John J. Masiliunas – Managing Consultant – Security and Privacy
CISSP, CISA, Certified Internal Auditor, Certified Public Accountant, Certified Bank
Auditor, Tivoli Certified Solutions Specialist, Certified Financial Services Auditor, IBM
Project Management Certified, Department of Treasury Secret Clearance, Department
of Homeland Security and FBI Secret Clearance
Contact Information: 7138 Eagle Trace Way, Indianapolis, Indiana. Phone: 317-417-5829 or 317-881-0883. Email: johnmasiliunas@hotmail.com
Summary of Skills
John has over 15 years of leadership experience in the sales, design, execution, project management and hands-on implementation
of leading-edge application security technologies at the most technically complex global organizations in the
world. This includes experience with all the major product vendors. Key attributes related to the specific opportunity
include:
o Managing offshore support teams
o Developing 1-, 3- and 5-year security architecture and IAM plans
o Developing security architectures for enterprise web-based product solutions
o Designing and implementing SAAS and cloud security architectures for large cloud providers and
other service organizations
o Conducting assessments of SAAS/cloud security architectures
o Introducing new technologies and concepts into organizations and managing POCs
o Experience with mobile and BYOD security solutions
o Associations with various information security leaders worldwide in industry and academia
Passed exams - CISSP, CISA, CISM, Certified Financial Services Auditor, Certified Bank Auditor
Experienced with using the PCI and other FSI frameworks
Certified Ethical Hacker – IBM
Qualys and Foundstone Certified
Consulting experience with Big 4, Andersen and Large System Integrators such as IBM and CSC
Experience with all security architecture methodologies including ISO, COBIT, FFIEC, NIST, CAP, FISMA, FRB and
SABSA
Built all systems to European and US privacy standards
Held lead Information Security positions. In these roles:
o Reduced Costs
o Developed Solutions
o Built security delivery teams
o Brought global security architectures to best practice standards
o Introduced more sophisticated and comprehensive risk management practices that included the use
of risk registers, data classification and metrics
o Upgraded staff
o Projected an improved image of information security
o Became authority on all areas of security and business risk
o Chaired key committees on security and improved relations with audit and compliance
Led security initiatives in all areas of information security. All the projects involved initial conceptual design, cost-benefit
analysis, road-mapping, gap analysis, build-out project plans, leading execution initiatives and post-go-live gap
analysis along with some post-go-live support. I am an expert at identifying solutions and gaps and proactively working
with clients to design, build and deploy security architectures. I am known as a take-charge resource and leader who,
through visual and verbal communications, can sell the facts to management while saving money on security
initiatives. Finally, I am always up to date on the newest trends and technologies that add value to organizations.
o Architecture Design, Gap-Analysis and Deployment Management experience with some of the most security-
driven organizations in the world in the Financial Services Industry and major government agencies. Sample
clients include the Department of Homeland Security, Citi, Nordstrom, numerous BCBS organizations, FBI,
Department of Justice, US Criminal Justice Information Systems, Wal-Mart, VISA, Kroger, Best Buy, Federal
Reserve Board, Department of Defense, Toyota Motor Corporation, American Express, Chase, Nationwide
Insurance, Allstate Insurance, State Farm Insurance, Bank of America, Duke Power, Marathon Oil, and
numerous other organizations that value information security.
Security Lockdown Experience with the following platforms: IBM Mainframe (MVS/VSAM), WebSphere, Oracle
Application Server, SAP, WebLogic, Oracle ERP, Java, SOA and Web Services security in client and mainframe
environments, Active Directory, Oracle Internet Directory, DB2, SQL, custom Java and .NET applications, Windows
and UNIX (Red Hat and Sun)
Experience with all major enterprise security tools for SOA/WS security, Identity and Access Management, encryption
in transit and at rest, operating system and network security vulnerability management and reduction, DLP technologies
such as Vontu and Verdasys, RSA two-factor authentication and integration with IDM/IAM solutions, IDS and IPS
including newer solutions from Palo Alto Networks, secure code application development, forensics and advanced
network monitoring and threat analysis
All solutions were integrated with enterprise high availability, help desk, failover and disaster recovery solutions.
Finally, I have led numerous teams of up to 30 persons in geographically dispersed locations, managed
teams and security budgets of over $20 million, and revitalized information security teams through proactive resource
management and development of personnel. I specialize in taking information security teams to proactive leadership via
metrics, compliance programs and careful hiring and mentoring of personnel. I can also work with management to obtain
the appropriate levels of funding for security operations.
