Jeffrey Crump

OVERVIEW:

Accomplished leader with a history of identifying, development and implementing solutions to help organizations reduce cyber risk and build resilience.

 

SELECTED ACCOMPLISHMENTS:

• Led business/security-aligned initiatives to fundamentally transform how cyber risk is identified, managed and achieved including:

  • Author, Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience

  • Led the development and validation of cyber crisis management plans for entities in the United States, China, Canada, Mexico, Russia, and India

  • Led the identification, categorization, cross-reference matrix development, and functional and operational compliance of China cyber security legal and regulatory requirements to be met by Express (Hangzhou) Technology Services Co. (American Express joint venture with LianLian) for operating license and National Security Review as part of establishing a non-domestic payment card network (the first US entity authorized to do so by the Chinese government)

  • Led multiple core security capability program workstreams (internationally) for Deloitte & Touche to develop strategically-aligned shared cyber risk services to meet five-year global revenue goals

  • Led multiple capability gap analyses and resulting strategic roadmaps, the most current being the assessment of and resulting optimized supply chain security program for Intel, including sub-fab industrial control systems

 

PROFESSIONAL EXPERIENCE:

5/2017 – Current

Cyber Security Training & Consulting Company Limited

Hong Kong SAR China & Phoenix, Arizona USA

Principal

• Cyber Crisis Management

  • Developed the Cyber Emergency Response Plan (CERP) for Express (Hangzhou) Technology Services Co. (American Express joint venture with LianLian)

  • Developed the Cyber Crisis Response Plans for American Express banks in USA, Canada, Mexico, India, and Russia

  • Assessed cyber crisis exercises for the Express (Hangzhou) Technology Services Co. and three American Express banks (Mexico, India, and Canada)

  • Achieved independent quality certification by PECB Management Systems of the Cyber Crisis Management Planning Professional course I developed

  • Authored Concept Note to address the implementation of cyber crisis management and information sharing capabilities for the U.S. Agency for International Development Europe and Eurasia

• ​China Cyber Security Law and Regulations

  • In support of operating license and China National Security Review requirements, serve as subject matter expert to American Express regarding China’s cyber security laws and regulations

    • Developed the policy framework for information technology and information security risk management policies and standards for American Express’ joint venture in China

    • Mapped China legal and regulatory controls to each other to identify overlap (e.g. GBT 22239, JRT 0071/0072, JRT 0142, China Cybersecurity Law, Cross-Border Data Transfer, Personal Information Standard, etc.)

    • Worked with China-based resources to develop an Information Security Management System (ISMS) to comply with ISO 27001 requirements

    • Mapped American Express policy and standards requirements to Joint Venture's ISMS library of measures and standards

    • Mapped China UnionPay Data Security Standards (UP DSS) for credit card processing to Payment Card Industry Data Security Standards (PCI DSS)

    • Consult on product selection for compliance with China’s national requirements for encryption and security tools and technologies

    • Participate in product implementation validation and operational readiness reviews

    • Developed a Creative Commons licensed financial regulatory tool to be used by a lead assessor during a Hong Kong Monetary Authority (HKMA) Cyber Fortification Initiative (CFI) Cyber-Resilience Assessment Framework (C-RAF) Inherent Risk Assessment (IRA) and Target/Minimum Maturity Assessment (NIST/ISO 27002/FFIEC-based)

• Cyber Security Training

  • Developed the Capability Maturity Model Certification (CMMC) training course series designed form Level 2 – Level 5 defense industrial base contractor companies

  • Developed the 60 Seconds of Cyber security awareness training course series

• Security Research and Contributions

  • Provide subject matter expertise on security and privacy standards and best practices through the development of executive and professional security awareness and training programs delivered to clients/employees such as IBM XForce Incident Response, KPMG, the OCC (Options Clearing Corporation), Indonesia’s National Cyber and Cryptography Agency (BSSN), Saudi Arabia’s King Abdulaziz City for Science and Technology, Hong Kong CITIC Bank, and Bank of America, including: Executive Education, Introduction to Cybersecurity Boot Camp, Cyber Crisis Management Planning Professional (C2MP2) Certification Boot Camp, and the FFIEC & ISO 27001/27002-based Hong Kong Monetary Authority (HKMA) Cyber Resilience Assessment Framework (C-RAF)

