Raymond A. Pompon, CISSP
- Security leader responsible for developing a security program that passed nine annual SAS-70/SSAE-16 SOC-1 Type II audits
- 25 years in infosec and compliance (GLBA, ISO 27000, Sarbanes-Oxley, PCI, FFIEC, PIPEDA)
- 34 years building complex network security designs and implementations with an emphasis on high availability and security
- 19 years' experience in leadership, including owning a network integration firm, leading a threat research team, ensuring profitability for a consulting division, and leading an IT Ops team
- 22 years' experience in web application security: analyzing, auditing, and meeting OWASP and WASC requirements
- Proven writer and speaker on infosec topics, including 150+ security articles, media interviews, 200+ public talks, and a published book
- Author, IT Security Risk Control Management: An Audit Preparation Plan, Pub Oct 2016
Professional Experience
Cyber Security Program Director Convera - 2022 to Present
- Manage cybersecurity programs and policies for a B2B firm processing $110B in transactions across 40+ countries and territories and 140+ currencies
- Run Governance, Risk, and Compliance program for a 6-person team under the CSO
- Ensure compliance with global cybersecurity financial regulations including GDPR, PSD2, NYDFS, FFIEC and SOC1 Type 2 audit
- Manage cyber-risk management, business continuity, vendor risk, customer assurance, and security awareness for 2000 employees and contractors
Director F5 Labs, Threat Intelligence F5 Networks - 2016 to 2022
- One of the founders and team lead for F5 Labs, the 5-person team of threat researchers
- Developed the first annual Application Protection Report from multiple data sources and created an annual process to hand it off as an ongoing series
- Conducted numerous interviews of CISOs, CTOs, and tech leaders to produce case studies, tutorials, and best practices
- Wrote data analysis code and developed a process for large-scale honeypot data used in sales and ongoing threat reports
- Mentored and ran the F5 Labs internship, resulting in published research and new open source security tools
- Developed and defined content for CISO-to-CISO, the F5 Labs information source for security leaders
- Speaking, writing, podcasting, and support of strategic sales efforts
- Principal Threat Researcher Evangelist: 2016-2020; Director: 2020+
Head of Information Security, North America and Asia, Linedata - Sep 2016 to Dec 2016
- In charge of security and compliance for 4 Linedata offices and 4 ASP hosting data centers for financial services companies.
- Design and execute three SSAE 16 SOC1 and SOC2 audits for 2 data centers
- Hire and manage information security staff that oversee corporate and hosted security as well as manage compliance projects
- Primary lead for customer security inquiries and all external audits
- Responsible for security and compliance at Lending & Leasing division by ensuring continued passing annual SSAE-16 SOC-1 Type II audits and zero breaches
- Headed security and compliance for new mobile financial services product offering
- Developed internal security tool which was later packaged and sold as a product add-in for customers
- Promoted security offerings by publishing magazine articles, giving press interviews, and presenting at financial industry conferences
- Enhanced sales by briefing customers on security, privacy and compliance assurance programs
Director of Security and Infrastructure, HCL CapitalStream - 2008 to 2013
- Managed infrastructure team responsible for highly available, highly secure financial services hosting environment
- Led a multi-year sustained web application security project that brought the organization to 100% OWASP compliance and zero security flaws; reduced vulnerability fix time by 400%, faster than the industry average
- Guided IT operations team through passing Verizon Cybertrust / ISO 27001 certification for three years in a row
- Managed special security projects to meet customer requirements for security and international compliance including database encryption, PCI compliance, and privacy audits