Employer History and Experience
April 2008 – Present – Independent Consultant
In this role, I functioned as a Security Architect with the responsibility for introducing new solutions, managing POCs,
developing business cases and then architecting and delivering solutions.
For several utilities, conducted NERC-CIP security architecture gap assessments and architecture
For 2 organizations, designed, architected and implemented SailPoint IAM solutions
For a large insurer, conducted security architecture assessments
For a large insurer, designed a CA Identity, Role, Control and Governance Minder architecture
For a large software vendor, developed an application security and secure SDLC strategy
For numerous firms, developed a 1-, 3- and 5-year cloud security architecture strategy
For 2 large SAAS providers, developed web application SDLC security solutions to ensure cloud security
Conducted security assessments over VM/cloud based environments
Designed security architecture for a VM environment consisting of over 9000 virtual servers
For several large cloud providers, implemented a federated identity management solution
For 2 large SAAS/cloud providers, developed an enterprise security architecture
For a large FSI, developed an infrastructure logging and change management solution
For a large bank, developed a mobile security solution for web-based transactions along with a mobile IAM strategy
For a large retail cloud provider, designed, architected and implemented an enterprise security solution
For a large healthcare cloud provider, designed, architected and implemented an enterprise security solution
For a large retailer and a large manufacturer, developed a BYOD and NAC security solution for their cloud solution
For a large government agency, architected and implemented an Oracle IDM/IAM solution over a cloud solution
For a large government agency, conducted a PCI-, NIST- and FISMA-based security assessment. This included
developing an application security framework and a GRC framework
Implemented DLP solutions for WebSense, Symantec and RSA over cloud environments
For a large distributor, architected an IBM Guardium DB security solution
Developed an enterprise security architecture for a software developer including the secure development of
applications sold to customers via cloud
For a large manufacturer/distributor, implemented an ITIM/SAP GRC solution
Currently training in the latest version of Oracle OIM, OAM and Oracle Role Manager
Attended IBM TFIM training for the current version.
Attended hands-on QRadar training for QRadar version 1.1 MR4.
For a large government agency, architected and implemented PCI solutions for P2P encryption, tokenization and network enclaving/zoning
For a large retail pharmacy working in the cloud, designed and architected an enterprise security architecture for
SOA/Web Services and in-store encryption using the TFIM and DataPower solution. Also introduced a mobile
security solution for web users and employees.
For a large pharmacy, designed, architected and implemented a QRadar SIEM solution for a cloud solution
For a large financial services company, architected, designed and implemented a role consolidation solution from
Oracle. Also, executed a role consolidation project
For a large retailer, designed, architected and implemented a high-availability solution for CA Identity Manager r12 SP11.
For a large bank, designed, architected and implemented an enterprise security architecture lockdown and security improvement plan across the entire stack including application and GRC security
For a large bank, re-designed, re-architected, re-deployed and re-energized a large cloud IAM/IDM solution that had
languished for 2 years and spent $8 million with no delivery. This included ITIM, TDI, TFIM and TAM ESSO
As a contract architect and security director, led an enterprise build-out of security architecture for a large health
insurer offering a cloud-based solution. Included in this effort was the purchase of numerous security tools, the
addition of staff, implementation of enterprise IAM/IDM, two-factor authentication and SOA/Web Services security and
the use of a variety of enterprise security tools including web application security. This was based on TAM, ITIM,
TFIM and DataPower
As a contract architect director, designed, architected, sold, road-mapped and led the implementation of an
enterprise WS/SOA, DB, VM and IDM/IAM/Federation security architecture for a large SAAS/cloud online education
institution. This solution would lead the organization to adopt the latest in authentication, authorization centralization
and other advanced security solutions. Post go-live, led various problem resolution sessions. Led Security
Architectural Review Board meetings focused on security road-mapping. Additionally, designed a password self-
service solution that lowered help desk costs by over $1 million.
As a contract architect and security director for a large insurer:
o Introduced client to an advanced enterprise network forensics product that significantly improved forensics,
DLP and management of network security.
o Designed and architected an enterprise-wide IAM/IDM/Federation/SOA/WS and RSA two-factor authentication
security architecture
o Designed enterprise AS400, Unix and DB security lockdowns to include configuration, encryption and
VMware security.
o Improved staffing levels. Trained teams on cloud and SAAS security
Functioning as a contract architect and director for a large civilian/military healthcare payer:
o Designed, architected and managed an enterprise SSO, SOA/WS, IDM/IAM and web application/secure coding solution.
