Unlike a typical 2-3 page resume, we’ll start at the beginning from my formal advanced education journey 35 years ago, dig deeper at each stop and demonstrate how one role progressed into the next, with a myriad of different but related progressive experiences that collectively have given me a breadth and depth of experience over the past 3+ decades that make me the veteran Information Technology and Security leader I am today.

 

Sept 1988 – Dec 1992

I attended Pacific Union College in the Napa Valley of California where I started on a Bachelors in Physics degree, but realized after about 1 1/2 years that my heart wasn’t really in that field. Rather than throw away the many advanced math, science and computer programming language classes I had taken, I decided to pivot to getting an Associates in Applied Laser Physics. I added a Bachelors in History and completed both degrees in Dec 1992 while also holding down a Resident Assistant to the Dean role and helping to run the college as a Student Body Senator then Student Body President. I was a leader from the beginning who knows how to multi-task and prioritize to achieve success.

 

June 1989 – Jan 1994

While attending college I also started working at the Mount View Hotel in Calistoga, California as a Front Desk Clerk. Through hard effort and demonstrating my capabilities to the owners I was promoted to Front Desk Clerk, then to Hotel Manager, and finally to General Manager over the Hotel, Spa and Restaurant. I was still only in my early 20s leading a staff of ~100 employees and representing the remote owners’ financial and operational interests on a daily basis. I ran all marketing and Sales and at one point also oversaw a major multi-million dollar hotel and IT infrastructure remodel effort, while keeping the doors open and the customers satisfied.

At 24 years of age, though, I decided that the hotel industry wasn’t my future, so I moved back to my hometown of Sacramento and into the next phase of my career.

 

Jan 1994 – September 1995

Once back in Sacramento I came across an opportunity to work in the Financial Securities industry, and I joined the Netherlands-based, Global 500 company Fortis Investments as a Sales Agent. I learned the role, earned my Securities and Exchange Commission (SEC) Series 6 and Series 63 licenses and quickly was promoted to District Manager overseeing a team of 8-10 Sales Agents. Because I was recognized and awarded on multiple occasions for being in the Top 10 company-wide for Sales, and I personally managed over $10 million of customer retirement and investment funds, I was about a year away from earning my own office as a Branch Manager.

In mid-1995 I was working with one of my customers, a local area pastor, and advised him that what he needed for his particular retirement package was a specific mutual fund. My Branch Manager directed me to instead sell him a Variable Universal Life (VUL) Insurance policy which was hot at the time, but this particular product definitely didn’t fit into his portfolio, nor did it meet his financial needs. The Branch Manager was very clear that it wasn’t about what the customer needed or wanted, but rather what made the office the most money. This wasn’t the first time something like this had happened, and it was becoming apparent that this approach was pervasive not just in this branch, but throughout the company and likely even the industry. I achieve strong positive outcomes in whatever I do while operating with a high level of integrity, so it didn’t take much deliberation at that point for me to decide that this was the final straw and I had no intention of spending the rest of my career in this field or with a company that fostered and encouraged this sort of culture, so I tendered my resignation.

 

Oct 1995 – Oct 2000

What to do next? All of my family had completed military service and it was around this time that I felt a strong urge to give back to my country. I had options of going into the Reserves or National Guard as an Officer, but I wanted to join up on Active Duty, so I enlisted into the US Army as a Specialist (E-4) in Signals Intelligence (SIGINT) and as a Korean Linguist. After graduating from Basic Training (where I was the Soldier of the Cycle – equivalent to Class Valedictorian) the Army sent me to Monterey, CA to the Defense Language Institute (DLI) for 60+ weeks to learn how to read, write and speak Korean, one of the hardest foreign languages for an English speaker to learn. After graduation from DLI I attended additional training in Texas and Arizona and was shipped to South Korea where I served three honorable tours, earning: an Army Commendation Medal, Good Conduct Medal, National Defense Service Medal, Army Service Ribbon, Overseas Service Ribbon (w/ number 2) and Expert Marksmanship Badges (M-16 and Grenade).

During my time in Korea I was instrumental in the role of User Acceptance tester for introducing new computing systems into the operating environment. I also built out web portals for the gathering and display of intelligence data and I taught myself UNIX Systems Administration. I began to realize with these projects that Information Technology (IT) and its security-related components really interested me. I also enjoyed the opportunity to consistently be selected to brief Generals, Congressmen, Department and three-letter Agency Heads and other VIPs when they would visit.

With my five-year enlistment coming to an end I was deciding between staying in the Army or moving on to becoming an IT professional. The latter won out and I completed my time honorably with the US Army, then moved into my next role and began what has since become my life’s passion, IT and Information Security.

