
Melissa Dyer, CISM

Northborough, MA

Summary

20+ years of progressive leadership roles within Cyber Security, Information Technology, Information Security, Privacy, Risk & Compliance, and IT Management. Self-motivated, strategic enabler with a proven track record of building high-performing security teams for Global firms, as well as development and implementation of strategically aligned, comprehensive enterprise information security programs (SecOps, Engineering, Vulnerability Management, and proactive threat detection, Privacy, Third-party risk, Business Continuity, Regulatory Compliance, Security Awareness, and Identity Management). With a majority of my career in highly regulated industries, such as financial services, and inclusive of federally funded government compliance at Higher Ed institutions (CMMC, FISMA, FedRAMP, DFARS). Repeated success in strategic relationships with vendors and resource planning (financial, operational, and technical) to ensure operational excellence and deliver successful strategic or operational projects. Proven record of building strategic partnerships across all levels of the firm or institution in support of the mission of the organization and IT/Information Security programs, and adept at communicating at any and all levels of the organization. Knowledgeable IT security professional with several years of experience designing and implementing security solutions in high-availability environments. Skilled in threat detection and incident response, as well as adept at delivering strong risk management practices to safeguard sensitive information and systems integrity.

Overview

24 years of professional experience
1 Certification

Work History

GLOBAL DIRECTOR – INFORMATION SECURITY, PRIVACY & IDENTITY MANAGEMENT (Acting Deputy CISO)

Northeastern University
Boston, MA
04.2022 - Current
  • Responsible for oversight of Identity and Access Management (IAM), Security Operations, Training & Awareness, Incident Response/SOC, Research Compliance, Consulting, and Privacy for the Global University
  • Building trust within the community, providing Security and Identity Management services that are secure, efficient, and frictionless, and meet the business needs of the growing University Community.
  • Provide strategic direction and establish multi-year roadmaps that shape the future of Information Security, Privacy, and Identity Management services.
  • Provide leadership and mentoring to a team of 20+ Security and Identity Management professionals, and team/program managers as direct reports and dotted line collaborators.
  • Serve as Deputy CISO when the Chief Information Security Officer is absent or unavailable, to ensure continuity of leadership across the Office of Information Security.
  • Position myself as a champion and change agent to promote the technological, policy, and organizational changes needed to secure a growing network and infrastructure, building resilience, and fostering innovation and adaptability within a complex, changing, and maturing environment.
  • Establish and sustain partnerships with peers and executive leadership within Information Technology, other schools within the University, and across technical and administrative teams within all mission areas, such as Research, Teaching and Education, Faculty Affairs, and Administrative Services.
  • Direct Interface with Northeastern Police Department, external law enforcement, local, and federal agencies for reported incidents and investigations.
  • Manage departmental budget, develop Business Cases in alignment with strategic roadmap, and obtain approval and funding from the Executive Finance Team.
  • Engage vendors in support of technical project support, as well as Managed Service Contracts.

IT PROGRAM MANAGER - INFORMATION SECURITY AND INFRASTRUCTURE

Harvard Medical School
Boston, MA
10.2019 - 04.2022
  • Partnership & collaboration with CISO, as well as Deputy CIO, and CIO, to set strategic direction, design solutions and provide direct leadership of large scale, complex projects within a portfolio of Infrastructure, Digital Transformative, and Information Security & Compliance initiatives with school-wide and/or university-wide community impact
  • Delivery of a comprehensive School information security and data privacy defense-in-depth strategy that protects information assets, aligns with and supports risk posture, and meets applicable compliance and regulatory requirements
  • Manage all aspects of the project portfolio throughout project lifecycles to ensure completion within the defined scope, quality, time, and cost restraints.
  • Annual and multiyear Infrastructure and Information Security capital planning for Information Security and Infrastructure program strategic initiatives.
  • Established and sustained partnerships with peers and executive leadership within Harvard Medical, Harvard Central University and other schools within the University to successfully advance Security, Identity and Infrastructure initiatives
  • Information Security and Data Privacy policy development
  • Assessed and improved operational processes to sustain infrastructure and security program objectives, as well as ensure the adoption of new policy, processes or technology
  • Facilitation of steering and executive governance committees, leveraging discussions for decision-making, approval of Security Policy, change management, and communications requirements.
  • Development and dissemination of executive-level reporting, information security compliance metrics, which measure the school's achievement of Dean and/or Provost direction and requirements.
  • Management of a team, including recruitment, development, and mentoring; performance management; and promotion of an inclusive and innovative work environment.
  • Direct support of Information Security remediation activity tracking and associated metrics for Vulnerability, Patch, and Threat Management activities, and efforts for elimination of infrastructure technology debt (EOL/EOS assets).