Security Officer, CapitalStream - 2007 to 2008
- In charge of security and compliance for a financial services ASP that hosts several top 50 global banks
- Change leader in creating a ground-up comprehensive new security program that eliminated customer audit deficiencies and successfully passed SAS-70 Type 2 audit
- Reduced operational expenses by over 20% by creating new change control processes, reducing vendor expenses, and developing new cross-platform change monitoring software with scripting tools
- Worked directly with the IT operations team to identify and resolve security incidents including interfacing with law enforcement, customers and auditors
- Led information security management systems practice within NCA Professional Services
- Performed pre-sales consulting and fulfillment for ISO 27001 certification projects
- Designed methodologies for policy development, and service fulfillment for consulting engagement teams
- Developed new customer offering for risk assessment based on Failure Mode Effects Analysis
- Headed long-term security project for a large-scale e-commerce firm for PCI remediation
- Designed and maintained risk assessment and ISMS implementation sub-practices
Internet Security Consultant, Creation Logic - 2005 to 2006
- Engineered and implemented large-scale satellite-based VPN & firewall infrastructure
- Performed on-site security inspections and redesigns for financial service firms
Senior Security Architect, Conjungi Networks - 2000 to 2005
- Civilian undercover operative in FBI Operation Flyhook that led to conviction of two Russian hackers
- Created and expanded vulnerability assessments and penetration testing business services - performed assessments for national retailers, banks, financial services firms, energy utilities, and e-tailers
- Participated in and contributed to creation of intellectual property and new consulting services, security products, and customer offerings
- Performed security analysis and due-diligence review for third-party service providers, outsourcers, and financial services firms
- Designed and implemented a nation-wide secure highly-available POS system with 300 remotely managed firewalls, VPNs and Firewall management system
- Acted as primary responder in a variety of security incidents including rogue sysadmin, large scale malware outbreaks, e-banking breach
- Many projects performing risk analysis, technical architecture, installation, integration, and support for HIPAA, SOX, PCI, GLBA, and NERC-regulated organizations
- Maintained and secured all internal, external LAN, WAN and Internet data communications
- Designed, built and maintained Internet security for BECU's first web banking offering
- Demonstrated assurance through on-going internal and external technical audits.
- Provided highest escalation support position for 1,000+ node financial network
Founder, Minuet - 1994 to 1997
- Ran technical and business operations for a 3-employee systems integration firm
- Company specialized in LAN integration and Internet connectivity for CPAs and tax attorneys
- Provided design, project management, cabling, OS migration, software conversion, training
Senior Technology Specialist, KPMG Peat Marwick - 1991 to 1994
- Lead manager for 150 CPAs on a Netware LAN of Windows and Mac hosts
- Sysadmin for Academic Support dept.; managed DEC PDP-11/44, SCO Unix and Novell Netware
Affiliations
- FBI InfraGard Member Alliance, Seattle and Delaware: executive board (Seattle 2001-2012, Delaware 2017-2023), Treasurer 2018-2023, InfraGard Sector Chief, Financial Services 2015-2023
- ISC, Delaware Chapter, Membership Chair 2019+
- Cyber Finance Working Group (CFWG) as part of the Executive Partnership for Integrated Collaboration with the FBI Washington Field Office - 2020+.
- FBI Citizen's Academy, class of 2006
- University of Washington, Information Assurance certificate program, advisory board (2005-present)
- University of Washington, Certificate program in Information Systems Security, advisory board (2006-present)
- University of Washington, IT Audit certificate program, advisory board (2012-2014)