 

Aug 2000 – Dec 2002

I had a couple months of paid leave earned with the Army, so while I was still technically in the military I got out and became an Information Technology Engineer with a couple small companies providing IT Project Management and deployment services to the US military in Korea and Japan. I was responsible for independently traveling throughout the region to install and configure computing, networking, communications, cross-domain solutions and encryption equipment. I personally managed on average 20-30 simultaneous IT projects, each with a value up to the $500k range. I delivered each on time and at/under budget.

 

Dec 2002 – Dec 2003

An opportunity came open to work with Northrop Grumman in the Army’s Regional Computer Emergency Response Team (RCERT-K) as a Security Operations Center (SOC) Analyst. I had the privilege of working the front lines monitoring Firewalls, Intrusion Detection Systems (IDS) and related Information Security tools in defense of our National interests, protecting the US Army’s networks against nation-state attacks and the often foolish Insider Threats. Mids shift, swings, weekends, twelve-hour workdays, I experienced all of that as a front-line analyst and I still bring that level of hands-on technical and operational experience to my leadership style today. I also earned my Masters of Science during this period in Network Security from Capitol College (they have since changed their name to Capitol Technology University).

 

Dec 2003 – Mar 2005

In late 2003 Northrop Grumman had an opening for an Information Technology and Security Consultant up in Seoul, South Korea that I applied for, and was promoted into by the company. I moved the family and became a Trusted Advisor to the J6 (the military equivalent to a commercial CIO) and provided recommendations on computing Risk Management. The command had dozens of subordinate units that wanted to connect their hundreds of applications, systems and enclaves into the computing backbone. They all had to come through me first, where I would review their documentation, IT hardware and software and security controls, periodically also conducting physical onsite inspections, then I would make a recommendation to leadership on whether they should allow the unit to connect or not in their present state, or whether corrective actions were first necessary. This process saved the command and the enterprise from dozens of costly mistakes that might have occurred if the applications, systems or enclaves had simply been allowed to connect.

When they were allowed to connect I would draft Service Level Agreements (SLAs) and Memorandums of Agreement (MOAs) outlining the conditions for connectivity, how they had to maintain their risk mitigation levels, required actions for data disclosure or other breaches, etc. I was right in the mix working with Senior level Colonels, Generals, and corporate leaders, acting as the right-hand man to the “CIO” providing risk mitigation strategies and thought leadership for critical computing systems.

 

Mar 2005 – Dec 2008

After over four years with Northrop Grumman in multiple roles, when a Sr IT and Information Security Consultant role for the Defense Information Systems Agency (DISA) suddenly became available my background to date was a natural fit and I was offered the position by Computer Sciences Corporation (now DXC). I was now the IT and Information Security liaison between DISA HQ and the US military commands across the entire western Pacific. I was responsible for advising military and civilian Senior Leaders across the theater on the development and implementation of IT hardware systems, Information Security policies, Managed Security Services, enterprise Certification and Accreditation, Audit preparation and execution, risk management, cross-domain solutions and encryption, contingency planning, secure architectural engineering, critical asset protection, business continuity and disaster recovery and cyber incident handling.

I traveled extensively throughout the Pacific region interfacing and sharing Information Technology and Security best practices with civilian and military peers and leadership within the applicable US, Philippine, Singaporean, Australian and Thai agencies. I was also the Project Manager for logistics and technical support activities throughout the Pacific theater, including: Information Security training courses, IT hardware and network defense system installation/integration teams, and network compliance audit/assessment teams. It was my job to oversee all of the project logistics to stage the environment for success, get the teams in country, conduct the installation and integration activities while ensuring customer satisfaction, then get the teams back out of theater safely.

I loved my job, and look back on that role very fondly. At the time though our son was entering elementary school and I felt like it was time for him to grow up in America. It was time to finally move back to the US.

 

Dec 2008 – Mar 2011

Right about the time I was looking to move back to the US, CSC had an opening within the team for the role of Director Global Security Operations Center (SOC) at the DISA Continental United States (CONUS) HQ located on Scott Air Force Base in Shiloh, Illinois. I accepted and was promoted into the role, and moved the family back to Illinois to begin the process of learning the mission and leading the team. During my time at DISA CONUS I invested a lot of effort in representing the team and mission to very senior military and Congressional VIPs, communicating the importance of the mission and outlining how we could do even more with the right resources. As a result, we were given the budget and I expanded the CONUS team from 29 to 54 personnel (an 86% increase in personnel and capabilities under my watch), adding advanced capabilities such as: a Forensics and Reverse Code Analysis Team, a Threat Intelligence Team and a Content Development Team to write IPS/Firewall signatures (that were adopted by the JTF-GNO which is now part of US Cyber Command) and SIEM use cases that were utilized at the US National Level.

