Who I am
Strategic, Results-Oriented Chief Information Security and Privacy Officer
Paul Love has earned a reputation as a strategic, results-oriented Chief Information Security & Privacy Officer (CISPO) with expertise in strategically orchestrating enterprise-wide security efforts. A thought leader with multiple publications and presentations to his name, he has achieved resounding success with industry leaders like Microsoft, E&Y, and Freddie Mac. Easily able to solve complex problems in simple, sustainable ways while building information security (IS) as a business capability, Paul ensures that companies and clients alike enjoy the best possible results.
Since 2017, Paul has committed himself to establishing a best-in-class Information Security and Privacy function as the CISPO with Co-Op Financial. Focusing on optimal budget utilization and effective integration of cutting-edge techniques and technologies, he built IS policies, metrics, and programs to deliver on lofty organizational goals. As an expert in speaking in clear business terms to drive coordination with executive leadership and board members, he has fostered continuous business growth while effectively and consistently mitigating risk.
A proud USMC veteran, Paul is known for his work ethic and dedication, as demonstrated by his extensive training and academic qualifications. He possesses a Master of Science in Network Security from Capitol College, and recently undertook “Cyber security: Managing Risk in the Information Age” with the Harvard Extension School. In his free time, he enjoys running, reading about marketing and process improvement as well as anything related to computers.
Chief Information Security & Privacy Officer
- Information Security
- Spearheaded origination of strategy and vision, including staffing plan, execution activities, IS standards, board development, and success metrics, ensuring optimal use of the budget and perfect alignment of the team under a heavy workload.
- Built heavily researched IS policies and standards to meet and continuously exceed regulatory and strategic requirements.
- Established and regularly enhance leadership metrics using a tiered approach, championing a multi-level approach adaptable for multiple levels of leadership from the Board of Directors, to technical, in-depth audiences.
- Headed the development of a best-in-class IS Incident program that led to highly responsive and collaborative response capabilities companywide.
Senior Director, Governance, Risk & Compliance (GRC)
- Policies and Standards
- Process Improvement
- Identified critical services, developed relevant documentation, created controls/documentation portal, and integrated optimization initiatives that improved scores surrounding service delivery.
- Selected to oversee the creation of IS policies/standards program to meet best practices; maintained clear lines of communication with business units, IT, and other key groups to build top-tier training plans, communications plans, and processes that drastically reduced risk.
- Constructed bespoke processes to identify control thresholds, testing procedures, and reporting for IS controls; oversaw the generation of a related handbook to convey lessons learned.
- Revamped all IS metrics reported to emphasize actionable, executive-level information that directly led to more informed risk decisions, with efforts cited as crucial to a reduction in overall exposure despite significant operational challenges.
- IT Patching
- Audit and Compliance
- Showcased executive leadership capacity in the implementation of companywide patching across action-oriented metrics, scalable/repeatable reporting/validation, and team support, increasing productivity across multiple clients.
- Provided subject matter expertise for client audit meetings, excelling as a primary liaison and building productive, professional relationships to foster improved client service.
Senior Director, Threat Assessment and Protection Services
- Security Operations
- Policies and Standards
- Security Technology
- Initiated the creation of the threat intelligence program as well as a significant improvement in the security incident response program, cutting down on tracking of remediation as well as security vulnerability response times by 100%.
- Hired 90% of team post-reorg within nine months with no disruption of service. Designed a unique program to manage better services, processes, and technologies which boosted operational efficiency against logistical challenges.
- Led formation of Web Application Security program to elevate coverage, incorporating a wide array of training and web application security tools while improving organizational security.
- Overhauled IS metrics to improve short- and long-term planning for a company generating $12B in annual revenue.
- Acted as an evangelist regarding the revamped approach to partnering with IT organization in vulnerability remediation, paring down unpatched/under-patched systems, addressing numerous systemic risks, and significantly decreasing vulnerability assessment findings; sought as an internal advisor to executive leadership with cybersecurity concepts and emerging technologies.
Information Security Officer
- Risk Management
- Control Development
- Security Operations
- Created IS risk management program using SharePoint to resolve previously-unknown security risks representing significant risk exposure; program eventually used as a template for other Information Security efforts.
