Richard J Barilla
Details
Master of Business Administration - MBA, Finance and Information Systems, New York University - Leonard N. Stern School of Business, 2002-2005
Ph.D. Program, Technology and Knowledge Management, Innovation, New York University - Polytechnic School of Engineering, 2010-2012
Doctor of Professional Studies (D.P.S.) in Computing, Computer and Information Systems Security / Information Assurance, Pace University, 2013-2020
Accountable for the Day-to-Day Operational Management of the Global IT Security Program and Technology / Infrastructure
Assembled a Distributed SIRT of Software and DevOps Engineers, Product Managers, Security, Privacy, Fraud Risk Analysts
Managed Security Operations, Governance Planning, Engineering Integrations, Security Metrics, and Risk (OKR / KPI / KRI)
Advised Executive Leadership on CCPA/GDPR Regulations, PCI-DSS Compliance, Cyber Insurance and Product Roadmaps
Executed 3rd Party Vendor Risk Assessments and Negotiated Vendor Contracts, MSAs, SOWs & Data Protection Agreements
Led Engineering & Threat Intelligence Meetings to Continuously Drive Infrastructure Scanning / Vulnerability Remediations
Resolved DMARC / SPF / DKIM Email Authentication Flows; Blocked Volumetric Web Attacks (DDoS) and API Abuse Patterns and Tactics
Benchmarked Application Security Controls vs. OWASP / CWE, PCI, BSIMM, MITRE, CIS 20, NIST CSF, SOC 2 Type II
Head of Fraud; Investigated Account Takeovers and Fraudulent Activity with Customer Service and Fraud Operations Teams
Vice President of Application Security Risk, MUFG, 2017-2019
Cyber Application Risk Team Lead for 2nd Line of Defense’s Information Risk Management
Application Risk Assessments, IT Security Controls, Cyber Policy, Procedures, and Standards
Benchmarked App Security Program vs. OWASP Top 10, BSIMM Framework, SANS/CIS Top 20
Partnered w/ Development for Application Coding Reviews and Bug, Defect Remediation Plans
Evaluated Software Security Tools for CI / CD Pipeline Integration
Created a DevSecOps Model and Awareness Culture, Authored Splunk SIEM Application Rules, Performed Risk Assessments & Prioritized Application Controls
Created a Development and Operations Remediation Process for Application Vulnerabilities
Maintained the Enterprise Information Security Application Risk Profile with DevSecOps Teams
Head of Information Security and PCI-DSS Compliance Program, Tourneau, 2016-2017
Chief Incident Responder and Technical ISO for Cyber Security Risks, Threats and Incidents
Evaluated and Deployed APT Detection, Anti-Malware, Endpoint Protection, Threat Intelligence, and FortiSIEM
Created Security Operations and Engineering with NETENG, SYSENG, Helpdesk, Retail Teams
Partnered with VP of Technology for Cyber Security Tabletop and Threat Hunting Exercises
Reverse Engineered Malware, Performed Forensics, and Remediated Exploitable Findings from Penetration Tests
Mentored the IT Leadership across Retail / Corporate Lines for Cyber Security Compliance
Vice President - GRC, ISO 27001 Policy and Program, Internal Audit & Risk Review, Citi, 2011-2015
Managed & Coordinated ISO 27001 Information Security Risk Operating Committee for GHIS
Validated the Cyber Intelligence Center’s Controls, Metrics, and Statistics on Emerging Threats
Peer-Reviewed with Regulatory & Legal on SOW Negotiations, Contracts, and 3rd Party SLAs
Identified Regional & Sector Control Gaps & Weakness for Information Security Governance
Enhanced Process Knowledge Sharing Between Information Risk and Compliance Groups
Generated Security Threat and Risk Landscape and Attack Campaigns to the Chief IS Officer
Conducted the Annual Global Perimeter Network Audit as Lead SME for Security Operations
Bolstered the 2011 Citi Funds Trading Review with Network Resiliency Scenarios and Mock-ups
Advised on Privacy and Electronic Messaging Retention Controls Required by SEC / GLBA / FSA
Assessed the Application Security Monitoring Posture in Support of E-Commerce / Mobile Reviews
Performed Gap Analyses with Internal Audit & Risk Control Groups vs. FFIEC / ISO 27001 / COBIT 5.0
Owner / Cyber Risk Specialist - Director, Antifragile Innovation LLC, 2013-2013
Information Security and Risk Management Program Development
Research Specialist - Privacy, Identity, Authentication, Non-Repudiation
3rd Party Relationship Management / Security Vendor Contract (Master / Service-Level / Data Processing Agreements) Redlining and Negotiations
Security Operations, Threat Intelligence, Vulnerability Remediation, Engineering Integrations, Data Governance and Budget Planning
Cloud, Social, Mobile, Internet of Things, Distributed & Open-Source Systems
Secure SDLC, Software Security Framework, Secure Controls Framework, CCPA / GDPR Controls Development
Manager of Security Technology and Engineering, Brown Brothers Harriman, 2007-2011
Established the Security Engineering & Operations Teams (Infrastructure, Vendors, Policy/Program)
