Sara Gaylord

Piedmont, OK

Summary

Encouraging manager and analytical problem-solver with talents for team building, leading and motivating, as well as excellent customer relations aptitude and relationship-building skills. Proficient in using independent decision-making skills and sound judgment to positively impact company success. Dedicated to applying training, monitoring and morale-building abilities to enhance employee engagement and boost performance. 21 years of Information Security experience and 11 years in management roles.

Overview

21 years of professional experience

5 certifications

Work History

Senior IT Risk Analyst

ABM
04.2024 - Current
  • Guiding Legal, technical teams, and business units to advance compliance for federal contracts, including CMMC and NIST RMF.
  • Developing policies, procedures, standards, and framework cross-walks for the adoption of ISO 27001 and 27005.
  • Establishing strong working relationships with external partners, promoting collaboration and information sharing to tackle common IT risk challenges.
  • Evaluating third-party vendor risks, providing recommendations to minimize possible negative impacts on company operations.
  • Recommending improvements in security systems and procedures.
  • Collaborating with peers and management to establish KPIs for risk management reporting and scorecards for internal and third-party risk.
  • Building productive working relationships with Procurement and Legal to ensure that contracts and service level agreements contain adequate security and risk language.
  • Developing goals and strategies for future IT risk assessment activities, establishment and maintenance of a comprehensive IT Risk Register, and enhanced risk reporting based on aggregate risk.
  • Recommending ongoing training and awareness to educate stakeholders regarding risk management, security by design, privacy by design, and industry best practices.

Staff Security Risk Specialist

Okta
03.2023 - 04.2024
  • Engaged with stakeholders, from executive leadership to individual contributors, to execute the annual risk assessment.
  • Developed short-term goals and long-term strategic plans to improve risk control and mitigation.
  • Promoted enterprise-level risk management practices and helped instill a strong culture focused on protective policies and procedures.
  • Reviewed contracts and agreements to identify potential risks and ideal mitigation strategies.
  • Taught employees how to control risks at the front line.
  • Reviewed and corrected risk and issue registries to ensure completeness and accuracy of data.
  • Established KPIs and developed reports for stakeholders and leadership to provide clear insight into Okta's risk posture.
  • Aligned risks and issues to newly-issued consolidated control library to ensure appropriate reporting and prioritization.
  • Developed and tracked issue and risk mitigation plans, in partnership with stakeholders, to resolution.

GRC Specialist

Gong.io
08.2021 - 03.2023
  • Engaged with stakeholders including Legal, Executives, IT, Developers, and Internal Audit to develop a central control library for the enterprise.
  • Performed gap analyses to ensure compliance with international privacy laws and regulatory requirements.
  • Partnered with Internal Audit to position Gong for IPO.
  • Established an enterprise-wide risk quantification procedure and built a centralized risk registry.
  • Assumed primary responsibility for all privacy and security awareness training, including the development of specialized HIPAA training and deployment of all security awareness training.
  • Coordinated with data science and development teams to reduce data redundancy and establish comprehensive data disposition and sanitization procedures.
  • Mentored junior team members, fostering professional growth through guidance on best practices in the industry.

Manager, IT GRC and Enterprise Data Governance

Paycom
02.2016 - 08.2021
  • Developed a strong security culture focused on employee engagement, collaboration, and continuous learning opportunities.
  • Championed diversity and inclusion efforts within the workplace, resulting in an inclusive environment that fostered creativity and innovation among employees from various backgrounds.
  • Mentored junior team members for career advancement, fostering a pipeline of future leaders within the organization.
  • Expanded the compliance portfolio to include industry-leading certifications.
  • Designed and implemented processes to provide project oversight for third-party and internal development teams, ensuring privacy and security by design.
  • Reviewed contracts and advised Legal regarding security and privacy language.
  • Engaged in calls with clients to provide assurance regarding enterprise security and privacy programs.
  • Established a risk and criticality-based business continuity and disaster recovery program to minimize disruption in the event of an incident.
  • Managed internal and external audits for IT, development, and other technical teams.
  • Established KPIs and wrote and presented executive summaries and reports for the Board and executive leadership.
  • Developed and managed the program budget for training, tools, and audits.
  • Identified and recommended remediation measures for data sanitization, redundancy, and destruction concerns.
  • Implemented a framework for measuring risk across the enterprise and prioritizing projects by risk and system criticality.
  • Selected and implemented tools for GRC and privacy governance compliance (GDPR/CPAA).
  • Assumed responsibility for the Security Awareness Program, including ongoing phishing campaigns and quarterly training.
  • Developed and deployed customized training as appropriate for CPAA, GDPR, and HIPAA.
  • Collaborated with Incident Response and Application Security Teams to brief executive management on emerging threats.
  • Established a risk management program for internal and external risk management, including insider threat management, vendor assessments, HR processes, and project risk mitigation.