VICE PRESIDENT, ENTERPRISE BUSINESS SERVICES - PROCUREMENT & SOURCING TECHNOLOGY OPERATIONS

State Street Corporation
Quincy, MA
07.2018 - 10.2019
  • Utilized control frameworks to assess IT processes and technology to analyze gaps in enterprise-wide controls, and worked across various levels and teams to develop roadmaps that reduce or remediate control gaps.
  • Ensured continuous process improvement initiatives by implementing Lean and Agile principles.
  • Enforced a global follow-the-sun operations model relating to procurement operations, third-party risk processes, and policies.
  • Ensured compliance with data privacy and regional regulatory requirements while engaging with EMEA and APAC outsourcing offices to identify and mitigate risks for all projects.
  • Streamlined processes and accomplished up to 30% reduction in average cycle time for vendor risk reviews.
  • Managed multiple large-scale, cross-functional project teams.
  • Successfully led global digital transformation and cloud security initiatives.

VICE PRESIDENT | PROGRAM MANAGER, GLOBAL TECHNOLOGY SERVICES - SECURITY ENGINEERING

State Street Corporation
Quincy, MA
11.2015 - 07.2018
  • Managed the team that deployed AZURE AD across the Global footprint and established associated processes that ensured appropriate identity governance and hygiene/maintenance.
  • Incorporated strategic planning initiatives, allocated resources, forecasted expenses, and developed departmental budgets
  • Internal and external audit response.
  • Provided robust support in conducting regulatory agency audits on security technology and controls, and ensured seamless delivery of operations and closure of major findings to exceed or meet target timelines.
  • Liaised with key stakeholders across the Global environment to deploy a Follow the Sun framework, with a focus on increasing responsiveness and reducing delays for security issues and operational maintenance.
  • Managed contracts with vendors and ensured favorable terms to establish a long-term business relationship and avoid additional costs.
  • Promoted transparency of Security Engineering initiatives by creating a Project Governance framework and database to ensure visibility and coordination across the technology division, ensuring appropriate strategic, capital, and resource planning.
  • Resource management and team mentoring to ensure effective utilization of resources and timely delivery of services to business partners.

CORPORATE SECURITY & RESILIENCY – STRATEGY TEAM, VICE PRESIDENT, LEAD/PRINCIPAL SECURITY ARCHITECT

Citizens Bank/Citizens Financial Group
Providence, RI
10.2011 - 11.2015
  • Established security standards, operational processes and managed partnerships with enterprise security and technology teams
  • Promoted Agile, Lean, and Six Sigma principles to raise awareness and improve processes by reducing variation and eliminating waste.
  • Hands on daily scanning of internal and third-party assets for vulnerabilities or compliance risk against hardening standards (using Qualys, Symantec ESM and Tenable), and escalation of risk issues for remediation assurance
  • Review and revise policy and standards for Vulnerability & Compliance Scanning program
  • Collaborated with the finance department to track budgets and manage security vendor contracts.
  • Ensured operational stability of security solutions and engaged managed service vendor support when required.
  • Trusted advisor to business units, providing recommendations on security controls, technology, or process improvements, and upgrades that would reduce risk.
  • Increased vendor collaboration and third party enrollment in vendor scanning program by 42% in 2012.
  • Implemented new security infrastructure, working closely with technical support teams.
  • Effectively managed Digital Transformative program for Secure Enterprise File Storage and collaboration

