Carl Almond's Resume

Carl Almond
Tampa, Florida
carl@carl.net | carl.net | LinkedIn

SUMMARY

Global security leader enabling the secure strategic transformation of the world's top companies. Through consistently executing global initiatives across thousands of clients that drive security and privacy, enabling secure organizational growth and profitability, realizing significant measurable improvements to security and privacy, leading global teams to top performance, achieving technological innovation, and producing industry-leading secure client experiences. Leveraging my 20+ years of experience to drive the implementation of initiatives across two billion dollars yearly in direct customer projects in 28 countries, verticals including financial, insurance, banking, medical, health and life sciences, utilities, oil and gas, retail, manufacturing, electronics, satellite, service providers, payroll, legal, and government.

 SKILLS

Secure Software Development | PaaS, SaaS, IaaS | Security Frameworks including ISO 27001, SOX, NIST-CSF, CIS, COBIT, PCI-DSS, OWASP, HIPAA | Incident Response | Data Breach Remediation | Risk Analysis and Risk Management | Vendor / Client Portfolio Management | Security Architecture | AI Security | Cybersecurity | Audit and Assessment | Business Continuity | Strategic & Operational Planning |Mergers, Acquisitions, and Integration | Business Process Reengineering | Automation | Organizational Change Leadership | Collaborative Business Relationships

 SELECTED ACHIEVEMENTS

• Led the creation of our Secure Software Development Lifecycle (SDLC) Policy covering all internal and external application development.
• Regularly defend the organization and clients from private and nation-state actors by identifying, responding to, and mitigating security incidents.
• Define and ensure the implementation of security requirements for all Application development and infrastructure work globally, including SaaS, PaaS, IaaS, hybrid, and onsite.
• Apply baseline security to all cloud-based platforms.
• Certified the organization and the CDP program under ISO 27001, effectively running two separate ISMS.
• Architected, built, and defended an internet voting system for the US DOD, providing secure and anonymous registration and voting to US military and overseas citizens.
• Act as CISO and CSO for multiple clients and lead the Area ISO program globally.
• Wrote the organization's first cloud computing security white paper.

 PROFESSIONAL EXPERIENCE

Avanade, Tampa, Florida                                                                                                                                  07/2011 – Current

Sr. Director Asset and Data Protection / Client Security

Lead a 59-person global security team operating in 28 countries, protecting the organization's 50,000 employees and 2 billion in client revenue. Strategic programs I lead include:  

• Client Data Protection (CDP) – CDP implements an ISO 27001 certified Information Security Management System (ISMS) on over 500 client engagements (including Application Development, Infrastructure, Outsourcing, Cloud Technologies (SaaS, IaaS, PaaS), and IT security), ensuring that all aspects of people, processes, and technology are delivered securely to our clients with a strong emphasis on secure application development including mandated static code analysis. CDP also helps the organization meet our regulatory compliance requirements globally by providing strong cyber security to every client project.
• Avanade Asset Protection (AAP) – AAP provides a central reporting location for all incidents of all types globally for all 50,000 employees and clients. The team handles incident intake, triage, management, and closure. If the incident is client-related, the team works with the client team to ensure the incident is resolved, the client is happy with the resolution, and any lessons learned are worked back into the global CDP program to protect the entire organization.
• Client Security (GCIS) – Provide a one-stop shop for all internal and client questions regarding security and privacy. Answer client security questionnaires and audit requests from 60 percent of our clients. Develop policies, including our SDLC policy, Data Security policy, and related standard operating procedures (SOP).
• ISO Program – Lead the Area ISO program, providing field CISOs to each Area. Each field CISO is entrusted with representing the organization and the global CISO to our clients and leading security within their Area.
• Security Posture Scorecard (SPS) – SPS secures all of our cloud infrastructure globally by using industry-leading tools to measure the security compliance of each cloud instance and its sub-components. Known vulnerabilities are identified (vulnerability assessments) and remediated to reduce the overall risk to Avanade and our clients using multiple security tools (SEIM, IDS/IPS, firewalls, WAF, EDR/MDR/XDR, IRM, AV, penetration testing/remediation tools).
• Business Continuity Program (BCP) – Lead the Avanade BCP program, providing resiliency for the entire organization, including establishing and operating Business Impact Analysis (BIA), yearly business continuity planning, risk assessment, and continuity strategy for the business as a whole and the parts deemed strategically necessary. Client BC plans are included in this program but are operated under CDP.
• Disaster Recovery program (DR) – Lead the global DR program as a component of the BCP program. Manage and operate our DR program for our internal and cloud-based IT.
• M&A Security – Assess the security as part of the early Mergers and Acquisitions (M&A) process. After purchase, mitigate the issues found as part of the assessment stage. Set the security standards required for all new M&A targets.
• Physical Security – Lead the physical security program at the organization, including badge readers, badges, door locks, office design, location assessments, guards, and emergency response.
• Executive Protection – Lead the Executive Protection program, providing proactive risk analysis of executive locations, travel, and reactive solutions/protection strategies as needed. Assess which executives need protection based on their risk profiles and organizational value.
• Health and Safety – Lead the Global Health and Safety program, providing for the assessment of hazards to employees, correcting hazards, providing training and education, establishing policies and procedures, incident investigation, reporting on accidents, and ensuring compliance with regulations.
• Information Security Management System (ISMS) – Led the establishment of our first ISMS and GRC program globally, including getting the organization and our CDP program certified under ISO 27001, setting up our first risk management program and our first vendor management program, and establishing policies to drive our overall security stance internally and on client-facing projects.
• HIPAA – Built out the organization's first HIPAA compliance program for the organization and our client projects in conjunction with our privacy attorneys and acted as the organization's first HIPAA Security Official.
• Internal Security Operations/SOC – One year stint leading the internal security operations team. Providing management of the security of our IT infrastructure and related components (SIEM, Intrusion Detection systems (IDS)/Intrusion Prevention systems (IPS), firewalls, WAF, EDR, MDR/XDR, IRM, AntiVirus (AV), vulnerability assessment/penetration testing/remediation tools, and data loss prevention (DLP)).

