Mel Drews
SKILLS - click the links below for details on how I've used these to create value for my clients and employers
3rd Party Risk Management | Security Frameworks | Identity and Access Management
Security Architecture | Security Audit | Vulnerability Management
Application Security | Cloud | Governance, Risk, & Compliance
Regulatory Mandates | Network Security | System Hardening
Project Management | Penetration Testing | Coding and Scripting
Risk Assessment | Security Controls | Leadership
PROFESSIONAL CERTIFICATIONS (links are to Credly badge verifications)
EXPERIENCE
Company: Zoom Video Communications
Location: San Jose, CA - Remote
Dates: 10/2020 - 02/2024
Description:
Operating within a large-scale SaaS environment primarily comprising AWS infrastructure and services, with significant in-house datacenter functionality and other cloud environments, I established, documented, and delivered the Offensive Security Controls Validation program within the Product Security / Assurance function. Using attacker tactics, techniques, and procedures, I was able to demonstrate any gaps in effectiveness and the impacts of technical controls issues beyond just compliance. The program prioritized controls aligned to industry and internal security frameworks and regulatory mandates. I delivered executive-level reporting connecting findings to policies, standards, and attested controls. Managed related risks within the company GRC system, engaged risk owners for remediation, and tracked efforts to resolution, resulting in reduced risk to Zoom and customers. Identified exploitable vulnerabilities in Zoom websites, applications, and APIs, pre- and post-market release, using web-based penetration testing approaches, and worked with developers and external consultants to develop and test remedies. Coordination with team members to identify vulnerable segments of source code. Cross-functional collaboration to develop and assess application security threat models. Owned and directed work performed by external security contractors. Ownership and delivery of Objectives and Key Results with subsidiary goals in support of executive initiatives. Responsible for driving process improvement across technology disciplines through stakeholder coordination. Support for executive-level decision making around business risk.
Company: Jackson National Life Insurance
Location: Lansing, MI
Dates: 11/2018 - 10/2020
Description:
Within a hybrid private-public cloud infrastructure environment, primarily comprising MS Azure infrastructure, I ensured software product security through requirements specification, design, architectural and code review, testing (SAST & DAST), and vulnerability management. Built standardization of application security tooling and DevOps processes, integrating the Fortify SAST solution with CI/CD pipelines. Utilized SAST and DAST tooling, including Burp Suite, AppScan, and Fortify. Development of processes and tooling to enable developers and product managers to perform on-demand SAST scanning, request DAST scans, generate reports, and provide feedback on identified issues and remediations, with the result of improvements in application security and developer awareness of security issues and coding practices. Established the processes and tools for application security threat modeling. Delivered vulnerability management reporting using Qualys and Rapid7 tooling to ensure systems and network configurations were maintained up to standards. Protection of company assets and personal data for millions of customers and independent advisors across multiple business units.
Company: Jackson National Life Insurance
Location: Lansing, MI
Dates: 09/2016 - 11/2018
Description:
Building on stakeholder input and my own analysis of business needs, I delivered the Information Security Policy, standards for implementation, and related security controls definitions through multiple documentation streams. Led a team with direct reporting staff, plus interns and external consultants, to ensure security control definitions aligned to business needs and regulatory requirements, and to validate control ownership and implementation. Through my ownership, design, and project management over development of the enterprise information security risk GRC product module, I was able to automate management attestations to controls, capture evidence, and perform repeatable testing. My team created a management dashboard with differentiated functional access for different stakeholders. We delivered regular management metrics on the program to support executive-level presentations and decisioning. While I established these processes for Jackson's multiple North American business units, elements of the policy, standards, and processes were later adapted for application across all global business units. I developed the due diligence program for 3rd party risk. Provided metrics and reporting, demonstrating achievement of management directives. Analysis and certification to regulatory issues covering GLBA, SOX, FINRA and NY DFS regulations, GDPR, and other legislative, regulatory, and internal compliance mandates. Oversight of audit engagements, internal and external. I also served as the Security representative to the Enterprise Architecture Forum and within various technology development projects to ensure the use of appropriate security architecture would establish a firm foundation for future developments. Delivered qualitative and quantitative risk analyses using approaches such as Open FAIR, to ensure appropriate understanding of risk exposures at the executive level.
Company: Jackson National Life Insurance
Location: Lansing, MI
Dates: 11/2014 - 09/2016
Description:
Introduced practice and delivered application security threat modeling and risk assessment.
Delivery of job-specific security awareness training for software QA associates.
Delivery of validated software security assessments using AppScan and Burp Suite DAST tools.
Development of the secure coding test standards aligned to OWASP.
All toward establishment of application security processes, developer awareness of secure coding standards and issues, and reduction to enterprise risk.
Company: Jackson National Life Insurance
Location: Lansing, MI
Dates: 09/2012 - 11/2014
Description:
Led IT Audits within North American business units and coordinated with international teams to cover larger audit objectives. I developed and delivered IT Audit tests of design and effectiveness, prioritized for risk and based on analysis of Jackson's policies and standards, as well as other standards of good practice, such as those from NIST. Delivery of on-time audit reports in support of global audit team quotas, with results leading to meaningful improvements in organizational security, risk, compliance, and business process. Support for IT elements of integrated audits over complex financial services, in coordination with global audit teams. Identified control weaknesses and IT security vulnerabilities in North American Business Unit companies and engaged with the business. Tracked issue remediation efforts to implementation and verified effectiveness. Introduction of standards-based IT risk assessment practices.
Company: SANS Institute
Location: Lansing, MI, various, and remote
Dates: 09/2015 - 03/2020
Description:
Presented SANS training materials through classroom instruction and mentoring to professionals from IT, security, and audit from state government and private companies preparing for professional certification exams, including Certified Information Systems Security Professional (CISSP) and GIAC Certified Web Application Defender (GWEB). 100% student pass rate. Served as Teaching Assistant to lead course instructors in live and remote security trainings.
Company: Info@Risk
Location: Eugene, OR
Dates: 08/2004 - 01/2014
Description:
The primary focus of the position was vulnerability assessment and penetration testing for U.S. and international clients, but it also included development of controls audits, policies, and procedures, and consulting on a wide range of IT governance, risk, and control areas for clients in diverse industries. Key accomplishments include: Assisted clients with internal and external compliance mandates, including HIPAA, GLBA, NERC, PCI, FFIEC, and other regulatory schemes. Developed technical controls testing as a customer deliverable, based on NIST SP800-53. Developed other security penetration and vulnerability testing methodologies and tools. Scoped and developed consulting engagements with banks, credit unions, hospitals, universities, electrical utilities, and city, county, and state government for customer success. Strategic development, implementation, and management of all internal IT infrastructure. Improvements in security measures protecting the finances and personal data of hundreds of thousands of people, as well as client intellectual property and operational reliability. Contributions to strong customer relationships and company reputation. Mentoring and development of junior staff.