  • Conduct security research and publish public blog entries related to cybercriminal offender profiling with emphasis on the relationship between cultural factors (e.g. Hofstede’s Nation Culture, United Nation’s Cybercrime Law status, World Justice Project Rule of Law, poverty, etc.) and psychological factors (e.g.  Hare Psychopathy Checklist Revised, Myers–Briggs Type Indicator, IBM Watson Personality Insights artificial intelligence, and the Java Graphical Authorship Attribution Program (JGAAP) and JStylo to leverage machine learning algorithms to identify threat actors)

  • Authored article on security awareness in Human Resources Magazine, the printed and online publication from the Hong Kong Institute of Human Resource Management (HKIHRM)

  • Authored article for the published Crisis Response Journal on cyber crisis leadership training challenges and the utility of virtualized environments as a viable option

  • Article author of How China, Iran, and Russia Have, Are, and Will Attack the US, published on Medium, which provides summary analysis of MITRE ATT&CK™

  • Authored a three-part article series on Cyber Threat Actor Cultural and Psychological Factors

  • Authored article on the top tactics and techniques utilized by China, Iran, and Russia for cyberattacks against the United States, as per the MITRE ATT&CK data set

 

10/2014 – 5/2017

Deloitte & Touche LLP

Phoenix, AZ

Manager, Cyber Risk, Audit & Enterprise Risk Services

• Led multiple international teams as part of a global operational change initiative (~$21M annual budget) to plan, build and run the Unified Cyber Portal (integrated applications and managed services) including Threat Service (Splunk & Jira-based Monitored Security Services Provider(MSSP), Threat Intelligence & Analytics, Global Application Security Testing (SAST, DAST, & MAST), Threat Lifecycle Management and Cyber Strategy (compliance assessment) Framework

• Collaborated with Global Cyber Executive Committee members, regional leaders (Americas, EMEA and APAC) and other member firm cyber leaders from locations such as the United States, Canada, Spain, Belgium, United Kingdom and Australia

• Liaised with, and develop reports for, multiple governance, risk and compliance bodies to comply with national and international standards

• Built and led a Global Cyber Rapid Deployment Team, responsible for the on-boarding of international member firms to the above-mentioned solutions. This included the development of an on-boarding artifacts ranging from an introductory primer to introduce global cyber leaders to the on-boarding process, kickoff and technical working session materials, global on-boarding project plan, detailed step-by-step process for on-boarding each capability, implementation of a centralized repository of all on-boarding materials, service catalog, interim support model, and vendor and interfirm legal/contracts

• Led a Supply Chain Security Program and Ecosystem assessment for a multinational semi-conductor client, which included conducting more than 20 interviews and related information security policies, procedures, standards, and guidelines and supplier contract reviews to assess the organization against eight domains:

  • Governance & Risk Management, Business Continuity, Human Resource Security, Identity & Access Management, Information & Asset Management, Physical & Environmental Security, Third & Fourth Party Security, and Threat Intelligence & Analytics

  • Also included an evaluation of the sub fab and building management system industrial control system (ICS) environments

  • Identified the need for specific security policies, procedures, standards, and guidelines updates, and made recommendations to client regarding update approvals, dissemination, and maintenance

• Developed a Cyber Crisis (Management) Response Plan (CCRP) for an American multinational financial services client.

 

7/2014 – 10/2014

Wells Fargo

Phoenix, AZ

Contract Senior Project Manager

• Responsible for project to mitigate IRA fraud loss through procedural-based solutions

 

4/2013 – 7/2014

DataShield (now ADT Cybersecurity) Monitored Security Service Provider (MSSP)/Security Operations Center (SOC)

Scottsdale, AZ

Program Manager, Security & Compliance

• Worked with 40+ clients to identify, evaluate, and report on information security risks, practices, and controls required to mature their security and enhance overall resilience and compliance (e.g. GLBA, PCI, HIPAA HITECH, etc.)

