Don McKeown
Information Security Architecture & Consulting
Burlington, MA, United States
Details
Education:
Post-baccalaureate certificate
Business
The Wharton School
BA
Major: Psychology; Minor: Business Administration
La Salle University
MBA
Bentley University
Bentley College - Elkin B. McCallum Graduate School of Business
Experience:
2022 : Present
Viatris
Manager, Information Security Architecture
- Built the CE threat modeling program. Key accomplishments include: developed and teaches a threat modeling course; rolled out an enterprise-grade threat modeling tool (IriusRisk) that utilizes SSO and integrates with Jira; collaborated with IriusRisk to create a custom questionnaire to set required threats/countermeasures from the ASVS.
- Primary author of the first Wolters Kluwer threat modeling standard.
- Maturing CI/CD code scanning (static code analysis, open-source scanning). Key improvements include collaborating on automating the creation of Jira tickets for findings and dashboards for senior management. In addition, I used code defect metrics to drive educational and remediation efforts.
- Runs and is maturing the Security Champion program, which is a group of twenty engineers that serve as security consultants for their teams.
- Taught a course in static code analysis.
- Consults for technical and business teams across a wide range of teams and technologies. Examples include: assisted teams with assessing compliance with the key management standard; implemented MFA for AWS; consulted on a security bastion host architecture; advised on purchasing an enterprise password manager; advised on a variety of access management issues.
- As a member of the Wolters Kluwer Application Security Task Force, I advised on application security initiatives and standards.
- Conducted vulnerability scanning; helped teams interpret findings and advised on remediation.
- Managed pen testing; assisted Engineering teams with scoping tests and interpreting results.
2018 : 2022
Wolters Kluwer Health
Information Security Manager
- Conducted annual risk assessments.
- Drafted a new, comprehensive set of security policies; led the organizational review and approval process; collaborated with the Communication team to publish policies on the Intranet.
- Collected all evidence required for LogMeIn's first SOC2 Type 1 attestation.
- Consulted with Sales regarding security queries from current and prospective customers.
2016 : 2018
LogMeIn
Senior Information Security Risk Analyst
Program Management:
- Developed policy and process for an enterprise-wide application and infrastructure penetration testing program to ensure that stakeholders understood roles and responsibilities, that all findings were addressed in a timely manner, and that lessons learned were integrated into the risk management system.
- Managed annual penetration testing.
- Developed incident metrics based on the VERIS framework.
- Guided the implementation of a system to manage Java versions on endpoints; offered users the option to remove Java, upgrade to latest version, or request a previous version.
- Wrote a high-level plan to implement data leakage prevention (DLP).
Risk Management:
- Ran the information risk management lifecycle.
- Revised risk assessment procedure to obtain more accurate and consistent likelihood scores.
- Consulted with technical and business stakeholders on risks in new information system implementations.
- Analyzed external and internal incident data to produce threat profiles; reported analysis to the executive information security committee.
End User Awareness:
- Conducted end user awareness training; contributed to regular revision of training materials.
- Replaced the existing annual required employee information security training with new training (SANS Securing the Human) that taught employees more relevant, realistic threat scenarios.
Information Security Governance:
- Developed Information Security Management System (ISMS) policy based on ISO 27001.
- Revised the ISMS policy to drive the program from a compliance-based to a risk-based security program.
- Prepared and delivered periodic security reviews to the executive information security committee.
- Annually revised key program-level policies.
2012 : 2016
athenahealth
Senior Information Security Program Analyst
Wrote an ISO 27001 information security management system (ISMS) to formalize governance, organizational responsibilities, risk management, and a continuous improvement process.
Researched information security measurement.
2012 : 2012
athenahealth
Intern, Information Security Services
Company:
Viatris
Years of Experience:
24
Skills
Business Process, CISSP, HITRUST, Information Security, Information Technology, ISO 27001, MBA, Project Management
About
Seasoned, broadly experienced information security leader with expertise in consulting, training, policy/standards development, application security, vulnerability management, risk management, governance, and compliance; experience with maturing security programs in fast-growing healthcare and technology companies; relentlessly seeks to learn and grow.
Security management | leadership | cybersecurity | DevSecOps