Curriculum Vitae - Experience

 
  1. Partner with the leadership team, sales and marketing, to envision and develop a go to market strategy for security and compliance service offerings

  2. Identify and evolve new security and compliance consulting opportunities; assist with scoping, proposal development, project management plans, pricing and costing models, and prospective customer presentations/discussions

  3. Extensive experience leading security and compliance design workshops in partnership with internal and external client stakeholders and technical SMEs; a consensus builder

  4. Service delivery track record of being able to operate at all levels of an organization, such as: board of directors, executive leadership teams, operations management, internal audit, and tactical technical levels, as well as experience working in multiple vertical markets

  5. Led multiple annual pre-registration and internal audits as the lead internal auditor

  6. Versed in Open Compliance and Ethics Group (OCEG) Governance, Risk, and Compliance (GRC) maturity modeling, architectures, and best practices, as well as the Unified Compliance Framework (UCF) Common Controls Hub and control harmonization

  7. Performed hundreds of security and compliance gap assessments for clients using various industry maturity models, frameworks and standards, such as: Carnegie, Gartner, and CobiT maturity models; SOX, GLBA, HIPAA, NIST CSF and SP 800-53, ISO-27001, PCI-DSS, CIS Top Controls and Configuration Benchmarks, and much more

  8. Recognized for writing clear and compelling deliverables that include specific, tailored, and actionable advice and recommendations (note: award winning published author since 2008)

  9. Guide and advise clients on redesigning their security and compliance policies, standards, baselines, guidelines, processes, procedures, and detailed work instructions, aligning them with legal, regulatory and contractual requirements, as well as business goals and objectives

  10. Performed numerous business impact and risk assessments of internal and external clients

  11. Experienced and formally trained on business continuity and disaster recovery processes

  12. Led CompuCom’s security and compliance design and implementation for its first successful ISO-20000 registration, which included alignment with ITIL, ISO-27001, and many other international standards, laws, regulations, and contractual requirements

  13. Led numerous consulting engagements for assessing, designing, and implementing security and compliance technical controls, such as: firewalls, intrusion detection and prevention systems (IDS/IPS), data center security (DCS) and endpoint protection solutions (EPS), email and network security gateways, VPNs, advanced threat protection (ATD/ATP), endpoint detection and response (EDR), security information and event management (SIEM), data loss prevention (DLP) and data meta-tagging, access controls, permissions, and authorizations, network and system vulnerability scanners, configuration checkers, and much more


POINTS WORTH NOTING



Security Strategy: See and understand security concerns others may not see. Translate complex cyber security topics to business audiences. Helped hundreds of companies successfully align their security strategy, people, processes, technology and culture. Extensive experience with security technology implementations that decrease the time to detect indicators of compromise using infrastructure and endpoint security instrumentation and decrease the time to respond to events with artificial intelligence and automation.


Cybersecurity Thought Leader: Personally led hundreds of security workshops, providing needed security education and knowledge transfer. Helped numerous organizations improve the maturity and quality of their Security Management processes and controls.


“C” Suite and Board of Director Communication: Well-versed in many communication tools. Skilled in keeping the message short and to the point. Advised various Executive Committees and Board of Directors on risk issues that are related to information security and recommended actions in support of their organization’s wider risk management program.


Complex Security Topic Translation to Business Audiences: Led professional security practices performing security-consulting engagements across multiple vertical markets. Honed skills in translating complex cyber security topics to business audiences.


Enterprise Information Security: Experience as an ISO/IEC-27001 Lead Auditor, with extensive knowledge of industry frameworks and architectures, standards, benchmarks, guidelines and best practices. Significant professional consulting experience working with organizations from small to medium size businesses (SMB) to large global enterprise companies.


Emerging Security Threats: Active board member of the local FBI InfraGard chapter for protecting our nation’s critical infrastructure. Maintain frequent contact with security industry leaders, numerous early warning systems, as well as receive alerts and notifications of critical infrastructure threats. Led global threat intelligence networks, databases and threat feeds.


Consensus Builder: Assisted organizations to build and document consensus, such as, but not limited to: interactive onsite or remote consensus building workshops, information security management forums or steering committees, information security management system (ISMS) benchmarks and more.


