Erika Root
Details
Accounting Information Systems
Virginia Tech
1995 : 1999
Marriott International
Sr. Director Information Security Risk
Trinity Health (HQ Michigan)
Director Information Security Risk Management
2017 : 2023
• Accountable leader for strategy, budget, and operational performance for the Risk Management, Security Awareness and Security Governance and Compliance areas
• Hired, trained, and managed the remote information security risk management department, increasing from 2 to 9 security professionals in 2 years
• Migrated the organization from a compliance-based security controls checklist mindset to a security risk assessment process
• Oversaw the implementation of new security risk assessment software to automate and drive consistency in the risk management process
• Managed annual information security budgets, third party vendors and projects required to expand and mature risk management capabilities across the System
• Leveraged the NIST Cybersecurity Framework to assess maturity of the company's information security program, used to support budget and resource requests
• Accountable for re-writing the company's information security policies and procedures utilizing the industry-standard HITRUST controls framework
• Collaborated with Supply Chain, Enterprise Program Management Office, and Information Technology to ensure new technologies support minimum security requirements
• Designed and delivered the company's third party risk management program
• Established and oversaw the organization's enterprise-wide PCI-DSS program, focused on scope and risk reduction techniques
• Defined and implemented risk management key performance indicators (KPIs) and key risk indicators (KRIs) to focus resources on the highest risk areas
• Accountable for the company's overall annual security awareness program, leveraging actual security incidents as educational material and focused on critical user groups
• Defined and delivered the company's phishing awareness program, including reporting results and a step-up education approach for individuals exhibiting high risk behavior (repeat clickers)
Charter Communications (Formerly Time Warner Cable)
Senior Director, Information Security
2014 : 2017
• Accountable leader for strategy, budget, and operational performance for 55 security professionals
• Implemented monthly security-related key performance indicators to monitor progress and assist in identifying areas of improvement
• Implemented a continuous monitoring program to determine effectiveness of business customers' compliance requirements, including PCI-DSS, HIPAA, and SOC 1 reporting
• Managed the SOC 1 reporting for Time Warner Cable's wholly-owned hosting provider and provided consultative support to secure and protect customer data
• Maintained the organization's security reference architecture, evidencing the deployment of various security tools in use to protect the environment
• Oversaw the implementation of an Identity and Access Management solution to function as the source of record for what systems individuals have access to, report when terminated employees continue to maintain access, and assist with periodic user access reviews
• Provided oversight and leadership to the Access Management team responsible for provisioning and de-provisioning user access to Corporate-wide applications/systems. Improved the team's service level objective (SLO) from 10 days to 3
• Developed and facilitated a central user access review process, used to validate users' entitlements in support of the organization's SOX requirements
• Designed and delivered the company's security awareness program, including both company-wide and department-specific materials where needed
• Established the company's first phishing education program to increase awareness across the employee population
Time Warner Cable
Director, Internal Controls Compliance
2009 : 2014
• Delivered and managed the company's Payment Card Industry Data Security Standard (PCI DSS) compliance program as the company's Internal Security Assessor (ISA)
• Designed a repeatable process to manage ongoing compliance across 20+ divisions dispersed across the United States
• Provided on-going guidance, support and training to business and IT owners to maintain compliance with the PCI DSS and IT SOX requirements
• Accountable for reporting PCI DSS results to Acquiring Banks, Card Brands, and leadership on a quarterly basis
• Managed annual SOX IT testing and developed Audit Committee reporting on results
Deloitte & Touche
Enterprise Risk Services Senior Manager
1999 : 2009
• Maintained a diverse client base, including manufacturing, energy, financial services, public sector, and telecommunications industries
• Leveraged project management skills to ensure multiple projects and diverse teams operated under strict timelines and budget
• Managed 14,000 hours of staff/manager time and $13 million revenue
• Instructed and mentored up to 10 direct reports on up to 4 concurrent projects related to IT risk and controls
• Achieved significant improvement in team productivity and deliverables through on-going staff training and mentoring
• Nominated by Deloitte Partner group as a member of the Focus Forward program, a career-enhancing curriculum for high performing Managers
• Promoted and improved continuing education as a Southeast Learning Advisory Board member
• Volunteered as a Practice Office Reviewer to confirm project teams were following Deloitte policies and procedures
• Successfully completed a 2007 Sarbanes-Oxley AS5 PCAOB inspection with minimal audit comments
Skills
Auditing, Business Process Improvement, CISA, Enterprise Risk Management, Executive Reporting, Governance, Information Security, Information Security Management, Information Technology, Internal Audit, Internal Controls, IT Audit, KPI Reporting, Leadership, Management, NIST, Payment Card Industry Data Security Standard (PCI DSS), Phishing, Project Management, Risk Assessment, Risk Management, Sarbanes-Oxley, Sarbanes-Oxley Act, Security Awareness, Third Party Risk Management (TPRM), Enterprise Risk, Business Process
About
A proven information security and compliance director with over 20 years of experience and continued professional growth in various industries, including telecommunications and healthcare. A results-focused leader known for building solid relationships with teams and business partners across large complex organizations to align information security with business strategy. Excels in collaborative environments where employees are empowered to drive continuous improvement.