VICE PRESIDENT, MANAGER ENDPOINT SECURITY GOVERNANCE AND VULNERABILITY SCANNING TEAM

Bank of America
Providence, RI
09.2000 - 10.2011
  • Management of a distributed technical team responsible for supporting security policy, governance and providing technical expertise for the following technologies/security functions: Endpoint Security Governance, Anti-virus/malware and Anti-Spyware, Remote Desktop Policy Enforcement (RDPE) Personal Firewall/Host level sensitive Data controls, Mobile Device Security, Application Vulnerability Scanning, Endpoint Vulnerability Scanning
  • Led the design, implementation, and management of the Enterprise Resiliency Associate Training Portal through cross-team partnership and coordination of training programs with internal business support partners and external vendors.
  • Member of the Enterprise Desktop Governance Policy Committee, representing Vulnerability Management and Information Security, with approval/reject authority for requested policy changes.
  • Regulatory reviews, internal or external audit preparation, and response.
  • Design and adoption of a Process Control Maturity Assessment model within the Vulnerability Management team.
  • Initiated and implemented an endpoint security governance model, providing oversight of endpoint security controls and compliance assurance across the enterprise. This model assisted with identifying risks in coverage, providing operational efficiency, and aligning with business needs.
  • Invoke the CSIRT/Cyber Security Incident Response process, when necessary, in response to security incidents, and lead Post-mortem root cause assessments to identify strategies that would proactively defend against future threats.
  • Led an initiative to develop an innovative, secure laptop platform/build for use by Bank executives and associates conducting business at the Bank of America-sponsored locations in Beijing during the 2008 summer Olympics. The initiative utilized defense-in-depth methodology and virtual technology to address the cyber threats associated with this specific international environment.
  • Merger and acquisition-related, large-scale infrastructure conversions, and standardization of security products and services.
  • Implementation of best-of-breed technologies that would provide enhanced enterprise immunity and resiliency against emerging risks. (Network Access Control, Sensitive Data Loss, Peripheral Device controls, and enhanced Centralized Endpoint Management).
  • Responsible for Business Continuity strategy and development of the operational/BAU process for analysis of Global application recoverability gap and Business Continuity testing procedures to analyze end-to-end recoverability capabilities.

Education

Bachelor of Science - Computer and Information Sciences

Roger Williams University
Bristol, RI

Bachelor of Arts -

Rhode Island College
Providence, RI

Associate of Arts -

Community College of Rhode Island
Warwick, RI

Skills

  • Building high performing Info Sec/Cyber Security programs and teams for Global firms
  • TPRM/Third Party Risk Assessment
  • Identity & Access Management
  • ZTNA - Zero trust methodology
  • Exposure & Threat Management
  • Security Awareness & Training
  • Privacy & DLP compliance programs
  • Security Architecture and Engineering
  • Identity and Access Management
  • Defense-in-depth strategic planning
  • Incident response & Threat Hunting
  • Vulnerability Scanning Programs
  • Microsoft Azure AD/ADFS - Federation and Authentication
  • GRC/IRM
  • Application Security/Secure-SDLC/DAST/SAST
  • Strategic Roadmaps
  • Program & Project Management
  • Agile/Scrum methodology
  • Process design & control mapping
  • Budgeting & Forecasting
  • Regulatory Reviews & Audits
  • Regulatory Compliance (HIPAA, FERPA, GLBA, GDPR, PCI DSS)
  • Certification Frameworks & Compliance (CMMC, FISMA, FedRAMP, SOC2, HITRUST, ISO)
  • NIST (800-53 & 800-171) & CIS frameworks
  • Contract Negotiation & Vendor Management (MSPs)
  • Security Policy development and Governance routines
  • Networking Principles & disciplines
  • Cloud (AWS & Azure) & Cloud security methodologies
  • Business Continuity/Disaster Recovery Programs

Affiliations

  • ISACA (New England Chapter/Boston)
  • Executive Women's Forum (Boston Chapter). An Association for Information Security, Risk and Privacy Professionals

Certification

  • CISM – Certified Information Security Manager (ISACA)
  • Certified Six Sigma DFSS/Greenbelt
  • SSC Certified Lean Practitioner
  • Bryant University PMI Project Management Certificate Program (2013)

