Fattis is available for hire
Hire FattisFattis N. Mann
Verified Expert in Engineering
Information Security Executive and Developer
Location
Orlando, FL, United States
Toptal Member Since
February 10, 2023
Fattis is one of the most talented and seasoned information security executives in the market today. Having worked as a vCISO and a BISO director of business enablement and resilience for a Fortune 500, he brings together solid project management, communication, and documentation skills, specifically leveraging cybersecurity in business settings. Fattis is CAP, CDPSE, CISSP, and CRISC certified and is highly effective in communicating cybersecurity to both technical and non-technical staff.
Information SecuritySecuritySecurity ArchitectureWeb App SecurityApplication SecurityWeb SecurityCloud SecurityCloud ArchitectureCloudflareCybersecurityNetwork SecurityDevOpsAWS HAAmazon Web Services (AWS)Mobile SecurityAzure SecurityDesktop SupportSecurity ComplianceCertified Information Systems Security Professional (CISSP)
Portfolio
Computer Data Services, LLC
Cybersecurity, Database Security, IT Security, Security, Application Security...
Science Applications International Corporation (SAIC)
CISO, Governance, Risk, Compliance, Teams, Zoom, ISO 27002, ISO 27001...
JetBlue
CISO, BIA, Risk, PCI, Disaster Recovery Plans (DRP), PCI Compliance...
Experience
Availability
Part-time
Preferred Environment
Windows, Zoom, Teams, CISO, ISO 27001, Information Security, Cybersecurity, IT Security, Compliance, Security, Certified Information Systems Security Professional
The most amazing...
...project I've led involved building a BISO team, aligning 60 champions across nine BUs to help the enterprise accept the use of disruptive security technology.
Work Experience
IT Security Engineer/Consultant for a Social Help Platform
2023 - 2023
Computer Data Services, LLC
- Conducted a security risk assessment of the Social Help Platform which was a review of the as -is network, application, third party IVR and database security controls.
- Identified data base service account access risks, website security controls enhancements, access and authorization administration risks and made recommendations for remediation.
- Provided organizational security strategy and initiative roadmap components to drive an audit once and report many attestations to customers and business partners.
Technologies: Cybersecurity, Database Security, IT Security, Security, Application Security, Amazon Web Services (AWS), Interactive Voice Response (IVR), MySQLdb, .NET, VPN, Azure, Security Architecture, People Management, Architecture, Cloud Architecture, DevOps, Certified Information Systems Security Professional, Network Security, Leadership, Azure Cloud Security, Cloudflare, Azure Network Security Groups
Cybersecurity and Business Resilience Director
2013 - 2023
Science Applications International Corporation (SAIC)
- Built the first Business Information Security Office (BISO) team to manage cybersecurity. Although we were a Windows endpoint and an Azure platform standard enterprise, we evaluated and deployed MacOS endpoints and AWS as BU/department standards.
- Integrated the business resilience and disaster recovery teams to align cybersecurity with a budget of $4.7 billion in the defense and civilian sector and $2.7 billion in national security and space.
- Deployed secure technologies to transform the 27,000-member workforce from 80% on-site to remote, post-COVID, reducing the brick-and-mortar footprint recurring investment by $20 million without compromising company and customer data or health.
- Sourced positions for the BISO team to represent cybersecurity on in-process reviews (IPRs) for all programs above $750 million to $1 billion in contract values.
- Promoted better cyber hygiene through cybersecurity communication, awareness, resilience, and training.
- Launched the first governance, risk, and compliance (GRC) organization, integrating former internal audit and cyber compliance personnel and functions.
- Led the security integration team through the $2 billion Scitor M&A to perform post-acquisition security network connectivity.
- Introduced a SOX monitoring solution to the risk management team and directed the review of all legacy SAIC applications. Insourced incident response (CIRT), security operations center (SOC), and SOX monitoring functions from Leidos Cyber BU to SAIC.
