Mark Castagneri
Verified Expert in Engineering
Cybersecurity Specialist and Developer
Arvada, CO, United States
Toptal member since January 4, 2023
Mark is a risk assessor, program manager, security operations engineer, and architect with over 10 years of experience implementing risk reduction initiatives. He has a deep understanding of various security frameworks and tools. Mark has successfully developed budgets, risk-informed roadmaps, and project plans and has led multidisciplinary teams to effectively reduce risks and demonstrate compliance with standards, as confirmed by 3rd-party auditors.
Preferred Environment
IT Security, Security Management, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Amazon Web Services (AWS), Azure Active Directory, Architecture, Budgeting, Cryptocurrency Wallets, GRC
The most amazing...
...cybersecurity program I've implemented from the ground up was for a US company operating in eight states, subsequently certified by external auditors.
Work Experience
Experienced InfoSec Engineer
DynamoFL, Inc
- Collaborated with the CIO to assess the current security posture of the CI/CD AI development environment.
- Provided an improvement roadmap specific to the existing application stack to bring their Dev/Sec/Ops CI/CD process to the next level in terms of security and continuous vulnerability management.
- Provided a threat model for the industry vertical, mapping current and applicable malware types to the CIS CSC and SOC2 safeguard controls that prevent or reduce impact.
Full-stack System Architect
Zee Source
- Performed a platform risk assessment, identified risks, and prioritized risk reduction using the current threat landscape for this business vertical.
- Developed a risk reduction roadmap (plan of action and milestones) with specific best practice tasks defined in order of maximum risk reduction.
- Informed the principal of compliance obligations and prepared FFIEC and HIPAA deliverables designed to demonstrate to prospective customers best practice security measures commensurate with the inherent risk level.
- Provided risk reduction actions using cloud-native AWS tools, simplifying the path forward execution plan.
- Assessed the platform and prepared inherent risk assessment reports supporting FFIEC and HIPAA security framework requirements.
Director, IT Security and Risk
Friday Health Plans
- Developed and presented the IT security roadmap approved by the board.
- Selected security tools for endpoint protection, secure configuration, and vulnerability, patch, certificate, and incident management.
- Hired staff and managed the program phase one completion.
- Implemented a third-party vendor security risk assessment and management process and procedure in collaboration with Legal and Compliance.
- Managed the selection process of security tools, evaluating technology candidates in terms of ROI, application stack compatibility, company staff expertise, and ease of implementation.
- Spearheaded a project to implement software development security, assessing code and recommending risk reduction actions.
Security Compliance Program Manager
Oracle
- Acted as the FedRAMP compliance program manager and participated in the team that achieved the Provisional Authority to Operate (P-ATO) as assessed by third-party auditors.
- Prepared sections of the system security plan, the plan of action and milestones, and continuous monitoring program documents.
- Finalized vulnerability monitoring technologies and processes.
National Cybersecurity Lead
Brown and Caldwell
- Developed a national cybersecurity practice program.
- Assessed the program to US government CMMC requirements for Controlled Unclassified Information (CUI).
- Completed a risk assessment and improvement plan of action and milestones, enabling the continuation of government contracts.
Associate Director, Cybersecurity GRC
Cognizant
- Performed risk assessments and chaired the executive risk management meeting to evaluate and disposition cyber risks to the company.
- Managed the US-based and offshore risk assessment team.
- Created a risk ranking and disposition tool enabling effective risk review and acceptance.
- Developed a vendor risk management program and procedure.
Cybersecurity Program Manager
Xcel Energy
- Performed operational security risk assessments for assets and networks.
- Built and maintained the security architecture in collaboration with regional administrators.
- Developed and delivered security awareness training.
- Acted as the corporate liaison officer to external, third-party auditors.
- Created and managed compliance roadmaps and project plans.
- Implemented a compliant operational security program with no findings as assessed by three successive third-party audit teams.
- Developed staff and equipment resource plans supporting the organization's budget.
Experience
Healthcare Security Program Implementation
• Developing current state and future state architecture diagrams.
• Preparing the policy, procedures, risk reduction roadmaps, budget, and ROI prioritized plans presented to and approved by the board.
• Integrating with the IT architecture group for security initiatives, hiring team members, and tracking the completion of risk reduction objectives.
• Establishing a third-party contractor security assessment and risk reduction program.
• Assessing, contracting, and managing security vendors, implementing applications targeted to roll out and track compliance for essential risk-reducing security controls.
• Organizing disaster recovery/business continuity and incident response activities.
RESULTS
1) Achieving Phase I 35% risk reduction goals, as quantified by ROI.
2) Implementing tools for automated incident response, vulnerability management, and endpoint protection controls.
3) Fulfilling the board reviews of the budgets, roadmaps, and quarterly progress presentations.
Operating Technology (OT) Security Program Management
SIGNIFICANT BENEFITS
1) Demonstrated to regulators compliance with security requirements (a fine is levied if there are non-compliance issues).