- Implemented multiple controls while dramatically enhancing existing controls and management of external managed security vendors, improving mean-time-to-detect by 100% and mean-time-to-resolve by 100%.
Director, Compliance and Audit
- ISO 27001
- Administered team of multiple employees and contractors driving Microsoft Cloud services (BPOS-F and Office 365) to achieve FISMA accreditation in <1 year with reduced staff, opening up multi-billion-government cloud services environment; expanded professional expertise at every opportunity to incorporate the use of new software and systems surrounding compliance and auditing.
- Managed team that achieved initial ISO 27001 recertification for Microsoft online services to improve positioning among the competition and secure significant new year-over-year sales.
Director of Information Security and Business Continuity
- Business Continuity
- Security Operations
- Information Security
Master of Science - Network Security
- Certified Information Systems Security Professional (CISSP)
- Certified Information Privacy Professional/United States (CIPP/US)
- Certified Cloud Security Professional (CCSP)
- GIAC Network Forensic Analyst (GNFA)
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Battlefield Forensics and Acquisition (GBFA)
- Fellow of Information Privacy (FIP)
- Certified Information Security Manager (CISM)
- Certified Information Privacy Professional/Europe (CIPP/E)
- Certified Information Systems Auditor (CISA)
- Certified Information Privacy Professional/Canada (CIPP/C)
- Certified Information Privacy Manager (CIPM)
- Certified Information Privacy Technologist (CIPT)
- Payment Card Industry Professional (PCIP)
- Microsoft Certified: Azure Fundamentals
Global Technology Audit Guide 15 – Information Security Governance
This Global Technology Audit Guide (GTAG) will provide a thought process to assist the chief audit executive (CAE) in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organization’s ISG activity delivers the correct behaviors, practices, and execution of IS.
Take a proactive approach to Enterprise Linux security by implementing preventive measures against attacks--before they occur. Written by a team of Linux security experts, this hands-on resource provides concrete steps you can take immediately as well as ongoing actions to ensure long-term security.
Hardening Network Security
Take a proactive approach to network security by implementing preventive measures against attacks--before they occur. Written by a team of security experts, this hands-on resource provides concrete steps you can take immediately as well as ongoing actions to ensure long-term security. Get complete details on how to systematically harden your network from the ground up, as well as strategies for getting company-wide support for your security plan.
IT Audit Checklist: Privacy and Data Protection
This paper supports an internal audit of the organization's regulatory, legal, contractual and reputation protection requirements to maintaining the confidentiality and integrity of sensitive information related to itself, employees, customers, business partners, and other entities.
Paul is a detail oriented security professional with a knack for creating structured, well defined teams. Paul excels at creating solid frameworks around which security programs can be built, and objectives readily achieved. During his tenure at Fifth Third, Paul worked diligently to create cross-organizational teams designed to respond to computer security incidents, as well as address system related vulnerabilities and breaches. Paul's sense of humor and integrity make him a pleasure to work with. Via LinkedIn
Paul is a tremendous leader and has created and driven excellence in our Information Security Program. He has the ability to set strategy and communicates complex concepts to all levels of the organization and board committees effectively. Additionally, external parties routinely reach out to Paul for his guidance and expertise. He is a regular and much requested speaker at multiple events. Coupled with a collaborative approach, Paul is one of the best in his field! Via LinkedIn
Paul played the key role in aligning our operation to proper security requirements. His dedication and commitment was outstanding and I could not ask more of him and in fact he did far more than I could ever have asked. I can provide the highest of recommendations for Paul and if possible I would have him on my team any time. Via LinkedIn
Paul is one of those rare professionals who always considers the interests of his profession and his employer first, believing that doing the right thing will always benefit everyone involved. He also brings a keen process focus to his work, ensuring that his contributions will remain viable and meaningful beyond his tenure. Paul's attitude, discipline, and level of professional breadth make him an asset to any organization. Via LinkedIn
Paul Love is one of those rare individuals whose achievements belie their humility. Paul is a published author, an IT security savant, and an affectual leader. Having worked with him on multiple projects over the course of the years I've known him, he's always had an ability to work great in teams, to understand all points of view, and to bring consensus from divergence. Paul will be the last one to speak highly of himself, he speaks highly of others first. This trait exemplifies what it is to be a level 5 leader, and Paul is one of the best I've worked with. Advice to any company wanting to work with Paul: Grab him...he'll be one of the best decisions you've ever made. Via LinkedIn