- HoneyNet Project - Pacific Northwest Chapter, Member 2012-present
- Richard Hugo House, Board member (2005-2010)
- Dept. Homeland Security, Northwest Warning, Alert, and Response Network, advisory board member (2002-2004)
- US Secret Service, Seattle Electronic Crimes Task Force, consultant (2000-2004)
- Washington Software Alliance Security SIG, speaker and participant (2000-2004)
- Web Application Security Consortium, contributing author
- Society of Information Risk Analysts, Professional Member
- OWASP Mobile Top Ten 2015, Reviewer
Education
Certifications
- Certified Information Systems Security Professional, 2008+
- AWS Certified Solutions Architect, Associate Level, 2016
- GIAC Law of Data Security & Investigations (GLEG), 2015
- ISO 27001 Lead Auditor, International Register of Certificated Auditors, 2006
- Novell Certified IntraNetware Administrator, 1998
- Cisco Certified Network Associate, 1998
- Microsoft Certified System Engineer, 1997
- Certified Computing Professional in System Management, 1992
Notable publications
- F5 Labs blogger, 2017+, 150+ articles, sole author on 30+
- F5 Application Protection Reports, a year-long multi-source research project, 2018-2021
- Helpnet Security columnist, 2017-2018
- Dark Reading partner's perspective columnist, 2017-2018
- How to Select the Right Cybersecurity Career Path, 2021
- IT Security Risk Control Management: An Audit Preparation Plan, Oct 2016 from Apress IT books
- Cyber-security: withstanding the new reality, LeasingLife, April 2016
- Can Outsourcing Handle Cybersecurity's Complexity?, Money Management Magazine, Jan 2015
- TabbForum: Staying Ahead of the Looming InfoSec Crunch, 2014
- Equipment Leasing & Finance - Cybersecurity: Managing the risk when you need to share your data with others, 2013 issue
- Virus Bulletin - Successes and failures apprehending malware authors, 2010
- WebsenseConnect Newsletter - Reprint from Security Blog - Ten ways to build/improve your infosec career, 2009
- HCL Communique - Information Systems Risk Management - The Challenges, 2009
- Microsoft IT Infrastructure Threat Modeling Guide - Technical reviewer, 2009
- STart Magazine - START Arcade: Three Games in One - Vol. 3 No. 12, 1989
Speaking (selected)
- ISC2 Security Congress 2023 - Fixing Inconsistent and Incompatible GRC, Oct 2023
- SIRAcon2023 - From Confusion to Control: Rebuilding a Muddled Risk Management System, May 2023
- (ISC)2 Security Congress 2022 - Mentoring Cybersecurity Interns, Oct 2022
- (ISC)2 Security Congress 2021 on Data Science in Cybersecurity, Oct 2021
- OWASP 20th anniversary conference talk on 4 years of web attacks, Oct 2021
- F5 Financial Services Symposium - Challenges for 2022 and Beyond, Sep 2021
- DevCentral Connects: An Inside Look at Threat Research at Cyentia, Jun 2021
- LevelUp Cyber Podcast - Cybersecurity Skills Gap Say What w/F5 Networks Team, Dec 2020
- Secure Delaware 2020 - "How did the Pandemic Change Cybersecurity", Oct 2020
- DisasterZone Podcast: Cybersecurity in a Pandemic, Oct 2020
- DevCentral Connects - F5 Labs Edition, May 2020
- InfoSecurity Magazine Online Summit - Putting People First: Dealing with Team Burnout and Mental Health - Conference Panel, Apr 2021
- Blackhat USA 2018 - How Applications Are Attacked - an In-Depth Data-Driven Analysis (Sponsored), Aug 2019
- 2019 Central Ohio InfoSec Summit: What to do when your company tells you they're making a mobile app, May 2019
- SiraCon 2019: Lessons Learned in the 2018 App Protect Report, May 2019
- Shared Assessments Summit 2019: Third Party Trust, May 2019
- Smart Campus Summit 2019, Oct 2019
- Reboot - 20th Annual Privacy and Security Conference - Panel: Shining a Light on the Encryption Debate, Feb 2019
- IP Expo Europe: Cyber Security Keynote, Oct 2018
- F5 Agility 2018 - Deception as Defense and Super-NetOps, Aug 2018
- Blackhat USA 2018 - How Applications Are Attacked - an In-Depth Data-Driven Analysis (Sponsored), Aug 2018
- Swimming in a Sea of Enemies, The Dilemmas of the Threat Researcher, RSA, 4/18/18
- The Evolving Role of CISOs and Their Importance to the Business, Moderator F5 webinar, 2017
- Red Sky Conference: Threat Intelligence. 2017
