Mark Merkow, CISSP, CISM, CSSLP

Contact

msmerkow.me

Summary

  • Software Security Architecture and Engineering
  • Visiting Professor for DeVry University Online (IT Security, E-Commerce)
  • Visiting Professor Keller Graduate School of Management Online (IT Security)
  • Adjunct faculty for University of Denver Online (IT Security)
  • Author or co-author of 17 published books on IT and IT Security
  • Industry leader on Banking and Finance Cybersecurity and Critical Infrastructure Protection/Homeland Security

Certifications and Inventions

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Certified TOGAF Practitioner
  • Computer book author (17 books authored or co-authored)
  • Co-inventor US Patent Dynamic Security Provisioning of Grid Computing Environments
  • Co-inventor US Patent Dynamic Security Provisioning of SAN/NAS Environments
  • Co-inventor US Patent Cardholder Authenticated Payments using Mobile Communications Devices
  • Co-author Smart Card Security Common Criteria Protection Profile (SC-PP)

Professional Associations

  • Member: Information Systems Audit and Control Association (ISACA)
  • Member: (ISC)² Phoenix Chapter
  • Chair: Financial Services Information Sharing and Analysis Center (FS-ISAC) Education Committee
  • Former Member BITS Security Working Group
  • Former Member FSSCC Cybersecurity Committee
  • Former Member: Board of Directors - Accredited Standards Committee (ASC) X9 - Financial Services
  • Founding Member - Research and Development Committee - Financial Services Sector Coordinating Council on Homeland Security (FSSCC)

Education

M.Ed., Educational Technology
Mary Lou Fulton Teachers College
Arizona State University, Tempe, Arizona

MS Decision and Information Systems
W.P. Carey School of Business
Arizona State University, Tempe, Arizona

BS Business Administration (Decision and Information Systems)
W.P. Carey School of Business
Arizona State University, Tempe, Arizona

Work experience

HealthEquity Inc. (formerly WageWorks) July 2019

Application Security Architecture and Engineering
  • Working to evolve the AppSec Program into a holistic, culturally appropriate Secure Scrum SDLC and a pathway to DevSecOps

Charles Schwab and Company, Inc.

Technical Director, Application Security
  • Developed and implemented a holistic secure software development lifecycle for all enterprise-level applications under both the RUP and Scrum development methodologies
  • Trained over 700 development team members across 8 development roles in secure application requirements analysis, design, development, testing, and rollout
  • Matured the program as new Agile teams came on board and as new classes of vulnerabilities emerged
  • Developed and began implementing a Talent Strategy that maps employee roles to the NICE Framework Work Roles to determine the coverage and depth of the Information Security Program. Further mapping of employee work roles to the NICE Knowledge, Skills, and Abilities (KSAs) helps assure coverage sufficient to succeed or excel in a work role and identifies gaps to be filled through continuing education.

PayPal, Inc.

Manager, Information Security Policies/Standards and Security Training/Awareness
  • Developed, maintained, and assured adequate review of the Information Security Policies and Standards Library for worldwide access and use across PayPal.
  • Using the requirements within those standards, established and ran an effective security training and awareness program for 14,000 PayPal employees worldwide.
  • Leveraged effective media and tools to create culturally and geographically appropriate Security Awareness and Training campaigns to help people understand that “Security is Everyone’s Responsibility.”
  • Led the development and implementation of security awareness campaigns including Lock It When You Leave It, a Compliance Jeopardy game, an information security haiku contest, and in-person events that brought industry experts to PayPal to share their experiences and knowledge with PayPal software developers, Site Operations personnel, and Information Security personnel.
  • Our rotating Data Protection Weeks reach thousands of Call Center personnel with security training and awareness that quickly reminds them of their responsibilities for handling sensitive customer information and offers them a forum for specific questions, given their limited time for training and contact.
  • Using a variety of measurement tools to gauge the effectiveness of each campaign, we were able to prove that the Lock It When You Leave It campaign alone effected positive behavior changes in 65% of the participants we surveyed.

American Express Technologies, Phoenix, Arizona

Director, CTO Security Technical Excellence Center
  • Responsible for the Application Development Security Program as a natural aspect of the Software Development Life Cycle at American Express
  • Led a group of IT Security Subject Matter Experts in Project Governance activities that include Product Evaluations for proposed COTS implementation, development of standards, strategies, and prescriptive frameworks for reusable security services
  • Responsible for conducting Proof-of-Concept evaluations on new IT Security tools to determine the suitability of use and support
  • Collaborated with the CISO Office on policy enforcement mechanisms and on joint reviews of CISO Policies and Standards and CTO Standards and Strategies for implementing IT Security Controls across the AMEX Enterprise
  • Developed IT Security Strategies for Enterprise Technology Roadmap (ETR) expansion and elaboration using TOGAF tools and techniques
  • Responsible for Enterprise Security Technical Standards, serving in the Author and Standards Delegate roles for the CTO
  • Served as American Express Technologies Representative to BITS/Financial Services Roundtable Security and Risk Assessment Committee
  • Served as American Express Technologies Representative to the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  • Served as American Express Technologies Representative on Financial Services Sector Coordinating Council on Homeland Security and Critical Infrastructure Protection (FSSCC) R&D Committee and Cybersecurity Committee

American Express Technologies, Phoenix, Arizona

Information Security Strategist in Enterprise Infrastructure
  • Critical Infrastructure Protection for Finance and Banking Cybersecurity
  • Executive Subcommittee Member of the BITS Security and Risk Assessment Committee and Member of the Lab Governance Committee (LGC) for Financial Institutions Data Evaluation Security (FIDES)
  • Site Coordinator for the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  • Developed and implemented the policy and standards base for long-term security strategy and operations
  • Synthesis and migration of IT Security policy and standards library to RSA Archer Security Management Platform
  • Advanced Payments (chip cards, RFID cards, key fobs) security
  • Key Signing Officer for AMEX related cryptographic keys and Certificate Authority
  • Project consulting, issues resolution, and security exceptions decision making

Publications

Books:

  • Breaking Through Technical Jargon, 1990, Van Nostrand Reinhold
  • Building SET Applications For Secure Transactions, 1998, Wiley Computer Publishing
  • Thin Clients Clearly Explained, 1999, Morgan Kaufmann
  • Virtual Private Networks For Dummies, 1999, IDG Books International
  • Complete Guide To Internet Security, 2000, AMACOM Books
  • The ePrivacy Imperative, 2001, AMACOM Books
  • Computer Security Assurance Using the Common Criteria, 2004, Delmar Learning – Thomson Publishing
  • Information Security: Principles and Practices, 2005, Prentice Hall (Pearson Education)
  • Secure and Resilient Software Development, 2010, Auerbach Publications (CRC Press)
  • Security Policies and Implementation Issues, 2010, Jones and Bartlett Learning
  • Secure and Resilient Software: Requirements, Test Cases, and Testing Methods, 2011, Auerbach Publications (CRC Press)
  • Information Security: Principles and Practices, 2nd ed., 2014, Prentice Hall (Pearson Education)
  • Secure, Resilient, and Agile Software Development, 2020, Auerbach Publications (CRC Press)

Contributing Editor:

  • Hack-proofing Your E-commerce Site, 2001, Syngress Press
  • The Internet Encyclopedia, 2003, Wiley Computer Press
  • Internet Security Handbook, 2006, Wiley Computer Press
  • Wiley Handbook of Science and Technology for Homeland Security, 2008, Wiley-Interscience

Patents: