Cross-functional

In order to persuade people, I usually focus on building a foundation of trust first and foremost, and on developing a view among others that I am a person of consistency.

ELEVATOR PITCH

I'm responsible for driving security initiatives and for the creation, updating, tracking, and management of the security policy life-cycle and its associated activities. I am also responsible for the integration and adoption of the GRC tool across functional teams and for maintaining control framework documentation across the security program.

I lead the maturing of the compliance posture through gap assessments, managing internal audits and interfacing with external auditors on ongoing compliance and audits, as well as driving the evidence collection process.

I also lead the customer security program, which includes completing customer security questionnaires and joining customer calls when required.

I lead and manage security training and phishing campaigns through KnowBe4 to mitigate social engineering attacks.

Extra Training for Software Engineers (Secure Code Warrior)

Situation:

We faced a challenge in meeting PCI DSS requirements, which mandated that our developers undergo secure code training. However, the software engineers felt burdened by what they perceived as an excessive amount of infosec training compared to the rest of the organization. This resistance threatened to impact compliance and overall team morale.

Task:

My task was to find a solution that would ensure compliance with PCI DSS requirements while addressing the concerns of the engineering team regarding the frequency and volume of training.

Action:

To resolve this issue, I initiated a dialogue with the engineering team to understand their concerns and work towards a compromise. After discussions, we developed a strategy where secure code training modules were required to be completed every four months instead of every three months, as was previously required. This adjustment provided a balance between maintaining compliance and reducing the perceived training burden on developers.

Result:

The positive impact of this decision was quickly evident. We observed a reduction in vulnerabilities identified during in-house web application penetration testing conducted by our application security engineer. Additionally, this approach ensured that our developers stayed current with secure coding practices, thereby minimizing the risk of security breaches and safeguarding our customers' data. The compromise not only met PCI DSS requirements but also improved team productivity, job satisfaction, and overall sense of security. Going forward, we will continue to engage with our developers in a collaborative manner to address any concerns and maintain a strong security posture.

= Requiring Labeling of Documents, Spreadsheets, etc. in Google when Creating a New File

Effect: Entire Organization

When creating a document, employees would be required to label it Public, Restricted, Confidential, or Internal Use Only. Each label has a retention policy attached to it.

Problem: We have a data classification policy and procedures for audit purposes, but not actually doing what you say you are doing in the policy and procedures is a no-no.

Resistance/Disagreements: Some of the leadership had concerns that it would add extra work for the employees.

Action:

Result:

Creation of a Quarterly Security & Compliance Report that would be sent to the executive leadership and have the report reviewed

Situation:

We encountered a challenge where people in our organization were not adequately aware of security and compliance news, which was a concern for our security posture. This lack of awareness could lead to misalignment and potential risks if employees were not informed about critical security and compliance updates.

Task:

To address this challenge, I needed to create a solution that would make security and compliance news transparent and accessible across the organization, ensuring that everyone, from top to bottom, stayed informed.

Action:

I decided to create a report that showcased the state of our security and compliance efforts. This report would be distributed regularly to ensure that all employees were kept up-to-date. However, we faced resistance from some members of the security team who were concerned about the additional workload required to compile and maintain the report. To overcome this, I implemented a strategy that involved breaking down the work into smaller, manageable tasks. We prioritized starting the report at the beginning of each quarter and ensured its completion by the end of the quarter. This approach distributed the workload evenly and made the process more manageable for the team.

Result:

As a result of this approach, we observed significant improvements in security awareness throughout the organization. Department heads gained a better understanding of the scope of security and compliance work, and they provided positive feedback on the report's content. Executive leadership and managers also appreciated the depth of information presented in the reports, acknowledging the hard work being done in the area of security and compliance. The regular production and distribution of the security and compliance report have been instrumental in raising awareness across the organization, and we plan to continue developing this approach to keep security and compliance awareness at the forefront.

= Implementation of Tines & n8n Automation Tools

Effect: Security and Infrastructure

Problem: Many onboarding and offboarding processes had too many manual tasks that could be smoothed out via automation tools.

Resistance/Disagreements:

Action:

Result:

DefectDojo

Situation:

We faced a significant challenge with vulnerability triaging in Jira, which required extensive customization of Jira screens, workflows, and automations. This not only led to extra maintenance but also resulted in wasted time. However, there was resistance from the Product and Engineering teams to implementing an additional tool for managing these types of tickets, as they were concerned it would add complexity and require personnel to learn something new.

