Cyber Security and Risk Management

NCTC formed a Risk Committee in 2020 with the goal of formalizing oversight of the organization's risk profile. The committee's primary focus is Information Technology and Business Operations. I have led this committee since its inception. The committee maintains multiple KPIs that roll up to the Board of Directors, including a "Risk Profile" for all technology resources, reports on findings from security audits, and operational risks.
Key metrics reported to the Board:

  • Common Vulnerability Scoring System
  • Years of Cyber Insurance Acquired
  • Corvus Score External Scan (Max 100)
  • Years Leading Executive Level Risk Committee

Risk Committee Members


  • Cyber Insurance
      • Worked directly with NCTC's in-house counsel (Jeff Nourse)
      • Led on all technical aspects, including the insurance application, implementation of policies and tools, and ownership of all security-related Organization-Level Commitments
      • 94/100 Corvus Security Score (External Scan)
      • Cyber Insurance Acquired 2023 - Lockton
      • Cyber Insurance Acquired 2022 - Lockton
      • Cyber Insurance Acquired 2021 - Lockton
  • Cyber Security Improvements
      • Record Retention Policy using M365
      • Multi-Factor Authentication - Okta + Azure AD
      • Single Sign-On - Okta + Azure AD
      • Endpoint Protection, Detection, and Response
      • Protective DNS
      • Web Application Firewall
      • KnowBe4 - Email Fraud Training Service
      • Password Policies (staff, change schedule, global admins, domain admins, etc.)
      • Cloud-Hosted VPN Solution
      • Service Accounts configured using "least privilege"
      • Backup Strategy (cloud, physical, immutable, annual integrity testing)
      • Formalized Server Patch Policy + Schedule
      • Personally Identifiable Information (PII) - GDPR / CCPA Compliant
  • Staff Training and Education
      • Recurring organization-wide security training
      • Led organization-wide in-person training
      • Personally engaged with training and support for high-risk staff
      • Automated staff testing based on performance
  • Penetration Tests + Security Audit
      • 2021 - Conducted by Red Siege
      • 2016 - Conducted by Cino
  • Business Continuity + Disaster Recovery
      • Tested yearly
      • Addresses each unique line of business, related technical platforms, and alternative business operations during an outage
      • Led Executive-level staff, assigning roles, responsibilities, and preparation
      • Commitments on restoration times from IT, tested annually
  • Mock Cyber Security Event (Hack / Ransomware)
      • In-house mock event with NCTC's Executive Level - Ransomware event in which critical platforms are encrypted and the decryption key is ransomed
      • Author of Cyber Playbook
          [1] Defined Severity Levels
          [2] Financial Thresholds
          [3] Law Enforcement + 3rd Party Support (Cyber Security Partner)
          [4] Executive-Level Responsibilities and Task Assignments
          [5] Formalized Communication (in-house, public, Board of Directors, social media)
  • Education and Training
      • "Breached" Mock Ransomware - Virtual Wargame (12/9/2021)
      • Security Round Table (2/1/2023) - Hosted by CBIZ, BMO, Polsinelli