Mark Castagneri, Developer in Arvada, CO, United States

Mark Castagneri

Verified Expert in Engineering

Cybersecurity Specialist and Developer

Location
Arvada, CO, United States
Toptal Member Since
January 4, 2023

Mark is a risk assessor, program manager, security operations engineer, and architect with over 10 years of experience implementing risk reduction initiatives. He has a deep understanding of a range of security frameworks and tools. Mark has developed budgets, risk-informed roadmaps, and project plans and has led multidisciplinary teams to reduce risk and demonstrate compliance with standards, as confirmed by third-party auditors.

Portfolio

DynamoFL, Inc
Information Security, Amazon Web Services (AWS)...
Zee Source
Web Security, Cloud Security, Java, PostgreSQL, JavaScript, HTML, CSS...
Friday Health Plans
Web Security, Network Architecture, Application Security, Authentication...

Experience

Availability

Full-time

Preferred Environment

IT Security, Security Management, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Amazon Web Services (AWS), Azure Active Directory, Architecture, Budgeting, Cryptocurrency Wallets, GRC

The most amazing...

...cybersecurity program I've implemented from the ground up was for a US company operating in eight states, subsequently certified by external auditors.

Work Experience

Experienced InfoSec Engineer

2024 - 2024
DynamoFL, Inc
  • Collaborated with the CIO to assess the current security posture of the CI/CD AI development environment.
  • Provided an improvement roadmap specific to the existing application stack to bring the DevSecOps CI/CD process to the next level of security and continuous vulnerability management.
  • Provided a threat model for the industry vertical, mapping current and applicable malware types to the CIS Critical Security Controls (CSC) and SOC 2 safeguards that prevent or reduce their impact.
Technologies: Information Security, Amazon Web Services (AWS), Managed Security Service Providers (MSSP), Vulnerability Management, Threat Modeling, CI/CD Pipelines

Full-stack System Architect

2023 - 2023
Zee Source
  • Performed a platform risk assessment, identified risks, and prioritized risk reduction using the current threat landscape for this business vertical.
  • Developed a risk reduction roadmap (plan of action and milestones) with specific best practice tasks ordered by maximum risk reduction.
  • Informed the principal of compliance obligations and prepared FFIEC and HIPAA deliverables demonstrating to prospective customers best practice security measures commensurate with the inherent risk level.
  • Provided risk reduction actions using cloud-native AWS tools, simplifying the execution plan.
  • Assessed the platform and prepared inherent risk assessment reports supporting FFIEC and HIPAA security framework requirements.
Technologies: Web Security, Cloud Security, Java, PostgreSQL, JavaScript, HTML, CSS, Vanilla JS, Amazon Web Services (AWS), Security, IT Security, CA Network & Systems Management (NSM), Documentation, Threat Modeling, SaaS Security, GCP Security, Consulting, Auditing, Healthcare, DevOps

Director, IT Security and Risk

2021 - 2022
Friday Health Plans
  • Developed and presented the IT security roadmap approved by the board.
  • Selected security tools for endpoint protection, secure configuration, and vulnerability, patch, certificate, and incident management.
  • Hired staff and managed the program through Phase 1 completion.
  • Implemented a third-party vendor security risk assessment and management process and procedure in collaboration with Legal and Compliance.
  • Managed the selection process of security tools, evaluating technology candidates in terms of ROI, application stack compatibility, company staff expertise, and ease of implementation.
  • Spearheaded a project to implement software development security, assessing code and recommending risk reduction actions.
Technologies: Web Security, Network Architecture, Application Security, Authentication, Cybersecurity, Azure Active Directory, Windows, Technical Writing, IT Security, Architecture, Security Policies & Procedures, Windows 10, Office 365, Mathematics, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, QualysGuard, Amazon Web Services (AWS), Azure, Sentinel, Roadmaps, Budgeting, Value at Risk, Bash, Technical Program Management, Risk Models, Data Privacy, Compliance, Endpoint Security, Traffic Monitoring, SaaS Monitoring, IT Projects, Risk Management, NIST, Backup & Recovery, Backups, Business Continuity, Disaster Recovery Plans (DRP), Veeam, Incident Response, Third-party Management, SIEM, Security, Vulnerability Identification, Cloud, Network Security, TCP/IP, Networks, SecOps, DevSecOps, Data-level Security, GDPR, Security Architecture, HIPAA Compliance, PCI, Web Architecture, WordPress, Data Security, SOC 2, Security Audits, Mobile Security, Amazon S3 (AWS S3), Amazon EC2, HIPAA Electronic Data Interchange (EDI), CISO, Insurance, Privacy, CISSP, Database Security, Cloud Architecture, Computer Security, Identity & Access Management (IAM), SonicWall, CA Network & Systems Management (NSM), Azure Cloud Services, Endpoint Management, Managed Security Service Providers (MSSP), AWS Cloud Security, Data Loss Prevention (DLP), Data Transformation, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), Threat Modeling, SaaS Security, Auditing, Healthcare, DevOps, AWS Lambda, Amazon DynamoDB, Bitdefender, McAfee, OWASP, Cloud Migration, Virtualization, Compliance, Insurance