I also led our team in preparations for internal and external audits such as the Computer Network Defense Service Provider (CNDSP) audits. My preparation and response was so well thought out and executed that our unit received the highest score from the Defense Intelligence Agency that had been awarded to that date, and my methodology was then disseminated and replicated throughout the Department as the standard to achieve.

On a daily basis my team was monitoring the backbone and sub-networks for all of the Combatant Commands (COCOMs) in the Continental US, as well as about 20-25 Department of Defense units and Agencies and 20-30 Cleared Defense Contractor networks. We were seeing and advising leadership on 750-900 separate global incidents and events per month. 

It was an exciting time, and really a highlight of my career to have had the opportunity to lead this elite unit and participate in this mission. But, during the time we lived in very rural Southern Illinois where we had four tornadoes land within a mile of our house, hail the size of golf balls, horrid humidity and freezing winters and we were nowhere near an ocean or mountains, so after 6 years with CSC my family decided it was time for a change.

On a side note, prior to moving from Korea back to America I had started around March 2007 on earning my Doctorate in IT Organization and Management at Capella University. Long story short, I completed all of my coursework, colloquiums, final exams and was All But Dissertation (ABD). The US Department of Defense (DoD) Deputy Assistant Secretary of Defense (DASD) for Information Assurance had agreed to be my sponsor, but that process took so long that by the time he left office things had gone from him to the DISA Director, and finally the DISA CONUS Commander providing approval and becoming my sponsor. Because it had taken so long and the scope of my sponsorship had changed the University wanted me to redo my methodology and thesis. It was right at this time that I was also moving on to my next role at Health Net, so while I have been formally trained on IT Organization and Management at the Doctorate level I put my program on pause and unfortunately haven’t picked it back up (yet).

 

Mar 2011 – May 2013

As luck would have it, a position opened up in my hometown of Sacramento, California as the CISO with Health Net, a Fortune 150 health insurance provider. Health Net owned the health insurance contract that supported the Veterans Affairs and active-duty military east of the Mississippi. In order to support this contract their computing network had to be certified and accredited under the Defense Information Assurance Certification and Accreditation Program (DIACAP) standards (in addition to maintaining SOX, HIPAA, DSS PCI, GLBA, ISO 27001/27002, HITRUST, NIST and related regulations). They had lost their Authorization to Operate (ATO) from the government in support of this contract and they needed someone who knew how to help them get it back. Additionally, on my first day with Health Net they went public with news that they had lost a hard drive containing tens of thousands of customers’ Personally Identifiable Information (PII). Health Net brought me on-board because they knew I had years of experience in IT, IT Security, Certification & Accreditation and Information Security at-large that would help them to achieve their goal of re-obtaining the ATO and building out a proper Information Security program that provided true defense-in-depth IT capabilities.

Needless to say, I and my team of around 10 direct report employees and the 250+ outsourced IT Systems Integrator staff that I directed, jumped in to correct the situation. I was able to re-obtain Health Net’s ATO within 90 days. I used that deep knowledge that I had quickly gained about the IT infrastructure and security of the enterprise through working side-by-side with my team 14-16 hour days, sometimes up to 6 days a week, to further enhance Health Net’s defense-in-depth posture and to build out the IT and Information Security Program, establishing: Corporate Information Security policies and guidelines; business-relevant metrics to measure effectiveness and efficiencies; Incident response and insider threat programs; Corporate Business Continuity and Disaster Response Programs; Internal/external Audit support processes; and a Forensics and cyber investigation team. Throughout the effort I worked together with the Physical and Personnel Security Dept, HR, Privacy and Legal to ensure that corporate policies and procedures were followed, corporate interests were represented, and to educate multiple stakeholders on the benefits that Information Technology and Security provided to the business and how it was a business enabler.

During that process I also justified and obtained approval to double the size of my internal team to over 20 personnel and conducted a Request for Proposal (RFP) for a 24×7 Managed Security Service Provider (MSSP), including the SOC and a SIEM tool. After a thorough evaluation of the multiple products and services available, a multi-year contract was awarded to McAfee/Leidos in December 2012.

