Results-oriented Information Security Risk and Compliance Manager with over 9 years of experience in designing and executing robust GRC programs. Proven expertise in aligning security strategy with business objectives.
· Spearheaded eight concurrent annual SOC 1 and SOC 2 Type 2 audits, achieving zero findings for the last two years, demonstrating a mature and effective control environment.
· Developed and implemented the company's formal Information Security Risk Management (ISRM) program from the ground up, aligning strategies with ISO 27005 and business objectives.
· Managed the end-to-end Third-Party Risk Management (TPRM) program for over 130 vendors, using ZenGRC and continuous monitoring tools (BitSight, FortifyData) to reduce supply chain risk.
· Authored and enforced key governance documentation, including the corporate Information Security Risk Management Policy, Third-Party Risk Management Policy, and Incident Response Plan.
· Served as a key escalation point in a 24/7 on-call rotation, providing expert incident response for critical threats escalated by SOC partners (Sophos, Rapid7).
· Reduced organizational risk posture by managing the vulnerability remediation lifecycle, prioritizing patching based on Nessus and Rapid7 scan data, and reporting progress to leadership.
· Implemented and configured Microsoft 365 Data Loss Prevention (DLP) policies, successfully classifying and protecting sensitive company data across the enterprise.
· Established a robust compliance program by mapping all security controls to ISO 27002 and NIST CSF, ensuring adherence to ISO, PCI DSS, and GDPR regulations.
· Led annual SOC 2 Type 2 audits, client security assessments, and penetration tests, consistently meeting all compliance and client requirements.
· Architected and deployed a new "need-to-know" security model, tightening perimeter defenses and enhancing endpoint protection with new IDS, anti-ransomware, and DLP solutions.
· Created documentation based on COBIT, NIST, SOC, and ISO 2700x.
· Managed all vendor relationships and service level agreements (SLAs), ensuring optimal performance and cost-effectiveness of security solutions.
· Built, mentored, coached, and motivated IT staff.
· Facilitated communication with clients and executives.
· Improved the company's security awareness by launching a formal training program, resulting in a 30% reduction in phishing simulation click-rates over two years.
ISO 27001/2/5 compliance
NIST cybersecurity framework
SOC 1 and SOC 2 audits
Third-party risk management
Risk assessment and analysis
Risk register management
Internal and external audits
Policy and procedure development
GDPR, PCI DSS, HIPAA compliance
Data loss prevention and SIEM
Intrusion detection and prevention systems
Vulnerability scanning tools
Cross-functional collaboration
Stakeholder communication strategies
Budget and project management