GRC leader with 12+ years building compliance, risk, and security programs at high-growth tech companies and public-sector orgs. I don't just manage audits. I write the code that automates them.
I started in the trenches: racking servers, writing PowerShell scripts, managing VMware clusters. That sysadmin foundation taught me how infrastructure actually works, which turned out to be the thing most GRC people are missing.
From there I moved into security operations and eventually into GRC program management, leading risk programs and building a vendor assessment process covering 2,000+ vendors for the City of San Francisco (55 departments, 30,000 employees) before shifting to high-growth startups.
At Amplitude and Handshake, I found my groove building compliance programs that actually work (SOC 2, ISO 27001, PCI) while simultaneously building the internal tooling to automate the boring parts. This is also where I learned firsthand how painful customer trust workflows are and became convinced that no human should ever manually fill out a security questionnaire again.
AI has been part of my toolkit since the early GPT-3.5 days, when I started using it to accelerate GRC workflows like policy drafting, risk analysis, and evidence mapping. That evolved into writing Python scripts with Copilot, then building full production applications with Claude. Today I use AI-assisted development to ship internal security tools on GCP, going from idea to deployed Cloud Run service in days, building tools that would otherwise never exist.
The throughline: I make security programs that don't depend on me being in the room. Automated evidence collection, self-service vendor reviews, codified risk processes. Programs that outlast the audit cycle.
End-to-end ownership of audit programs from scoping through delivery. Zero-exception track record across SOC 2, ISO 27001, and PCI DSS. Built automated evidence collection pipelines that cut audit prep time by 80%.
Build governance and risk programs from scratch: policy frameworks, risk registers, risk councils, and assessment methodologies. Experienced with FAIR quantitative risk and ISO 27005 qualitative approaches.
Design, build, and deploy production security applications using Claude Cowork. Full-stack apps on GCP Cloud Run that automate vendor risk, customer trust, and compliance workflows, shipping tools in days that would otherwise never exist.
Deployed self-service customer trust portals and AI-powered questionnaire response, reducing time spent on security questionnaires by 90%+. Built vendor risk programs assessing 2,000+ vendors with risk-based tiering and SLA-driven review processes.
Enterprise-scale security awareness and training programs with onboarding controls, phishing simulations, and completion enforcement. Build security culture through education, not just policy.
Deep infrastructure roots: VMware, Active Directory, Linux/Windows ops. PowerShell and Ansible automation. The foundation that makes everything else possible.
Fully automated security request intake system, from GTM to Linear to Wolfia. 14 systems integrated, zero manual steps. Reduced time spent on customer security questionnaires by 90%+.
Automated vendor risk platform that syncs with procurement (Ramp) and project tracking (Linear). Tracks 162 vendors with automated risk evaluation, daily syncs, and Slack alerts.
22 security policies managed as markdown in GitHub with automated publishing to Notion via GitHub Actions. Every change is version-controlled, peer-reviewed, and audit-ready.
Self-service SOC 2 evidence collection through GCP and GitHub integrations with Anecdotes. Achieved 100% evidence coverage and 80% auditor acceptance of automated evidence.
Risk-based vendor tiering workflows in Sudozi. Cut vendor security review SLA from 8 days to 2 business days with 100% review coverage for all in-scope vendors.
Built the City of San Francisco's cybersecurity risk management program using FAIR methodology. Guided 55 departments through risk assessments, gap analysis, and treatment plans.
.claude/skills folder and they work immediately. Built from real production workflows, anonymized for public use.

Complete deployment patterns for shipping internal apps on Cloud Run with security built in. Covers Docker builds for Apple Silicon, IAP authentication, Secret Manager injection, SQLite persistence via GCS FUSE, in-process APScheduler with catch-up logic, and role-based access control.

Generates professional, audit-ready security and compliance policy documents as formatted .docx files. Covers cover pages, tables of contents with clickable navigation, headers and footers, version control tables, and 10+ common policy types out of the box.

A domain, GitHub Pages, and Claude. Here is the playbook for building a portfolio site from scratch, what it costs, and why practitioners in GRC and security should have one.

I went from never having shipped an application to running one in production in six days. This is the story of building a TPRM platform with Claude, and why the bottleneck between knowing what to build and being able to build it is gone.