CAROLYN RYLL, CISSP, CRISC, CDPSE, MBA, MSCS
Details
• Keynote Speaker for Wells Fargo Virtual Security Day 2021 (Emerging Risk) and Wells Fargo Virtual Security Day 2020 (Effective Risk Management).
• Chaired Wells Fargo Minneapolis Chapter of Women in Technology (WiT) (2-year term)
2014 : Present
Wells Fargo
VP/Information Security Leader, Software Security
Senior Security Manager, Ciber's Global Security Practice (Security Consulting Services)
Managed, built out, and implemented cross-domain information security risk examinations in multiple industries (financial services, healthcare, Federal, State and Local government, retail, education), helping clients secure critical information assets. Evaluated 40+ organizations ranging from small- to large-scale teams, assessing clients through Red Team exercises for applications, networks, and databases, physical pen testing, and social engineering; conducted control framework (NIST, HIPAA, ISO) assessments, security architecture reviews, security program assessments, and more.
• Involved in contracting/negotiations and proposal/statement-of-work (SOW) responses, contributing to closure of 25+ new deals.
• Aligned Ciber for expansion into new customer space, developing new evaluation processes to capitalize on cross-selling and delivery between Ciber's ERP (SAP, Lawson, Oracle) and Security strategic divisions. Enhanced Ciber's application security practices to include support for automated dynamic scanning and pen testing, improving the quality of service offerings.
• Keynote Speaker for Webinar "Securing Your Constituents and Institutional Information" hosted by Ciber Global; ERP Security by Example, Alliance Conference; ERP Security by Example, USM Regional Oracle/PeopleSoft Conference; Web Applications and Best Practices for Secure Web Apps, CCHE CIO Security Forum.
Security Manager, North America Operations
Led a virtually situated global team (US, India, Poland) as a direct report to the CISO. Built a new enterprise security program in compliance with Corporate and Federal standards (ISO/IEC 27001/27002, HIPAA, Safe Harbor, FERPA, PCI-DSS, NIST 800-53). Built a cross-border security framework spanning North America and Poland.
• Rolled out Archer's eGRC cloud platform (Policy, Compliance, Vendor, Risk, Enterprise Mgmt.) to streamline governance of the program through one centralized solution.
2004 : 2014
Ciber Global
Senior Security Manager
Information security management of governance, risk and compliance (GRC) for Deluxe Corporate and its subsidiaries and vendors in Canada, Ukraine, Ireland, the Philippines, China, and India, building out the function in compliance with Corporate and Federal standards and collaborating with Internal Audit, Legal, Privacy, Environmental Safety, HR, Finance, and Sourcing to reduce security risk for the Financial and SMB (small and medium-sized business) sectors.
Developed and managed enterprise information security GRC initiatives including:
• Regulatory Compliance including Sarbanes-Oxley (SOX), PCI-DSS (Payment Card Industry Data Security Standards), HIPAA (Health Insurance Portability and Accountability Act), FFIEC, Safe Harbor.
• Vendor Risk Management for new and continuing vendors, including due diligence reviews, contract evaluation (MSA/SOW/RFP), and standardized contract security language, extended to third-party and fourth-party vendors to limit risk introduced through unknown dependencies.
• Customer Risk Management including oversight of SSAE 16 SOC 2 evaluation efforts.
• Policies, Standards, Procedures definition and mapping to ISO/IEC 27001/27002, PCI DSS, FFIEC, GLBA and other applicable standards and regulations with adherence to Federal and State Laws and contract requirements.
• New Acquisition security governance integration to enable a secure on-boarding process.
• Security training and awareness across all functions and levels of Deluxe.
• Secure Software Development Lifecycle (Secure SDLC) definition mapping to BSIMM, NIST, OWASP, SANS/CWE.
• Records Information Management onsite and offsite secure destruction process.
• Archer eGRC rollout (Policy, Compliance, Vendor, Risk, proprietary Records Information Management) (Winner of RSA Archer 2012 Innovation Award).
