Experienced Information Security Specialist with seventeen years of experience in various technical, consulting, and educational roles, with a heavy focus on offensive security. Currently focused on shifting security to the left with collaborative, integrated, and innovative approaches to purple and red teaming.
Information Security Compliance Specialist
Aug 2016 - Present @ INTEGRIS Health
Don’t let the title fool you. Delivered collaborative purple team services informed by a red team background. Designed, developed, integrated, and executed repeatable MITRE ATT&CK based scenarios, leveraging hybrid cloud infrastructure and FOSS with an eye to automation and integration with the blue team SIEM/SOAR platform and promoting a DevSecOps culture. Designed and executed attack simulations. Planned and executed application security assessments (DAST, SAST, IAST, manual code reviews), penetration tests, and sSDLC improvements; scoped and managed third party penetration tests; and managed and deployed phishing simulation and security education programs (Cofense & PSAT/Wombat). Provided O365 security architecture guidance, cloud security strategy guidance, high complexity troubleshooting, and delivered on other natural intersections of my offensive security background with a traditional but mature corporate security program.
Dec 2015 - Present @ Independent Contracting
Executed and delivered varied information security services, largely penetration testing, for several clients.
Senior Security Consultant
May 2015 - Nov 2015 @ True Digital Security
Executed and delivered a variety of services including application code review, application penetration tests, network penetration tests, physical assessments, policy writing, and security program development. Responsible for managing existing clients and building new clientele in the Oklahoma City market.
eSecurity Staff Engineer (Contract)
Nov 2014 - Apr 2015 @ Seagate Technology
Developed new frameworks, processes, and communications for internal red team and threat intelligence programs. Championed risk management practices/ISMS utilizing ISO 27000/COBIT/NIST hybrid model with a GRC platform. Performed security reviews of new or updated critical local and cloud-based systems. Scoped and executed penetration and red teaming exercises.
Senior Security Consultant
Jun 2014 - Nov 2014 @ NETSource, Inc.
Provided pre-sales and post-sales support to existing clients for a wide variety of security appliances and software in a Sales Engineering role. Generated new client sales leads, while maintaining and growing existing client relationships. Created and delivered presentations on a variety of security topics. Executed and delivered penetration testing and application assessment services. Developed and delivered custom security policies for multiple clients.
April 2011 - Feb 2014 @ FishNet Security
Increased test scheduling flexibility, reduced travel, reduced customer cost, and increased billable hours for security assessments by creating a customized penetration testing platform that provided encryption, restoration, and plug-and-phone-home abilities, giving consultants simplified remote access to client networks while preventing the co-mingling of sensitive data and providing a known-good testing environment. Provided security services including internal and external vulnerability assessments, internal and external penetration tests, wireless vulnerability assessments and penetration tests, phishing attacks, phone based social engineering, in-person social engineering, physical security assessments, PCI related assessments, and full red team engagements. Created and peer reviewed reports that balanced executive level charts and verbiage with technical detail using both CVSSv2 and subjective risk rating approaches.
Information Security Engineer
Jun 2007 - Mar 2011 @ INTEGRIS Health
Delivered security assessments for web apps, binary apps (limited), host configuration assessments, and known vulnerability assessments in service of delivering risk assessment reports for new and existing systems. Operational responsibilities included IR lead, vulnerability management lead, and the daily management of nCircle IP360, nCircle SIH, SourceFire, Palo Alto NGFW, and MS PKI. Developed policy, standards, procedures, metrics, and reporting for risk management (general program documents), risk assessments, risk analysis, vulnerability assessments, vulnerability disclosure, application assessments, and host configuration assessments. Developed and delivered presentations on security awareness topics for general, IT, and executive audiences. Developed a security professional training program that included classes, reading lists, book clubs, and videos. Worked on DMZ and other network segmentation and security projects. Deployed and/or administered Cisco ASAs, Checkpoint FW, McAfee Enterprise, Microsoft PKI, Palo Alto, nCircle IP360, SourceFire, ArcSight, Imperva, LogLogic, Proofpoint, ActiveScout Edge, Packeteer, and other solutions.
Aug 2005 - Jun 2007 @ First American Professional Land Services
Created and updated security policies. Implemented a vulnerability management and scanning program. Implemented a user security education program and system hardening. Centralized logging. Maintained switches, routers, firewalls, servers, workstations, storage devices, remote users, load balancers, and everything else.
University of Oklahoma - Computer Engineering
- Penetration Testing
- Vulnerability Assessment
- Application Security
- Purple Teaming
- Software Development
- Social Engineering
- Cloud Security
- CISSP - (ISC)²
- Security+ - CompTIA