Director of Product Security with extensive experience in Product/Application Security, IT and Cloud Vulnerability Management, GRC, Product Management, and Software Development

Harold Toomey
CISSP, CISA, CISM, CRISC, CGEIT
4701 Forest Cove Dr.
McKinney, TX 75071-8041
Harold@Toomey.org
M: (801) 830-9987

I am looking to build and manage another agile product and application security program as I did at Intel and McAfee. As a finisher, I have run over 100 marathons in the past 7 years. I am a certified CISSP, CISA, CISM, CRISC, and CGEIT. I am an expert in ISO 27001/27002, NIST SP 800-53, FedRAMP, PCI DSS, and ITIL. I am an ISSA Senior Member, a scoutmaster, and a veteran.

I am currently a Principal Security Architect and Team Lead with experience in product/application security, information security technologies, enterprise product management, software development, and electrical & computer engineering. I started my career coding enterprise security software solutions (Dev), then transitioned to interfacing with customers and convincing engineers what to build (PM), and finally focused on securing products and enterprise solutions in IT Operational, Public Cloud, and DevSecOps environments.
SPECIALTIES
• Product Security, DevSecOps (SDL, PSIRT, CNA)
• Vulnerability Management (CISM, AWS)
• Information Security (CISSP)
• Governance, Risk and Compliance (CGEIT)
• Regulatory, Policy Compliance, Audit (CISA, ISO 27001/27002)
• Enterprise Risk Management (CRISC, FAIR)
• Enterprise IT Services (ITIL v3)

TOP SKILLS
• Strategic Planning and Execution
• Highly Organized
• Train and Mentor
• Team Leadership & Management
• Attention to Detail

EDUCATION
• Preparing for a PhD in Applied Mathematics
• MS Electrical and Computer Engineering, Brigham Young University, 3.69, 1989
• BS Electrical and Computer Engineering, Brigham Young University, 3.70, Cum Laude, 1988

CERTIFICATIONS
• CISSP, CISA, CISM, CRISC, CGEIT, ITIL v3, NSA IAM, PSIRT, CNA, CVSS
• Security product certifications from McAfee, Symantec, AXENT, and ISS (IBM)

EXPERIENCE

Sr. Security Architect & Acting Director, McAfee LLC, 2017 - Jan 2019
• McAfee LLC's Vulnerability Management team technical lead.
• Focused on the processes and activities to ensure our software products, IT applications, IT enterprise, and public cloud services (AWS, Azure) do not contain exploitable conditions.
• I managed a worldwide satellite team of 110+ software security architects and 40+ Enterprise IT engineers to help them proactively find and fix vulnerabilities in source code, products, servers, and cloud (AWS, Azure) before hackers can find and exploit them.
• Owned the Spectre/Meltdown vulnerability (Feb 2018) as PSIRT Lead for all McAfee.

Responsibilities:
• Managed a satellite team of 110+ Software Security Architects (SSA) and Engineers (SSE)
• Managed a satellite team of 40+ Enterprise IT Patch Engineers
• Enterprise Vulnerability Management (patching)
• Agile Security Development Lifecycle (SDL)
• Product Security Maturity Model (PSMM)
• Product Security Incident Response Team (PSIRT)
• Product security tools (SAST, IAST, DAST, fuzz testing, vulnerability scans, pen testing, CASB, etc.)
• Security training program
• Privacy support
• Security architecture reviews and threat modelling
• Vulnerability Management program operations (websites, email DLs, policies, procedures)
• Managed 3rd party vendors/open source
• Metrics
• Certification support

Standards Body Memberships:
• Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA)
• Common Vulnerability Scoring System (CVSS) Special Interest Group (SIG)
• CPVSS SIG - CVSS extension for Privacy

Sr. Product Security Architect, Intel Corporation, 2015 - 2017
• I developed, published, and maintained the Agile Security Development Lifecycle (SDL), which was audited and approved by Intel for the Intel Security Group (ISecG) to use instead of Intel's waterfall SDL.
• Mentored product development teams in Security Architecture, Design Reviews, Threat Modeling, and all aspects of the SDL.
• As PSIRT Manager I successfully kept Intel from any negative press from externally reported security product vulnerabilities.

Principal Product Security Architect, McAfee, Inc., 2012 - 2015
• While on McAfee Inc.'s Product Security Group I managed a worldwide satellite team of 120+ software security architects (Product Security Champions) to help them proactively find and fix vulnerabilities in source code and products before hackers could find and exploit them.
• I also led the incident response process (PSIRT) when a vulnerability was discovered in shipping products.
Responsibilities:
• Managed a satellite team of 120+ Software Security Architects (SSA) and Engineers (SSE)
• Agile Security Development Lifecycle (SDL)
• Co-created the Product Security Maturity Model (PSMM)
• Built the Product Security Incident Response Team (PSIRT) from scratch
• Product security tools (SAST, IAST, DAST, fuzz testing, vulnerability scans, pen testing)
• M&A source code reviews

Standards Body Memberships:
• CVE Numbering Authority (CNA)
• CVSS Special Interest Group (SIG)
• CPVSS SIG - CVSS extension for Privacy

Senior IT Security Engineer, McAfee, an Intel Company, 2010 - 2012
• I was a key contributor in obtaining McAfee's first ISO 27001 certifications.
• Security policy expert. I defined the corporate policy management process and created the McAfee policy intranet site. My name is on 150+ McAfee policies.
• Conducted compliance audits for PCI DSS, SOX 404 & 302, and ISO 27001 ISMS.
• Launched a corporate-wide security awareness and training program.