Avanade, Tampa, Florida                                                                                                                                  03/2010 – 06/2011

Sr. Director ASR

Determine the issues surrounding Avanade's Short-Term Resources (ASR) workforce and redesign the service in response to strategic business objectives and in partnership with Human Resources (HR). Develop hiring processes and procedures (resource management / resource allocation / performance evaluations) to allow the organization to fulfill the North American consulting practices' need for short-term consultants. Manage/supervise 50 direct reports and from 150 to 300 contractors. Oversee the recruiting function to provide short-term workers to the business as needed.

Avanade, Tampa, Florida                                                                                                                                  11/2001 –02/2010

Sr. Director Americas Security Practice

Provide direction for the Americas Avanade security organization. Activities include determining the client's need for security solutions and then working to create and communicate those solutions, securing client information assets based on the organization's requirements, IT governance, and providing internal and external security training. Projects include working with client executive leadership to understand how IT can facilitate their business goals, mentoring client's teams, acting as the Chief Security Officer (CSO/CISO) for organizations in transition, helping clients understand and implement security governance, perform risk assessments, creating organizational security best practices, develop security policies, assess and enhance IT operations, secure system architecture design, assessment of Information Technology infrastructures and network security, network infrastructure redesign, design/implementation of new secure infrastructures, policy design and compliance, operations management improvements to increase the overall security stance, Identity and Access Management (IAM) projects, and vulnerability and security assessments. Management duties include mentoring technologists, developing the careers of direct reports, client satisfaction, developing and managing vendor relationships, assisting sales through the acquisition of clients, and creating statements of work.

Thrupoint, Tampa, Florida / Brussels, Belgium / Edinburgh, Scottland                                           03/2000 – 10/2001

Senior Internetwork Solutions Engineer

Design, secure, and install clients' Internetwork infrastructure projects. Including the roles of Lead Designer/Technician, Lead Security Engineer, project manager, and educator.     

• Re-architect the network and security design for the largest satellite network operator in Europe.
• Redesign and implement the network of one of the largest banks in the UK.
• Redesign the IP and routing architecture of the largest intercontinental backbone network provider in the world.
• Architect and deploy the infrastructure for a large financial services startup.

 EDUCATION

Master of Science in Information Technology
American Public University, Charles Town, West Virginia
graduated 2017

Bachelor of Science in Information Technology
Capella University, Minneapolis, MN
graduated 2009

CERTIFICATIONS

C|CISO – Certified Chief Information Security officer
CISM – Certified Information Security Manager
CISSP – Certified Information Systems Security Professional
CEH – Certified Ethical Hacker
CISA – Certified Information Systems Auditor
CRISC – Certified in Risk and Information Systems Control
CCFE – Certified Computer Forensics Examiner
GCFE – GIAC Certified Forensics Examiner
CHFI – Computer Hacking Forensics Investigator
CASP+ – CompTIA Advanced Security Practitioner
SSCP – Systems Security Certified Practitioner
CCSP – Certified Cloud Security Professional
PECB ISO 27001 Lead Auditor
PECB ISO 27001 Lead Implementer
PECB ISO 27005 Lead Risk Manager
CAISP – Certified AI Security Practitioner

MEMBERSHIPS

FBI InfraGard
Information Systems Audit and Control Association (ISACA)
International Information System Security Certification Consortium (ISC2)
International Association of Computer Investigative Specialists (IACIS)
Information System Security Association (ISSA)
American Society for Industrial Security (ASIS)
Florida Association of Licensed Investigators (FALI)

 PATENTS

US20060041516 – Dynamic auditing of electronic elections
US20060041514 – Secure internet transactions on unsecured computers
US20060031116 – Fully electronic identity authentication