Raymond A. Pompon, CISSP

• Security leader responsible for developing security program that passed nine annual SAS-70/SSAE-16 SOC-1 Type II audits/li> 
• 25 years in infosec and compliance (GLBA, ISO 27000, Sarbanes Oxley, PCI, FFIEC, PIPEDA)
• 34 years building complex network security designs and implementations with an emphasis on high-availability and security
• 19 years experience in leadership including owning a network integration firm, leading threat research team, ensuring profitability for consulting division and leading IT Ops team
• 22 years experience in web application security analyzing, auditing and meeting OWASP and WASC requirements
• Proven writer and speaker in infosec topics including 150+ security articles, media interviews, 200+ public talks, and published book.
• Author, IT Security Risk Control Management: An Audit Preparation Plan, Pub Oct 2016

Professional Experience 

Cyber Security Program Director Convera - 2022 to Present

• Manage cybersecurity programs and policies for B2B processing $110B in transactions in 40+ countries and territories and 140+ currencies 
• Run Governance, Risk, and Compliance program for a 6-person team under the CSO
• Ensure compliance with global cybersecurity financial regulations including GDPR, PSD2, NYDFS, FFIEC and SOC1 Type 2 audit
• Manage cyber-risk management, business continuity, vendor risk, customer assurance, and security awareness for 2000 employees and contractors

Director F5 Labs, Threat Intelligence F5 Networks - 2016 to 2022

• One of the founders and team lead for F5 Labs, the 5-person team of threat researchers
• Developed first annual Application Protection Report from multiple data sources and created annual process to handoff as an ongoing series.
• Conducted numerous interviews of CISOs, CTOS, and tech leaders to produce case studies, tutorials, and best practices.
• Wrote data analysis code and developed process for large scale honeypot data for sales and on-going threat reports.
• Mentored and ran F5 Labs internship resulting in published research and new open source security tools
• Develop and define content for CISO-to-CISO, F5 Labs information source for Security Leaders
• Speaking, writing, podcasting, and support of strategic sales efforts
• Principle Threat Researcher Evangelist: 2016-2020, Director: 2020+

Head of Information Security, North America and Asia, Linedata - Sep 2016 to Dec 2016

• In charge of security and compliance for 4 Linedata offices and 4 ASP hosting data centers for financial services companies.
• Design and execute three SSAE 16 SOC1 and SOC2 audits for 2 data centers
• Hire and manage information security staff that oversee corporate and hosted security as well as manage compliance projects
• Primary lead for customer security inquiries and all external audits

Director of Security, Linedata Lending and Leasing (formerly CapitalStream) - 2013 to 2016

• Responsible for security and compliance at Lending & Leasing division by ensuring continued passing annual SSAE-16 SOC-1 Type II audits and zero breaches
• Headed security and compliance for new mobile financial services product offering
• Developed internal security tool which was later packaged and sold as a product add-in for customers
• Promoted security offerings by publishing magazine articles, giving press interviews, and presenting at financial industry conferences
• Enhanced sales by briefing customers on security, privacy and compliance assurance programs

Director of Security and Infrastructure, HCL CapitalStream - 2008 to 2013

• Managed infrastructure team responsible for highly available, highly secure financial services hosting environment
• Led multi-year sustained web application security project that boosted organization to 100% OWASP compliance and zero security flaws. Reduced vulnerability fix time 400%, faster than industry avg.
• Guided IT operations team through passing Verizon Cybertrust / ISO 27001 certification for three years in a row
• Managed special security projects to meet customer requirements for security and international compliance including database encryption, PCI compliance, and privacy audits

Security Officer, CapitalStream - 2007 to 2008

• In charge of security and compliance for a financial services ASP that hosts several top 50 global banks
• Change leader in creating a ground-up comprehensive new security program that eliminated customer audit deficiencies and successfully passed SAS-70 Type 2 audit
• Reduced operational expenses by over 20% by creating new change control processes, reducing vendor expenses, and developing new cross-platform change monitoring software with scripting tools
• Worked directly with the IT operations team to identify and resolve security incidents including interfacing with law enforcement, customers and auditors