Career Experience

  • Northeastern University, Boston MA/Global Campuses, GLOBAL DIRECTOR – INFORMATION SECURITY, PRIVACY & IDENTITY MANAGEMENT (Acting Deputy CISO), 04/2022, Present, Reporting to the Chief Information Security Officer, and responsible for oversight of Identity and Access Management (IAM), Security Operations, Risk and Compliance, Consulting and Awareness, and Privacy for the Global University. Building trust within the community, providing Security and Identity Management services that are not only secure, efficient and frictionless but which meet the business needs of the University Community. Reporting directly to CISO, providing strategic direction and establishing roadmaps which shape the future of Information Security, Privacy and Identity Management services for the Global University. Provide leadership and mentoring to a team of 20+ Security and Identity Management professionals, and team/program managers as direct reports and dotted line collaborators. Serve as Deputy CISO when Chief Information Security Officer is absent or unavailable, to ensure continuity of leadership across Office of Information Security, Infrastructure and Networking teams under the purview of the Chief Information Security Officer and ensure availability to Senior University Leadership for issues or escalations. Position myself as a champion and change agent to promote the technological, policy and organizational changes needed to secure a growing, network and infrastructure, building resilience, and fostering innovation and adaptability within a complex, changing and maturing environment. Establish and sustain partnerships with peers and executive leadership within Information Technology, other schools within the University, and across technical and administrative teams within all mission areas such as Research, Teaching and Education, Faculty Affairs, and Administrative Services. 
Direct Interface with Northeastern Police Department, external law enforcement local and federal agencies for reported incidents and investigations. Manage departmental budget, develop Business Cases in alignment with strategic roadmap and obtain approval and funding from Executive Finance Team. Engage vendors in support of technical project support, as well as Managed Service Contracts., Modernization of Identity and Access Management platforms, including a reduction of technical debt and continued direction towards cloud-native (Azure AD) which enables integrations, efficiency and improvement of customer experience and continues our maturity towards Zero-Trust principles and frictionless/Password-less experience., Built and matured a CMMC (Cybersecurity Maturity Model Certification) program and strategy towards obtaining Level 2 certification across several CUI environments (in progress), including GCC HIGH which will maintain and continue to attract DoD related contracts in support of the University’s Research mission. 
This program ensures that Northeastern can continue to attract Government (DoD) research contracts which provide significant funding for the University., Promoted alignment to NIST 800-171 standards and utilization of GCC High tenant for piloting Zero-Trust principles and Azure capabilities for Identity and Security controls such as Conditional Access., Collaborate with Cloud Services team on the establishment of Cloud Governance, including the development of Documented Policies, and assurance that services align to security/NIST standards in addition to providing ease of use, scalability and accessibility., Building a resilient and proactive posture through the implementation of Sentinel SOAR platform and expansion of Microsoft Defender (Endpoint, Cloud and Identity) for increased visibility, log correlation, and workflows which feed alerts and events into newly established MDR-SOC Managed services., Maturing of the Vulnerability Scanning Program to ensure coverage of scanning (Tenable and Defender) across the ever-expanding Global University network as well as implementation of Nucleus for integrations with ServiceNow ticketing and CMDB., Built a robust SOC-Security Operations program, with the utilization of BlueVoyant managed services in support of 24/7 SOC coverage and escalation., Rollout of Microsoft’s Azure Arc Connected Machine agent across all University Windows and Linux servers including the newly acquired California campuses. This platform provided management and visibility to on-premises and cloud server resources from a single pane of glass, and which leverages our current SCCM for Windows and Red Hat Satellite for RHEL systems., Built trust within the community and promote the Office of Information Security as a ‘trusted advisor’ through awareness events and training (such as October Cyber Security Month and events throughout the year). 
In addition, utilize various consultative opportunities to understand business objectives and translate requirements into secure, scalable, flexible solutions., Refined Service catalog, and web presence for Office of Information Security and IAM services to ensure that they are easily understood and readily accessible to the community within the ServiceNow platform., Implementation of Grouper, which provides a centralized platform for role-based access management efficiency, enhancing auditability of access, assurance of deprovisioning, with self-service capability thereby reducing workload on customer service, application support and IAM teams., Strengthened the Office of Information Security’s partnership with Office of General Counsel to mature the Privacy program within the University, through development of mature Privacy investigation processes and Policies, as well as development of Privacy-by-Design principles, and establishment of the Privacy Center of Excellence (COE) with stakeholders from various departments across the University., Assured execution of deliverables that facilitated the smooth integration of any newly acquired colleges/institutions (such as Mills, Oakland CA) into the NU Global infrastructure, and the integration within Security and Identity Management systems and platforms., Reduced Attack Surface & Exposure reduction related to LSASS (Windows Local Security Authority) through implementation of gMSA (Group Managed Service Accounts) for on-prem AD environment and removing the risk of having statically defined passwords for service accounts, ensuring password rotation, and ensuring these are not stored on the system itself., Increased transparency of AWS events into SOC, by onboarding AWS CloudTrail and GuardDuty logs into Sentinel (SQS Queue/Event Notifications from S3 bucket) which brings in AWS audit and data event logs into centralized SIEM., Progress on a multi-phased initiative which will revamp Privileged Identity Governance for staff 