Security Compliance Program Manager

2018 - 2019
Oracle
  • Acted as the FedRAMP compliance program manager on the team that achieved a Provisional Authority to Operate (P-ATO), as assessed by third-party auditors (3PAO).
  • Prepared sections of the system security plan, the plan of action and milestones, and continuous monitoring program documents.
  • Finalized vulnerability monitoring technologies and processes.
Technologies: Oracle, Cybersecurity, Technical Writing, IT Security, Security Policies & Procedures, Vulnerability Assessment, Web Security, Windows 10, LibreOffice, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, QualysGuard, Compliance, Traffic Monitoring, IT Projects, Risk Management, NIST, Backups, Backup & Recovery, Disaster Recovery Plans (DRP), Security, Cloud, Network Security, TCP/IP, Cisco, Data-level Security, Security Architecture, Data Security, Security Audits, IT Management, CISSP, Database Security, Cloud Architecture, Computer Security, Managed Security Service Providers (MSSP), Data Loss Prevention (DLP), Security Compliance, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), SaaS Security, GCP Security, Auditing, FedRAMP, CI/CD Pipelines, ISO Compliance, OWASP, Virtualization

National Cybersecurity Lead

2017 - 2018
Brown and Caldwell
  • Developed a national cybersecurity practice program.
  • Assessed the program against US government CMMC requirements for Controlled Unclassified Information (CUI).
  • Completed a risk assessment and improvement plan of action and milestones, enabling the continuation of government contracts.
Technologies: IoT Security, Technical Program Management, Cybersecurity, Windows, Technical Writing, IT Security, Architecture, Security Policies & Procedures, Web Security, Windows 10, Office 365, Mathematics, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Roadmaps, Budgeting, Value at Risk, Risk Models, Network Architecture, Compliance, Operational Technology Security, Endpoint Security, Traffic Monitoring, IT Projects, Risk Management, Operational Technology (OT), NIST, Security, Network Security, TCP/IP, Networks, Security Architecture, Security Audits, CISO, Policy Development, Policies & Procedures Compliance, IT Management, CISSP, Computer Security, Identity & Access Management (IAM), CA Network & Systems Management (NSM), Data Loss Prevention (DLP), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), Threat Modeling, Consulting, Auditing, Virtualization

Associate Director, Cybersecurity GRC

2015 - 2017
Cognizant
  • Performed risk assessments and chaired the executive risk management meeting to evaluate and disposition cyber risks to the company.
  • Managed the US-based and offshore risk assessment team.
  • Created a risk ranking and disposition tool enabling effective risk review and acceptance.
  • Developed a vendor risk management program and procedure.
Technologies: IT Security, Technical Program Management, Data Privacy, Cloud, Cybersecurity, Windows, Technical Writing, Security Policies & Procedures, Vulnerability Assessment, Web Security, Windows 10, Office 365, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Amazon Web Services (AWS), Azure, Application Security, Compliance, Traffic Monitoring, SaaS Monitoring, IT Projects, Risk Management, Incident Response, Third-party Management, Security, Vulnerability Identification, Azure Active Directory, Network Security, Cisco, SecOps, Data-level Security, GDPR, Security Architecture, HIPAA Compliance, Cloud Security, Data Security, SOC 2, Security Audits, Mobile Security, ISO 27001, ISO 27002, Insurance, International Data Privacy Regulations, Privacy, Policies & Procedures Compliance, IT Management, Policy Development, CISSP, Database Security, Cloud Architecture, Computer Security, Identity & Access Management (IAM), Penetration Testing, SharePoint, Azure Cloud Services, Managed Security Service Providers (MSSP), Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), Threat Modeling, SaaS Security, Auditing, Healthcare, Bitdefender, CI/CD Pipelines, Compliance, Insurance

