
THOMAS GARRUBBA

Bridgeville, PA

Summary

I am an internationally recognized thought leader, lecturer, commentator and blogger on business, cyber and privacy risk with more than 25 years’ experience in cyber, privacy, enterprise risk governance and compliance, audit, and consulting. I have published thought leadership pieces and have been solicited for comment in various business and security journals including Forbes.com, Bloomberg, The Washington Examiner, Yahoo Finance, SC Magazine, Computer Weekly, CIO Magazine, The Huffington Post, Corporate Compliance Insights, Future of Outsourcing Magazine, Government Health IT, ISACA, Risk.net, and numerous other trade publications. I was the author of the chapter on “Third Party Risk Management” for the Risk.net book “Cyber Risk”, have been a featured guest on numerous business and security podcasts, and host the weekly LinkedIn thought leadership video series “TPRM Tidbits”.

Overview

27 years of professional experience

5 certifications

Work History

Director of Third Party Risk Management (TPRM) Services

Echelon Risk + Cyber, LLC
06.2022 - 01.2024
  • I assisted clients in the strategy, optimization, and stabilization of their third party vendor risk assessment programs.
  • Some of the items I assisted them with included: identifying and roadmapping their vendor risk maturity; identifying their inherent/exposure risk and the residual risk following third party risk assessments; closing out open/contingent items post-assessment; liaising with audit and regulators as to a client’s existing TPRM state; and educating clients formally (via the CTPRP and CTPRA certifications) and consulting with them on their unique challenges.
  • I was responsible for managing the entire client engagement throughout its lifecycle, including budgeting and staffing.

Vice President, Co-Chief Information Security Officer (CISO), Educator, Subject Matter Expert

The Santa Fe Group/The Shared Assessments Program
09.2014 - 06.2022
  • The Shared Assessments Program is a member-driven organization focused on the standardization of third party and supply chain risk practices.
  • My responsibilities included: providing strategic guidance and thought leadership, instructing in our certification programs, providing consultation to companies, and establishing and managing our Member Relations Outreach (MRO) Program.

Senior Privacy Manager

CVS Health
- 09.2014
  • I volunteered to develop, implement and manage their “Vendor Assessment Program”.
  • This program was recognized by outside agencies as a world-class third party risk management program.

Global IT Audit Manager

HJ Heinz Company (Kraft/Heinz)
12.2005 - 04.2007
  • I provided the management role in supporting Executive and IT Senior Management, the Audit Committee, and external auditors in the technology assurance of mission critical information systems and components for the global enterprise.

Assistant Vice-President, Project Leader

Mellon Financial Corporation (BNY Mellon)
08.2004 - 12.2005
  • Led or participated in numerous reviews including mainframe, infrastructure, midrange system, database, business contingency and disaster recovery planning (BC/DR), capacity planning, and segregation of duties.

Senior Technology Auditor III

Ernst & Young LLP
03.2003 - 08.2004
  • Consulted with executive and senior management in identifying and assessing controls for compliance with the Sarbanes-Oxley Act.
  • Led staff in the assessment of controls over client IT processes, including strategy, application, operating system, database, and IT general controls assessments, in both internal and external staffing functions.

IT Staff Auditor

PWC, LLP
04.1998 - 03.1999
  • Conducted IT general controls and application reviews.

IT Staff Auditor/Senior Auditor

PNC Bank
09.1996 - 04.1998
  • Conducted IT general and application controls reviews.

Education

MS, Information Systems Management

Robert Morris University
01.2003

BSBA, Finance

Robert Morris University
01.1994

Skills

  • Risk Management
  • Staff Management & Development
  • Project Management
  • Business Development
  • Operations Management
  • Creativity and Innovation
  • Charismatic Leader
  • Crisis Management
  • Verbal and Written Communication
  • Contract and Vendor Management
  • Supply Chain Management
  • Partnerships and Alliances

Professional Organizations

  • Information Systems Audit and Control Association (ISACA), 1996
  • International Association of Privacy Professionals (IAPP), 2011
  • The Shared Assessments Program, 2011
  • Civil Air Patrol – US Air Force Auxiliary, 2018
  • InfraGard (Public/Private Partnership with the FBI), 2016
  • Financial Services Sector Coordinating Council (FSSCC), 2015
  • Forbes Technology Council, 2020
  • The Open Compliance and Ethics Group (OCEG), 2021

Certification

CISA (Certified Information Systems Auditor), 2001

CRISC (Certified in Risk and Information Systems Control), 2011

CIPT (Certified Information Privacy Technologist), 2011

CTPRP (Certified Third-Party Risk Professional), 2015

CTPRA (Certified Third-Party Risk Assessor), 2020

Timeline

  • Information Systems Audit and Control Association (ISACA) – Member; 1996
      ◦ CISA (Certified Information Systems Auditor), 2001
      ◦ CRISC (Certified in Risk and Information Systems Control), 2011
  • International Association of Privacy Professionals (IAPP) – Member; 2011
      ◦ CIPT (Certified Information Privacy Technologist), 2011
  • The Shared Assessments Program – Member; 2011
      ◦ CTPRP (Certified Third-Party Risk Professional), 2015
      ◦ CTPRA (Certified Third-Party Risk Assessor), 2020
  • Civil Air Patrol – US Air Force Auxiliary – Member; 2018
      ◦ 1LT; Finance Officer of Squadron 603 (Pittsburgh)
  • InfraGard (Public/Private Partnership with the FBI) – Member; 2016
  • Financial Services Sector Coordinating Council (FSSCC) – Member; 2015
  • Forbes Technology Council – Member; 2020
  • The Open Compliance and Ethics Group (OCEG) – Member; 2021