Keith Lichtenwalner, CISSP, CRISC

SENIOR LEADER – CYBERSECURITY | RISK MANAGEMENT | INFORMATION SECURITY

A results-driven, analytic, and globally minded leader looking to advance a security, risk and compliance program while enabling an innovative and cost-effective business. A proven track record of building highly productive and challenged cybersecurity and information security organizations with a risk management foundation. Adept at developing and executing strategy to mitigate risk, ensuring a strong cyber security framework and balancing cybersecurity while enabling business success.

  • Strategic Solutions
  • Risk Mitigation
  • Manufacturing & Research Security
  • Governance & Compliance
  • 3rd Party Risk Management
  • Process Management
  • Problem Resolution
  • Relationship Management
  • Risk Quantification (FAIR)
  • Vulnerability Management
  • Metric KPI Program

Passions include: Risk Management/Quantification, NIST CSF assessing to strategic program roadmap design, 3rd Party program design, data driven analysis to drive improvement (KPI, target risk appetite, etc.) and manufacturing / R&D cyber program control design.

EXPERIENCE

Lichtenwalner Security & Risk Consulting, LLC.
2021-Present
Owner & Principal Consultant
After 30 years in the IT industry and 20 years in Cyber Security and Risk Management, I decided to alter directions and use my experience, talent, and business understanding to help others. Specializing in 3rd party programs, control design solutions that enable business and the ROI, security assessments, and cyber risk investments while balancing risk with business ROI (e.g., consulting and prioritizing portfolios for CIOs & CISOs).
Key Successes include:

  • Major Global Pharmaceutical distribution and logistics provider (>$200B) Acting Senior Director leading Information Security Architecture and Cyber Resilience program enabler for improving cyber control effectiveness and maturity.
  • Major Pharmaceutical (>$49B) Business Information Security Officer (BISO) position focused on bridging, translating and implementing CISO strategy into Plant Operations globally.
  • Major Pharmaceutical (>$49B) Cyber Operational Technology Program focused on designing the core controls, practical guidance on implementation of core controls, establishing core relative risk priorities, and supporting tracking of preparation and deployment of cyber OT controls (Inventory, Malware, Incident Response, Network Isolation (firewall, Elisity), Vulnerability Management, etc.).
  • Major Pharmaceutical (>$49B) KRI program redesign incorporating Enterprise Risk Management, industry best practices, strategic risk coverage and balancing risk appetite recommendations.
  • Cybersecurity Acceleration Maturity Program leadership for a £11B consumer health spinoff with focus on manufacturing, distribution & R&D services protection, cyber risk triage / management services, and KRI/KPI improvements. Leadership activities included NIST CSF roadmap to focus initiative design, strategy development to integrate cyber risk management into multi-year program for manufacturing (OT), distribution & R&D protection. Roles included: Chief of Staff for Deputy CISO, Business Information Security Officer for Cyber Solutions. Design & Facilitation of Cyber Strategy Conference.
  • NIST Initiative feeding a prioritized Investment Roadmap driven by quantification for Gaming Software Development firm over $3B.
  • Leader of controls interviews, enterprise control design (e.g., Asset Management, critical control visibility, Access review, Cyber Risk Register, etc.), NIST CSF assessment, and roadmap & engagement final deliverables for many customers in several sectors.
  • SOC2 Type 2 controls compliance assessment to protect $10M in a Pharma Lab business sales model.
  • Re-design & pilot implementation of a 3rd Party Information Risk Program for a $390+ million Pharma Lab company.
  • Cyber Operational Risk assessment (3rd Party focus) for large privately held Property Service Company.
  • Cyber Risk Management Governance Council design for several sectors: Pharma, consumer health, clothing manufacturing, lab, etc.

Pfizer, Inc.
2016-2021
Senior Manager of Cyber Risk Management & Governance
Cyber Risk Management leader to expand organization accountability and manage cyber risk appetite: Risk Register driving critical risk reduction, 3rd Party Cyber Risk Program development, Risk Quantification (FAIR methodology), Supply Chain/Manufacturing ICS Risk balance, Cyber exception and escalation management, Cyber related policy/standard program, NIST Cyber Security Framework assessment, Vulnerability Management Governance, and Global Information Security metric program with operation to board of directors coverage.
Position Accountabilities and Key Successes include:

  • Develop and execute strategy of a 3rd Party Cyber Risk Program – integration with 3rd Party company risk program, development of service to identify high value targets, questionnaire development, standard delivery of findings, and escalation of compound risk combinations, management of 3rd Party Security Information Addendum, and risk-based 3rd Party refresh criteria (1+K / year, doubled productivity per assessor).
  • Design and Implementation of Cyber Risk Register, Critical risk to closure tracking (12K+), design of Pfizer Cyber Risk Rating across all observations, and compound risk analysis.
  • Manufacturing Cyber Risk Program – strategy, policy, risk balance/escalation, firewall rule prioritization and approval, BAU Vulnerability scanning and response standardization with heavy automation (Epic / Story structure).
  • Strategic Governance of critical cyber related exceptions to manage risk – e.g., External facing firewall rules, manufacturing network firewall rules, client elevated permissions (20k+ to <10K), Office365 non-managed device usage (5K to <500).
  • Risk Quantification (FAIR Methodology & RiskLens) – manufacturing floor identification of key factors to prioritize upgrades (contribution and recovery duration), Ransomware impact, standard loss tables.
  • Managed NIST Cyber Security Framework independent review and strategic response oversight for board of directors. Completed SoW, presentation preparations, review, board slide verification and response planning on tight five-month deadline.
  • Develop Global Information Security metric program to support operations to board of director presentation material.
  • Strategic Overhaul of Cyber Vulnerability Management Governance – reduced spend, increased visibility, insourced the service, upgraded to enterprise Tenable.io with authenticated scans, and established a new process to enable the organization to step to new levels of risk balance and governance (team restructured to agile principles, which was critical to COVID vaccine protections and to supporting DevSecOps).
  • Manage internet facing profile (Attack & Penetration, Vulnerability Management, resolution priority).
  • Overhaul of Cybersecurity policies, standards, and procedures and heightened control requirements (1st overarching cyber policy, expectation guidelines & awareness, and all current within 1 year).
  • Integrate Cyber exception and Compliance deviation processes with linkage to the Common Requirement Set to ensure correct stakeholder signoffs.
  • Expand and move to continuous configuration monitoring of Server Minimum Security Baseline.
  • Manage >$1.5M budget including Vulnerability/Attack & Penetration services, Risk Quantification, tool/service maintenance.
  • Incorporating cyber controls and risk management into agile storylines and Development Security Operations practices.
  • To achieve the scale and scope of cyber risk management, grew the organization from 2 people to 10, with a healthy mix of senior and junior talent and risk service leadership opportunities.
  • Direct report of the VP of Global Information Security (GIS), member of the GIS Leadership Team, and chairman of several committees including Acceptable Use, Minimum Security Baseline & Vulnerability Management.

Air Products & Chemicals, Inc.
2003-2016
Manager of IT Security, Compliance and Risk Management
Technical Infrastructure and Team leadership experience across many disciplines, project types, program sizes, and team leadership and creation. Cyber Security and Senior Leadership in Global IT (2011) with strategy focus including development of IT Risk Management department and program, establishing the Cyber Security pillars of Air Products, cyber IT controls and compliance management and overall reporting of direction with CIO to board of directors.

  • Established Cyber Vendor Risk Management Program in 2004.
  • Gained accountability for Cyber Security and Compliance organizations on a worldwide basis in 2007.
  • Established 3 Pillar Cyber Security direction with complementing programs and funding – Information Risk Management – 2008, Operational Technology (Plant) – 2011, and Enterprise Cyber Security for IT – 2014.
  • Manager of Automation Services – ITIL, ServiceNow and deployment services for server and client.

Key Successes:

  • Leveraged audit and senior relationships to establish needs and launch security pillars to manage overall Cyber Security risk balance for Air Products. Designed and implemented security improvements to meet requirements on-time and within budget ($3.2M).
  • Integration of Waterfall, Agile and shadow IT under a common Cyber Security direction for the Enterprise.
  • Lean Six Sigma Yellow Belt - $3.7+ MM over 7 years from <8 direct staff (SoD & Embedding Processes, External Exposed Governance, Service Improvements with Value Stream Maps/local admin rights, Shared PC/account switching, Onboarding/Compliance Tracker, Controls Tracker/Value Calculation, Audit/Vulnerability Scanning Process, Top Risk Leadership Tracking, etc.) – 2011 Global IT Productivity Award Winner – “iChange Million Dollar” program.
  • Risk Reduction with business goal achievement (Mobile data Sync management design).
  • NIST Cyber Framework Adoption – Air Products Profile goal, foundation for adoption delivered, ChemITC / American Chemical Council Guidance Development.

