Vulnerability Assessments, Penetration Testing, Standards and Guidelines, Security Certifications, PCI DSS Compliance Assessments, PA DSS Compliance Assessments, Web Application Security, Managing Teams, Mentoring Junior Consultants
As Senior Manager (Global Information Security & Fraud) at HSBC, my primary area of responsibility is securing globally deployed corporate banking applications and preventing fraud. Previously, I managed a global information security team that provided security design consulting and performed risk assessments on globally deployed applications.
I started and managed the application security/PCI compliance practices at two organizations prior to joining HSBC and was a co-founder of a security services company, based in California. I have interacted extensively with clients (management and technical) and managed vendor and client relationships.
My experience includes 5 years of enterprise application development and since 2001, performing threat modeling, penetration tests and vulnerability assessments, developing secure coding guidelines and delivering security training in addition to performing PCI-DSS and PA-DSS assessments.
I am a Certified Information Systems Auditor (CISA), an ex-PCI Qualified Security Assessor (PCI-QSA), ex-Payment Application QSA (PA-QSA) and an IBM Certified Specialist (IBM Rational AppScan).
Senior Manager (Global Information Security & Fraud Risk), HSBC Bank Plc.
September 2014 – Present
- Develop strategy for securing commercial/corporate banking products/infrastructure and preventing fraud for all online, mobile and Host2Host channels.
- Manage all product and program risks, including risk associated with fraud, data management and technology.
- Analyze the results of penetration tests, design reviews, source code reviews and other security tests. Decide on remediation and risk acceptance based on business risk appetite and security requirements.
- Ensure compliance with security-related regulatory requirements in all countries in which commercial banking products operate.
- Provide recommendations to senior management on the bank’s security posture.
- Ensure appropriate security/fraud incident handling response as part of a global team.
- Identify and prioritize security and fraud controls to be implemented. Balance budget and security requirements.
- Provide guidance to technology teams implementing security and fraud controls.
- Implemented an Early & Continuous Security Engagement model that resulted in a significant reduction in the number and severity of security defects in the corporate payment platform.
- Reduced the open risk register items by over 65%, with no High risk items and only 20% medium risk items remaining within the first 12 months.
- Created a cyber security risk matrix to identify risks and existing controls based on the NIST Cyber Security Framework. Significant contributor to gap remediation efforts.
- Provided significant input to the External Hosting (Cloud) security policy.
- Drove regulatory compliance projects on OTP security and ensured on-time completion of all requirements.
- Currently driving several initiatives in the security and fraud space: Biometrics, Anomaly Detection, User Behavior Analysis, Network enhancements, Mobile Security, etc.
Manager, Global Information Security & Risk, HSBC Bank Plc.
June 2012 – August 2014
I managed a global team of Security Consultants that worked with software development teams to ensure security risk was managed appropriately for all group-wide applications. This entailed understanding the functionality provided by applications, reviewing architecture and design, identifying the data that is handled, performing threat modeling, evaluating the risks and recommending mitigating controls/solutions.
I was responsible for the security of several core banking applications that handle billions of dollars in transactions and customer/employee facing Mobile applications. A key task was to explain the security risks to the business, enabling them to make informed decisions on mitigation and risk acceptance. This required finding the right balance between the need for security and functionality.
Managerial responsibilities included supervising other security engineers, ensuring risk assessments were delivered on time and mentoring junior engineers.
- Performed security reviews on internet and mobile applications (architecture and design)
- Created/Reviewed security policies and procedures
- Increased efficiency of risk assessment engagements
- Researched new attack vectors and mitigating solutions
- Provided guidance to regional security teams
- Provided analysis/opinions to senior management/project teams on “hard-to-solve” problems
- Engaged with development teams and promoted secure design/development early in the SDLC
- Contributed to group-wide security policies, standards and processes
- Championed the adoption of industry standard encryption algorithms across the group resulting in several regions world-wide upgrading to stronger algorithms
- Implemented process changes that resulted in improving on-time completion of security review engagements from about 25% to about 98% within one year
- Championed the need for security consultants to engage with development teams earlier in the life cycle resulting in a significant reduction in the number of issues raised at the risk assessment and security testing stages
- Cross-trained security consultants across application streams resulting in increased productivity
- Contributed to expansion of world-wide regional security teams by developing screening processes and interviewing candidates
Manager – Security Services and Compliance, SPIguard Security Solutions, Inc.
December 2009 – May 2012
I managed security services and the PCI DSS/PA DSS compliance practices at SPIguard, which included managing the consulting team, services and delivery for clients. My role required close interaction with both technical and management client personnel through all stages of the engagement.
In addition to performing PCI assessments and PA DSS validations, I also managed the development of several online products.
- Added new security services (Threat modeling/Penetration testing/Security Risk Assessments) to the company’s portfolio
- Doubled revenues by streamlining processes, increasing client satisfaction and response times
- Created and refined processes for performing PCI and PA DSS compliance verification efficiently
- Created and delivered PCI DSS and PA DSS awareness courses
- Designed online tools for ongoing PCI compliance management
- Delivered presentations on security topics at industry events
- Redesigned the company website and made it easier to use, in addition to other internal improvements
Co-Founder/VP Services, AppSec Consulting, Inc.
May 2005 – December 2009
My primary responsibility was managing engagements and ensuring on-time/on-budget service delivery. I was also responsible for identifying what services to deliver and creating processes and procedures for successful delivery of those services. Another significant responsibility was managing the training practice, developing and delivering security courses for web application developers and QA engineers. I designed and developed an online platform to deliver training that is still in use.
I also performed application risk assessments, penetration tests and security certifications in addition to PCI DSS assessments.
- Set up the application security practice (primary business)
- Set up and managed the company’s infrastructure for the first 4 years of the company’s existence
- Identified and implemented cost-saving measures, which were very important to a self-funded start-up company
- Set up and managed training services. Developed and delivered training courses for clients. Managed the conversion of all courses to online format for scalability
- Designed and developed a Learning Management System (LMS) to host online training courses. Features included user tracking and reporting, bookmarking, auto-resume and automated registrations
- Designed and managed development of an online application that enabled clients to verify skills of contractors and employees. Features included randomized questions and customizable tests
- Developed and refined processes for application security assessment engagements
Sr. Security Consultant, Port2Web/SiegeWorks
December 2001 – April 2005 (3 years 5 months)
I contributed significantly to starting and building the application security practice at SiegeWorks. My responsibilities included performing penetration tests and vulnerability assessments for various Fortune 500 clients. Since the application security practice was new at SiegeWorks, I also created all related procedures and checklists. Many of my engagements involved creating platform-specific secure coding guidelines and standards. I also developed and delivered courses on secure web application development for developers. Part of my responsibilities involved identifying security tools and evaluating them.
- Created procedures and processes associated with performing penetration testing and vulnerability assessments
- Created checklists for providing security certifications to clients’ software
- Standardized threat modeling and vulnerability rating methods to promote consistency
- Designed an online asset management system and oversaw development
- Spoke on web application security at various industry events
Sr. Software Engineer, ITC, IT Solutions
July 1996 – December 2001 (5 years 6 months)
I developed client-server and web applications on various platforms for international clients. The applications included online credit card approval and credit card monitoring systems, order entry and asset management systems. I performed code reviews to identify performance bottlenecks and security issues. I also helped develop a hotel management system that was sold as a product.
I have a Master’s degree in Computer Applications and a Bachelor’s degree in Computer Science.
My interests include security, technology, electronics, computers and software. I am also interested in martial arts and am training in Aikido, a Japanese martial art.