which will utilize cloud-native accounts, ensure consistency across our tenants such as with standard naming convention, and consistent enforcement of policies, such as MFA, and use of Bitwarden., Redesign of Firewall request process which ensures there is a workflow for Office of Information oversight and approvals, and ServiceNow integration, for assignment to Network team for implementation., Establishment of the Office of Information Security – Information Security Standards committee, which serves to bring together key stakeholders from across the University and spanning the Global campuses for the purpose of ensuring awareness of key Information Security initiatives, changes to standards and policy, impacts of regulatory requirements and dissemination of key information on security issues which are not confidential in nature. This committee also includes the establishment of Global Campus Information Security Officers which help to field issues relative to their Campus locations, inform & bring forward questions or issues relative to their Campus’ constituents and serve as advocates for Information Security standards and best practices.
  • Harvard Medical School, Boston, MA, IT PROGRAM MANAGER - INFORMATION SECURITY AND INFRASTRUCTURE, 10/2019, 04/2022, Partnership & collaboration (dotted line to) CISO, as well as Deputy CIO, and CIO, to set strategic direction, design solutions and provide direct leadership of large scale, complex projects within a portfolio of Infrastructure, Digital Transformative, and Information Security & Compliance initiatives with school-wide and/or university-wide community impact. Provided leadership to the ongoing development and delivery of a comprehensive School information security and data privacy defense-in-depth strategy that protects information assets, aligns with and supports risk posture, and meets applicable compliance and regulatory requirements. Manage all aspects of the project portfolio throughout project lifecycles to ensure completion within the defined scope, quality, time and cost restraints. Use knowledge of strategic mission and priorities to set and validate project portfolios as well as balance resourcing and associated work activities. Contributed to the annual and multiyear Infrastructure and Information Security capital planning, and budget in alignment and support of Information Security and Infrastructure program strategic initiatives. Established and sustained partnerships with peers and executive leadership within HMS, Harvard University and other schools within the University, and across technical and administrative teams within all mission areas such as Research, Teaching and Education, Faculty Affairs, and Administrative Services. Lead Information Security, and Data Privacy policy development in collaboration with CISO and Policy Working Team members from across the mission areas of the school. Development of business cases, and proof-of-concepts to support the selection of appropriate technology and Information Security technologies, which meet security control objectives. 
Assessed and improved operational processes to sustain infrastructure and security program objectives, as well as ensure the adoption of new policy, processes or technology. Facilitation of steering, and executive governance committees leveraging discussions for decision-making, approval of Security Policy, change management, and communications requirements. Development and dissemination of executive level reporting, information security compliance metrics, which measure the school’s achievement of Dean and/or Provost direction and requirements. Staff management of a team of staff including recruitment, development and mentoring, performance management and promote an inclusive and innovative work environment. Direct support of Information Security remediation activity tracking and associated metrics for Vulnerability, Patch and Threat Management activities, and efforts for elimination of infrastructure technology debt (EOL/EOS assets)., Development, approval and published a catalog of new information security policies in support of school and University level security directives and strategy., 2-Factor verification/2FA implementation for HMS Office 365 individual and departmental accounts utilizing DUO (approx.13,000 accounts), which included robust communication and awareness activities and alignment with Service Desk support., Assisted with coordination of an onsite Asset Inventory and to baseline assessments of our asset risk posture which also provided data for the establishment of a ServiceNow CMDB, and greatly assisted with Security Compliance metrics., Application Security: Assessment and implementation of additional security controls such as 2-Factor verification for Enterprise applications. This work uncovered a poorly configured application which provided unauthenticated access to student data within a particular application. 
With engagement of product owners and vendor development, we were able to reconfigure the application and remediate the risk by assuring authentication standards were in place., Remediation of EOL/EOS assets and establishment of patching and vulnerability management operational processes., Operational support for remediation of associated security incidents and risks, Implementation of Network Access Control (Cisco ISE/SecureW2/802.1X) which increased transparency into the number and types of devices connecting to the HMS wired and wireless networks, as well as ensure compliance with required security baseline and prevent control unrestricted access. This effort greatly assisted the ability to identify, remediate and inventory all devices that connect to the HMS wired and wireless network., Security Awareness Training program rollout (KnowBe4 platform), Implementation of Protected Cloud (AWS) and On-prem secure enclaves with FISMA Low and Medium controls in support of Research initiatives (NIH and NHLBI, multi-institutional research collaborations).
  • State Street Corporation, Quincy, MA, VICE PRESIDENT, ENTERPRISE BUSINESS SERVICES - PROCUREMENT & SOURCING TECHNOLOGY OPERATIONS, 07/2018, 10/2019, Direct business operations and establish strategic initiatives of procurement and technology operations function across India, China, Poland, and UK. Utilized risk and control frameworks subject to IT processes to analyze gaps in enterprise-wide controls, such as Third-Party risk and develop roadmaps that avoid reputational, technology, or security risks. Ensured continuous process improvement initiatives by implementing LEAN principles, identifying flaws, and providing corrective action plans. Enforced a Global Operations Model relating to procurement operations Third Party risk processes and policies. Ensured compliance with data privacy and regional regulatory requirements while engaging with EMEA and APAC outsourcing offices to identify and mitigate risks for all projects. Trained and coached staff with an aim to enhance capabilities at individual as well as group levels and improve overall organizational efficiencies. Streamlined processes and accomplished up to 30% reduction in average cycle time for risk reviews. Recognized for completing all projects within budget and agreed service levels. Managed multiple, large-scale, cross-functional project teams. Successfully led and implemented key technologies on global level, such as digital transformation and cloud security.