Designed real-time code review systems that scanned source code as part of the build. Met military grades of
encryption and controls
o Led reviews of mainframe and DB security systems and managed the implementation of improved security
controls.
o Conducted gap-analysis of enterprise SOA/WS security architecture for a large bank. Prepared build-out
plans, roadmaps and architectures
For a large online cloud-based auto retailer that had been subjected to online fraud, designed, architected and
managed the implementation of IDS/IPS, IAM/IDM/SSO/Federation, DLP, network, SOA/WS and DB security
solutions.
Developed a web application security strategy for SDLC
Functioning as a security architect and director for a systems integrator to the FBI, CJIS and DOJ, conducted gap-analysis
of application security for various classified and unclassified law enforcement systems and then designed,
architected and led implementation efforts of the IAM/IDM/SSO/Federation, SOA/WS, developed application
coding, database, network, advanced authentication including two-factor, DLP and VMware server security
components. Introduced this highly security-centric organization to advanced concepts in VMware, network
forensics/monitoring solutions such as NetWitness and advanced adaptive authorization and authentication security.
This included RSA AA, TIM, TAM, TFIM and DataPower
For the Department of Homeland Security Customs and Immigration Division, designed, architected and led pilot
implementation of a mainframe and client-server SOA/WS, IAM/IDM solution, DB and client-server security solution.
This was a TIM, TAM and TFIM solution
For the US Department of Transportation, designed a mainframe and client-server security architecture that focused
on improvements in the areas of DLP, network forensics, SIEM, IAM/IDM/SSO and SOA/WS security. Managed the
day-to-day implementation of the IAM/IDM/SSO solution.
For a large multi-national pharma manufacturer conducted an enterprise global security architecture assessment. Out
of this project came:
o A revised enterprise security architecture roadmap
o Improved data classification and risk management/inventory practices using Archer
o Overhaul of entire enterprise security technology suite and addition of numerous tools
o Elevation of information security function to director status
November 2007 – April 2008 – Office Depot - Third-Largest Business E-commerce Web Vendor and Largest
Business Retailer
Senior Director of Information Security and Security Architect. All activities were conducted on a global basis.
Implemented vulnerability reduction and management programs with a focus on vSphere, Red Hat, McAfee and
Tripwire
Introduced the concept of Federation for SSO to multiple sites from vendors and OD. Led a pilot
Implemented DLP solutions
Implemented ISS Proventia
Implemented IDS solutions
Implemented SEM solutions
Implemented a WebServices authorization, authentication and encryption solution using DataPower.
Managed team of 10 resources and 5 contractors
Implemented more comprehensive risk registry and data classification program for US and global divisions
Designed SOA security architecture to support Oracle E-Biz and Retek Deployment
Implementing Oracle IAM and IDM for Vendor and Internal systems provisioning and access control to provide for
Enterprise SSO for thousands of vendors.
Redesigned Inbox Request process to reduce unworked queue
Implemented Web-Based access control software from Oracle
Specific application security tasks included:
o Managed PCI and SOX compliance initiatives
o Conducted ecommerce application security assessments for PCI compliance. Used Rational AppScan,
Ounce Labs and other tools. Worked with all impacted compliance and development teams to implement a
SDLC application security methodology that is business-risk-based.
o Implemented secure coding frameworks using tools, code libraries and a process of scanning and rework
o Worked with developers to resolve and correct vulnerabilities
o Implemented ecommerce application security solutions for PCI and SOX compliance. Worked with risk
management teams to develop solutions that addressed risks.
o Implemented external authentication/authorization and provisioning systems
Implemented Tivoli Compliance Insight and Tivoli Compliance Manager
Conducted security awareness and training for a variety of clients
January 2005 – November 2007 – IBM - Largest Consulting Company in World
Managing Consultant – Security and Privacy Practice. In this role, I conducted numerous application security assessments
and build-outs related to a secure application security lifecycle development process. I worked with developers,
compliance personnel and business unit stakeholders to design a business-risk-based solution. Developed solutions and
contracts to deliver solutions. Hired resources to meet needs.