ISMS Manager, Network Computing Architects - 2006 to 2007 

• Led information security management systems practice within NCA Professional Services
• Performed pre-sales consulting and fulfillment for ISO 27001 certification projects
• Designed methodologies for policy development, and service fulfillment for consulting engagement teams
• Developed new customer offering for risk assessment based on Failure Mode Effects Analysis
• Headed long-term security project for a large-scale e-commerce firm for PCI remediation
• Designed and maintained risk assessment and ISMS implementation sub-practices

Internet Security Consultant, Creation Logic - 2005 to 2006 

• Engineered and implemented large-scale satellite-based VPN & firewall infrastructure
• Performed on-site security inspections and redesigns for financial service firms

Senior Security Architect, Conjungi Networks - 2000 to 2005 

• Civilian undercover operative in FBI Operation Flyhook that led to conviction of two Russian hackers
• Created and expanded vulnerability assessments and penetration testing business services - performed assessments for national retailers, banks, financial services firms, energy utilities, and e-tailers
• Participated in and contributed to creation of intellectual property and new consulting services, security products, and customer offerings
• Performed security analysis and due-diligence review for third-party service providers, outsourcers, and financial services firms
• Designed and implemented a nation-wide secure highly-available POS system with 300 remotely managed firewalls, VPNs and Firewall management system 
• Acted as primary responder in a variety of security incidents including rogue sysadmin, large scale malware outbreaks, e-banking breach
• Many projects performing risk analysis, technical architecting, installation, integration, and support for HIPAA, Sox, PCI, GLBA, and NERC regulated organizations

Network & Data Security Analyst, Boeing Employees Credit Union -1997 to 2000

• Maintained and secured all internal, external LAN, WAN and Internet data communications
• Designed, built and maintained Internet security for BECU's first web banking offering
• Demonstrated assurance through on-going internal and external technical audits.
• Provided highest escalation support position for 1,000+ node financial network

Founder, Minuet - 1994 to 1997 

• Ran technical and business operations for 3 employee systems integration firm
• Company specialized in LAN integration and Internet connectivity for CPAs, Tax Attorneys
• Provided design, project management, cabling, OS migration, software conversion, training

Senior Technology Specialist, KPMG Peat Marwick; -1991 to 1994 

• Lead manager for 150 CPAs on Netware LAN of Windows and Mac hosts

Systems Technician, Chaminade University - 1990 to 1991 

• Sysadmin for Academic Support dept. Managed Dec PDP-11/44, SCO Unix and Novell Netware

Affiliations 

• FBI, Seattle, Delaware InfraGard Member Alliance, executive board, 2001-2012 Seattle, 2017-2023 Delaware, Treasurer 2018-2023, InfraGard Sector Chief Financial Services 2015-2023 
• ISC, Delaware Chapter, Membership Chair 2019+
• Cyber Finance Working Group (CFWG) as part of the Executive Partnership for Integrated Collaboration with the FBI Washington Field Office - 2020+.
• FBI Citizen's Academy, class of 2006
• University of Washington,Information Assurance certificate program, advisory board(2005-present)
• University of Washington, Certificate program in Information Systems Security, advisory board (2006-present)
• University of Washington, IT Audit certificate program, advisory board (2012-2014)
• HoneyNet Project - Pacific Northwest Chapter, Member 2012-present
• Richard Hugo House, Board member (2005-2010)
• Dept. Homeland Security, Northwest Warning, Alert, and Response Network, advisory board member (2002-2004)
• US Secret Service, Seattle Electronic Crimes Task Force, consultant (2000-2004)
• Washington Software Alliance Security SIG, speaker and participant (2000-2004)
• Web Application Security Consortium, contributing author
• Society of Information Risk Analysts, Professional Member
• OWASP Mobile Top Ten 2015, Reviewer 

Education 

• Bachelor of Arts: Lib. Studies - Information Technology, University of Hawaii, 1990.
• Certificate in Data Communications, University of Washington, May 1999.

