User:Shannonstafford22

I take it upon myself to continue my education and improve my technical security and management skills. I am extremely self-motivated, focused and determined. I listen to educational webcasts during my daily commute to enhance my skills or to close knowledge gaps. I participate in a local security community, NolaSec, and am a member of local hacking groups to remain engaged in understanding new cyber security tools and techniques potentially used by adversaries.

I successfully demonstrated my ability as a change leader and my understanding of technical cyber security risks through the accomplishment of several key enterprise initiatives, including: - Creation of the Data Protection Taskforce; - Development and implementation of the Governance for Understanding and Assessing Risk to Data (GUARD) process, - Development of a comprehensive, enterprise IT risk program and risk procedures; - Maintenance and communication of Entergy’s security strategy; and - Development and maintenance of enterprise security policies, standards, procedures and guidelines.

I implemented an enterprise-wide cyber security awareness program which included: simulated phishing exercises, cyber security communication plan, an annual cyber security training, and a disciplinary and rewards program for user behavior; established an export review process to evaluate technologies and IT support functions for offshore consideration; developed and implemented a risk review process for IT exceptions, new technologies, and IT solutions to evaluate risks and recommend solutions to mitigate risk; created an internal skills matrix and development plan for team members; delivered cyber security roadshows throughout the organization; and educated team members on the risk assessment process and performed several on-site assessments with the team.

I persuaded senior leadership, who did not fully understand cybersecurity risks or how phishing emails could be used by attackers to successfully infiltrate an organization, to support an enterprise phishing awareness program. A business case was developed and presented to executive management to acquire a phishing simulation service. After a successful proof of concept period where the risk based on end-user click rates was quantified, a phishing simulation service was purchased and an enterprise-wide phishing program was developed and implemented. The risk associated with phishing dropped from 42% to 14% over a 12 month timeframe.

Last year I developed and executed an IT Risk Management Program to address the issue of executive management’s reluctance to acknowledge and manage cybersecurity risks. Cybersecurity risks exist in all areas of the organization, at all layers of the IT stack, and in both the physical and logical arenas. Although executive leaders realized cyber risks were escalating and the threat landscape was expanding, they were reluctant to acknowledge and ultimately treat high security risks in the organization. Additionally, an enterprise prioritized list of security risks had not been available historically to equip executive management with an adequate understanding of which risks to address given competing funding priorities. Over the next three months, I led the development and implementation of an IT Risk Management Program which included a cross-representation of leaders in the organization who determined the treatment of risk. By the end of the year, an enterprise IT risk management program was successfully documented and communicated and included the following components: -Risk Framework -Risk Assessment Procedures -Risk Assessment Work Instructions -Lead Sheet Template -Assessment Report -Notification Template -Risk Assessment Template -IT Risk Register -IT Risk Log -Baseline Critical Security Controls Assessment -Critical Security Controls Scorecard

As originally envisioned, the IT Risk Management Program deliverables provide the primary basis for maintaining the security strategy and developing business cases for funding to mitigate the risks identified and assessed through the program.

I have the following certifications and memberships: CISSP, CRISC, CISA, CIA, InfraGard, DC225, NolaSec