Background
The Full Picture
Each chapter built on the last. The through-line: taking complex environments where the stakes are real and finding ways to make organizations both more secure and more capable. The highlights are below, each followed by the deeper context.
Reporting to the CEO at the world’s largest equity derivatives clearing organization. The CIO asked the security person to also lead innovation—that says something about what security looks like here.
Why a SIFMU handed AI transformation to the security team—and what we built.
OCC clears every listed equity option in the United States. The “Systemically Important” designation means the SEC and CFTC hold us to standards that most companies never encounter. I report directly to the CEO and sit on the Management Committee—which means security has a seat at every strategic conversation, not just the ones that feel like security conversations.
Beyond the traditional CSO mandate, our CIO asked me to also lead Technology Strategy & Innovation—an unusual expansion that reflects how deeply security and technology strategy are intertwined in critical infrastructure. I’m driving AI transformation across the firm: building governance frameworks for how AI agents securely interact with tools and data, deploying coding agents and agentic workflows, and transforming our entire service delivery model. I personally build POCs to stay hands-on with the technology before asking anyone else to adopt it.
On the security side, we completed a comprehensive cloud security assessment of our AWS environment against both the NIST Cybersecurity Framework and RegSCI requirements—a joint effort with AWS that became a public reference architecture. We implemented generative AI in our security operations, dramatically reducing software test documentation time while maintaining human review at every critical decision point. That work became a joint press release with AWS.
The security organization spans Cyber Operations, Security Governance, Security Engineering, and our Red Team. The role requires balancing innovation velocity with the zero-tolerance-for-failure expectations of clearing critical market infrastructure.
The deeper work is on the security side. OCC skipped the co-pilot era entirely—we went straight to powerful coding agents and frontier-model workflows. That hands-on experience with what these models actually do, not what vendors say they do, is what shaped my thinking on AI security. Most of the industry conversation still frames AI as an identity and access problem: know who’s using it, control what they can access. Working directly with frontier models revealed something different to me. AI agents don’t fear consequences, don’t protect reputations, don’t follow social norms—the invisible architecture that’s been doing most of our security work for decades just disappears. That’s not an access control problem. It’s a fundamentally new trust architecture problem. When I realized nobody had solved this yet, I decided to build the expertise myself.
That same hands-on depth informs the broader transformation work. We’re not just incorporating AI into existing workflows—we’re rethinking how work gets done when AI is native to the process. I’m throwing out prior assumptions about adversarial tactics and capabilities to rethink what security must look like in this era. The diminishing returns curve for security investment just moved. With AI, we’ll do more and better security than was possible for even the best-resourced organizations, because the constraints that limited us were never budget—they were human bandwidth.
Protecting a quantitative investment firm where the intellectual property is the product. Built a 50-person security org, designed the China office trust architecture, and was deploying generative AI in production six months before most security leaders stopped blocking it.
What security looks like when a small leak could move markets.
At a quant firm, information asymmetry is the business model. The security challenge isn’t just preventing breaches—it’s protecting intellectual property so valuable that even a small leak could move markets or destroy competitive advantage. I built a 50-person globally distributed security organization responsible for 65 business-critical products, covering everything from data loss prevention and insider threat to security engineering and third-party risk—all calibrated for an environment where the people you’re protecting are also some of the most technically sophisticated in the world.
A few milestones that illustrate the scope: In 2019, I designed and implemented the trust architecture for Two Sigma’s China office—a greenfield problem where you’re extending a security perimeter into a fundamentally different threat landscape while operating in a country that doesn’t enforce IP rights. In 2021–22, I led the security workstream for the FPGA-to-cloud migration at Two Sigma Securities, moving core crypto trading infrastructure from custom hardware to cloud. I persuaded the CTO that Security Engineering should build the system—because crypto has none of the legal and regulatory safety nets that traditional finance provides, and that gap needed to be filled architecturally rather than contractually. And in December 2022, when ChatGPT launched, I was one of the first security leaders to move beyond blocking it—we had generative AI in production by mid-2023, with guardrails I designed from scratch because no playbook existed yet.
The MFA (Managed Funds Association) speaking engagements came from this role—three years on industry panels discussing security challenges specific to alternative investment management. This chapter also taught me how to communicate security risk to a board that thinks in terms of alpha, Sharpe ratios, and basis points rather than CVEs and MITRE ATT&CK. That translation skill—making security legible to people who think in business terms—turned out to be one of the most transferable things I’ve ever learned.
Navigated FedRAMP for government cloud, then became CSO of Azure Global. The hyperscale chapter that taught me the economics of tool-building I still reference every week.
The vendor chapter that shaped everything after.
This was actually two distinct chapters. I started in Azure Government security and compliance—serving U.S. federal, Department of Defense, and state/local customers with requirements most cloud providers don’t even attempt to meet. FedRAMP authorization is one of the most rigorous compliance frameworks in existence, and I was responsible for navigating it. Then in February 2018, I was named CSO of Azure Global—security leadership for the entire Azure platform, not just the government cloud.
This is the chapter that taught me the most. The economics of tool-building I still reference every week came from here: building an internal tool that experts could use took X effort; making that same tool ready for general consumption took 10–20X more. That pattern maps directly to how I think about AI deployment now. I also led the data ethics council in 2017–2018, thinking through AI’s impact on customer data decisions before it was a commercial concern—early governance work that turned out to be a preview of everything I’m doing now at OCC.
