- Optimized compliance processes and reduced audit preparation time.
- Coordinated annual audit plans with internal and external auditors, successfully achieving certifications such as FedRAMP, ISO 27001, and SOC2, maintaining 100% compliance.
- Acted as the security lead for IT and business projects, ensuring the integration of NIST 800-171, ISO 27001, and SOC2 security frameworks into project lifecycles.
- Streamlined the approval process for significant change requests by developing and managing documentation.
- Achieved a first-pass success rate in audit submissions by gathering, assessing, and mapping evidence to compliance standards.
- Enhanced security controls by supporting third-party assessments and managing remediation tasks.
- Ensured all departments met stringent federal standards for FedRAMP compliance, contributing to an increase in customer trust.
- Contributed to revenue growth through strong compliance assurances, supporting sales and customer activities such as RFPs, contracts, and assessments.
Driving Growth Through Trust: Transforming Sales with Safebase.io Implementation
As Senior Security Compliance Engineer, I led the transformation of the Security Sales Enablement Pipeline:
- (Challenge) In 2021, we faced growing complexity in managing customer trust and compliance documentation, with increasing demands for transparency. The manual process for sharing security documents caused delays, impacting our ability to close deals quickly and maintain competitive growth.
- (Context) I collaborated with Security, Sales, and Legal teams to address the issue. Close cooperation was essential, as each played a key role in delivering the needed transparency. As we scaled, rising client inquiries made manual processes unsustainable.
- (Action) I implemented Safebase.io, an automated platform for sharing our Trust Center and security documents in one place. This let clients access needed documents easily, reducing sales friction. I worked with Security and Sales to ensure the platform provided up-to-date, compliant reports like SOC 2 and ISO 27001. We tracked engagement metrics to assess effectiveness and made updates based on feedback.
- (Result) The implementation of Safebase.io dramatically streamlined our document sharing process and improved deal velocity, resulting in year-over-year growth in security-impacted revenue (customers using Safebase) and customer engagement metrics:
- In 2021, we secured $863K from 107 deals, averaging $8,068 per deal.
- In 2022, we increased this to $1.46M, with an average of $13,800 across 106 deals.
- In 2023, $1.9M from 146 deals, reflecting strong growth in volume and revenue.
- In 2024 (as of October), we have already reached $1.92M across 152 won deals.
- Document engagements surged from 52 in 2021 to 513 in 2022, then to 2,190 in 2024.
Mitigating Risk with Precision: Reducing Vulnerabilities for Enhanced Security Compliance
As Senior Security Compliance Engineer, I led a comprehensive vulnerability remediation initiative under the TX-RAMP compliance framework:
- (Challenge) In July 2024, I was tasked with improving the security posture of our organization as part of the TX-RAMP Plan of Action and Milestones (POAM) initiative. At the start of the process, we identified 214 open vulnerabilities, including 91 high and critical vulnerabilities that posed significant risk to operations.
- (Context) I collaborated with cross-functional teams, including IT security, compliance, and operational departments, in an environment requiring stringent adherence to state-level compliance standards. Our goal was to remediate vulnerabilities without disrupting service delivery or exceeding budgetary constraints.
- (Action) I spearheaded a comprehensive remediation strategy by prioritizing vulnerabilities based on risk impact. My approach included coordinating remediation tasks, assigning clear ownership, and integrating automated tools to monitor progress. I implemented weekly review sessions to ensure transparency, providing leadership with real-time insights on our progress. I also ensured that teams had the resources and guidance needed to meet aggressive remediation deadlines.
- (Result)
- By October 2024, we successfully reduced the total number of open vulnerabilities from 214 in July to just 1 in October.
- Notably, we achieved a 100% reduction in high and critical vulnerabilities, completely eliminating the 91 high-risk items identified in July.
- This outcome substantially improved our compliance standing with TX-RAMP and strengthened our organization’s overall risk management posture.
From Chaos to Clarity: Streamlining Evidence Collection for Framework Compliance
As Senior Security Compliance Engineer, I spearheaded the creation of AuditBuddy, an automated solution for evidence collection and management designed to fill critical gaps left by existing compliance tools:
- (Challenge) As our organization scaled, we faced increasing challenges in collecting and managing compliance evidence across multiple cloud platforms and security tools. Traditional tools like Vanta fell short in gathering certain evidence types, particularly for frameworks like FedRAMP and CIS. This gap hindered our ability to maintain continuous compliance transparency and traceability, while also making audits more labor-intensive.
- (Context) I led the development of AuditBuddy, an open-source tool designed to automate the collection, management, and tracking of compliance evidence. I worked closely with security, DevOps, and compliance teams to design a solution capable of gathering evidence that existing tools were not built to collect, such as complex data from cloud platforms and security configurations.
- (Action) I built AuditBuddy to automate evidence collection using APIs and SDKs from various cloud providers and security tools. The system integrates into CI/CD pipelines, allowing users to specify their target framework (e.g., FedRAMP, CIS) in a GitHub Action workflow. I developed control mapping logic to dynamically determine the type of evidence needed based on the framework and control being assessed. This data is extracted, formatted into populations, configurations, rules, and samples, and committed to the repository for full traceability and transparency during audits. The tool also ensures that evidence is continuously updated and available for audits, reducing manual interventions.
- (Result) The implementation of AuditBuddy streamlined the evidence collection process, closing the gap left by tools like Vanta. It significantly reduced the time spent on manual evidence collection, while enhancing audit transparency and traceability. By providing automated evidence collection and formatting, we ensured that compliance data was consistently accurate and readily available, improving overall audit readiness and compliance standing across frameworks.
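The control-mapping and evidence-formatting flow described above, as an added illustration that is not AuditBuddy's own code: a (framework, control) to evidence-kind planner, a deterministic sampler so auditors can see the sample was not hand-picked, and a bundle builder that digests each artifact for traceability. The control IDs, evidence kinds and helper names are assumptions made for this example.

```python
"""Added example (not AuditBuddy's code): evidence planning and bundling."""
import hashlib
import json

# Constructed mapping for the example: which evidence kinds each control needs.
EVIDENCE_MAP = {
    ("FedRAMP", "AC-2"): ["population", "configuration", "sample"],
    ("CIS", "5.2"): ["configuration", "rule"],
}


def plan_evidence(framework, control):
    """Return the evidence kinds to collect, or fail loudly for an unmapped control."""
    try:
        return list(EVIDENCE_MAP[(framework, control)])
    except KeyError:
        raise KeyError(f"no evidence mapping for {framework} {control}")


def digest(artifact):
    """Stable SHA-256 over canonical JSON, so a committed file ties back to the audit."""
    return hashlib.sha256(json.dumps(artifact, sort_keys=True).encode()).hexdigest()


def select_sample(population, size, period):
    """Pick `size` items reproducibly for an audit period by ordering on a keyed hash."""
    keyed = sorted(population,
                   key=lambda item: hashlib.sha256(f"{period}:{item}".encode()).hexdigest())
    return keyed[:size]


def build_bundle(framework, control, period, population=None,
                 configuration=None, rules=None, sample_size=0):
    """Assemble the artifacts the plan asks for; a missing required input is an error."""
    bundle = {"framework": framework, "control": control,
              "period": period, "artifacts": {}}
    sources = {"population": population, "configuration": configuration, "rule": rules}
    for kind in plan_evidence(framework, control):
        if kind == "sample":
            data = select_sample(population or [], sample_size, period)
        else:
            data = sources[kind]
        if data is None:
            raise ValueError(f"missing {kind} evidence for {framework} {control}")
        bundle["artifacts"][kind] = {"data": data, "sha256": digest(data)}
    return bundle
```

The returned bundle is what a workflow step would serialize and commit; re-running it for the same period yields the same sample and digests.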