- Cloud Security Alliance - Webinar - Leveraging the Power of Threat Intelligence, 2017
- Reboot 18th Annual Privacy and Security Conference, 2017
- Cyber-Security: How Financial Institutions Can Withstand the New Reality, ELFA Annual Convention 2016
- Third Party Risk Assessment Exposed, Society of Information Risk Analysts: SiRAcon 2015
- University of Washington Tacoma, Masters in CyberSecurity Leadership, Kickoff speaker for 2014-15 cohort
- The Cloud and Big Data 2014: Payment Card Data in the Cloud
- ELFA Operations and Technology Conference - Cybercrime: How to Protect Yourself Personally and Commercially, 2013
- Cascadia IT Conference 2013 - Into the Breach - Transitioning into an Infosec Career, 2013
- Source Seattle, "Building an empirical security program", 2011
- VB2010, 20th Annual Virus Bulletin International Conference, 2010
- Hugo House's writers' conference: Finding Your Readers in the 21st Century, 2010
- Toorcamp hacker conference, "Deception defense" 2009
- University of Washington, I-School, Information Assurance Program (2005-12)
- University of Hawaii at Manoa, ICS Grey Hats
- Seattle University, Albers School of Business
- King County Bar Association
- Law Seminars International: Advanced Data Security
- Secure World Expo 2002, 2008
- American Society for Industrial Security (ASIS)
- Washington Society of CPAs
- Co-chair, Law Seminar - Trade Secrets Litigation Trends and Dealmaking Tips, June 30, 2003
- NCA Security & Technology Conference 2009-2010
- FBI ANSIR, Awareness of National Security Issues and Response
Media
- Russian Hackers Documentary, IMDB entry
- Operation Flyhook, Parts 1 and 2, Malicious Life Podcast interview, Nov 2021
- Experts reflect on how you can be cyber smart for Cybersecurity Awareness Month 2021, Security IT Summit UK, Oct 2021
- Majority of largest cybersecurity incidents in last 5 years hit web apps, AME Info, Oct 2021
- New twist on DDoS technique poses threat to CSP networks, SC media, Sep 2021
- Mental Health Awareness Week: Tech industry experts discuss experiences supporting employees over the past year, Digitalisation World, May 2021
- Survey reveals Latin America’s cybercrime map, Intelligent CIO, June 2021
- Financial Services Organisations Increasingly Prone To Authentication And DDoS Attacks, InfoSecurity Buzz, May 2020
- COVID-19 Sparks Big DDoS & Password Login Attacks Surge, IT in the Supply Chain, June 2021
- FCC Addresses Robocalling, But Questions Remain, ThreatPost, Nov 21, 2018
- #IPEXPO: What Threat Intel Teaches Us About App Security, Infosecurity magazine, Oct 9, 2018
- Apps are gateway to business data for cyber attackers, Computer Weekly, Oct 9, 2018
- PrescribeWellness Attains Service Organization Control Type II (SOC 2) Compliance, BusinessWire 6/26/18
- US-version Silk Road: Is PHL ready for Internet's dark side?, Business Mirror Philippine, 2/5/18
- Radio interview - A Tale From the Early Days Of Busting Hackers, KNKX (NPR affiliate) Sound Effect, 1/13/18
- This Week in Enterprise Tech 262: Phishers of Men, This Week in Enterprise Tech, Oct 2017
- Hacker Lexicon: What Is DNS Hijacking?, Wired Magazine, Sept 2017
- Cyberattack scramble, Seattle Times, May 2017
- Linedata's Cybercrime Fighter, GARP Risk Intelligence, July 2015
- Data Breaches Changing Security Vendor Roles, Money Management Magazine, Jan 2015
- Attacker That Sharpened Facebook's Defenses, New York Times, 2010
- Credit card for $2, expert for $7810, VirusBuster, 2010
- Intrusion Prevention: A Lock To Dominate The New Year, CRN, 2004
- 'Worm' shuts down Comcast Internet subscribers, King County Journal, 2003
- 2nd City Sketch with Dave Beck, KUOW radio interview, 2002
- Microsoft stresses risk management - Experts warn the Internet is full of holes, King County Journal, 2002
- SonicWall Zeros In On SMBs, CRN, 2002
- Microsoft: We Were Watching Hackers, Associated Press, 2001
- MS Hacker's Shorter Stay, Associated Press, 2000
- Hackers motivated by greed, revenge, Seattle Times, 2000
- Is any business truly safe?, Seattle Times, 2000
- Gov't official outlines cyberdefense plan - CNN, 1999
Other
© 2024 Raymond Pompon