Implemented vulnerability reduction and management programs with a focus on vSphere, Red Hat, McAfee and
Tripwire
Implemented secure web application solutions for large system product providers
Implemented DLP solutions from Reconnex and Verdasys
Implemented ISS Proventia solutions
Designed and implemented IDS solutions
Designed and implemented SEM solutions
Designed and implemented SOA and Web Services security solutions for encryption, authentication and authorization
using DataPower and TFIM
Conducted security awareness and security training for a variety of clients
Conducted numerous application security reviews using Ounce Labs and Rational
Prepared over 40 proposals, SOWs and architecture designs to support pre-sales efforts in the IDM/IAM and
application security space
Implemented Archer GRC and Tivoli Compliance Insight Manager and Compliance Manager
Conducted numerous application security assessments using AppScan and Fortify
Conducted WebSphere application security assessments at numerous corporations
Designed a PCI compliant encryption architecture for several retailers including DB and transmission systems
Implemented Oracle Identity and Access Manager at a large retailer
ITIM, ITAM, IDI, IBM LDAP and TPM architecture, implementation and configuration on a Red Hat Linux operating
system for a large telecommunications company.
Completed SAP and Oracle application security assessments
Designed Enterprise Security and Identity Management Architecture for a large retail food chain using ITAM, ITIM and
RSA. Additionally, assisted in developing ROI justification cases.
Assisted in installation of ITIM and ITAM for a large retailer.
Developed an ITAM v5.1/ITIM 4.6 security architecture for a bank. The system ran on AIX and Windows 2003,
WebSphere and HTTP Server and utilized single sign-on using a combination of SPNEGO/Kerberos and Active
Directory. In addition to the development of technical design, the work included product selection, requirements
definition, use case development and product justification.
Designed security architecture for e-commerce based systems at a large wireless services company and a large
utility. Conducted assessments of same.
Conducted numerous iSeries and DB2 security assessments and security architecture designs.
Designed a Security Operations Center for a large wireless company.
Conducted detailed assessments and security architecture re-design for an outsourced web-services system for a
state that processed credit-card transactions and handled personal data.
Conducted several HIPAA and PCI assessments and managed security buildouts for those organizations.
Functioned as an application security architect for a custom-built, internet-based Java order management and pricing
application for a large electronics distributor/manufacturer. Specific tasks included:
o High-level and detailed security architecture designs
o Design of role-based access control including roles, functions, design of portlet policy access, data
element access and design of provisioning systems
o Token-based system to manage access profiles
o SAML and WS-Security
o Specific RBAC work including identification of roles and functions, consolidation of roles and
functions, development of role management policies and procedures
o Design of LDAP schema
o Design of provisioning system
o Configuration of portlet policy-access server
o Design of Identity and Access Management solution using TIM/TAM
o Developed secure Java coding manuals
o Using Fortify and WebInspect tools, conducted secure coding assessments over developed Java
code and managed remediation efforts
o Conducted final go-live application penetration tests of the Java-based ecommerce system
o Designed SOA and SOMA security architecture and assisted with implementation of
authorization/authentication and encryption solutions
o System involved TIM/TAM, ITDS, IDI, Vignette, webMethods, WebSphere, Java, SOA and
Web Services
o DataPower encryption and firewall implementation and architecture to protect WS calls
o Won IBM S&P Bravo Award for sales and delivery work on project
Attended IBM SOA Bootcamp, IBM Ethical Hacking Class, IBM Qualys Training Class
For an extremely large Financial Services, Banking and Insurance Company, performed the following:
o Designed security architecture for SOA/SOMA, DataPower, ISS, z/Series, p/Series and WAS environments.
These environments complied with IBM, industry and regulatory requirements while meeting high-volume
processing requirements
o Implemented WS security architecture
o Conducted SOA security assessments involving banking applications
o Conducted a high-level HIPAA security assessment
o Served as a liaison with IBM product security SMEs to address client problems and questions
o Was a part of the client IBM leadership team that defined IBM strategy at client
o Conducted code assessments using Fortify tool
o Designed improved code assurance process using updated guidelines and integration of Fortify and Rational tools
o Provided client with state of the art security concepts to improve zoning and segmentation, product
compliance and overall strategy
o Conducted DB2 security assessment
o Conducted PCI assessments and development of PCI compliant security architecture
o DataPower encryption and firewall implementation
For a large automotive manufacturer:
o Designed and managed Sun IDM implementation and upgrade and sold a Tivoli TIM/TAM/TDI project.
