my time on the team as both an analyst and a leader, I have been a part of two large-scale events and utilized my communication skills to help influence matters in the right direction. I've helped with budget planning, building strategic roadmaps, influencing vision, and exercised extreme ownership. I've now spent nine years working in infosec and cannot imagine doing anything else beyond growing my career in this space. I can hold my own with CISOs and am aiming my career in that direction.

I am an Infragard member. I held (past tense) the following certifications: CISA, CISSP, CISM, CRISC. I spent some time at Go! Comedy in Detroit, Michigan honing my improvisation skills which I feel are quite needed in a field that is ever-changing, and sometimes at a moment's notice.

I am a big believer in community and giving back and, as such, I have volunteered my time with a local organization called #misec, including directing the Lansing area chapter for a period of four and a half years - this included scheduling speakers, holding regular social gatherings, designing and writing the newsletter, and continually selling our field as a place to start or continue a career. Eventually, with the aid of two fellow members, we turned #misec into an official non-profit, and I serve as an Executive Director with them.

I've taught introductory security to college students in a few different classes and I've presented at #misec Lansing a few times on topics such as "What can GRC do for you?" and "Should I get certified in... or not?" as well as spoken at the former Converge Detroit conference, and BSides Detroit. Recently, I have become an organizer for the inaugural #misecCON happening this November.

Location

Lansing, Michigan, US