• Collaborated with Enterprise Risk Council (ERC); Privacy Council; Incident Response Working Group; Vendor Governance Sub-Committee of the ERC; Data Center Integration Working Group.
2010 : 2012
Deluxe Corporation
Director of Security Governance, Risk and Compliance (GRC)
Built the foundation of the Clinical Care Systems Product Security Department, structuring it in compliance with both Corporate and Federal governance, increasing regulatory compliance and improving public perception while reducing risk in critical clinical care systems.
• Collaborated with the Product Security Officer and key stakeholders across the clinical care business unit to develop a Product Security Risk Assessment methodology and training, adapting risk assessment methods to the unique challenges of product security in the healthcare industry and mapping governance controls of FDA, HIPAA, BS7799, and ISO/IEC 17799 using SEI's OCTAVE threat modeling and NIST risk management guidelines.
• Built a product security incident and risk response team and related procedures that work proactively through deep-dive security industry analysis and research, with weekly collaboration on findings, improving FDA-restricted response times.
• Analyzed security architecture and performed forensics on medical systems, embedded applications, and web servers, designing secure remediation strategies.
• Published security documentation and white papers for medical devices in the form of SSAAs (System Security Authorization Agreements) that enabled completion of the DIACAP process for federal customers' C&A activities.
2003 : 2004
Philips Medical Systems (Consultant)
Managing Product Security Consultant, Medical Devices
Analyzed and designed a customer care and billing system for cable operators, multi-service operators, and ISPs. Tools and technologies: Rational Rose, RUP, UML, Visio, C++, Sun Solaris (UNIX), Windows 2000, SQL, Oracle, CMM.
2001 : 2002
CSG Systems, Inc.
Business Systems Analyst
About
Trustworthy, collaborative and innovative information security and risk management leader. Extensive experience building successful small- to large-scale teams in physical and virtual settings, driving key initiatives, and facilitating critical change for multi-million-dollar and multi-billion-dollar organizations. Highly adaptable, with a strong record of success across industries in auditing, delivering, and enhancing comprehensive cybersecurity architecture frameworks. Adept at identifying needs, constraints, process improvements, and opportunities. Influences leadership and culture while supporting business needs, progressing company objectives, building the value proposition, and developing differentiated offerings and scalable solutions.
• Built out and led new Validation Review unit, Integrated Risk Management function, Malicious Code Detection capability, Mergers/Acquisitions review capability, Divestiture review capability, Machine Learning function oriented to SAST analysis, and process improvements to automate previously manual methodologies, to protect Wells Fargo’s most critical applications and sensitive information from insider threat and external digital attacks.
• Built out and led a new enterprise information Governance, Risk and Compliance unit to reduce security risk for the Financial and SMB (small and medium-sized business) sectors at Deluxe Corp.
• Built the foundation of the Philips Healthcare Clinical Care Systems Product Security Department, structuring it in compliance with Corporate and Federal governance for critical clinical care systems.
• Evaluated 40+ organizations ranging from small- to large-scale teams, assessing clients through Red Team exercises for applications, networks, and databases, physical pen testing, and social engineering; conducted policy framework and control framework (NIST, HIPAA, ISO, etc.) assessments, security architecture reviews, comprehensive security program assessments, and more.
Skills:
Strategic Planning | Leadership & Motivation | Talent Management
Team Development | Coaching & Mentorship | DE&I Enablers
Management & Governance | Performance Metrics | Program Development
Organizational Restructuring | Change Management | Cross-functional Collaboration
Budgeting | Forecasting | Negotiation & Deal Structuring | Cost Control
Compliance | Information Security | Application Security | Vulnerability & Threat Management
Control Mapping | Risk Assessment | Threat Modeling | Risk Management | Risk Mitigation
Operational Risk | Customer Risk | Merger, Acquisition & Divestiture Risk | Third Party & Fourth Party Vendor Risk