Task:

My task was to find a solution that would streamline vulnerability triaging without adding unnecessary complexity for the Product and Engineering teams, while also addressing the inefficiencies caused by using Jira alone.

Action:

To address this issue, I proposed the implementation of DefectDojo, a tool specifically designed to manage application security programs and maintain product and application information throughout the development pipeline. I presented the benefits of DefectDojo to the stakeholders, explaining how it could triage vulnerabilities and push findings to Jira only when a specific vulnerability needed to be fixed. Additionally, I highlighted how DefectDojo refines vulnerability data using various algorithms and enriches it with metrics that make the information accessible to non-technical personnel across the organization. Despite initial resistance, I worked closely with the teams to demonstrate how DefectDojo would complement, rather than complicate, their existing processes.

Result:

The implementation of DefectDojo significantly improved our vulnerability triaging process. It allowed the Security and Product teams to interface with enriched metrics that enabled faster and more efficient triaging of vulnerabilities compared to handling them solely through Jira. The use of DefectDojo has enhanced the performance of our team and enabled us to maintain a high level of security and compliance in our applications. Over time, the Product and Engineering teams recognized the value of DefectDojo, and their initial concerns were alleviated as they saw the improvements in workflow efficiency and data clarity.

Using GitHub and Pull Requests for Meeting Documentation & Minutes

Situation:

I encountered a challenge related to SOC 2 and ISO 27001 requirements for documenting security and leadership meetings. These standards required evidence of security decisions made during meetings, but tracking down meeting notes from executive leadership calendars was time-consuming, and using Google Docs for this purpose was inadequate. There was no organized way to document the decision tree related to items discussed during these meetings, complicating compliance efforts.

Task:

I needed to develop a more efficient and organized method to document and track security and leadership meetings, ensuring that all discussions and decisions were properly recorded and accessible for compliance audits.

Action:

To address this issue, I implemented the use of GitHub repository pull requests for finalizing meeting minutes. This approach required every team member to review and approve the pull request before merging it into the repository. This method ensured that everyone in the security team was informed about the discussions and decisions made during meetings. Despite some initial resistance and disagreements from team members who were unfamiliar with GitHub or viewed it as additional work, I provided the necessary training and support to help them adapt to the new process.

Result:

As a result of this project, every meeting minute now has a change log using Git, providing clear evidence that all team members have verified and approved the content. The pull request and merge process also introduced an official sign-off, ensuring a more organized and structured approach to documenting security and leadership meetings. This streamlined the process of documenting these meetings, made it easier to ensure that everyone on the team was on the same page, and helped us meet compliance requirements more effectively. Despite the initial resistance, the team eventually adapted to the new process, recognizing its benefits for maintaining compliance and transparency.

Customer Security Assurance Overhaul

Situation:

When I joined FormAssembly, there was no defined process in place for handling customer security requests. The security team was burdened with time-consuming tasks, manually managing requests for security and compliance documents via Asana tasks and email. This inefficiency created a bottleneck in the sales cycle and led to long, repetitive security questionnaires that took hours to complete.

Task:

I was tasked with finding a solution to streamline this process, improve efficiency, and reduce the time spent on customer security inquiries and document handling.

Action:

To address these challenges, I explored various options and selected FormAssembly's Safebase to implement as our security portal solution. I led the implementation process and provided comprehensive training to our sales and partnership teams on how to effectively use the tool. Additionally, I integrated a built-in NDA clickwrap to further streamline the process.

Result:

The implementation of Safebase resulted in a significant improvement in our processes. We reduced the sales cycle by an average of 4 days and cut down the time spent on customer questionnaires from 8 days to just 2 days. Our security portal received over 3,400 views, served over 85 customer accounts, and facilitated the download of approximately 400 documents. The streamlined NDA process reduced back-and-forth communication time from 2 days to just 24 hours. Overall, the project enhanced efficiency, productivity, and the overall security process for our customers.

Deployment & Implementation of GRC Tool - ControlMap

Situation:

As the person responsible for managing multiple compliance frameworks and audits at FormAssembly, I was faced with the challenge of handling these complex processes without the support of a GRC (Governance, Risk, and Compliance) tool. The lack of a centralized system made the task overwhelming and time-consuming.