Cybersecurity Program Manager

2007 - 2015
Xcel Energy
  • Performed operational security risk assessments for assets and networks.
  • Built and maintained the security architecture in collaboration with regional administrators.
  • Developed and delivered security awareness training.
  • Acted as the corporate liaison officer to external, third-party auditors.
  • Created and managed compliance roadmaps and project plans.
  • Implemented a compliant operational security program with no findings as assessed by three successive third-party audit teams.
  • Developed staff and equipment resource plans supporting the organization's budget.
Technologies: Compliance, Technical Program Management, Operational Technology Security, Vulnerability Identification, Cybersecurity, Windows, Technical Writing, IT Security, Architecture, Security Policies & Procedures, Vulnerability Assessment, Windows 10, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Roadmaps, Budgeting, Value at Risk, Risk Models, Network Architecture, IoT Security, Endpoint Security, Traffic Monitoring, IT Projects, Risk Management, Operational Technology (OT), NIST, Backup & Recovery, Backups, Third-party Management, SIEM, Security, Authentication, Network Security, TCP/IP, Networks, SecOps, Security Architecture, Web Architecture, Security Audits, CISO, Policy Development, Policies & Procedures Compliance, IT Management, CISSP, Computer Security, CA Network & Systems Management (NSM), Intrusion Prevention Systems (IPS), Documentation, Business Continuity Planning (BCP), Threat Modeling, Auditing

Healthcare Security Program Implementation

Managed and led the IT security program development activities for a health insurance company, which included:

• Developing current state and future state architecture diagrams.
• Preparing the policy, procedures, risk reduction roadmaps, budget, and ROI prioritized plans presented to and approved by the board.
• Integrating with the IT architecture group for security initiatives, hiring team members, and tracking the completion of risk reduction objectives.
• Establishing a third-party contractor security assessment and risk reduction program.
• Assessing, contracting, and managing security vendors, implementing applications targeted to roll out and track compliance for essential risk-reducing security controls.
• Organizing disaster recovery/business continuity and incident response activities.

RESULTS
1) Achieved the Phase I goal of 35% risk reduction, as quantified by ROI.
2) Implemented tools for automated incident response, vulnerability management, and endpoint protection controls.
3) Delivered board reviews of the budgets, roadmaps, and quarterly progress presentations.

Operational Technology (OT) Security Program Management

Led the development and implementation of a federally mandated NERC Critical Infrastructure Protection (CIP) compliance program for a major utility operating in eight states. Working with the involved departmental stakeholders to develop processes, I created architecture templates, developed and approved the architecture for multiple locations, wrote policies and procedures, and delivered security program training. The program was designed to NERC CIP requirements and selected NIST SP 800-53 controls. I led the completion of cyber vulnerability and risk assessment engineering studies for networks and control systems across the generating fleet and served as liaison officer and subject matter expert to external audit teams. Three successive independent NERC CIP regional compliance audits confirmed the program with no findings.

SIGNIFICANT BENEFITS
1) Demonstrated compliance with security requirements to regulators (non-compliance is subject to fines).
2) Raised awareness, through training, of the nature and frequency of cybersecurity threats and how to prevent them.
3) Developed and implemented a secure architecture for more than 15 facilities, and established the template and the review and approval process for annual updates.

Risk Assessment for Health Insurance Organization

Scoped the assessment and socialized it with management, performed the risk assessment, prioritized the resulting risks, and presented the results to executive management.

HIGHLIGHTS
• Defined scope and presented duration and time commitment to executive management.
• Led a team to assess the current risk state of operations and systems.
• Prioritized findings by the tasks that retire the most risk for the healthcare industry, based on the current threat landscape.
• Reviewed findings with involved management and developed response plans.
• Achieved approval of plans by involved management and executives.
• Published results with task completion dates coordinated with line management.

ACHIEVEMENTS
• Developed a prioritized risk management plan based on the organization's current state, checked against current malware threats.
• Raised awareness among operating teams of the security risks and what to do about them.
• Used AWS security tools to evaluate cloud implementations against the AWS Well-Architected Framework and for compliance with the CIS, AWS, and HIPAA security frameworks.

Evaluated and Selected Endpoint Detection and Incident Response Security Tools

Assessed and selected managed detection and response security tools, including network and application traffic monitoring and malware flagging. Evaluated ESET, SentinelOne Singularity, Microsoft Defender (Azure Defender), Rapid7, and Coro using return on investment (ROI) ranking criteria. The evaluation criteria included ease of use, integration with the existing technology stack, use of latest-generation technology, estimated implementation cost, ongoing technical support needs, and acceptance by implementing staff. The phased approach included interviews with candidate vendors, selection of finalists, and application testing during a trial period.

Results were presented to top executives for approval and budget reconciliation. ROI was calculated for short-listed candidates to facilitate successful executive budget approval.

