An unlikely trajectory — from Interpol investigations to building GRC programs from zero in fintech. The common thread? Protecting what matters, with evidence and precision.
What looks like career pivots on paper is actually one continuous trajectory — from investigating human threats to defending digital ones. Each phase built on the last.
Started in Drug Enforcement (2010–2013) performing undercover and operational work against organized crime rings, before advancing to the International Cooperation Unit. There, I managed joint cross-border projects and collaborated directly with Interpol, Europol, and SIRENE. Every audit I run today relies on the skills forged here: flawless evidence integrity, precise documentation under strict legal standards, and high-stakes risk assessment.
Led major incident response for global enterprise clients — coordinating engineers across time zones under SLA pressure. This is where I discovered that investigation skills translate directly to triage: structured evidence gathering, hypothesis testing, and communicating under pressure. I also participated in client compliance audits, gaining hands-on exposure to audit processes and control assessments that would inform everything I built next.
This is where it all came together. Co-built the Information Security program from zero alongside the CISO at a PCI-regulated payment processor. Co-authored the complete policy suite with the CISO, stepping in as the primary owner to maintain and drive enforcement. Designed a Common Controls Framework harmonizing SOC 2, PCI DSS, and NIST, and led both the SOC 2 and PCI DSS compliance programs — with a strategic roadmap to expand into additional frameworks. Championed the Third-Party Risk Management program (45+ vendors), implemented GRC automation, and ran 24/7 incident response. Every incident became a direct feedback loop into stronger controls.
I believe GRC should accelerate the business, not create drag. These tools automate compliance, assess risk, and reduce friction between security and engineering.
Python CLI tool that connects to Okta, GitHub, and AWS APIs, gathers security evidence, evaluates it against SOC 2 controls defined in YAML, and generates automated pass/fail compliance reports. Turns weeks of manual evidence gathering into minutes.
Interactive web application applying the NIST AI Risk Management Framework across Govern, Map, Measure, and Manage functions. Evaluates AI use cases through structured risk assessments and produces risk-scored governance reports.
Self-service readiness assessment evaluating organizational controls against SOC 2 Trust Service Criteria. Identifies gaps, scores maturity levels, and generates prioritized remediation roadmaps for audit preparation.
Automated gap analysis mapping existing controls to ISO 27001 Annex A requirements. Scores maturity across all 93 controls and generates implementation roadmaps with effort estimates and prioritization.
Operational intelligence dashboard tracking MTTD, MTTR, severity distribution, SLA compliance, and root cause analysis. Demonstrates how incident data drives continuous improvement.
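The metrics behind such a dashboard are straightforward to compute from an incident register, and the definitions matter more than the arithmetic. The following added example (not the dashboard's own code) derives MTTD, MTTR, SLA compliance per severity and a root-cause distribution from a constructed incident list. It assumes MTTD is measured from occurrence to detection, MTTR from detection to resolution, and that the SLA clock starts at detection; the severity names and SLA hours are illustrative.

```python
"""Incident metrics: MTTD, MTTR, SLA compliance and root-cause distribution."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident register (ISO timestamps, local time, no timezone).
INCIDENTS = [
    {"id": "INC-1", "severity": "SEV1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T08:10",
     "resolved": "2024-03-01T11:00", "root_cause": "misconfiguration"},
    {"id": "INC-2", "severity": "SEV1", "occurred": "2024-03-05T22:00", "detected": "2024-03-06T01:00",
     "resolved": "2024-03-06T07:00", "root_cause": "phishing"},
    {"id": "INC-3", "severity": "SEV2", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T09:05",
     "resolved": "2024-03-10T20:05", "root_cause": "misconfiguration"},
    {"id": "INC-4", "severity": "SEV3", "occurred": "2024-03-12T14:00", "detected": "2024-03-13T14:00",
     "resolved": "2024-03-15T14:00", "root_cause": "unpatched dependency"},
    {"id": "INC-5", "severity": "SEV2", "occurred": "2024-03-20T10:00", "detected": "2024-03-20T10:30",
     "resolved": "2024-03-22T10:30", "root_cause": "misconfiguration"},
]

# Illustrative resolution targets, measured from detection (assumption).
SLA_HOURS = {"SEV1": 4, "SEV2": 24, "SEV3": 72}


def _minutes(later: str, earlier: str) -> float:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def time_to_detect(inc: dict) -> float:
    """Minutes from occurrence to detection (MTTD input)."""
    return _minutes(inc["detected"], inc["occurred"])


def time_to_resolve(inc: dict) -> float:
    """Minutes from detection to resolution (MTTR input)."""
    return _minutes(inc["resolved"], inc["detected"])


def sla_met(inc: dict) -> bool:
    return time_to_resolve(inc) <= SLA_HOURS[inc["severity"]] * 60


def compute_metrics(incidents: list[dict]) -> dict:
    """Overall and per-severity MTTD/MTTR (minutes), SLA compliance, root causes."""
    by_sev: dict[str, list[dict]] = defaultdict(list)
    for inc in incidents:
        by_sev[inc["severity"]].append(inc)

    def summarize(group: list[dict]) -> dict:
        return {
            "count": len(group),
            "mttd_minutes": mean(time_to_detect(i) for i in group),
            "mttr_minutes": mean(time_to_resolve(i) for i in group),
            "sla_compliance": sum(sla_met(i) for i in group) / len(group),
        }

    return {
        "overall": summarize(incidents),
        "by_severity": {sev: summarize(group) for sev, group in sorted(by_sev.items())},
        "root_causes": Counter(i["root_cause"] for i in incidents),
    }


def top_root_cause(incidents: list[dict]) -> str:
    """The root cause to target first: the one behind the most incidents."""
    return compute_metrics(incidents)["root_causes"].most_common(1)[0][0]


if __name__ == "__main__":
    m = compute_metrics(INCIDENTS)
    print(f"Overall MTTD {m['overall']['mttd_minutes']:.0f} min, MTTR {m['overall']['mttr_minutes']:.0f} min")
    for sev, s in m["by_severity"].items():
        print(f"{sev}: n={s['count']} MTTD {s['mttd_minutes']:.0f} min "
              f"MTTR {s['mttr_minutes']:.0f} min SLA {s['sla_compliance']:.0%}")
    print("Root causes:", dict(m["root_causes"]))
```

The root-cause counter is the part that feeds the control loop the page describes: when one cause dominates (here, misconfiguration), that is the control to strengthen next, and the MTTD trend shows whether detection coverage is improving after the change.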
Interactive 25-question self-assessment across the NIST CSF functions — Identify, Protect, Detect, Respond, Recover. Generates maturity scores and prioritized recommendations.
Every organization is racing to adopt AI, most without guardrails. The conversation is split between technologists who understand models but not risk frameworks, and regulators who understand compliance but not the technology. GRC professionals sit at the intersection.
We already know how to assess risk, build control frameworks, and create audit trails that satisfy regulators. The NIST AI RMF isn't a departure from traditional GRC — it's an extension of it. The same skills that build a SOC 2 program can build an AI governance program.
The organizations that will win aren't the fastest to adopt AI — they're the ones that move fastest with confidence. That's why I'm building tools like the AI Governance Risk Assessor and pursuing the AIGP. The future of GRC isn't just protecting what exists — it's enabling what's next.
Whether it's building a GRC program from scratch, improving your incident response, or automating compliance — I'd love to hear from you.