2) Raised awareness through training of the nature and frequency of cyber security threats and how to prevent them.
3) Developed and implemented a secure architecture for more than 15 facilities; established the template and the review and approval process for annual updates.
Risk Assessment for Health Insurance Organization
HIGHLIGHTS
• Defined scope and presented duration and time commitment to executive management.
• Led a team to assess the current risk state of operations and systems.
• Prioritized findings in terms of those tasks that retire the most risk for the healthcare industry, based on the current threat landscape.
• Reviewed findings with involved management and developed response plans.
• Achieved approval of plans by involved management and executives.
• Published results with task completion dates coordinated with line management.
ACHIEVEMENTS
• Developed a prioritized risk management plan based on the organization's current state and bounced off the current malware threats.
• Raised awareness among operating teams of the security risks and what to do about them.
• Used AWS Security tools to evaluate cloud implementations for well-architected standards and compliance with CIS, AWS, and HIPAA security frameworks.
Evaluated and Selected Endpoint Detection and Incident Response Security Tools
Results were presented to top executives for approval and budget reconciliation. ROI was calculated for short-listed candidates to facilitate successful executive budget approval.
Developed and Implemented Vulnerability Management and Secure Configurations Program
Managed Governance, Risk, and Compliance Program for a Major Multinational Unit
KEY BENEFITS ACHIEVED
• Established a forum for senior management to understand and address security risks to their operations.
• Provided a process to methodically list, rank, and take specific actions to reduce identified risks.
Disaster Recovery/Business Continuity Program Development
KEY IMPROVEMENTS
• Updated the BR/BC plan.
• Developed RTO and RPO objectives for all critical processes.
Developed and Implemented Incident Response Process and Procedure
Education
Master's Degree in Environmental Engineering
Colorado School of Mines - Golden, Colorado, USA
Bachelor's Degree in Physics
University of Colorado Denver - Denver, CO, USA
Certifications
AWS Certified Cloud Practitioner
AWS
CISSP – Certified Information Systems Security Professional
(ISC)²
Skills
Tools
LibreOffice, Sentinel, GCP Security, McAfee
Paradigms
HIPAA Compliance, DevSecOps, Web Architecture, Penetration Testing, DevOps
Platforms
QualysGuard, Windows, Amazon Web Services (AWS), Azure, Ubuntu Linux, Oracle, WordPress, Amazon EC2, SharePoint, Rapid7, AWS Lambda, Docker
Industry Expertise
Cybersecurity, Network Security, Insurance
Storage
Database Security, Azure Cloud Services, Azure Active Directory, Amazon S3 (AWS S3), PostgreSQL, Amazon DynamoDB
Languages
Bash, Java, JavaScript, HTML, CSS
Frameworks
Vanilla JS
Other
Office 365, Environmental Science, Mathematics, Complex Problem Solving, Certified Information Systems Security Professional, Risk Assessment, Business Transformation Program Management, Information Security, IT Project Management, Roadmaps, Budgeting, Value at Risk, Technical Program Management, Risk Models, Web Security, Network Architecture, Application Security, IoT Security, IT Security, Compliance, Vulnerability Assessment, Endpoint Security, Traffic Monitoring, IT Projects, Risk Management, Operational Technology (OT), NIST, Backup & Recovery, Business Continuity, Third-party Management, Security, Vulnerability Identification, Cloud, Technical Writing, Architecture, System Security, Security Management, Networks, SecOps, Data-level Security, Security Architecture, Backups, Policy Development, Policies & Procedures Compliance, IT Management, SOC 2, Security Audits, CISO, CISSP, Computer Security, Managed Security Service Providers (MSSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), GRC, Documentation, Business Continuity Planning (BCP), Threat Modeling, SaaS Security, Consulting, Auditing, Healthcare, Data Risk Assessment (DRA), FedRAMP, ISO Compliance, Compliance, Insurance, Windows 10, SaaS Monitoring, Disaster Recovery Plans (DRP), Incident Response, SIEM, Authentication, TCP/IP, Cisco, GDPR, PCI, Cloud Security, Data Security, Mobile Security, ISO 27001, ISO 27002, Privacy, Cloud Architecture, CA Network & Systems Management (NSM), Internet Security, Data Loss Prevention (DLP), Bitdefender, CI/CD Pipelines, OWASP, Virtualization, AI Security, Data Privacy, OT Security, Veeam, HIPAA Electronic Data Interchange (EDI), International Data Privacy Regulations, Identity & Access Management (IAM), SonicWall, Cryptocurrency Wallets, Endpoint Management, AWS Cloud Security, Data Transformation, Security Compliance, Security Program Development, Vulnerability Management, Cloud Migration, WordPerfect, Data Breach Response, Security Breach Consulting, Artificial Intelligence (AI), Kubernetes Operations (kOps)