Bob Spratt
1989 : 1993
2018 : Present
CVS Health
Lead Director Security Risk Management
Ensured high performance, productivity and security while prioritizing customer service and employee development.
- Responsible for instituting and leading CVS Health's Information Security Risk Management program based on NIST 800-37.
- Established governance for Cyber Risk by creating an oversight model, steering committee, and program charter to define clear roles and provide an anticipatory process to minimize information security risk.
- Designed and implemented the Information Security Steering Committee as a focal point for reporting information security risks and information security performance metrics to senior leadership.
- Created and implemented a risk-based approach to Information Security risk management by standardizing and streamlining Key Risk Indicator (KRI) metrics and monitoring lifecycle processes, with guidelines for data collection and defined risk thresholds.
- Designed and implemented a robust automated cyber risk architecture (Data Model) to enable real-time ingestion, creating risk dashboards based on asset criticality.
- Designed and created a proactive process that incorporates business context to effectively drive key strategic decisions.
- Established the Cloud Security governance team to provide a roadmap for a secure, multi-cloud environment by facilitating a risk-based approach to security control enforcement.
- Developed and enforced cloud foundational controls to promote secure cloud adoption.
- Enforced automated solutions to build, deploy, and enforce cloud controls at scale, resulting in a secure cloud footprint with a reduced risk profile.
- Created the Security Risk Advisory team to provide a systematic approach to project/product security, starting at the proposal stage and continuing throughout the project lifecycle.
2013 : 2018
CVS Health
Sr. Manager Information Security Risk Management
Responsible for the management, development and institutionalization of CVS Health’s Information Security Risk Management Program and Information Security Risk Advisory Services.
- Developed and implemented an effective end-to-end risk assessment program, including IT controls adequacy and effectiveness evaluation and regulatory impact.
- Facilitated and documented business line risk responses to identified risks.
- Rolled out a Process, Risk and Control (eGRC) Framework that created transparency into security-related risks and introduced a data-driven, risk-based approach to decision making.
- Summarized compliance risk by technology, ownership, application, and VP POC.
- Created the Security Risk Advisory team program to provide a systematic approach to project security, starting at the point of proposal, continuing to estimation, and throughout the project lifecycle. The goal of the program was to ensure projects address the following:
  - All applicable laws and regulations
  - Contractual obligations
  - Vulnerabilities that pose a threat to company assets and reputation
- Incorporated security checks into each phase of the software development lifecycle.
- Implemented a “Shift-Left” strategy for XP, Agile and Scrum development.
- Achieved a 0.008 defect density per 10,000 LOC for XP, Agile and Scrum efforts.
- Implemented 2,457,519 CIS policy compliance controls on over 8,000 hosts.
2011 : 2013
CVS Health
Senior Security Advisor
Implemented the Client Audit Response Team, responsible for managing and responding to audits, assessments, or compliance reviews conducted by CVS Pharmacy Benefit Manager clients, to demonstrate that CVS Health was effectively addressing audit requests and complying with relevant standards, regulations, and contractual obligations.
Key responsibilities of the Client Audit Response Team included:
- Preparation: Preparing for upcoming audits or assessments by gathering necessary documentation, evidence, and information related to compliance requirements.
- Coordination: Coordinating with various departments or teams within the organization to collect and organize the required data and responses.
- Communication: Serving as a point of contact for auditors or assessors and facilitating communication between the auditing party and the organization.
- Documentation: Maintaining records of audit findings, responses, and corrective actions taken to address identified issues or gaps.
- Corrective Actions: Developing and implementing corrective action plans to address non-compliance issues or deficiencies identified during audits.
- Compliance Monitoring: Continuously monitoring and improving the organization's compliance posture to prevent recurring issues.
- Reporting: Providing regular updates and reports to senior management on the status of audit responses and compliance efforts.
- Training and Awareness: Ensuring that employees are aware of compliance requirements and providing training as necessary.
- Policy and Procedure Development: Collaborating with other departments to develop or update policies, procedures, and controls to align with audit and compliance requirements.
2010 : 2011
Dell Services
Information Security Advisor
Information Security Advisor for Dell at the BCBSRI account.
- Responsible for vendor diligence on behalf of Dell, ensuring all procedures across all platforms were compliant with BCBSRI information security standards.
- Project lead in HITRUST validation for Dell on the BCBSRI account.
- Manager of the security administration team.
- Project manager for implementing the Courion IDM solution, which incorporated compliance management, user provisioning, role management and password management.
- Responsible for the Computer Security Incident Response Team.
2008 : 2010
Dell
Infrastructure Solutions Competency Lead - CISSP, CEH
Dell Information Systems Services competency lead providing IT leadership on a core system replacement project, moving from a mainframe-based claims system to a new Java-based service-oriented architecture.
- Responsibilities included leading and coordinating a team of associates and consultants to implement the Sun Java Composite Application Platform Suite to develop a service-oriented architecture to replace the antiquated mainframe system.
- Responsible for the coordination, integration and development of the new environment, working as liaison between the development, UNIX, Intel, LAN/WAN, Information Security, and DBA teams to achieve project deliverables.
Skills
Agile Methodologies, Analysis, Application Security, Business Communications, Business Continuity, CISSP, Cloud Computing, Cloud Security, Compliance, Compliance Management, Continuous Improvement, Continuous Integration and Continuous Delivery (CI/CD), Cross-functional Team Leadership, Cryptography, Cyber Security Risk, Cybersecurity Tools, Disaster Recovery, Google Cloud Platform (GCP), Governance, HIPAA, Incident Management, Information Security, Information Security Management, Innovation Development, Integration, Internal Audits, ISO 27001, Issue Management, IT Security Policies & Procedures, Leadership, Mergers & Acquisitions (M&A), Network Security, NIST 800-53, Payment Card Industry Data Security Standard (PCI DSS), Penetration Testing, Project Management, Public Speaking, Regulatory Compliance, Risk Assessment, SDLC, Secure Code Review, Security, Security Architecture Design, Security Audits, Security Awareness, Software Documentation, SSAE 16, Vendor Management, Vulnerability Assessment, Vulnerability Management, CAPM, DNS, VMware, IT Audit, PCI DSS, Microsoft Certified, Windows Server, ITIL, Virtualization, CISA, IT Service Management, PMP, Firewalls, IT Operations, IT Strategy, BMC Remedy, Servers, Citrix, Data Center, Unix, IT Management, SOA, Enterprise Architecture, Microsoft Certified Professional
About
I am a proven leader of change and connection with over 25 years of experience in the healthcare sector. I currently manage, and have designed, enterprise-level strategic solutions for a Fortune 4 company that addressed mission-critical business needs, including Security Risk Management, Cloud Security, Project/Product Security, Client Audit, and Compliance. Throughout my career, I have streamlined technical solutions that combine a keen understanding of business needs, and have successfully advised on and implemented secure methods of implementation. I have successfully established strong healthcare information management and information security foundations upon which to build strategic technology solutions within the healthcare industry. I have worked with chief executives, customers, and peers to transform performance and outcomes at the enterprise level while reducing operational costs.