Security leader responsible for developing a security program that passed nine annual SAS-70/SSAE-16 SOC-1 Type II audits
25 years in infosec and compliance (GLBA, ISO 27000, Sarbanes-Oxley, PCI, FFIEC, PIPEDA)
35 years building complex network security designs and implementations with an emphasis on high availability and security
19 years of leadership experience, including owning a network integration firm, leading a threat research team, ensuring profitability for a consulting division, and leading an IT Ops team
22 years of experience in web application security: analyzing, auditing, and meeting OWASP and WASC requirements
Proven writer and speaker on infosec topics, including 150+ security articles, media interviews, 200+ public talks, and a published book.
Author, IT Security Risk Control Management: An Audit Preparation Plan, Pub Oct 2016
Cybersecurity governance and compliance for B2B processing $110B in transactions in 40+ countries and territories and 140+ currencies
Lead a 7-person global team managing customer assurance, cybersecurity and third-party risk, and technical and business process redesign to meet compliance and risk objectives
Ensure compliance with global cybersecurity financial regulations including PCI DSS, GDPR, PSD2-SCA, NYDFS, FFIEC, DORA, MAS, and SOC 1 and SOC 2 audits
Manage cyber-risk management, business continuity, vendor risk, customer assurance, and security awareness for 2500 employees and contractors
AI/ML risk and policy, including an AI governance framework, risk assessment, and security training
One of the founders of and team lead for F5 Labs, a 5-person team of threat researchers
Developed the first annual Application Protection Report from multiple data sources and created an annual process to hand it off as an ongoing series.
Conducted numerous interviews of CISOs, CTOs, and tech leaders to produce case studies, tutorials, and best practices.
Wrote data analysis code and developed a process for large-scale honeypot data used in sales and ongoing threat reports.
Mentored and ran the F5 Labs internship, resulting in published research and new open-source security tools
Created, expanded, and curated CISO-to-CISO, the F5 Labs information source for security leaders
Speaking, writing, podcasting, and support of strategic sales efforts
Principal Threat Researcher Evangelist: 2016-2020, Director: 2020+
In charge of security and compliance for 4 Linedata offices and 4 ASP hosting data centers for financial services companies.
Design and execute three SSAE 16 SOC 1 and SOC 2 audits for 2 data centers
Hire and manage information security staff that oversee corporate and hosted security as well as manage compliance projects
Primary lead for customer security inquiries and all external audits
Responsible for security and compliance at Lending & Leasing division by ensuring continued passing annual SSAE-16 SOC-1 Type II audits and zero breaches
Headed security and compliance for new mobile financial services product offering
Developed internal security tool which was later packaged and sold as a product add-in for customers
Promoted security offerings by publishing magazine articles, giving press interviews, and presenting at financial industry conferences
Enhanced sales by briefing customers on security, privacy and compliance assurance programs
Managed infrastructure team responsible for highly available, highly secure financial services hosting environment
Led a multi-year sustained web application security project that boosted the organization to 100% OWASP compliance and zero security flaws. Reduced vulnerability fix time 400%, faster than the industry average.
Guided IT operations team through passing Verizon Cybertrust / ISO 27001 certification for three years in a row
Managed special security projects to meet customer requirements for security and international compliance including database encryption, PCI compliance, and privacy audits
In charge of security and compliance for a financial services ASP that hosts several top-50 global banks
Change leader in creating a ground-up comprehensive new security program that eliminated customer audit deficiencies and successfully passed SAS-70 Type 2 audit
Reduced operational expenses by over 20% by creating new change control processes, reducing vendor expenses, and developing new cross-platform change monitoring software with scripting tools
Worked directly with the IT operations team to identify and resolve security incidents including interfacing with law enforcement, customers and auditors
Led information security management systems practice within NCA Professional Services
Performed pre-sales consulting and fulfillment for ISO 27001 certification projects
Designed methodologies for policy development, and service fulfillment for consulting engagement teams
Developed new customer offering for risk assessment based on Failure Mode Effects Analysis
Headed long-term security project for a large-scale e-commerce firm for PCI remediation
Designed and maintained risk assessment and ISMS implementation sub-practices
Engineered and implemented large-scale satellite-based VPN & firewall infrastructure
Performed on-site security inspections and redesigns for financial service firms
Civilian undercover operative in FBI Operation Flyhook that led to conviction of two Russian hackers
Created and expanded vulnerability assessment and penetration testing business services; performed assessments for national retailers, banks, financial services firms, energy utilities, and e-tailers
Participated in and contributed to creation of intellectual property and new consulting services, security products, and customer offerings
Performed security analysis and due-diligence review for third-party service providers, outsourcers, and financial services firms
Designed and implemented a nationwide, secure, highly available POS system with 300 remotely managed firewalls, VPNs, and a firewall management system
Acted as primary responder in a variety of security incidents including a rogue sysadmin, large-scale malware outbreaks, and an e-banking breach
Many projects performing risk analysis, technical architecture, installation, integration, and support for HIPAA, SOX, PCI, GLBA, and NERC regulated organizations
Maintained and secured all internal and external LAN, WAN, and Internet data communications
Designed, built and maintained Internet security for BECU's first web banking offering
Demonstrated assurance through on-going internal and external technical audits.
