Security Engineering Leader
I've spent 20+ years building things that work quietly — cloud infrastructure that doesn't break, security programs that don't surprise you, and compliance that's ready before the auditor asks. Based in Boston. Currently open to what's next.
Philosophy
Every tool you add is something to monitor, patch, and explain to an auditor at 9am on a Tuesday. I build security programs with the minimum moving parts needed to do the job well — because the biggest attack surface in most companies isn't their infrastructure, it's their complexity.
If you're scrambling before an audit, you've already lost. Give auditors what they're looking for, in the format they expect to find it, and they go home happy. That means evidence collection is a year-round discipline. It means a policy library that's actually current. It means a risk register that reflects reality, not the moment.
IaC under version control, PR approvals before anything touches production, secrets that never leave the vault. If a human can make an undocumented change to a production environment, that's not a policy gap — that's a systems design gap. I close those gaps at the architecture level, not the rulebook level.
If your MDM is generating unprompted alerts for users who aren't doing anything wrong, you've misconfigured it — not secured it. Endpoint security should surface exactly when someone crosses a line, and never before. Security that gets in people's way gets worked around.
In practice
Built the program from near-zero maturity at Bento, a HIPAA SaaS company. Served as primary operator and auditor liaison for five+ years. The secret: treat the audit as a checkpoint, not a destination.
Designed and built a unified CI/CD platform using GitHub, CodePipeline, CodeBuild, Lambda, and Step Functions. Standardized across every environment. Deployment stopped being an event and became infrastructure.
Policies, risk management, vendor governance, awareness training, incident response, MDM, and ITSM — stood up in a regulated environment without slowing the engineering team down.
Led the move from on-premises to AWS in 2011, long before it was the obvious choice. Evolved that infrastructure over a decade into microservices, serverless, and high-volume transactional workloads.
Background
Head of Information Security & DevOps · Principal Cloud Architect
Dental benefits SaaS. HIPAA and SOC 2 environment. I own security architecture, compliance, CI/CD infrastructure, detection and monitoring, and corporate IT. Built most of it from the ground up.
Technical Director, Cloud Architecture & Infrastructure
Led cloud infrastructure strategy and engineering teams through a decade of growth. Early AWS adopter. Guided the transition from monolithic systems to microservices architecture.
Founder / Principal Architect
Independent practice building high-availability web platforms for clients. CMS, digital asset management, e-commerce. Two decades of client work alongside full-time roles.
Wolfram Research · Addison-Wesley Publishing · VPG Integrated Media
Started as a sysadmin at Wolfram Research in the early days of the internet, worked with Stephen Wolfram on some of the earliest internet-based systems, and never really stopped building things.
I'm looking for the right next thing — a company that needs someone who can own security and infrastructure, not just advise on it. If that sounds like your situation, I'd like to hear about it.