Certifications 

• Certified Information Systems Security Professional, 2008+
• AWS Certified Solutions Architect, Associate Level, 2016
• GIAC Law of Data Security & Investigations (GLEG), 2015
• ISO 27001 Lead Auditor, International Register of Certificated Auditors, 2006
• Novell Certified IntraNetware Administrator, 1998
• Cisco Certified Network Associate, 1998 
• Microsoft Certified System Engineer, 1997
• Certified Computing Professional in System Management, 1992

Notable publications 

• F5 Labs blogger, 2017+, 150+ articles, sole author on 30+
• F5 Application Protection Reports, a year-long multi-source research project, 2018-2021
• Helpnet Security columnist, 2017-2018
• Dark Reading partner's perspective columnist, 2017-2018
• How to Select the Right Cybersecurity Career Path, 2021
• IT Security Risk Control Management: An Audit Preparation Plan, Oct 2016 from Apress IT books
• Cyber-security: withstanding the new reality, LeasingLife, April 2016
• Can Outsourcing Handle Cybersecurity's Complexity?, Money Management Magazine, Jan 2015
• TabbForum: Staying Ahead of the Looming InfoSec Crunch, 2014
• Equipment Leasing & Finance - Cybersecurity: Managing the risk when you need to share your data with others, 2013 issue
• Virus Bulletin - Successes and failures apprehending malware authors, 2010
• WebsenseConnect Newsletter - Reprint from Security Blog - Ten ways to build/improve your infosec career, 2009
• HCL Comminique - Information Systems Risk Management - The Challenges, 2009
• Microsoft IT Infrastructure Threat Modeling Guide - Technical reviewer, 2009
• STart Magazine - START Arcade Three Games in One - Vol. 3 No. 12, 1089

Speaking (selected)

• ISC2 Security Congress 2023 - Fixing Inconsistent and Incompatible GRC, Oct 2023
• SIRAcon2023 - From Confusion to Control: Rebuilding a Muddled Risk Management System, May 2023
• (ISC)2 Security Congress 2022 - Mentoring Cybersecurity Interns, Oct 2022
• (ISC)2 Security Congress 2021 on Data Science in Cybersecurity, Oct 2021
• OWASP 20th anniversary conference talk on 4 years of web attacks, Oct 2021
• F5 Financial Services Symposium - Challenges for 2022 and Beyond , Sep 2021
• DevCentral Connects: An Inside Look at Threat Research at Cyentia, Jun 2021
• LevelUp Cyber Podcast - Cybersecurity Skills Gap Say What w/F5 Networks Team , Dec 2020
• Secure Delaware 2020 - "How did the Pandemic Change Cybersecurity", Oct 2020
• DisasterZone Podcast: Cybersecurity in a Pandemic, Oct 2020
• DevCentral Connects - F5 Labs Edition, May 2020
• InfoSecurity Magazine Online Summit - Putting People First: Dealing with Team Burnout and Mental Health - Conference Panel, Apr 2021
• LevelUp Cyber Podcast - Cybersecurity Skills Gap Say What w/F5 Networks Team , Dec 2020
• Blackhat USA 2018 - How Applications Are Attacked - an In-Depth Data-Driven Analysis (Sponsored), Aug 2019
• 2019 Central Ohio InfoSec Summit: What do when your company tells you they're making a mobile app , May 2019
• SiraCon 2019: Lessons Learned in the 2018 App Protect Report, May 2019
• Shared Assessments Summit 2019: Third Party Trust, May 2019
• Smart Campus Summit 2019, Oct 2019
• Reboot - 20th Annual Privacy and Security Conference - Panel: Shining a Light on the Encryption Debate, Feb 2019
• IP Expo Europe: Cyber Security Keynote, Oct 2018
• F5 Agility 2018 - Deception as Defense and Super-NetOps,Aug 2018
• Blackhat USA 2018 - How Applications Are Attacked - an In-Depth Data-Driven Analysis (Sponsored), Aug 2018
• Swimming in a Sea of Enemies, The Dilemmas of the Threat Researcher, RSA, 4/18/18
• The Evolving Role of CISOs and Their Importance to the Business, Moderator F5 webinar, 2017
• Red Sky Conference: Threat Intelligence. 2017
• Cloud Security Alliance - Webinar - Leveraging the Power of Threat Intelligence, 2017
• Reboot 18th Annual Privacy and Security Conference, 2017
• Cyber-Security: How Financial Institutions Can Withstand the New Reality, ELFA Annual Convention 2016 
• Third Party Risk Assessment Exposed, Society of Information Risk Analysts: SiRAcon 2015
• University of Washington Tacoma, Masters in CyberSecurity Leadership, Kickoff speaker for 2014-15 cohort 
• The Cloud and Big Data 2014: Payment Card Data in the Cloud
• ELFA Operations and Technology Conference - Cybercrime: How to Protect Yourself Personally and Commercially, 2013
• Cascadia IT Conference 2013 - Into the Breach - Transitioning into an Infosec Career, 2013
• Source Seattle, "Building an empirical security program", 2011
• VB2010, 20th Annual Virus Bulletin International Conference, 2010
• Hugo House's writers' conference: Finding Your Readers in the 21st Century, 2010
• Toorcamp hacker conference, "Deception defense" 2009 
• University of Washington, I-School, Information Assurance Program (2005-12)
• University of Hawaii at Manoa, ICS Grey Hats
• Seattle University, Albers School of Business
• King County Bar Association 
• Law Seminars International: Advanced Data Security
• Secure World Expo 2002, 2008
• American Society for Industrial Security (ASIS)
• Washington Society of CPAs
• Co-chair, Law Seminar - Trade Secrets Litigation Trends and Dealmaking Tips, June 30, 2003
• NCA Security & Technology Conference 2009-2010
• FBI ANSIR, Awareness of National Security Issues and Response 