Network Product Manager, McAfee, Inc., 2009
• Successfully integrated the Endeavor Security acquisition into McAfee, including people, products, and processes.
• Managed an advanced network malware detection solution, Network Threat Response (NTR), including working with Dell to deliver McAfee-branded hardware appliances ahead of schedule.
• Helped generate $4M in revenue within the first year, more than paying for the acquisition.

Group Product Manager, McAfee, Inc., 2006 - 2009
• Successfully led the acquisition and integration of both Citadel Software (2007) and Preventsys (2006) into McAfee to put McAfee on the IT GRC product map.
• Led the creation of McAfee Policy Auditor 5 on ePO 4, touted as the poster child for tight ePO integration and exceeding FY 2008 sales goals.
• Nicknamed “Dr. Compliance” by my management team.
• Broke new ground by hiring and successfully managing a team of product managers in India which delivered top-notch competitive analysis in the risk and compliance space.
• Became the resident expert in organizing both steering committee meetings as well as customer advisory councils.

Senior Product Manager, Symantec Corporation, 2001 - 2006
• Managed the product team for all security policy content for Enterprise Security Manager (ESM), introducing application, database, Web server, and firewall checks while supporting 50+ operating system platforms.
• Contributed to a sustained double-digit annual growth rate over seven (7) years.
• Addressed product security and breach notification protocols.
• Initiated development of best practice security policies covering ISO 17799, HIPAA, SOX, FISMA, NIST, Basel II and other regulations and standards, producing at least two new regulatory policies each quarter.
• Delivered a near flawless six (6) year track record of shipping on-time quarterly security content via LiveUpdate as well as bi-weekly patch content.
• Regularly interfaced with the security officers of dozens of Fortune 100 companies, learning “what keeps them up at night”, and addressing their feedback with product enhancements.

Technical Product Manager, AXENT Technologies, 1998 - 2001
• Managed network and host-based vulnerability scanners from cradle to grave, filling gaps in the product portfolio and generating $3M revenue annually.
• Frequent presenter at vendor and security conferences, trade shows, and universities.
• Designed and implemented an externally-facing Web site to download NetRecon and issue license keys, logging over 10,000 downloads over a two (2) year period.
• Conducted in-depth competitive intelligence reconnaissance, raising both eyebrows and the bar.

VP of Engineering, CallWare Technologies, Inc., 1994 - 1998
• Pioneered unified messaging by seamlessly integrating networked computers (NetWare and Windows) with PBX telephone systems while developing the industry’s first Windows-based client to display and manage voicemail messages similar to email.
• Rapidly promoted from Senior Software Engineer to Development Team Leader, to Director of Development, then to VP of Engineering, where I built and managed a team of 17 software development engineers.
• Extensive programming using C/C++ for telephony applications.

Network Software Engineer, Novell, Inc., 1992 - 1994
• Developed Novell’s upgrade and migration products as well as core NetWare utilities for NetWare 4.x using C/C++. Designed and coded the user interface for Novell’s directory services management tools.
• Promoted from Software Engineer III to Development Manager. Managed a development team of six (6) software engineers for the NetWare operating system.
• Earned NetWare 4 CNA, CNE and ECNE (Master CNE) certifications.

Systems Engineer/Officer, U.S. Air Force, 1989 - 1992
• Commissioned Air Force officer (Captain), honorable discharge, SECRET security clearance, Commendation Medal.
• Supervised eight (8) engineers and directed all graphics programming for real-time flight simulations.
• Programmed in C, Ada, and FORTRAN on UNIX workstations. Developed TCP/IP and UDP network drivers as well as real-time graphical avionics consoles.
• System Administrator for UNIX workstations in a classified environment.
LEADERSHIP AND TRAINING
• Scoutmaster, Boy Scouts of America, 2016 - present
• President, ISSA North Texas Chapter, 2013
• Vice President, ISSA North Texas Chapter, 2012
• Board of Directors, ISSA Utah Chapter, Education and Seminar Director, 2005 & 2006
• McAfee Emergency Response Team, certificate of proficiency, 2011-2018
• McAfee VirusScan and ePolicy Orchestrator Training, McAfee, Inc., 2008
• Pragmatic Marketing Certified, Pragmatic Marketing, 2006 & 1999
• Professional Presenter Training, Blue Streak, 2003
• Wood Badge, Boy Scouts of America, 2001
• XP Immersion Training, Object Mentor, Inc. (agile programming methodology), 2001
• Real-World Project Management, Fred Pryor Seminars, 2000

WHITE PAPERS
• See my publications at http://www.toomey.org/harold/resume/publications.html.

EMPLOYER AWARDS
• Intel “Above and Beyond Execution” Group Recognition Award, 1Q 2016
• McAfee Certificate of Recognition, 10 Years of Dedicated Service, 2016
• Symantec A++ Award
• CallWare 5.1 Extra Miler Award
• Novell Employee of the Month
• U.S. Air Force Commendation Medal and Company Grade Officer of the Quarter
• BYU ROTC Distinguished Technical Graduate
• BSA Eagle Scout with silver palm and Wood Badge for the 21st Century

MISCELLANEOUS
• Held a SECRET security clearance
• Microsoft Office 365 expert
• Working towards my PhD in Applied Mathematics
• Travelled to 27 different countries on five (5) continents, including North, Central and South America, Europe, Africa, Asia, Japan
• Speak English, Afrikaans, some German, some Spanish, and eight (8) computer programming languages

REFERENCES
• References: http://www.toomey.org/harold/resume
• Publications: http://www.toomey.org/harold/resume/publications.html
• LinkedIn: https://www.linkedin.com/in/htoomey/
• Facebook: https://www.facebook.com/htoomey
• Twitter: https://twitter.com/htoomey
• WyzAnt: https://www.wyzant.com/Tutors/CalculusTutor

Rev. 190205