About Me

The Short Story

I love technology! I'm in the zone (fueled by passion) when I am designing and building new things (whether that be products, businesses or presentations) from the ground up, leveraging my diverse capabilities, including researching, coding, writing and designing, while inspiring others around the vision.

The Longer Story

My passion for technology has manifested itself in many ways over the course of my career, spanning various technologies, verticals and business models.

I built my security company, Redspin, because of my interest in security. Security is ever changing and always evolving with an ever present frontier of risk. I think of a security as just a concept of managing risk that overlays whatever technological and operation environment you are given. 

In particular my experience includes technical and management activities around the following areas of security:

  • Web application security assessments
  • Penetration testing
  • Mobile application security
  • Enterprise-wide security assessments and risk assessments
  • Compliance security assessments for banking, healthcare and gaming.
  • Social engineering, including physical, social and technical (i.e. storage devices with payloads)

Compliance & Risk Management

It's difficult to work in security at an enterprise level without a good dose of compliance. While I don't think that focusing on compliance gets your network and data secured, I do believe that focusing on security does get you pretty far down the path of compliance. Here is a blog post I wrote on the subject of compliance vs. security. And here is another one of my posts. My strategy has always been to focus on the spirit and intent of the compliance requirement rather than getting too caught up with the "checking the box" aspect of the various compliance requirements. I've done extensive work in the compliance realm, including:
  • Credit Card & Consumer: PCI DSS - Payment Card Industry Data Security Standard
  • Financial Services: FFIEC - Bank and credit union security guidelines
  • Healthcare: HIPPA Security Rule, HITECH Act - For anyone that touches personal health information
  • Power Grid: NERC CIP - Security guidelins for bulk power system infrastructure security


I enjoy coding in Java as for me it has the right balance of flexibility and abstraction. However, it never seemed to deliver on the promise of easy portability. I've done extensive Perl coding and always enjoyed, even early on, the extensive availability of modules. Lately I've been coding iOS apps using the Titanium Appcelerator platform which is a Javascript based environment which can be compiled into Java for Android or Objective C for Apple iOS. I've done some Java development for Android, but I have focused mostly on iOS and have several apps on the Apple App Store. Also, I've enjoyed hacking away at hardware, using the Arduino prototyping board, which is a microcontroller that enables C / C++ code to be written and uploaded to the board via USB; rapid hardware prototyping! This will present interesting opportunities for apps that control the physical environment. 

Apps on the App Store

As a developer I am intrigued by the possibilities that exist as every smart phone user has a full featured computer with extensive sensor capabilities built in. These are my projects that are available on the Apple App Store.

  • SYODSecure Your Own Device, a BYOD (Bring Your Own Device) security app for iPhone. I developed this for Redspin.
  • McRun: Running calculator for elite athlete. A popular running calculator used to calculate performances.
  • Omulator: Meditation timer with graphical output. A meditation timer that leverage the audio power measuring capabilities of the iPhone. This has been popular in Asia!

Vertical Markets
Various markets have captivated my attention.
  • Banking and Financial Services: I have personally worked with about 100 banks nationwide, and other service providers such as Mastercard and various global bank service providers. I have been a speaker at many banking security conferences.
  • Healthcare: The healthcare market is interesting in that it is so big (like 17% of GDP) it is its own world. Also, some providers like hospitals have very complex, heterogeneous and physically challenging security environments, making this a very interesting space from a risk management perspective.
  • Defense & Government: Security naturally lends itself to public sector applications.
  • Gaming: Gaming and casinos are a high-growth business and having grown up near tribal American Indian reservations, I am excited to see that many of the tribes have developed profitable business gaming entities that channel profits to healthcare,  education and other tribes. Seems like a little karma at play here.
  • Security: while I am always interested in security from a technical and risk management perspective, the industry is significant and it in itself is somewhat of a market of its own. I am a student of the various companies, technology and business models in the security space.

Public Speaking / Presentations
Communication is always a fun challenge, especially explaining nuanced technical issues to non-technical people. My communication experience spans various audiences from technical to executive.
  • Security Training Seminars: I've led security training seminars for the Institute of Internal Auditors as well as for various other banking and gaming security conferences, such as the National Tribal Gaming Commissioners/Regulators (NTGC/R) and banking conferences.
  • Radio: I was interviewed live on KABC radio in an extensive interview about security best practices. 
  • Keynote Addresses and Presentations: The best part about a presentation is seeing all the preparation and effort to provide top quality slides pays off and helps really connect with an audience.
  • Hacking Seminars: I brought some of the Redspin security team on a roadshow sponsored by Citrix and Microsoft for a north american tour which included a security seminar and live hacking examples. It's amazing how real-world examples and demos really hit home with an audience.
Here are a couple examples of some presentations on Slideshare:

A few examples of security and industry specific risk management blog posts:

Market Validation
I am a big fan of the process of market validation which is a structured approach to approach to developing products and customers.  Here is my blog post on how to apply market validation to a new security product opportunity.

Product and Business Operations Evaluation
Having spent 10 years, essentially running a technical audit business, I became adept at evaluating technology, companies and products. The key to a successful evaluation is both in the evaluation AND the ability to communicate the findings to executive management and the board. Our assessment skills at Redspin were typically of course applied in a security setting, however, new CIOs and companies looking at acquisitions sometimes perform a security assessment to quickly evaluate the technical and operation state of the organization.


CEO/Founder/Security Evangelist - 2001 to 2012

  • Redspin: 2001 - 2012: I bootstrapped Redspin from the ground up starting with just a vision, building it as a significant player as a premium provider of high value security assessment and advisory services to Fortune 500 companies.

Founder/Product Manager - 2007 to 2008

  • Jetmetric: This was a business unit of Redspin in which we commercialized our backend technology and spun out and later merged back into Redspin. Jetmetric provided a web interface to the various proprietary tools and application we created to automate various parts of the security assessment process.

Software development, network engineering, Product management - 1995 to 2001

I had various technical, management or consulting roles at a range of tech and startup companies. These include:

  • Intuit
  • InterVU: Acquired by Akamai
  • Websidestory: Acquired by Omniture/Adobe
  • Bidland
  • Various startups: Edupoint, Predict Power, language translation, image editing, ....

Entrepreneurial - 1992 to 1994

  • Freestyle StudiosThis is a company I built with my brother, Peter, in which we developed multi-media CD-ROM titles to be bundled with MPEG capable motherboards. We successfully developed content and secured deals for tens of thousands of units. In this case we learned how fast things could be commoditized. Prices per CD-ROM went down by an order of magnitude over 12 months once Microsoft got in the game. Today, Freestyle Studios still exists and hosts the McRun app which I created with my brother.


I love learning. While at UCSB, the administration sent me a letter that basically said "hey, you've got too many units, time to hit the road" so I graduated. After graduation, because I had some programming experience since junior high in FORTRAN (yes, I actually experienced punch cards back in 8th grade), Pascal and Basic ( I had a Commodore 64 as a kid), I pretty quickly ended up in technology after graduation. I started taking night classes at SDSU in 1999 and was a class short of a Maser's Degree, but I opted for an entrepreneurial path.

  • UCSB - University of California Santa Barbara:  BS in Environmental Studies and Geography, with an emphasis in physics and remote sensing - 1986 to 1990
  • SDSU - San Diego State University: MS (almost) in Computer Science. 1999 to 2001

No comments:

Post a Comment