Executive Collaboration: Worked with corporate officers, legal counsel, human resources, and facilities / physical security relative to difficult security and privacy issues. Worked with executive teams to inform them of current and future risks, understand their perspectives on organizational risk, risk decisions and priorities, compliance requirements, security budget and more.


Enterprise IT Risk Management: Developed, implemented and monitored a comprehensive enterprise information security and risk management program. The program included the process of planning, organizing, leading and controlling risk management activities, defining and documenting legal, regulatory and contractual security requirements, performing business impact and risk assessments, and applying methods for limiting and managing different levels of risk tolerance and exposure.


Global Regulatory Compliance: Well-versed in security control harmonization and the tools from the Unified Compliance Framework. Assisted clients to harmonize their security processes and controls, implemented scoped statement of applicability documents, and more.


Security Management Program Development: Implemented and improved the lifecycle of clients' information security management systems/programs (ISMS). Developed tools and methodologies used during professional engagements for measuring and benchmarking the maturity of security processes and controls across global organizations. Performed many professional ISMS benchmark engagements for large global enterprise organizations. Strategically roadmapped short, medium and long-term plans, level of work effort, resource requirements and costing, and then successfully executed to plan, on time and on budget.


Business Unit Collaboration: Experienced in articulating security requirements and soliciting business unit collaboration on global, regional and local policies, standards, benchmarks, guidelines, processes and procedures. Well-versed in how to document roles and responsibilities across a global organization, such as how to identify who is accountable, responsible, consulted, informed, sponsors, and supports various security controls, based upon well-defined scopes and statements of applicability, memorandums of understanding, operational level agreements, service level agreements and underpinning contracts.


Business Analysis: Developed, provided knowledge transfer and directed technical teams of numerous organizations in how to implement continuous process and operational improvements in their security management systems.


Security Awareness: Worked with human resources and legal teams to ensure compliance with legal and regulatory requirements, as well as to maintain end-user security awareness and understanding via customized communication tools, learning management system training, strategically positioned posters and plaques, security tip newsletters and more.


Security Policies / Security Procedures: Designed security policy architecture and flow. Formulated and wrote policy content, compliance mapping and linking, reviews and approvals, access and permission controls. Created security processes and procedures with decision points, inputs, outputs, documentation requirements and compliance mapping and linking. Used the Unified Compliance Framework.


Budgeting: Established resource staffing requirements and project budgets on a weekly basis for service engagements. Worked with clients across North America to provide security solutions to solve their problems in a cost-effective manner. Delivered services and implemented technologies per the terms and budget of contractual agreements.


Data Privacy: Leveraged cryptography technologies for data at rest and in motion; applied masking, controlled access, and minimized exposure by devaluing the data through encryption and tokenization, and more.


Gap Analysis: Performed gap assessments including: legal, regulatory, and contractual requirements assessments; business impact and risk assessments; network vulnerability, application static binary and dynamic secure coding practices, and manual penetration test assessments; information security management system (process and control) maturity benchmarking assessments; compliance gap assessments; configuration benchmark assessments; and more.


Incident Response: Experienced with Security Information and Event Management (SIEM) technologies. Performed forensic analysis, recovery and reviews of lessons learned. Skilled in instrumenting the network infrastructure and endpoint systems with technology that reduces the time to detect indicators of compromise, gather evidence, and respond to incidents. Strategically applied artificial intelligence and automation to minimize impacts.


Business Continuity and Disaster Recovery Planning: Helped numerous organizations with strategic vision and evolution by developing and designing high availability, capacity, business continuity and disaster recovery plans for their critical IT assets. Orchestrated periodic testing and demonstrated recovery using various scenarios.


Data Governance: Assisted numerous clients with creating well-written policies, highlighting data sensitivity for end-user awareness, applying appropriate processes and technologies for inventorying what data is stored where, applying the right data classification and meta-tagging, sensitivity handling while in transit and at rest, data loss prevention, reduction of sensitive data sprawl, retention requirements, permission and access management, authenticity, non-repudiation, chain of custody, data integrity, and much more.

 

Andrew R. Reese


Mobile: (717) 395-3063



Role: Security and Compliance Practice Leader, January 2005 – November 2019

Managing Principal, May 2016 – November 2019

Principal Consultant, January 2005 – May 2016

CompuCom Systems, Inc. (Remote)