Cal is responsible for both global delivery and development of service offerings related to information security and privacy programs. This specifically includes directing our work in program governance and control assessments, improvement strategies, and deployment architecture, and communicating security status and goals effectively to operational and Board audiences.
Prior to joining Protiviti in September 2008, Cal was with IBM Corporation for 30 years and led their global Security and Privacy Services team from its creation in 1998 until 2008.
Cal has worked with clients of all sizes in a wide variety of industries providing a broad array of information security and risk management services. His expertise includes developing and evaluating comprehensive information security strategies and programs, data privacy and compliance program design and assessments, incident response planning and execution, and security architecture services.
- Managed the evaluation of the security organization, program and infrastructure of a global financial services organization. The deliverables included the reduction of support cost by 7%, the improvement of enterprise threat identification and analysis as well as the rationalization of tools supporting that analysis.
- Led the work with a global Financial Services company to define internal compliance with over 2000 security controls. During this engagement, it became clear that ownership for specific control compliance was incomplete and that there was no clear linkage between the controls and the variety of enterprise business and regulatory requirements. Cal’s team was successful in establishing ownership and a priority scheme for remediation that tied to business priorities.
- Led the work for a Global Investment Management firm to develop a security program that would meet the requirements of financial services regulators but also be accepted by their leadership who did not want the program to constrain their flexibility and responsiveness to the client. The deliverable provided a detailed set of recommendations, their projected cost and a prioritized timeline.
- Led the work with a U.S.-based Investment Management firm to define and implement an effective risk management program that rationalized security controls across the myriad regulatory compliance requirements they have. The work consisted of leading an initial workshop to ensure a focus on their primary threats as well as develop a comprehensive inventory of regulations they needed to conform to. The team then assisted the client in standardizing control definitions and audit procedures to be used in automating the auditing and reporting of control status. We have partnered with this firm in the integration of this work into the tool they chose for the automation.
- Led a team who supported a large, US-based, small business lender to evaluate the adequacy of their information security program. After reviewing the advantages of several industry frameworks, we leveraged the NIST Cybersecurity Framework as the basis for the assessment. We provided a baseline of their information security control posture, a definition of their desired state along with recommendations to achieve it as well as an insightful benchmark against several competitors. Our work included communicating the results to the client’s board of directors and supporting them in several follow-on sessions.
- In response to an FFIEC mandate, worked with a Fortune 50 Financial Services organization to respond to, and satisfy, new security program requirements. The work included building a clear baseline of current program processes and controls and defining actionable recommendations and an implementation plan to upgrade the program for all gaps found.
Areas of Expertise
- Security Policy and Process Development
- Threat Definition and Risk Analysis
- Security Architecture Design and Implementation
- Identity Management Planning and Implementation
- Federated Identity Management Governance
- Data Privacy Program Design and Assessment
- Data Loss Prevention
- PCI Planning, Evaluation, and Implementation
- Intrusion Detection and Penetration Testing Services
- Forensics and Incident Response Services
- Security Metric Development (for Board and operational levels)
- Sensitive Data Management
Industry Experience
- Financial Services
- Hospitality and Retail
- Process Manufacturing
- Technology / Media
- Public Sector / Government
Education
- BSBA, Bucknell University
Professional Memberships & Certifications
- HITRUST CSF Assessor (Certified Common Security Framework Practitioner: CCSFP)