What’re we doing here?

I started my professional career at Ernst & Young (EY) doing a whole lot of external auditing for SOC reports (SOC1, 2, and 3) and some SOX. I spent most of my time at EY in the San Francisco Bay area working on both tech behemoths and small startups trying to land their first big customer. I did a short stint in the Los Angeles office as well to get first-year SOX done for another tech company. At EY I got a lot of exposure to a wide variety of companies and technologies and was able to get a firsthand look at how they built their compliance program and controls. EY also hammers in the importance of quality, detail, and deadlines, which was painful at the time, but is the experience I value the most now.

EY was an excellent place to start my career and taught me a lot. External auditing was not where I wanted to stay, so when the opportunity came, I jumped to Dropbox. When I joined Dropbox, they already had a relatively mature Security GRC program with an assortment of compliance badges like SOC1, SOC2, ISO 27001/1, ISO 27018, ISO 22301, CSA STAR, HIPAA, and many more. I dove straight in and was part of the team keeping the Trust Program running to maintain these badges. I also got the opportunity to manage Dropbox’s business incident response process. Basically any time there was an incident that affected customers, my role was to manage the team and process to coordinate the relevant business stakeholders to respond (Legal, Marketing, Comms, Customer Experience, Engineering) and then communicate with the customer(s). My time at Dropbox was amazing. I had an incredible team, the food was delicious, the culture was excellent, and the GRC program was strong; definitely a great example to learn from and replicate.

After a little while at Dropbox I really wanted to build a program myself. I jumped to Cruise as part of the founding GRC team. My initial focus was on compliance, but it quickly expanded to all aspects of GRC. It truly was an experience of building from 0 to 1. My team wrote every security policy and standard, created Cruise’s first unified control framework, stood up the risk management program, created the third-party risk management program, implemented GRC tools, and everything else that goes along with it. It was a lot of strategic planning, negotiating priorities, hiring, and being scrappy. For several years after I joined Cruise, it was still entirely an R&D company with no customers, so a lot of time in the beginning was spent on truly foundational work like helping Security teams develop their maturity, designing and implementing basic controls, and identifying risks. Cruise was really still a startup in those early days and I wore many hats; I really increased the breadth and depth of my cybersecurity expertise at Cruise.

—————

The start of 2024 has been really rough for the tech industry. There have been huge numbers of layoffs (including 24% of Cruise) and the job market sucks. According to Layoffs.fyi, there have been over 35,000 tech layoffs in just two (2) months, from December 2023 to January 2024. I decided to start this website for two (2) main reasons:

  1. I have a lot of coworkers, direct reports, and friends I care a lot about who have been affected by layoffs. I want to share ideas and resources that can help them (and anyone else) land their next job via this blog. I share most of these blog posts on LinkedIn as well, but this is a website that isn’t locked behind an account login and isn’t trying to harvest your data for profit.

  2. I want to start helping companies with whatever cybersecurity and/or GRC needs they may have. In particular, most early startups don’t have the funding or headcount to support a full-time GRC hire (or often even a security hire), but still need a lot of help with their security program and meeting the compliance expectations of their customers, regulators, or investors. I’ve got a really wide range of experience across Security and I want to use that to help these companies be successful and protect themselves.