Media 

• Russian Hackers Documentary,  IMDB entry
• Operation Flyhook, Part 1, Malicious Life Podcast interview - Nov 2021. Part 2
• Experts reflect on how you can be cyber smart for Cybersecurity Awareness Month 2021Security IT Summit UK, Oct 2021
• Majority of largest cybersecurity incidents in last 5 years hit web apps, AME Info, Oct 2021
• New twist on DDoS technique poses threat to CSP networks, SC media, Sep 2021
• Mental Health Awareness Week: Tech industry experts discuss experiences supporting employees over the past year, Digitalisation World, May 2021
• Survey reveals Latin America’s cybercrime map, Intelligent CIO, June 2021
• Financial Services Organisations Increasingly Prone To Authentication And DDoS Attacks, InfoSecurity Buzz, May 2020
• COVID-19 Sparks Big DDoS & Password Login Attacks Surge, IT in the Supply Chain, June 2021
• FCC Addresses Robocalling, But Questions Remain, ThreatPost, Nov 21, 2018
• #IPEXPO: What Threat Intel Teaches Us About App Security, Infosecurity magazine, Oct 9, 2018
• Apps are gateway to business data for cyber attackers, Computer Weekly, Oct 9, 2018
• PrescribeWellness Attains Service Organization Control Type II (SOC 2) Compliance, BusinessWire 6/26/18
• US-version Silk Road: Is PHL ready for Internet's dark side?, Business Mirror Philippine, 2/5/18
• Radio interview - A Tale From the Early Days Of Busting Hackers, KNKX (NPR affiliate) Sound Effect, 1/13/18
• This Week in Enterprise Tech 262: Phishers of Men, This Week in Enterprise Tech, Oct 2017
• Hacker Lexicon: What Is DNS Hijacking?, Wired Magazine, Sept 2017
• Cyberattack scramble, Seattle Times, May 2017
• Linedata's Cybercrime Fighter, GARP Risk Intelligence, July 2015
• Data Breaches Changing Security Vendor Roles, Money Management Magazine, Jan 2015
• Attacker That Sharpened Facebooks Defenses, New York Times, 2010
• Credit card for $2, expert for $7810, VirusBuster, 2010
• Intrusion Prevention: A Lock To Dominate The New Year, CRN, 2004 
• `Worm' shuts down Comcast Internet subscribers, King County Journal, 2003
• 2nd City Sketch with Dave Beck, KUOW radio interview, 2002 
• Microsoft stresses risk management - Experts warn the Internet is full of holes, King County journal, 2002
• SonicWall Zeros In On SMBs, CRN, 2002
• Microsoft: We Were Watching Hackers, Associated Press, 2001
• MS Hacker's Shorter Stay, Associated Press, 2000
• Hackers motivated by greed, revenge, Seattle Times, 2000
• Is any business truly safe?, Seattle Times, 2000 
• Gov't official outlines cyberdefense plan - CNN, 1999

Other 

• Creator and artist, Heidi Geek Girl Detective
• Security blogger at http://assumebreach.blogspot.com/

@ 2024 Raymond Pompon Contact Me