On the operational side, I inherited a vulnerability management program that was deeply reactive and transformed it into a proactive hygiene cadence that dramatically compressed remediation timelines. That work taught me something I carry into every role: the difference between security theater and security that actually changes outcomes.
I gave over 100 presentations a year during this period—customer-facing talks credited with over $1 billion in direct Azure revenue. CSA Federal Summit keynotes, government cloud conferences, compliance architecture deep dives. That volume is where I developed the presentation instincts I rely on now: if it sounds memorized, it sounds fake. This era also gave me the vendor perspective that complements my later roles as a customer and operator, and it’s where I learned what it means to operate at true hyperscale.
My biggest leadership failure happened here too. I spent 18 months quietly covering for peer organizations that were falling behind on commitments, until the house of cards collapsed. The lesson I took from it: embrace the red—admit what isn’t working, early, before the cost of honesty gets worse.
The eight years that built everything. Hired to write a security audit protocol the industry said was impossible—proved two engineers could complete a full NIST 800-53 assessment in a month. Helped DHS improve their congressional cybersecurity score from a D to a B+ in a single year. Wrote the cloud audit protocol that became the foundation of FedRAMP. Grew from engineer to SVP, opened and ran the west coast office, built the division to over 100 personnel across multiple hyperscale cloud providers. In 2015, the head of Azure Global watched me quietly run his room and made an offer I couldn’t refuse.
From temp hire to SVP—how an “un-auditable” standard launched a career.
I was hired as a temp with a “prove it” task: write an audit protocol against the NIST 800-53 standard that the entire industry considered un-auditable. Incumbent Big 4 firms were telling government system owners a single audit would take longer than the three-year window the audit was meant to cover. I didn’t know that. I just sat down and read everything NIST had published—not just the control appendixes, but the full standards, the intent, the companion guides. My political science degree turned out to be the unexpected advantage: NIST documents read like laws and political theory texts. Three months later I had a protocol that two qualified engineers could execute in one month. DHS validated it against their Inspector General’s results across five systems: my audits completed in 10% of the time and found two orders of magnitude more issues with more detailed findings and remediation guidance.
That work repriced security auditing for the federal government and displaced incumbent firms on both price and quality. We helped DHS improve their congressional cybersecurity score from a D to a B+ in a single year. Then in 2009, DHS asked me to solve the next problem: how do you audit a government system when it runs entirely on someone else’s infrastructure? I wrote a new audit protocol and a new set of standards for interpreting 800-53 controls in this new model. DHS took what I wrote and, in collaboration with DoD and GSA, developed FedRAMP. In 2011, knowing I’d written its core fundamentals, Microsoft hired my firm to assess what became Office 365. When we turned in findings saying they weren’t ready, they brought in another firm, didn’t get the result they needed, and called us back—not as auditors, but as the people who would get them where they needed to be. That pivot became the core of FITS’s cyber practice.
By 2012 I was running a new west coast office out of Seattle, operating the cyber division as if I were the CEO of a sub-company. We expanded beyond Office 365 into Azure, Dynamics 365, Google Workspace, and other cloud providers—growing the division to over 100 personnel. In 2015, the head of Azure Global noticed a pattern in his meetings: his team would look to me sitting quietly in the back of the room for answers, and when I spoke everyone would stop and listen. He invited me to coffee and asked how to fix his team. I gave him a detailed analysis. His response: he wanted me to come implement it. I declined—I was on track for COO. He made an offer I couldn’t refuse. The multi-framework fluency and first-principles thinking I developed here is still the foundation I draw on for everything from OCC’s RegSCI requirements to AI governance frameworks.
Transparency
Where I Have Depth
Most bios only tell you what someone claims to be good at. Here’s the full picture—including the areas where I’d tell you to find someone else.
Deep Expertise
Informed Perspective
Not My Lane
I’d rather lose an opportunity by being honest about what I don’t know than waste your time pretending. The topics in the middle column—I can hold my own in conversation, but I wouldn’t lead on those alone.
On the Record
Published Work & Public Appearances
Panel at the CIO & CISO Think Tank in Chicago on trust, control, and resilience in autonomous systems.
Joint announcement on GenAI implementation dramatically reducing test documentation time with human-in-the-loop review.
Comprehensive cloud security assessment against NIST CSF and RegSCI requirements—published as a reference architecture.
Feature article on OCC’s approach to generative AI with guardrails in financial market infrastructure.
Selected as panelist three times (2019, 2023, 2024) for security and technology conferences.
Education
Kansas State University
B.S. Political Science
The Kansas roots aren’t just a story element—K-State is where the problem-solving wiring started. Ad Astra Per Aspera.
Certification
CISSP
Certified Information Systems Security Professional
Credential ID 378641
Logistics
Based in the Chicago area. Available for in-person engagements in Chicago and New York; virtual anywhere. Speaking engagements require OCC communications approval—reach out and I’ll coordinate internally. No speaker fees or gifts, per compliance policy.
Let’s Talk
If there’s a fit between what you’re working on and what I’ve built, I’d love to explore it. Speaking, advisory work, or collaboration—I’m open to the conversation.