Provided the highest escalation support for a 1,000+ node financial network
Ran technical and business operations for a 3-employee systems integration firm
Company specialized in LAN integration and Internet connectivity for CPAs and tax attorneys
Provided design, project management, cabling, OS migration, software conversion, and training
Lead manager for 150 CPAs on a NetWare LAN of Windows and Mac hosts
Sysadmin for the Academic Support dept. Managed a DEC PDP-11/44, SCO Unix, and Novell NetWare
InfraGard Member Alliance, Executive board, 2001-2012 Seattle, 2017-2023 Delaware, Treasurer 2018-2023, InfraGard Sector Chief Financial Services 2015-2023
ISC2 Delaware Chapter, President 2021+, Membership Chair 2019-2021
MITRE AI Common Weakness Enumeration (CWE) working group for CWE-1426, working group participant
Cyber Finance Working Group (CFWG) as part of the Executive Partnership for Integrated Collaboration with the FBI Washington Field Office - 2020+.
FBI Citizen's Academy, class of 2006
University of Washington, Information Assurance certificate program, advisory board (2005-present)
University of Washington, Certificate program in Information Systems Security, advisory board (2006-present)
University of Washington, IT Audit certificate program, advisory board (2012-2014)
HoneyNet Project - Pacific Northwest Chapter, Member 2012-present
Richard Hugo House, Board member (2005-2010)
Dept. Homeland Security, Northwest Warning, Alert, and Response Network, advisory board member (2002-2004)
US Secret Service, Seattle Electronic Crimes Task Force, consultant (2000-2004)
Washington Software Alliance Security SIG, speaker and participant (2000-2004)
Web Application Security Consortium, contributing author
Society of Information Risk Analysts, Professional Member
OWASP Mobile Top Ten 2015, Reviewer
Bachelor of Arts: Lib. Studies - Information Technology, University of Hawaii, 1990.
Certificate in Data Communications, University of Washington, May 1999.
AI Governance Professional, 2025+
ISO 27001 Lead Auditor, International Register of Certificated Auditors, 2006
Novell Certified IntraNetware Administrator, 1998
Cisco Certified Network Associate, 1998
Microsoft Certified System Engineer, 1997
Certified Computing Professional in System Management, 1992
F5 Labs blogger, 2017+, 150+ articles, sole author on 30+
F5 Application Protection Reports, a year-long multi-source research project, 2018-2021
Helpnet Security columnist, 2017-2018
Dark Reading partner's perspective columnist, 2017-2018
IT Security Risk Control Management: An Audit Preparation Plan, Oct 2016 from Apress IT books
Cyber-security: withstanding the new reality, LeasingLife, April 2016
Can Outsourcing Handle Cybersecurity's Complexity?, Money Management Magazine, Jan 2015
TabbForum: Staying Ahead of the Looming InfoSec Crunch, 2014
Equipment Leasing & Finance - Cybersecurity: Managing the risk when you need to share your data with others, 2013 issue
Virus Bulletin - Successes and failures apprehending malware authors, 2010
HCL Communique - Information Systems Risk Management - The Challenges, 2009
Microsoft IT Infrastructure Threat Modeling Guide - Technical reviewer, 2009
STart Magazine - START Arcade Three Games in One - Vol. 3 No. 12, 1089
SIRAcon2024 - The Risks that I Missed, Aug 2024
ISC2 Security Congress 2023 - Fixing Inconsistent and Incompatible GRC, Oct 2023
SIRAcon2023 - From Confusion to Control: Rebuilding a Muddled Risk Management System, May 2023
(ISC)2 Security Congress 2022 - Mentoring Cybersecurity Interns, Oct 2022
(ISC)2 Security Congress 2021 on Data Science in Cybersecurity, Oct 2021
OWASP 20th anniversary conference talk on 4 years of web attacks, Oct 2021
F5 Financial Services Symposium - Challenges for 2022 and Beyond, Sep 2021
DevCentral Connects: An Inside Look at Threat Research at Cyentia, Jun 2021
LevelUp Cyber Podcast - Cybersecurity Skills Gap Say What w/F5 Networks Team, Dec 2020
Secure Delaware 2020 - "How did the Pandemic Change Cybersecurity", Oct 2020
DevCentral Connects - F5 Labs Edition, May 2020
2019 Central Ohio InfoSec Summit: What to do when your company tells you they're making a mobile app, May 2019
SiraCon 2019: Lessons Learned in the 2018 App Protect Report, May 2019