Senior IT Risk Analyst

Devon Energy
12.2013 - 02.2016
  • Oversaw the growth and execution of the IT Risk Program as the Program Lead.
  • Assisted in developing business continuity plans, ensuring minimal disruption during disaster recovery scenarios.
  • Evaluated third-party vendor risks, providing recommendations to minimize possible negative impacts on company operations.
  • Collaborated with stakeholders to develop strategic plans for managing emerging technology risks effectively.
  • Updated IT governance framework regularly to address evolving organizational needs and industry best practices effectively.
  • Maintained an up-to-date knowledge base of relevant threat intelligence, sharing insights with colleagues to inform decision-making processes.
  • Streamlined risk reporting by automating processes and improving communication channels between departments.
  • Integrated vulnerability management data into risk reporting to provide criticality-based KPIs to management.
  • Conducted ongoing assessments to ensure compliance with US and Canadian privacy requirements.
  • Partnered with Incident Response to integrate incident documentation into the GRC tool, reducing documentation time and ensuring completeness of documentation.
  • Developed customized risk assessments for specialized use cases, including a risk assessment for determining risk presented by outside legal counsel.
  • Executed annual risk assessment with stakeholders to document risk appetite and identify emerging risks across the enterprise.
  • Evaluated and selected a tool for conducting phishing campaigns and managed all phishing activities.
  • Created annual Security Awareness Week curriculum and training events, in addition to ongoing training courses, to drive a strong security culture.

Information Assurance, Personnel Security Manager

Defense Information Systems Agency
10.2003 - 12.2009
  • Managed sensitive investigations into internal security breaches with discretion and professionalism, minimizing damage to agency reputation.
  • Assisted in the development of emergency response plans related to potential personnel security issues or threats within the workplace environment.
  • Streamlined the onboarding process for new employees, ensuring proper security clearances were obtained in a timely manner.
  • Partnered with Incident Response and DISA JAG and OIG to facilitate the investigation of security incidents and evidence gathering for DoD investigations.
  • Served as the site project manager for DISA NARA Compliance initiative, developing strategies to ensure compliance with DoD records management requirements.
  • Oversaw security compliance measures for 4,500+ servers and classified and unclassified systems.
  • Ensured compliance with DoD requirements for the construction and security of two new Classified Open Storage Areas within the facility.
  • Delivered security awareness and classified data handling training for new employees and cleared visitors.
  • Verified 100% compliance with the DoD and U.S. Cyber Command (CYBERCOM) Vulnerability Management standards.
  • Developed documentation for site accreditation, including a complete rewrite of the Site Security Plan and the creation of a site System Administration Guide; this documentation resulted in DISA OKC receiving the only full accreditation awarded during the transition from DITSCAP to DIACAP standards.
  • Oversaw the day-to-day operations of the Physical Security Team.

Education

Master of Legal Studies - Cybersecurity and Data Privacy Law

Cleveland State University, Cleveland, OH
12.2023

MBA - Information Systems Management

Western Governors University, Salt Lake City, UT
07.2016

Skills

  • Strategic Planning
  • Stakeholder Communication
  • Privacy and Security by Design
  • Compliance Monitoring
  • Business Continuity and Disaster Recovery
  • IT and Third Party Risk Assessment and Management
  • Control Analysis and Standardization
  • Audit Planning and Management
  • Information Assurance and Governance
  • Vulnerability Assessment and Management
  • Policy and Standards Development and Implementation
  • ISO 27001, 27002, 27005, 27017, 27018, and 22301
  • SOC 2, SOX, HIPAA, HITRUST, WCAG, FedRAMP, FAIR, NIST RMF, NIST CSF
  • GDPR, PIPEDA, CPAA, BIPA, Other Legal and Regulatory Requirements

Certification

  • CISSP, ISC2 - 2011
  • CGEIT, ISACA - 2017
  • CRISC, ISACA - 2017
  • CCSP, ISC2 - 2018
  • CDPSE, ISACA - 2020
  • Member of InfraGard since 2014

Timeline

Senior IT Risk Analyst - ABM
04.2024 - Current
Staff Security Risk Specialist - Okta
03.2023 - 04.2024
GRC Specialist - Gong.io
08.2021 - 03.2023
Manager, IT GRC and Enterprise Data Governance - Paycom
02.2016 - 08.2021
Senior IT Risk Analyst - Devon Energy
12.2013 - 02.2016
Information Assurance, Personnel Security Manager - Defense Information Systems Agency
10.2003 - 12.2009
Cleveland State University - Master of Legal Studies, Cybersecurity and Data Privacy Law
Western Governors University - MBA, Information Systems Management