Verified Expert in Engineering
Cybersecurity Specialist and Developer
Mark is a risk assessor, program manager, security operations engineer, and architect with over 10 years of experience implementing risk reduction initiatives. He has a deep understanding of various security frameworks and tools. Mark has successfully developed budgets, risk-informed roadmaps, and project plans and has led multidisciplinary teams to effectively reduce risks and demonstrate compliance with standards, as confirmed by third-party auditors.
IT Security, Security Management, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Amazon Web Services (AWS), Azure Active Directory, Architecture, Budgeting
The most amazing cybersecurity program I've implemented from the ground up was for a US company operating in eight states, subsequently certified by external auditors.
Full-stack System Architect
- Performed a platform risk assessment, identified risks, and prioritized risk reduction using the current threat landscape for this business vertical.
- Developed a risk reduction roadmap (plan of action and milestones) with specific best-practice tasks defined in order of maximum risk reduction.
- Informed the principal of compliance obligations and prepared FFIEC and HIPAA deliverables that demonstrate to prospective customers best-practice security measures commensurate with the inherent risk level.
- Provided risk reduction actions using cloud-native AWS tools, simplifying the path-forward execution plan.
- Assessed the platform and prepared inherent risk assessment reports supporting FFIEC and HIPAA security framework requirements.
Director, IT Security and Risk
Friday Health Plans
- Developed and presented the IT security roadmap approved by the board.
- Selected security tools for endpoint protection, secure configuration, and vulnerability, patch, certificate, and incident management.
- Hired staff and managed the program through phase one completion.
- Implemented a third-party vendor security risk assessment and management process and procedure in collaboration with Legal and Compliance.
- Managed the selection process of security tools, evaluating technology candidates in terms of ROI, application stack compatibility, company staff expertise, and ease of implementation.
- Spearheaded a project to implement software development security, assessing code and recommending risk reduction actions.
Security Compliance Program Manager
- Acted as the FedRAMP compliance program manager and participated in the team that achieved the Provisional Authority to Operate (P-ATO) as assessed by third-party auditors.
- Prepared sections of the system security plan, the plan of action and milestones, and continuous monitoring program documents.
- Finalized vulnerability monitoring technologies and processes.
National Cybersecurity Lead
Brown and Caldwell
- Developed a national cybersecurity practice program.
- Assessed the program against US government CMMC requirements for Controlled Unclassified Information (CUI).
- Completed a risk assessment and improvement plan of action and milestones, enabling the continuation of government contracts.
Associate Director, Cybersecurity GRC
- Performed risk assessments and chaired the executive risk management meeting to evaluate and disposition cyber risks to the company.
- Managed the US-based and offshore risk assessment team.
- Created a risk ranking and disposition tool enabling effective risk review and acceptance.
- Developed a vendor risk management program and procedure.
Cybersecurity Program Manager
- Performed operational security risk assessments for assets and networks.
- Built and maintained the security architecture in collaboration with regional administrators.
- Developed and delivered security awareness training.
- Acted as the corporate liaison officer to external, third-party auditors.
- Created and managed compliance roadmaps and project plans.
- Implemented a compliant operational security program with no findings as assessed by three successive third-party audit teams.
- Developed staff and equipment resource plans supporting the organization's budget.
Healthcare Security Program Implementation
• Developing current state and future state architecture diagrams.
• Preparing the policy, procedures, risk reduction roadmaps, budget, and ROI prioritized plans presented to and approved by the board.
• Integrating with the IT architecture group for security initiatives, hiring team members, and tracking the completion of risk reduction objectives.
• Establishing a third-party contractor security assessment and risk reduction program.
• Assessing, contracting, and managing security vendors, and implementing applications to roll out and track compliance with essential risk-reducing security controls.
• Organizing disaster recovery/business continuity and incident response activities.
1) Achieving Phase I 35% risk reduction goals, as quantified by ROI.
2) Implementing tools for automated incident response, vulnerability management, and endpoint protection controls.
3) Fulfilling board reviews of the budgets, roadmaps, and quarterly progress presentations.
Operating Technology (OT) Security Program Management
1) Demonstrated compliance with security requirements to regulators (a fine is levied for non-compliance).
2) Raised awareness, through training, of the nature and frequency of cybersecurity threats and how to prevent them.
3) Developed and implemented a secure architecture for more than 15 facilities; established the template and the review and approval process for annual updates.
Risk Assessment for Health Insurance Organization
• Defined scope and presented duration and time commitment to executive management.
• Led a team to assess the current risk state of operations and systems.
• Prioritized findings in terms of those tasks that retire the most risk for the healthcare industry, based on the current threat landscape.
• Reviewed findings with involved management and developed response plans.
• Achieved approval of plans by involved management and executives.
• Published results with task completion dates coordinated with line management.
• Developed a prioritized risk management plan based on the organization's current state, checked against current malware threats.
• Raised awareness among operating teams of the security risks and what to do about them.
• Used AWS security tools to evaluate cloud implementations against Well-Architected standards and for compliance with the CIS, AWS, and HIPAA security frameworks.
Evaluated and Selected Endpoint Detection and Incident Response Security Tools
Results were presented to top executives for approval and budget reconciliation. ROI was calculated for short-listed candidates to facilitate successful executive budget approval.
Developed and Implemented Vulnerability Management and Secure Configurations Program
Managed Governance, Risk, and Compliance Program for a Major Multinational Unit
KEY BENEFITS ACHIEVED
• Established a forum for senior management to understand and address security risks to their operations.
• Provided a process to methodically list, rank, and take specific actions to reduce identified risks.
Disaster Recovery/Business Continuity Program Development
• Updated the BR/BC plan.
• Developed RTO and RPO objectives for all critical processes.
Developed and Implemented Incident Response Process and Procedure
HIPAA Compliance, DevSecOps, Web Architecture, Penetration Testing
QualysGuard, Windows, Amazon Web Services (AWS), Azure, Ubuntu Linux, Oracle, WordPress, Amazon EC2, SharePoint
IT Security, Security, Cybersecurity, Network Security, Insurance
Database Security, Azure Active Directory, Amazon S3 (AWS S3), PostgreSQL
Office 365, Environmental Science, Mathematics, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Roadmaps, Budgeting, Value at Risk, Technical Program Management, Risk Models, Web Security, Network Architecture, Application Security, IoT Security, Compliance, Vulnerability Assessment, Endpoint Security, Traffic Monitoring, IT Projects, Risk Management, Operational Technology (OT), NIST, Backup & Recovery, Business Continuity, Third-party Management, Vulnerability Identification, Cloud, Technical Writing, Architecture, Security Policies & Procedures, Security Management, Networks, SecOps, Data-level Security, Security Architecture, Backups, Policy Development, Policies & Procedures Compliance, IT Management, SOC 2, Security Audits, CISO, CISSP, Computer Security, Windows 10, SaaS Monitoring, Disaster Recovery Plans (DRP), Incident Response, SIEM, Authentication, TCP/IP, Cisco, GDPR, PCI, Cloud Security, Data Security, Mobile Security, ISO 27001, ISO 27002, Privacy, Cloud Architecture, CA Network & Systems Management (NSM), Data Privacy, Operational Technology Security, Veeam, HIPAA Electronic Data Interchange (EDI), International Data Privacy Regulations, Identity & Access Management (IAM), SonicWall
Master's Degree in Environmental Engineering
Colorado School of Mines - Golden, Colorado, USA
Bachelor's Degree in Physics
University of Colorado Denver - Denver, CO, USA
AWS Certified Cloud Practitioner
CISSP – Certified Information Systems Security Professional