- Approved all program and developer-specific non-enterprise standard technology requirements by risk-based exception management and alternative architecture designs and implementations (e.g., micro-segmentation, NSVPNs, open source, sandboxes, et al.).
Technologies: CISO, Governance, Risk, Compliance, Teams, Zoom, ISO 27002, ISO 27001, Application Security, Information Security, Cybersecurity, IT Security, Security, Azure, AWS HA, MacOS, Amazon Web Services (AWS), Intrusion Prevention Systems (IPS), Web Security, Mobile Security, Google Cloud Platform (GCP), Intrusion Detection Systems (IDS), Java Security, React, Cloud Security, DDoS, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, People Management, Architecture, Cloud Architecture, DevOps, Certified Information Systems Security Professional, Network Security, Leadership, Azure Cloud Security, Cloudflare, Azure Network Security Groups
Senior PCI Security Consultant
2011 - 2013
JetBlue
- Addressed compliance issues, including the lack of an existing compliance program for managing credit card transaction processes. Conducted a risk assessment for the cardholder data environment (CDE) and defined the POS and device requirements.
- Defined the 21,000 node CDE by compiling the CDE's device inventory and pricing and budgeting security tools—enabling us to make purchases based on a CDE risk assessment and attestations of compliance from JetBlue business partners and suppliers.
- Developed a $3 million budget strategy for security tools. Secured $1.9 million in consultant fees, creating the 1st ROC and ending quarterly fines of up to $100,000 to VISA and MasterCard before the granting of a Trustwave quality security assessor.
- Completed monthly PCI DSS compensating control worksheets, self-assessment reports, and compliance requirement checklists until ROC was granted. Maintained PCI cyber activity/posture to support the company's first QSA-certified ROC.
Technologies: CISO, BIA, Risk, PCI, Disaster Recovery Plans (DRP), PCI Compliance, Vulnerability Management, Application Security, Information Security, Cybersecurity, IT Security, Compliance, Security, Intrusion Prevention Systems (IPS), Web Security, Mobile Security, Intrusion Detection Systems (IDS), Java Security, Cloud Security, DDoS, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, People Management, Architecture, Cloud Architecture, DevOps, Certified Information Systems Security Professional, Network Security, Leadership
Director, IT Security and Compliance
2006 - 2011
Broward Board of County Commissioners
- Oversaw IT security operations for a $3+ billion government organization. Delivered the 1st budget proposal for the county commissioner and the executive IT security and compliance program.
- Supported IT security and compliance initiatives for the above-mentioned project, impacting 84 agencies.
- Developed the 1st budget document ever submitted in Broward county to secure $2 million in funding and build the 1st IT security, compliance, and disaster recovery team. Became the FEMA-certified NIMS technology incident commander (aka the CISO).
- Collaborated with revenue-generating agency security teams to propose enterprise economies of scale for existing siloed multimillion-dollar budgets for airport and seaport security, water wastewater utility SCADA networks, and mass transportation.
- Resolved multiple conflicts and saved millions of dollars in McAfee and Microsoft tool procurements/investments for the county, including decreasing privileged accounts from over 20% to less than 6%—closer to the industry benchmark.
Technologies: CISO, BIA, Risk, HIPAA Compliance, PCI Compliance, Compliance, Risk & Compliance, Data, Disaster Recovery Plans (DRP), Networks, Desktop Support, Desktop App Design, Apps, HTML, IT, Java, Law, Oracle OSM, PCI, Application Security, Information Security, Cybersecurity, IT Security, Security, Intrusion Prevention Systems (IPS), Web Security, Mobile Security, Intrusion Detection Systems (IDS), Java Security, Cloud Security, DDoS, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, People Management, Architecture, DevOps, Certified Information Systems Security Professional, Network Security, Leadership
IT General Manager, Public Safety, Applications and CISO
1999 - 2005
City of Detroit
- Established and directed the IT department's 1st public safety division. Implemented a technology plan that targeted IT for law enforcement, public safety, and judicial information systems to sustain federal grant funding levels of over $20 million.