 

May 2013 – Feb 2018

Around March 2013 McAfee product Sales leadership came to me and told me that there had been some changes within their Professional Services division, and because they really appreciated the way I had handled myself during our ongoing relationship and throughout the RFP process they wanted me to come work for them as the IT Professional Services Director responsible for their Northwest commercial region. I started in May and covered multiple local and state government agencies and commercial enterprises (banking/finance, retail, hospitals/medical, technology, hospitality, higher education, and the entire Silicon Valley and its many technology companies) in the Northwest (Northern California, Oregon, Washington, Alaska, Hawaii, Montana, Wyoming and Idaho) overseeing the team of IT Professional Services consultants that installed, configured and optimized our enterprise software and hardware products, conducted external audits, pen testing, Incident Response, Managed Security Service Provider/SOC services and related activities. Nine months into the role, in Nov of that year the North America Professional Services VP came to me and said, “Billy, with the work you’ve done increasing IT Professional Services delivery revenue in your region this year, your zero employee turnover and extremely satisfied customers we’d like you to take over our nationwide Federal Civilian practice”.

In Feb 2014 that came to fruition and I took over McAfee’s nationwide Federal Civilian customer base, to include all three branches of the Federal government and their respective Departments (minus the Department of Defense and the three-letter Intelligence Agencies). Over the five years at McAfee I delivered an average annual increase of over 60% in IT services delivery revenue, while also growing my combined internal direct report and outsourced team to 50+ consultants across at least 6-8 partner vendors and in 2018 my team was on track to deliver greater than $10 million in IT Professional Services revenue.

On a daily basis I was collaborating internally with McAfee Finance, Product Support, Engineering and Sales Teams to drive profitable attached IT Services renewals and new business growth by leading efforts with customer presentations, proposal generation, project scoping and development of Statements of Work (SOWs). I was responsible for and consistently achieved 80%+ consultant utilization, met bookings goals, and exceeded Profit/Loss and margin/delivery revenue targets each quarter. I was also responsible for maintaining a high level of customer satisfaction measured through consistently strong Net Promoter Scores (NPS – final quarter 86 points). I did this by fostering a culture where the team first thought “How do we take care of the customer by saying yes?” to discovering ways to accomplish the customer’s mission, while at the same time being good stewards of McAfee’s resources. Direct interface with customer C-Level leaders was also a core component of my success, as I frequently demonstrated the value add that McAfee IT Professional Services brought to their organization. Because we were delivering IT and security projects across at least 30 simultaneous customers and multiple industries and sectors at all times I gained the equivalent of a decade or more of experience that one would not otherwise have by supporting a single company during the same time period.

McAfee was sold by Intel to a private equity investor (KPG) and in late 2017 KPG decided to pursue a different direction with McAfee’s IT Professional Services organization by significantly downsizing it and relying almost exclusively on partners. I was caught up in that effort to outsource when my position (along with over 100 others) was eliminated. While it’s always difficult to lose your job through no fault of your own, especially after having poured years of heart and soul into the company and its customers, the re-org was a strategic business decision that I understood. I declined the offer to stay with the company in another role and moved on to the next step in my career.

 

March 2018 – September 2021

After exploring various opportunities, I accepted an offer with Aerojet Rocketdyne, a 10-minute drive from home, where I was the CISO for this $2 Billion/year in revenue Aerospace and Defense company overseeing a team of ~30 outsourced security professionals across Cyber Operations, Cyber Engineering, Vulnerability Management, Incident Response, Security Operations Center (SOC), Threat Hunting and Forensics to ensure the confidentiality, integrity and availability of enterprise resources. I also led the efforts to modernize AR’s IT and security controls and methodologies to support compliance to NIST 800-53, 800-171 and FedRAMP regulatory requirements and was the Program Manager for 4-5 separate simultaneous security IT product deployments to further enhance the defense-in-depth posture of the enterprise.

In Dec 2020 Lockheed Martin announced that they were going to buy AR. Throughout Q2 and Q3 of 2021 I led the AR side of the effort to plan and execute several key IT component integrations into Lockheed’s enterprise. While I wasn’t actively looking at other roles at the time, I was independently contacted by a recruiter to talk about an aerospace startup that was looking for a new CISO. Conversation led to an offer, which I proudly accepted, and that led me into the next chapter of my career.

 

September 2021 – Present

I started in late September, taking on the role of Chief Information Security Officer for in-space transportation company Momentus. Within two weeks I was also asked to take over as the VP of Information Technology as well. Since then I oversee all things Information Technology and Information Security, Compliance, the Security Operations Center (SOC), the internal teams and outsourced managed service providers for both. Under my watch and direction we have expanded the footprint into both the AWS and MS Azure environments to support our space flight mission operations and digital manufacturing workflows.

I am extremely excited to have the opportunity to continue working at the confluence of Information Technology, cybersecurity and the Aerospace and Defense industry. We have multiple space flights under our belt now due in strong part to the success my team has had in optimizing the administrative computing environment and bringing new technologies to bear to support best practices and align the environment with regulatory requirements. I continue to lead this team, work with other business units and take the department and company to the next level along with advancing my personal and professional skills and abilities in preparation for the next phase of my career as a Chief Information Officer.