Marc Menninger, CISSP, CRISC
Details
Mathematics and Computer Science
University of Tampa
1988 : 1991
AstrumU®
Information Security Officer
ISACA Puget Sound Chapter
President
2023 :
I am privileged to serve as the President of the Puget Sound Chapter of ISACA, an international organization of information security and audit professionals. Our chapter has more than 1000 members in the Puget Sound area, and we meet monthly from September through May.
A Place for Mom
Director of Cybersecurity
2019 : 2023
Led the implementation of the first enterprise-wide cybersecurity program.
• Developed the annual budget and championed security initiatives including user training and awareness, multi-factor authentication, endpoint encryption, and other security technologies; wrote and published security policies, standards, and procedures.
• Planned and managed security department processes and practices to align with business goals and objectives.
• Instituted and chaired the Information Security Steering Committee (ISSC) consisting of company executives and directors.
• Implemented DevSecOps processes and practices to integrate security throughout the product and operations lifecycles.
• Provided coaching, direction, and leadership support to team members to achieve business results and improve security.
• Chaired corporate Coronavirus Pandemic Response Team to ensure timely and appropriate actions were taken by the company to protect people and business.
Lighthouse eDiscovery
Senior IT Security Manager
2014 : 2019
Responsible for all aspects of information security including strategy, policies, governance, technology, risk management, and team development. Built an ISO 27001-compliant information security program to continuously improve Lighthouse's security posture. Achieved ISO 27001, HIPAA, and SOC 2 Type 2 third-party certifications of the security program. Provided guidance and counsel to the CIO and led all IT security-related projects. Identified and recommended solutions to mitigate enterprise risks. Partnered with IT operations teams and business leaders on security initiatives.
• Recruited and managed security team (security engineer, security analyst, and compliance analyst) responsible for implementing, monitoring, and maintaining enterprise security
• Drove the completion of the Business Impact Analysis (BIA), working with business leaders to identify and prioritize key business functions
• Implemented first LMS-based awareness training, leading the company to 100% completion of security awareness training
• Wrote Business Continuity and Disaster Recovery Plans in conjunction with IT and other business leaders
• Managed security budgets and vendor relationships
• Provided security training to new hires and mentorship to staff who expressed an interest in security
• Conducted enterprise risk assessments and delivered findings to steering committee
• Cultivated a culture of security awareness and mindfulness across the enterprise
PEMCO
Information Security Risk Manager
2004 : 2014
Responsible for security program governance, benchmarking, and analytics. Developed, implemented, and validated PEMCO's Security Incident Response Plan. Led the vulnerability management and enterprise security training programs.
• Wrote corporate information security policies and standards in alignment with business strategies and objectives
• Coordinated with executives and business units prior to the roll-out of PEMCO's first Acceptable Use Policy (AUP) to help create broad support for the policy
• Led initiative to create the first dataflow diagram identifying how customer private information flowed through systems and whether applied security controls complied with the Payment Card Industry Data Security Standard (PCI DSS)
• Implemented and maintained the enterprise security awareness and training program leveraging an online learning management system (LMS)
• Led CompTIA Security+ training courses—helped 14 employees get their Security+ certifications
Skills
Business Continuity, Business Intelligence, Business Strategy, Certified in Risk and Information Systems Control (CRISC), CISSP, Cloud Security, Computer Security, Consulting, Cybersecurity, Data Center, Data Security, Director of Information Security, Disaster Recovery, Enterprise Risk Management, Enterprise Software, Entrepreneurship, Executive Management, Firewalls, Governance, Incident Response, Information Security, Information Security Management, Information Technology, ISO 27001, IT Management, IT Strategy, Leadership, Management, Mentoring, Networking, Network Security, PCI DSS, Penetration Testing, Program Management, Project Management, Public Speaking, Risk Assessment, Risk Management, Security, Security Audits, Security Awareness, Security Information and Event Management (SIEM), Security Management, Security Policy, SEO, Strategic Planning, Threat & Vulnerability Management, Training, Vulnerability Assessment, Vulnerability Management
About
Security leader with 15+ years of practical enterprise security experience including strategy, policies, governance, technology, risk management, and team development. I have a proven track record of success in strengthening the security posture of the organizations that I serve.
KEY ACCOMPLISHMENTS
• Planned, developed, and implemented company-wide information security program from scratch based on ISO 27001 security framework
• Led successful completion of multiple third-party penetration tests and ISO 27001, HIPAA, and SOC 2 Type 2 audits
• Wrote and implemented new information security policies, procedures, and standards in alignment with ISO 27001
• Instituted and chaired the Information Security Steering Committees (ISSC) consisting of company executives and directors
• Directed the implementation of the company's first Security Information and Event Management (SIEM) system
CERTIFICATIONS & ASSOCIATIONS
• Certified Information Systems Security Professional (CISSP) since 2000
• Certified in Risk and Information Systems Control (CRISC)
• ISACA Board Member
• Seattle SecureWorld Expo Advisory Council
• Rotary International member since 2008
INDUSTRY EXPERIENCE
• Federal, financial, and technology background
• ISO 27001-aligned information security program development and management
• Security project management
• Governance, Risk and Compliance (GRC)
• ISO 27001, PCI DSS, SOC 2, HIPAA, FedRAMP, and GLBA compliance gap analysis
• Security policy and standards development
• Vulnerability management
• Network security audit and assessment
• Security training and awareness