- Managed recruiting, training, resource allocation, and employee assessment functions to transition police IT to central IT. Built and mentored cohesive, qualified teams to meet schedule and budget for forming the 1st IT public safety division.
- Upgraded police CAD applications and infrastructure on mirrored IBM pSeries fully redundant infrastructure and Oracle9i Real App Clustering (RAC) HACMP. The $10 million secure network architecture upgrades included Brocade switches and Shark SAN devices.
- Led the design and implementation of new Motorola 800Mhz digital radio systems for public safety and water departments worth $100 million. Established fleet maps and talk groups for the city's first 10-point DHS plan, 211 and 311 CRM.
- Managed security and app development teams as the 1st CISO, along with maturing QA. Supervised release testing for new applications by providing final approval for bug-free, fully functional city agency solutions.
- Circumvented manual installation of the Norton Antivirus (NAV) on 8,000 endpoints during the Nimda.E virus outbreak. Our CIRT analysis business case justified the purchase of the IBM Tivoli suite to automate and saved $500,000 on dealing with each device separately again.
Technologies: CISO, IBM SAN, Unisys Mainframe, Java, SecOps, Application Security, Information Security, Cybersecurity, IT Security, Compliance, Security, Web Security, Mobile Security, Intrusion Detection Systems (IDS), Cloud Security, DDoS, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, Architecture, DevOps, Leadership
Experience
Constitution of the First Business Information Security Office (BISO) for a Fortune 500 Company
Sourced the BISO with hand-picked cybersecurity practitioners who provided an alignment of the enterprise-compliant cybersecurity program and architecture for a government and publicly-traded company. They aligned the company's nine business units (BUs) and two sectors worth $7 billion in revenue with program-specific security, risk, and resiliency requirements.
Some of the program-specific security management goals and technical controls required:
• Building an enterprise cybersecurity champion program, leveraging 60 BU-assigned security champions to attend monthly sessions with security updates on business requirements per LOB
• Establishing developer or program-appropriate network micro-segmentations, leveraging software-defined data centers, VMs, and AD groups to enable the business-compelled exception management use of non-enterprise standard apps, open-source software, or unique internet URL access
• Developing a business resilience program, which involved conducting a business impact analysis (BIA) to determine the program app recovery time and point objectives (RTOs/RPOs) and developing and testing the disaster recovery plans (DRPs) for validation by tabletop, test, and exercise rehearsals
Some of the program-specific security management goals and technical controls required:
• Building an enterprise cybersecurity champion program, leveraging 60 BU-assigned security champions to attend monthly sessions with security updates on business requirements per LOB
• Establishing developer or program-appropriate network micro-segmentations, leveraging software-defined data centers, VMs, and AD groups to enable the business-compelled exception management use of non-enterprise standard apps, open-source software, or unique internet URL access
• Developing a business resilience program, which involved conducting a business impact analysis (BIA) to determine the program app recovery time and point objectives (RTOs/RPOs) and developing and testing the disaster recovery plans (DRPs) for validation by tabletop, test, and exercise rehearsals
Creation of a Cyber Program Risk-tracking Project to Report to the Risk Oversight Committee (ROC)
Developed a methodology for identifying which of the thousands of contracts had a contract line item number (CLIN) containing requirements for cybersecurity services. A cyber review is done to provide customers with information on these services' cyber hygiene and the health of contract performance.