• Primary point of contact for all client relationships, including the liaison between the customer and the Security Operations Center/MSSP

• Partnered with architects, infrastructure, and application teams to ensure that technologies and monitoring solutions complied with internal and client standards

• Led daily morning standup meeting with Security Operations Center staff and provided daily direction on work efforts

• Led the development of the Monitored Security Service Provider (MSSP)/Security Operations Center (SOC) Use Case Maturity Model (SOC-UCMM) framework, incorporating SANS Critical Controls, PCI, ISO 27001 and NIST Improving Critical Infrastructure Cybersecurity Executive Order 13636

• Established previously non-existent standardized processes for:

  • RSA Security Analytics Security Information and Event Management (SIEM) for (Packets), Envision (Logs), Event Stream Analyzer (Complex Correlation), and Data Loss Prevention client on-boarding

  • Develop metrics and dashboards for our internal staff and clients to measure and communicate the effectiveness of the security monitoring program, and increase both our internal and client’s maturity of the program over time

  • Developed key artifacts for customer relationship management and operational effectiveness to include:

    • Monitored Security Service Getting Started Guide;

    • Client Security Profile (Organizational and Environmental factors);

    • Communication Plan;

    • Customer Configuration;

    • IPSec Connectivity Form; and

    • Monthly Executive Summary.

  • Developed and delivered program management data used in meetings with prospects and investors

• Led the preparation activities leading up to a Service Organization Controls Type 2 (SOC 2 Type 2) audit

 

10/2011 – 4/2013

Wells Fargo

Phoenix, AZ

Contract Senior Project Manager (18 month contract term limit)

• Led the development of a Day 1 process for check fraud detection, which included working directly with Harland Clarke and internal risk management/fraud groups.

 

2/2010 – 10/2011

CDI Corporation Phoenix, AZ

Client Executive

• Lead the delivery of an information security and governance organizational and functional assessment for a major gaming/casino client located in Las Vegas.

 

5/2008 – 2/2010

Symantec Corporation Phoenix, AZ

Security & Availability Business Critical Account Manager

• Single point-of-contact for Severity 1 and Severity 2 escalations for premier Datacenter, National and Global clients across availability and security products on a 24x7x365 basis.

• Supported global clients including IBM, Honeywell, Apollo Group, and the U.S. Army (Pacific Rim: Western US, Alaska, Hawaii and Korea).

• Hosted incident-management bridge calls including representation from client, outsourced service providers and hardware/software vendors.

 

7/2007 – 5/2008

Compuware Corp. Phoenix, AZ

Senior Project / Program Manager Services Sales and Delivery

• Senior Project Manager for the implementation of all Phoenix-based projects including custom application development, business intelligence, testing services and end-user experience / ITIL- compliant business service management solutions.

• Managed $3MM book and more than 20 consultants executing application development, business intelligence, business analysis and infrastructure monitoring projects.

 

2/2007 - 7/2007

Keane, Inc. Phoenix, AZ

Client Manager / Program Manager: Outsourced Services

• Keane announced on my first day at work that it was being acquired by Caritor. My position was already being filled by an incumbent.

• Senior project manager / program manager for the delivery of a broad range of IT services including custom application development and maintenance and enhancements for mainframe, mid-range and Web platforms valued at $5MM.

 

2/2004 - 2/2007

EnterpriseCM, Inc. Phoenix, AZ

Senior Project Management Consultant

• Identified, assessed and established an international Offshore Partner Network with technology solution providers in Russia, India, China, Philippines, Ukraine and Vietnam to act as service delivery units for US-based clients to help the business and clients minimize risk

• Developed previously non-existent standardized criteria to assess offshore suppliers called the Independent Offshore Company Assessment (IOCA) that included a subjective and objective capability and risk analysis of the security and viability of offshore application development suppliers, which was referenced in multiple annual publications of CIO Magazine

• Led multiple organizational change readiness and operational assessments, with resulting strategic roadmap:

  • Assessed the functional requirements of customer's software change management and business process / application life cycle (DevOps) solutions / secure systems development life cycle (SSDLC).