Developed and Implemented Vulnerability Management and Secure Configurations Program

Selected, implemented, and assisted in the operation of tools (Qualys, CIS SecureSuite) to continuously identify and remediate security vulnerabilities. Managed the involved systems administrators and security engineers to deliver the project. Achievements included significant risk reduction by shrinking the company's malware attack surface, an updated architecture diagram, and a current inventory of devices, operating systems, and software.

Managed Governance, Risk, and Compliance Program for a Major Multinational Unit

Hired the team and managed the security governance, risk, and compliance (GRC) program for a business unit of a major multinational. Tasks included risk assessment, risk ranking, and managing the risk acceptance process with executive management. I developed processes and procedures and was the primary author of the risk assessment reports.

KEY BENEFITS ACHIEVED
• Established a forum for senior management to understand and address security risks to their operations.
• Provided a process to methodically list, rank, and take specific actions to reduce identified risks.

Disaster Recovery/Business Continuity Program Development

Collaborated with the involved subject matter experts to determine critical business functions and prepare disaster recovery and business continuity program documents, including a list of critical applications and services and confirmation of the organizations and staff accountable for the program. Consulted with leaders to develop recovery time objectives (RTO) and recovery point objectives (RPO) for all critical applications and services, and upgraded business unit (BU) software and processes.

KEY IMPROVEMENTS
• Updated the DR/BC plan.
• Developed RTO and RPO objectives for all critical processes.

Developed and Implemented Incident Response Process and Procedure

Led the development of security incident response processes and procedures, engaging operations, legal, and compliance. Based the preparation procedure on best practices and upgraded backup tools and functions to the current state. Supported ongoing incident response activities.

Education

1989 - 1991

Master's Degree in Environmental Engineering

Colorado School of Mines - Golden, Colorado, USA

1984 - 1988

Bachelor's Degree in Physics

University of Colorado Denver - Denver, CO, USA

Certifications

MARCH 2023 - PRESENT

AWS Certified Cloud Practitioner

AWS

OCTOBER 2014 - OCTOBER 2026

CISSP – Certified Information Systems Security Professional

(ISC)²

Tools

LibreOffice, Sentinel, GCP Security, McAfee

Platforms

QualysGuard, Windows, Amazon Web Services (AWS), Azure, Ubuntu Linux, Oracle, WordPress, Amazon EC2, SharePoint, Rapid7, AWS Lambda

Paradigms

HIPAA Compliance, DevSecOps, Web Architecture, Penetration Testing, DevOps

Storage

Database Security, Azure Cloud Services, Azure Active Directory, Amazon S3 (AWS S3), PostgreSQL, Amazon DynamoDB

Industry Expertise

Cybersecurity, Network Security, Insurance

Frameworks

Vanilla JS

Languages

Bash, Java, JavaScript, HTML, CSS

Other

Office 365, Environmental Science, Mathematics, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Roadmaps, Budgeting, Value at Risk, Technical Program Management, Risk Models, Web Security, Network Architecture, Application Security, IoT Security, IT Security, Compliance, Vulnerability Assessment, Endpoint Security, Traffic Monitoring, IT Projects, Risk Management, Operational Technology (OT), NIST, Backup & Recovery, Business Continuity, Third-party Management, Security, Vulnerability Identification, Cloud, Technical Writing, Architecture, Security Policies & Procedures, Security Management, Networks, SecOps, Data-level Security, Security Architecture, Backups, Policy Development, Policies & Procedures Compliance, IT Management, SOC 2, Security Audits, CISO, CISSP, Computer Security, Managed Security Service Providers (MSSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), Threat Modeling, SaaS Security, Consulting, Auditing, Healthcare, Data Risk Assessment (DRA), FedRAMP, ISO Compliance, Compliance, Insurance, Windows 10, SaaS Monitoring, Disaster Recovery Plans (DRP), Incident Response, SIEM, Authentication, TCP/IP, Cisco, GDPR, PCI, Cloud Security, Data Security, Mobile Security, ISO 27001, ISO 27002, Privacy, Cloud Architecture, CA Network & Systems Management (NSM), Internet Security, Data Loss Prevention (DLP), Bitdefender, CI/CD Pipelines, OWASP, Virtualization, Data Privacy, Operational Technology Security, Veeam, HIPAA Electronic Data Interchange (EDI), International Data Privacy Regulations, Identity & Access Management (IAM), SonicWall, Cryptocurrency Wallets, Endpoint Management, AWS Cloud Security, Data Transformation, Security Compliance, Security Program Development, Vulnerability Management, Cloud Migration, WordPerfect