The project involved:
• Creating the Epics hypothesis and Lean business case to present to the OCIO Intake Review Board for approval as a prioritized enterprise project
• Building a four-tiered priority system to determine the adverse impact of services disruption on the company or customer brand—priority tier one service being running the SOC, security tools and firewall administration, intrusion prevention/detection systems (IDS/IPS), and priority tier four being performing security awareness, training, or system patching
• Developing the template to conduct and report the results of cyber reviews to the BoD ROC
• Using ServiceNow tickets, searching for contracts in Oracle Fusion, and MS Dynamic PM databases and the CRM to flag PM status updates and identify anomalies
• Creating a list of tier 1-4 discovered contracted cyber services to create ready-accessible past-performance narratives for future proposal efforts
• Training PMs
The project involved:
• Creating the Epics hypothesis and Lean business case to present to the OCIO Intake Review Board for approval as a prioritized enterprise project
• Building a four-tiered priority system to determine the adverse impact of services disruption on the company or customer brand—priority tier one service being running the SOC, security tools and firewall administration, intrusion prevention/detection systems (IDS/IPS), and priority tier four being performing security awareness, training, or system patching
• Developing the template to conduct and report the results of cyber reviews to the BoD ROC
• Using ServiceNow tickets, searching for contracts in Oracle Fusion, and MS Dynamic PM databases and the CRM to flag PM status updates and identify anomalies
• Creating a list of tier 1-4 discovered contracted cyber services to create ready-accessible past-performance narratives for future proposal efforts
• Training PMs
Upgraded Seaport Law Enforcement Information Systems
I managed Port Everglades MOU support team service levels to maintain a $40 million security operations center (SOC). It involved an intelligent video surveillance system with 300 cameras connected by a separate campus fiber network fully monitored by Intrusion Protection/Detection System (IDS/IPS). Motorola Moto Mesh cameras and self-forming wireless network were integrated on campus, at each cruise line berthing station (as well as shipboard wireless), the harbormaster, and the port police vehicle fleet. I also built an alternate SOC at the emergency operations center (EOC) campus with cloud security and access to SaaS seaport applications, networks, and environments.
Skills
Frameworks
AWS HA, .NET
Paradigms
DDoS, DevOps, HIPAA Compliance
Platforms
Amazon Web Services (AWS), Azure, MacOS, Google Cloud Platform (GCP), Windows
Industry Expertise
Cybersecurity, Network Security
Other
Risk, CISO, BIA, Governance, Risk & Compliance, Compliance, Application Security, Information Security, IT Security, Security, Web Security, Intrusion Detection Systems (IDS), Cloud Security, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, Enterprise Architecture, People Management, Architecture, Cloud Architecture, Certified Information Systems Security Professional, Web App Security, Leadership, Azure Cloud Security, Cloudflare, Security Compliance, FedRAMP, SOX, IT Projects, Cloud, Proposals, ISO 27001, Intrusion Prevention Systems (IPS), Mobile Security, VMware VMotion, SOX Compliance, Teams, Technology, SecOps, Disaster Recovery Plans (DRP), Incident Management, Incident Response, PCI Compliance, Risk Models, Law, Writing & Editing, Economics, Statistics, IBM SAN, Unisys Mainframe, PCI, Vulnerability Management, Data, Networks, Desktop Support, Desktop App Design, Apps, IT, ISO 27002, Data Privacy, Privacy, Interactive Voice Response (IVR)
Libraries/APIs
Java Security, React
Languages
SQL, Java, HTML, BC
Tools
Zoom, Oracle OSM, VPN, Azure Network Security Groups
Storage
Database Lifecycle Management (DLM), Database Security, MySQLdb
Education
1991 - 1995
Bachelor's Degree in Criminal Justice
University of Baltimore - Baltimore, MD, USA
Certifications
DECEMBER 2022 - PRESENT
Certified in Governance, Risk and Compliance (CGRC)
(ISC)2
AUGUST 2020 - PRESENT
Certified Data Privacy Solutions Engineer
ISACA
OCTOBER 2011 - PRESENT
Certified Information Systems Security Professional (CISSP)
(ISC)2
JUNE 2011 - PRESENT
Certified in Risk and Information Systems Control (CRISC)
ISACA
Collaboration That Works
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
1
Share your needs
Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2
Choose your talent
Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3
Start your risk-free talent trial
Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.
Top talent is in high demand.
Start hiring