  • State Street Corporation, Quincy, MA, VICE PRESIDENT | PROGRAM MANAGER, GLOBAL TECHNOLOGY SERVICES - SECURITY ENGINEERING, 11/2015, 07/2018, Delivered program oversight by devising as well as implementing an effective Project Management Governance Program to achieve established goals and sustain operational efficiency. Managed the team which deployed AZURE AD across the Global footprint and established associated processes that ensured appropriate identity governance and hygiene/maintenance. Incorporated strategic planning initiatives, allocated resources, forecasted expenses, and developed departmental budgets. Internal and external audit response. Provided robust support in conducting regulatory agency audits on security technology and controls and ensured seamless delivery of operations and closure of major findings to exceed or meet target timelines. Liaised with key stakeholders across the Global environment to deploy a Follow the Sun framework with a focus on increasing responsiveness and reducing delays for security issues and operational maintenance. Managed contracts with vendors and ensured favorable terms to establish a long-term business relationship and avoid additional costs. Promoted transparency of Security Engineering initiatives by creating a Project Governance framework and database to ensure visibility and coordination across technology division to ensure appropriate strategic, capital and resource planning. Resource management and team mentoring to ensure effective utilization of resources and timely delivery of services to business partners.
  • Citizens Bank/Citizens Financial Group, Providence, RI, CORPORATE SECURITY & RESILIENCY – STRATEGY TEAM, VICE PRESIDENT, LEAD/PRINCIPAL SECURITY ARCHITECT INFRASTRUCTURE VULNERABILITY ASSESSMENT TEAM | AVP, SENIOR INFORMATION SECURITY PROFESSIONAL, 10/2011, 11/2015, Coordinated the establishment of security standards, operational processes and managed partnerships with enterprise security and technology teams to ensure alignment with security and resiliency strategy. Promoted Agile/Lean/Six Sigma principles to raise awareness and improve processes by reducing variation and eliminating waste. Hands on daily support for scanning of internal and third-party assets for vulnerabilities or compliance risk against hardening standards (using Qualys, Symantec ESM and Tenable), and review of reports as well as documentation and escalation of risk issues for remediation assurance. Review and revise policy and standards for Vulnerability & Compliance Scanning program. Collaborated with finance department to track budgets and manage security vendor contracts. Identified potential risk to the business and reported to key stakeholders to support data-driven decision-making process. Ensured operational stability of security solutions and engaged managed service vendor support when required. Trusted advisor to business units providing recommendations on security controls, technology or process improvements, and upgrades that would reduce risk. Increased vendor collaboration and third party’s enrollment in vendor scanning program by 42% in 2012. Empowered the team with efficient process that would assist with assessing compliance issues and reduce information security incidents. Implemented new security infrastructure, working closely with technical support teams. Effectively managed Digital Transformative program for Enterprise File Storage and collaboration (BOX).
  • Bank of America, Providence, RI, Technical Manager-Sr. Information Security Engineer, Supplier Security Assessment Team, 09/2000, 10/2011, Progressive Management Roles: Technical Manager-Sr. Information Security Engineer, Supplier Security Assessment Team; Vice President, Manager Endpoint Security Governance and Vulnerability Scanning Team; Vice President, Senior Manager Business Continuity/Project Delivery. Management of a distributed technical team responsible for supporting security policy, governance and providing technical expertise for the following technologies/security functions: Endpoint Security Governance, Anti-virus/malware and Anti-Spyware, Remote Desktop Policy Enforcement (RDPE), Personal Firewall/Host level sensitive Data controls, Mobile Device Security, Application Vulnerability Scanning, Endpoint Vulnerability Scanning. Led the design, implementation and management of the Enterprise Resiliency Associate Training Portal, through cross-team partnership and coordination of training programs with internal business support partners and external vendors. Member of the Enterprise Desktop Governance Policy Committee, representing Vulnerability Management/Information Security. Approval/reject authority for requested policy changes. Assessed policy change and gaps impacts against Information Security strategic initiatives. Regulatory reviews, internal or external audit preparation and response. Design and adoption of a process Control Maturity Assessment model within the Vulnerability management team. Initiated and implemented an endpoint security governance model providing oversight of endpoint security controls and compliance assurance across the enterprise which assisted with identifying risks in coverage, provided operational efficiency, and alignment with business needs. Initiate remediation activities and invoke the CSIRT/Cyber Security Incident Response process, when necessary, in response to security incidents.
Post-Mortem analysis of incidents to identify root cause and identify strategies which would proactively defend against future threats. Led an enterprise-wide rollout of endpoint security tools to provide proactive and real-time monitoring, as well as enhanced reporting capabilities and malicious activity response. Including architecture/infrastructure design, agent configuration and deployments. Led an initiative to develop an innovative secure laptop platform/build for use by Bank executives and associates conducting business at the Bank of America sponsored locations in Beijing during the 2008 summer Olympics. Utilized defense-in-depth methodology, several layered security controls as well as virtual technology to address the cyber threats associated with this specific international environment. Merger and acquisition related large-scale infrastructure conversions and standardization of security products and services. Implementation of best of breed technologies that would provide enhanced enterprise immunity and resiliency against emerging risks. Technologies such as Network Access Control, Sensitive Data Loss, Peripheral Device controls and enhanced Centralized Endpoint Management. Responsible for Business Continuity strategy and development of the operational/BAU process for analysis of Global application recoverability gaps. Alignment with Business Continuity testing programs and procedures to analyze end-to-end recoverability capabilities.