  • Worked with one of the nation’s leading mortgage lenders to assess and evaluate their current processes in the following areas as they relate to Sarbanes-Oxley (COBIT / COSO) compliance.

  • Worked with one of the nation’s leading mortgage lenders to develop a change management life cycle system to support SOX compliance.

  • Developed a Balanced Scorecard approach to enterprise change management implementation and usage for a Top 5 bank.

​

10/1998 - 2/2004

SERENA Software, Inc. Phoenix, AZ / Crossville, TN

Managing Principal

• Responsible for all client technical and organizational change management clients in the Western area

• Executive Program Manager for the assessment of Enterprise Application Lifecycle Management (DevOps) at the U.S. Postal Service for both the mainframe and distributed platforms

 

Principal Change Management Consultant (Practice Manager)

• Led Enterprise Change Management Business Reviews, which addressed the technology-, management- and business-related issues and challenges facing customers implementing enterprise allocation lifecycle (DevOps) process improvement

• Led consulting teams tasked with performing Change Management Business and Process Reviews, as well as Configuration Needs Assessments. These solutions enabled customers to align the business with technology while paying close attention to the people aspect. In addition, as a supplement these solutions helped customers to move from their current state to an ideal state based upon industry Best Practices, the Capability Maturity Model (CMM), the Information Technology Infrastructure Library (ITIL), or the Rational Unified Process (RUP)

 

Senior Change Management Consultant (Project Manager)

• Led multi-site assessments of clients’ mainframe and distributed application lifecycle management (DevOps).

 

6/1996 - 10/1998

McKesson HBOC Phoenix, AZ Project Manager

• Managed the project initiation, planning, execution, control, and closure activities for McKesson's CareEnhance Resource Management Software (CRMS), CareEnhance Clinical Management Software (CCMS), Pathways Compliance Advisor, and CodeReview solutions software implementation projects.

 

6/1992 - 6/1996

Coast Guard St. Petersburg, FL / Juneau, AK Public Affairs Specialist / Project Manager

• Secret Security Clearance

• Managed the cost, quality, functional objectives and services for the delivery of data and image acquisition products and services to meet the changing needs of DOT's Public Relations staff in Alaska.

• Responsible for developing press releases, conducting radio and television interviews for national and international audiences, and collecting and distributing still and video images to media outlets during routine and crisis situations.

 

6/1984 - 6/1992

Air Force / First Colony Life / Bell Atlantic / Ameritech Florida / Virginia / Pennsylvania / Illinois Systems Programmer

• Top Secret / SCI Security Clearance

• Installed and maintained the IBM mainframe MVS operating system utilities and third-party products. Evaluated third-party software and made procurement recommendations.

• Responsible for installing and maintaining mainframe information systems security using ACF2 and RACF.

​

EDUCATION:

• SANS ICS410: ICS/SCADA Security Essentials (Industrial Control Systems)

• Certified Cyber Crisis Management Planning Professional (C2MP2) Instructor

• Certified Information Systems Security Professional (CISSP) #548344

• Certified Project Management Professional (PMP) #418108

• Certified Scrum Master (CSM)

• Microsoft Operations Framework (MOF)

• COBIT Foundations

• ITIL Foundations Certified

• Graduate, Defense Information School (DINFOS)

• Capella University B.S., Project Management (Inactive Candidate – Less than one semester remaining)

 

​

SELF-PUBLISHED WORKS:

• Book author of Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience available for sale on Amazon

• Article author of How China, Iran, and Russia Have, Are, and Will Attack the US, published on Medium

• Authored a three-part article series on Cyber Threat Actor Cultural and Psychological Factors

• Article author of Myers-Briggs Type Indicator for Cybercriminal Psychology Offender Profiling

• On-going series author of Doxxing the Puppet, which describes my personal account of using open source intelligence to (possibly) identify one the world’s most wanted hackers, Phineas Fisher

• Article author on Security Awareness for Human Resources Magazine, the print and online publication from the Hong Kong Institute of Human Resource Management (HKIHRM)

• Article author of Creating leaders on the cyber battlefield for the print and online publication, Crisis Response Journal

​