Smart Campus Summit 2019, Oct 2019
IP Expo Europe: Cyber Security Keynote, Oct 2018
F5 Agility 2018 - Deception as Defense and Super-NetOps, Aug 2018
Blackhat USA 2018 - How Applications Are Attacked - an In-Depth Data-Driven Analysis (Sponsored), Aug 2018
Swimming in a Sea of Enemies, The Dilemmas of the Threat Researcher, RSA, 4/18/18
The Evolving Role of CISOs and Their Importance to the Business, Moderator F5 webinar, 2017
Cloud Security Alliance - Webinar - Leveraging the Power of Threat Intelligence, 2017
Cyber-Security: How Financial Institutions Can Withstand the New Reality, ELFA Annual Convention 2016
Third Party Risk Assessment Exposed, Society of Information Risk Analysts: SiRAcon 2015
University of Washington Tacoma, Masters in CyberSecurity Leadership, Kickoff speaker for 2014-15 cohort
Cascadia IT Conference 2013 - Into the Breach - Transitioning into an Infosec Career, 2013
Source Seattle, "Building an empirical security program", 2011
VB2010, 20th Annual Virus Bulletin International Conference, 2010
Hugo House's writers' conference: Finding Your Readers in the 21st Century, 2010
University of Washington, I-School, Information Assurance Program (2005-12)
University of Hawaii at Manoa, ICS Grey Hats
Seattle University, Albers School of Business
King County Bar Association
American Society for Industrial Security (ASIS)
Washington Society of CPAs
Co-chair, Law Seminar - Trade Secrets Litigation Trends and Dealmaking Tips, June 30, 2003
NCA Security & Technology Conference 2009-2010
FBI ANSIR, Awareness of National Security Issues and Response
Russian Hackers Documentary, IMDB entry
Operation Flyhook, Parts 1 and 2, Malicious Life Podcast interview, Nov 2021
Experts reflect on how you can be cyber smart for Cybersecurity Awareness Month 2021, Security IT Summit UK, Oct 2021
Majority of largest cybersecurity incidents in last 5 years hit web apps, AME Info, Oct 2021
New twist on DDoS technique poses threat to CSP networks, SC media, Sep 2021
Mental Health Awareness Week: Tech industry experts discuss experiences supporting employees over the past year, Digitalisation World, May 2021
Survey reveals Latin America’s cybercrime map, Intelligent CIO, June 2021
Financial Services Organisations Increasingly Prone To Authentication And DDoS Attacks, InfoSecurity Buzz, May 2020
COVID-19 Sparks Big DDoS & Password Login Attacks Surge, IT in the Supply Chain, June 2021
FCC Addresses Robocalling, But Questions Remain, ThreatPost, Nov 21, 2018
#IPEXPO: What Threat Intel Teaches Us About App Security, Infosecurity magazine, Oct 9, 2018
Apps are gateway to business data for cyber attackers, Computer Weekly, Oct 9, 2018
PrescribeWellness Attains Service Organization Control Type II (SOC 2) Compliance, BusinessWire 6/26/18
US-version Silk Road: Is PHL ready for Internet's dark side?, Business Mirror Philippine, 2/5/18
Radio interview - A Tale From the Early Days Of Busting Hackers, KNKX (NPR affiliate) Sound Effect, 1/13/18
This Week in Enterprise Tech 262: Phishers of Men, This Week in Enterprise Tech, Oct 2017
Hacker Lexicon: What Is DNS Hijacking?, Wired Magazine, Sept 2017
Cyberattack scramble, Seattle Times, May 2017
Linedata's Cybercrime Fighter, GARP Risk Intelligence, July 2015
Data Breaches Changing Security Vendor Roles, Money Management Magazine, Jan 2015
Attacker That Sharpened Facebook's Defenses, New York Times, 2010
Credit card for $2, expert for $7810, VirusBuster, 2010
Intrusion Prevention: A Lock To Dominate The New Year, CRN, 2004
'Worm' shuts down Comcast Internet subscribers, King County Journal, 2003
2nd City Sketch with Dave Beck, KUOW radio interview, 2002
Microsoft stresses risk management - Experts warn the Internet is full of holes, King County Journal, 2002
SonicWall Zeros In On SMBs, CRN, 2002
Microsoft: We Were Watching Hackers, Associated Press, 2001
MS Hacker's Shorter Stay, Associated Press, 2000
Hackers motivated by greed, revenge, Seattle Times, 2000
Is any business truly safe?, Seattle Times, 2000
Gov't official outlines cyberdefense plan - CNN, 1999
Creator and artist, Heidi Geek Girl Detective
Literary Producer, Scavenging the Future, Richard Hugo House & Sci-Fi Museum, 2005
Security blogger at http://assumebreach.blogspot.com/
© 2024 Raymond Pompon