Performed key tasks
o Designed and managed e-directory upgrade
o Managed a staff of 4 offshore resources responsible for coding and upgrading Dir-XML drivers. Designed the
new driver systems
o Using ITIL, implemented processes that reduced incidents by over 100%
o Designed new provisioning and password processes that reduced costs by over 200%
Designed and implemented Sun IDM v7.0 for a large multi-national manufacturer
Designed revised IDM/IAM architecture for a large financial services and securities processor
Attended SUN IDM design and deployment class
Implemented a WebSphere and DataPower based security architecture for an SOA based system
Implemented ITCAM for SOA and ITCAM for J2EE to monitor database, process and LDAP calls for WebSphere and
a Java-Based system
Conducted SOX compliance reviews and designed controls to address SOX
Conducted PCI compliance review and encryption strategy design/implementation for a large retailer
New and add-on consulting sales of over $1.8 million per year.
January 2004 to January 2005 – Toyota Motor Mfg. - Largest Japanese Automotive Manufacturer in World
Contractor - Security and Identity Management Consultant
Implemented vulnerability reduction programs
Implemented DLP solutions
Implemented IDS and ISS Proventia solutions
Performed design, requirements definition, use cases, goodness of fit analysis, ROI development along with
conducting/managing the implementation of identity/access management and provisioning solutions using CA
SiteMinder and IdentityMinder
Implemented Web Services and ecommerce application security architecture and conducted assessments.
Conducted e-commerce application security assessments on Java and .Net applications using Ounce Labs, AppScan
and SPI Dynamics WebInspect.
Designed vulnerability reduction program.
Conducted security awareness and training programs for a variety of clients
Led management in re-evaluations of existing security strategies to focus on business-risk-appropriate, world-class
security. Projects returned savings of over $1 million and reduced provisioning time to under 1 minute.
Managed Federated Identity Management Proof-of-Concept.
Designed SOA security architecture.
Designed a SOC for the US.
Worked with Eurekify product to identify existing roles within an organization
Conducted SAP and Peoplesoft security assessments
Conducted SOX compliance reviews and designed SOX controls
July 2003 – January 2004 – Federal Reserve Board - US Government Agency Responsible for Regulation of Banking
Contractor - Identity Management Consultant
Managed team focused on requirements analysis (use case, goodness of fit, business and technical requirements),
technical/functional and logical design and implementation of identity management system for access to numerous
web-based treasury applications and internal systems. Key value driver was the formation of an identity enablement
factory that brought together ad-hoc teams to design and code the connectors that provision various applications.
Used Sun IDM and Netegrity systems
Implemented Web Services security and ecommerce application security solutions including the use of the Reactivity
product.
Conducted Web Services security assessment.
Designed and built-out a SOC.
January 2003 – June 2003 – Oracle - World's Second Largest Software Company
Contractor - Identity Management Consultant
Identified significant product gap issues in the identity management space. Led a team of four professionals in
redesigning the vendor's identity management solutions and strategies to meet market needs.
Conducted security assessment and enterprise security architecture design for several financial services companies.
Designed and implemented identity management solutions at various clients using SiteMinder, Oracle Internet
Directory and SSO (OID and SSO) and the Thor provisioning product.
Extended and add-on sales of over $500,000.
Prepared SOWs and proposals to support pre-sales efforts
July 2002 – January 2003 – SLM - Quasi-Governmental, Publicly-Traded, Financial Services Company
Director of IT Security
May 2002 – July 2002 – Hoosier Lottery - State Lottery Organization
Contract Security Architect
November 2001 – May 2002 – KPMG - Information Security/Risk Management Consulting Company
Senior Consultant
April 2000 – November 2001 – CSC - Global Consulting Organization
Senior Consultant
November 1995 – April 2000 – Andersen - Information Security/Risk Management Consulting Company
Security Architect
April 1994 – November 1995 – NBD - Large US Bank – Credit Card Divisions
Security Architect
April 1993 – April 1994 – Heller - Large US Finance Company
Security Consultant
November 1987 – April 1993 – Allstate - World's Second Largest Insurance Company
Security Consultant
Education
B.S. in Accounting and Computer Science. Loyola University of Chicago
MBA in Finance and Information Systems. Roosevelt University of Chicago.