Timeline

GLOBAL DIRECTOR – INFORMATION SECURITY, PRIVACY & IDENTITY MANAGEMENT (Acting Deputy CISO)

Northeastern University
04.2022 - Current

IT PROGRAM MANAGER - INFORMATION SECURITY AND INFRASTRUCTURE

Harvard Medical School
10.2019 - 04.2022

VICE PRESIDENT, ENTERPRISE BUSINESS SERVICES - PROCUREMENT & SOURCING TECHNOLOGY OPERATIONS

State Street Corporation
07.2018 - 10.2019

VICE PRESIDENT | PROGRAM MANAGER, GLOBAL TECHNOLOGY SERVICES - SECURITY ENGINEERING

State Street Corporation
11.2015 - 07.2018

CORPORATE SECURITY & RESILIENCY – STRATEGY TEAM, VICE PRESIDENT, LEAD/PRINCIPAL SECURITY ARCHITECT

Citizens Bank/Citizens Financial Group
10.2011 - 11.2015

VICE PRESIDENT, MANAGER ENDPOINT SECURITY GOVERNANCE AND VULNERABILITY SCANNING TEAM

Bank of America
09.2000 - 10.2011

Bachelor of Science - Computer and Information Sciences

Roger Williams University

Bachelor of Arts -

Rhode Island College

Associate of Arts -

Community College of Rhode Island