Task:

I needed to find a solution that would streamline our compliance management, making it easier to manage multiple frameworks and audits while ensuring that we maintained the highest standards of security and compliance.

Action:

I conducted thorough research on various GRC tools available in the market, carefully comparing their features, functionality, and cost-effectiveness. After evaluating several options, I decided that ControlMap was the best fit for our needs. I then led the implementation of ControlMap across the company and trained our team members on how to effectively use the tool for managing compliance.

Result:

The implementation of ControlMap enabled FormAssembly to efficiently complete critical audits for SOC 2 Type 2, ISO 27001, and PCI DSS. This not only simplified our compliance management processes but also positioned us favorably with clients and prospects, including large corporations and government agencies that require these compliance standards. By achieving these certifications, we demonstrated our commitment to security, availability, and business integrity, giving our clients confidence in our ability to maintain high levels of security and compliance. The adoption of ControlMap significantly streamlined our compliance management and allowed our team to focus on other critical aspects of the business while ensuring that we continued to uphold the highest standards of security and compliance.

Decentralized Policy & Procedures

Situation:

I identified an issue with policy management within the organization, where all policies were stored in Google Docs within Google Workspace. Co-workers would often make copies of these documents, making it challenging to verify which version was the most current. This inconsistency caused problems during policy reviews and audits, as it was difficult to ensure that the correct and most up-to-date policies were being used.

Task:

I needed to find a solution that would centralize policy management, making it easier for employees to access, track, and update policies while ensuring that the correct versions were used during audits and reviews.

Action:

To address this issue, I created a centralized policy portal in Atlassian Confluence. This portal consolidated all policies into one accessible space, eliminating the need for employees to search through multiple Google Docs. Additionally, the portal provided tools for managing and tracking policy changes, approvals, and updates, ensuring that all policies remained current and easily verifiable.

Result:

The implementation of the centralized policy portal in Atlassian Confluence significantly improved the organization's ability to locate and reference the most current policies during audits and reviews. Team members appreciated the ease of access and the time saved by having all policies in one place. This project streamlined policy management, improved efficiency, and ensured compliance across the organization.

FMLA Leave & Employee Access

Situation: In my previous role as an HR Operations Manager, I was faced with the challenge of determining whether to turn off an employee's email access during continuous Family and Medical Leave Act (FMLA) leave under federal and state law.

Task: My task was to ensure that the employer's decision on whether to turn off email access during FMLA leave was in compliance with the law and in the best interest of both the employee and the employer.

Action: To address this challenge, I took the following steps:

  • Conducted research on the legal requirements regarding employee email access during FMLA leave.

  • Collaborated with IT Operations to understand the technical implications of turning off an employee's email access.

  • Consulted with Talent & Culture to understand their perspective on the matter.

  • Analyzed the potential risks and benefits of turning off email access during FMLA leave.

  • Came to an agreement with Talent & Culture and IT Operations that the employee's email access would only be turned off if they took more than three days of unpaid leave.

Result:

This agreement helped to reduce tensions between Talent & Culture and IT Operations, as Talent & Culture initially wanted to turn off all access for personnel, even if they only took one day of unpaid leave. The decision to turn off email access after three days of unpaid leave ensured compliance with FMLA regulations, while also allowing employees to receive important updates and communications from the company and avoiding isolating employees from the workplace. This solution also helped to maintain and promote a positive relationship between the company and its employees.

Resistance/Disagreements: Extra work for IT Operations and Security in managing access, even if an employee is on unpaid leave for only 1 day.

Process by which every employee would need a new background check every 5 years.

Effect:

Problem:

Resistance/Disagreements:

Action:

Result:

Organization's scope was not documented within a defined policy

The organization's scope was available as documented information within the Confluence repository; however, an opportunity for improvement was to include it within a defined policy, which was corrected during the audit.

QUESTIONS FOR THEM

  • What is the most important quality to possess in this role?

  • What metrics or goals will my performance be evaluated against?

  • What are the current goals that the company is focused on, and how does this team work to support hitting those goals?

  • What gets you most excited about the company’s future?

  • How has the company changed since you joined?

  • Is there anything else I can provide you with that would be helpful?