Managed the Cyber Project Management & Security Department’s Budget (~$5 Million) for the ISM Technology Division
Created and Executed the Global Security Incident Response Team Charter as Lead Incident Handler and Cyber Threat Hunter
Project Led Cross-Teams of Information Assurance Specialists & Engineers Throughout the Security Development Lifecycle
Drafted Risk Management Centric Business Proposals Highlighting Security Controls & Countermeasures (NIST 800-53)
Architected the Product Roadmap for Security Event Management, Data Loss Prevention & Database Compliance Monitoring
Conducted Architectural Penetration Tests and Risk Assessments of Critical Client-Facing Applications and Internet Portals
Provided Subject Matter Expertise on Secure Software Artifacts Including Application Design, Coding, Testing, and Auditing
Performed Cost-Benefit Decision Analysis and Root Cause Analysis for Risk-Based IT Control Selection & Optimization
Created the Firm's 1st Software Security Group and Governance Model for Application Assurance and Risk Acceptance
Senior Security Operations Analyst, Lehman Brothers, 2005-2007
Led the 24x7 Incident Response Team as Subject Matter Expert on Malicious Code and Attacks
Engineered Change Controls, Process Improvement, Asset Management, and Access Control Policy
Managed the Vulnerability Management Program, Patch / Hotfix Deployment, and Zero-Day Threat Response
Operated the Firm's Behavioral Intrusion Detection System and Application Web Proxy Security Policy
Monitored Key Risk Indicators (KRIs) and Created Correlation Rules for SIEM and Behavioral IDS
Senior Malware and Security Researcher, Computer Associates, 2000-2005
Served as Last Line of Defense in Customer Response to Virus Infections and Network Worm Propagation
Researched Undocumented Internals of OS kernels, the Java Virtual Machine, and .NET CLR
Pinpointed Web and Application Vulnerabilities and Devised Exploits and Byte-pattern Signatures
Developed Internal White-hat CLI Security Tools and Virtualized Environments for Malicious Code
Reverse Engineered Viruses, Trojans, Worms with In-memory Disassembly Analyses of EXE / PE Files
Designed and Developed a Win32 CLI Console Antivirus System-Cure Tool and GUI in C++ / MFC
Triaged Malware Infections in Virtual Labs for Client Requests for Root Cause Analysis and Recovery
Skills
Applications and Infrastructure: DataGrail – Data Theorem – DataDome – Duo – Bromium – Slack – Tenable – Amazon AWS – Carbon Black – SonicWall – Google – WireShark – LastPass – Mimecast – VirtualBox – OpenPGP – OpenVPN – Datadog – ZenGRC – PKI – PerimeterX – Elastic – Graylog – Fastly VCL – Kali Linux – ZenDesk – Foxpass – KnowBe4 – Rapid7 – SentinelOne – Qualys – Ninjio – Palo Alto – Fiddler – Github – Sift Science – Splunk – Dmarcian – Synopsys – Forcepoint – Proofpoint – Kubernetes – BitSight – Sourcefire – Ping Identity – FortiNet – Metasploit – CrowdStrike – ServiceNow – Tanium – ZeroFOX – HackerOne – Microsoft – JIRA
Coding: Node.js | C | Java / J2EE | SQL / NoSQL | Python | PowerShell | Windows API | VPC | JSON | SAML / OAuth | REST / GraphQL
Certifications: CISSP (2006, exp.) ● CEH (Certified Ethical Hacker, 2006) ● CISM (2008, exp.) ● GREM (GIAC Reverse Engineering Malware, 2009) ● CSSLP (Certified Secure Software Lifecycle Professional, 2010, exp.) ● CFE (Certified Fraud Examiner, 2012) ● ITIL Foundations Service Management (2018) ● SANS SEC545 (Cloud Security Architecture & Operations, 2019)
Expertise: Non-Repudiation Trust Models, Asset-Based Risk Management, Metrics and Heuristics, Antifragile Systems, Complexity
About
CISM | CISSP | GREM (GIAC Reverse Engineering Malware)
CEH (Certified Ethical Hacker) | CFE (Certified Fraud Examiner, 12/2011)
CSSLP (Certified Secure Software Lifecycle Professional) | ITIL Core Foundations
--Professional Experience--
Leadership | Decision-Making | Data Protection | Privacy | Change, Identity, and Access Management | Project & Technical Program Management | Head of Engineering | Threat Intelligence-Defense-MITRE-Intrusion Prevention | Security Incident Response (CSIRT) / SIEM | Software Security, Application Security, Secure Systems SDLC | Business Operations | Vendor Evaluation | Contract Negotiations | Vulnerability and Configuration Management | Compliance, Audit, and Risk Management | Technology Governance | Data Loss Prevention | Asset Classification | Cryptography | Control Selection, Optimization, Risk Mitigation | Code Analysis / Reverse Engineering Malware | Attack & Threat Modeling / Penetration Testing | Exploitation | Antifragile and Complex Systems | Heuristics | Time Management
--Research / Academia--
Non-Repudiation and Authentication, Privacy, Anonymity, and Identity | Asset-Based Risk Management | Probability | Decentralized Trust Models | Cryptocurrency Algorithms | Internet of Things | Big Cyber Data Analytics | Blockchain Applications | Antifragile Systems
--Screenwriting--