Position Accountabilities include:

  • Direct report of the CIO, member of the GBS Leadership Team, and bi-annual reports with CIO to Air Products Board of Directors.
  • Worldwide accountability to enable business value and competitive advantage by balancing cost, risk mitigation, and compliance through a cyber “Defense in Depth” strategy while utilizing value Levers: Layers of Defense - People, Process, Data and Technology - Benchmarking with 3rd Party reviews.
  • Balance cyber risks with business value and competitive advantages in every action/decision. This requires both business understanding, cyber technology knowledge, and cross corporation working skills to enable the complete Cyber Program pillars (across IT, Corporate Risk Office, Purchasing, Legal, Internal Audit, external auditors, compliance requirements, etc.).
  • Constantly strive for situational awareness, a near real-time depiction of an organization’s security posture with the ability to identify threats, vulnerabilities, and the status of resources and assets.
  • Key Dimensions of the role include $1.5 MM direct operating budget plus influence over ~7% of total IT Spend, a direct 10-person staff and 40+ FTE security professionals across IT, and 50+ cyber security Hosting/Outsourcing Cyber Contracts per year.
  • Strategically and tactically balance Air Products Cyber Risks by setting Policy, promoting awareness of relevant security risks and of the current industry-endorsed best practices for mitigating these risks.
  • Proactively mitigate threats, develop cyber security incident escalation procedures, and manage cyber security incidents to protect the company’s computing environment and computerized data from both internal and external threats.
  • Ensure IT services are compliant with all applicable legislation (SOX, CFATS, Export Law, CTPAT, HIPAA, PCI, and Global Data Privacy) and industry best practices (NIST Cyber Framework, COBIT).
  • Lead the overall IT cyber security, compliance, and risk management program to influence and implement any appropriate changes to its IT security infrastructure, applications or services. Also oversight and design lead for Mergers, Acquisitions & Divestitures digital risks and cybersecurity.

EDUCATION / CERTIFICATIONS / CLEARANCES

  • DeSales University – Dual Bachelor of Science Degree in Computer Science and Mathematics
  • DeSales University – Masters in Information Systems

  • CISSP® - Certified Information Systems Security Professional (#103349), February 2007-Present
  • CRISC – Certified in Risk and Information Systems Control (#1106396), March 2011-Present
  • Top Secret DHS Clearance - November 2010 - October 2016
  • Chemical Facility Anti-Terrorism Standard (CFATS) -CVI 20070705-1000504, July 2007-2021
  • Lean Six Sigma Yellow Belt, 2011

ACHIEVEMENTS

  • Healthcare ISAC (H-ISAC) – Member Since November 2016, 2018-2019 Co-Chairman of 3rd Party Risk Forum, 2019-2021 Chairman of the Prevalent 3rd Party Sub-Committee, 2017-2021 Member of H-ISAC Questionnaire Content and Update Committee, member of Healthcare Cyber Risk Committee. Recognized as expert presenting at H-ISAC Fall & Spring Summit conferences (2017 – 2020).
  • Plant Network Security Improvement Program (Pfizer) – “Gratitude and deep appreciation for your terrific contributions to improving Cyber security protection across Pfizer Global Supply Sites.”
  • RiskLens FAIR Analysis Fundamentals Certificate – May 3, 2020.
  • CEB Leadership Academies – certificate of completion for excellence in leadership – April 2018.
  • Regional Leadership Forum – Society for Information Management – Mid Atlantic SIM RLF 2016 class graduation.
  • Cyber Storm II, Cyber Storm III & National Level Exercise 2012 – Recognized as a design team for Chemical Sector and exercise control member for simulated exercise with the purpose of testing the nation’s and private sectors ability to defend against cyber espionage/warfare.
  • ChemITC - American Chemical Council – Member Since 2004, 2014-2016 Chairman of Information Sharing Forum - DHS relationship building, Government drill development, Top Secret DHS / Chemical-terrorism Vulnerability Information (CVI) private sector/government partnership work for Chemicals’ sector. Recognized as expert presenting at numerous Chemical conferences and on core development of sector NIST Cyber Framework guidance.
  • Evanta 2014 Top 25 Global CISO Leadership Award & Top 10 Breakaway Leader Award - celebrates world-class information security leaders and honors CISOs and senior security executives whose leadership elevates their people, partners and business. Congratulations on fostering a culture of empowerment and innovation and driving your organization to take calculated risks that translate to enduring success: Recognized by peers for mobile risk balance to meet offline mobile business needs while mitigating risk of information loss.
  • Knowledge Connect LLC– Information Security Management Member – 2004-2017 – Respected presenting member of confidential, collaborative forum of Chief Information Security Officers for Fortune 500 from many verticals.
  • Boy Scouts of America – 15+ Years on-going - Woodbadge Training Certification, Scoutmaster, District Event planner, Pack Committee Chairman, and Den Leader.
  • The Potato Project – 2009-2016 Field Manager and core team member with the goal of feeding those in need. Assisted in the annual harvest of 45+ acres of potatoes, sweet corn, and carrots touching an estimated 30,000 households in need with the help of over 900 volunteers. The annual harvest supplies 100,000+ pounds of potatoes, 4,000 pounds of carrots, and 25,000+ ears of sweet corn, totaling 160,000+ pounds of fresh food, all donated to neighbors in need. Personally, I continue to plant and harvest 1 acre out of care and love, and as a teaching tool with Scouting of America and Masonic Organizations while supporting Veterans.