Lifelong innovator helping organizations address hard cybersecurity problems while growing consultancies and revenues; focus on defining near-term CxO security challenges (12–24 months) and maturing people, offerings, tech, and skills to deliver at scale.
Built market-leading solutions spanning software security, governance and risk management, compliance, metrics & dashboards, threat modeling, DevSecOps, software supply chain security, and digital transformation—delivered via consulting, products, SaaS, and partnerships.
Approach: spend wisely across differentiators, controls, debt, risk reduction, and productivity—guided by good metrics to show what works.
Early contributor to Rainbow Books, Common Criteria, PCI, CMU CERT, and Government/NIST standards; co-creator and longtime leader/analyst of BSIMM and BSIMMsc, and co-creator of The CISO Study.
Research published in IEEE Security & Privacy, IEEE Software, ACM proceedings, and industry outlets; frequent speaker and media explainer of complex security topics.
- Imbricate Security — Principal: April 2023 – Present
- Synopsys Inc — Principal Scientist: December 2016 – March 2023
- Cigital, Inc. — Principal Scientist: August 2006 – December 2016
- Cybertrust, Inc. (TruSecure / ICSA Labs) — VP, Knowledge Management: May 2001 – July 2006
- iDEFENSE — Chief Scientist: October 1999 – May 2001