Sherry (McCarthy) Pradhan
I feel extremely fortunate to have had the opportunity to work with Paul while he was at Freddie Mac. He is an incredible leader with a one-of-a-kind and contagious passion for the Information Security practice that is unseen and unheard of. Not only does he give his best at all times but also exhibits a consistent sense of urgency and is always available to provide leadership and support practically on a 24/7 basis. During the course of my career, I have met a number of charismatic, exemplary leaders and visionaries, but Paul is one of the distinct few that has left a positive and life changing kind of impact due to his thorough professionalism, strong ethics, and unmatched high integrity that he exhibits at all times, no matter what. I do wish and hope that someday I can work with Paul again and will look forward and commit to any such opportunity, should that ever arise. He is truly the best in my book. Via LinkedIn
Under Paul's direction at Fifth Third, his team tackled several major security initiatives including the development of a Vulnerability and Compliance Management program as well as established an Incident Response team. Paul's technical expertise and leadership enabled us to very quickly establish formalized processes and bring in the necessary technologies to implement these key programs. Paul was also instrumental in developing policies, standards, and procedures aligned across the numerous standards that regulate the financial services industry such as ISO 17799/27001, Sarbanes-Oxley, Gramm-Leach-Bliley Act, and the Payment Card Industry's Data Security Standards. Paul was a strong advocate for his team and insisted upon integrity and teamwork in all things we did. Paul heavily influenced my move into a leadership position and acted as a mentor and coach, helping me to develop executive presence, clear communication skills, and other essential leadership traits. I would not hesitate to work with Paul again in the future and believe he would be an asset to any Information Security program, especially in the areas of leadership and strategy. Via LinkedIn
I worked for Paul for two years. He is an outstanding information security executive and author who is able to create and lead effective technology teams. His broad and deep technology skills allow him to optimize already high-performing teams to make them even better. His direct and supportive style allows his teams to instantly trust his leadership and gets him superior results. He is adept at planning and communicating an information security program that fits both business objectives and information security best practices. His high-integrity and results driven nature allows for any organization to quickly and consistently achieve great results. I hope that we can work together again soon. Via LinkedIn
Paul was one of my very favorite clients/co-workers. He looked at his job as providing recommendations (based on risk) to be taken or not taken. He marketed to those who didn't see security as an issue, using clever techniques that got even the most ardent technophobe interested. And he ensured an environment that protected customers, including employees. He liked new approaches, new ideas and teamwork. He also mentored, good-naturedly, others who weren't as forward thinking as himself. I see him in ten years being the CTO for a Fortune 500 company ... and that company would be lucky to have him. Via LinkedIn
Paul has a great ability to see through complexity and boil down issues to a core problem and identify a doable and understandable solution. He doesn't get caught up in hype and stays grounded in what it takes to move the business forward. Paul understands that information security and business continuity disciplines should enable the business. Via LinkedIn
Paul is a strong leader with ability to inspire and is strongly focused on delivering tasks. A thought leader who knows both to listen and to drive focus towards most critical activities. I have worked with Paul most recently at Ally Financial where he has helped me shape the transformation of Cyber threat operations team as well as our overall Information Security practice. He is the consummate professional with a wide-ranging experience and expertise that uniquely qualifies him to provide effective leadership in several disciplines and multiple industry sectors. His integrity is above reproach and he is respected by his peers. He leads by example and with humility. This is a quality that colleagues respect and admire and instills trust in everyone he meets. I count myself fortunate to have worked for Paul and experienced remarkable leadership first hand. Via LinkedIn
I had the pleasure of working with Paul during an ISO 27001 audit. I was impressed with his approach to auditing and compliance management and his ability to establish strong partnership with key stakeholders. Paul's knowledge of security and risk makes him a valuable partner and leader. Via LinkedIn
Paul was one of the first people I hired when I was CISO at Fifth Third Bank. With little direction, Paul was able to have a significant impact on turning security operations around. It was a pleasure to work with him and would hire him without hesitation again. Via LinkedIn
In the 5+ years I worked with Paul I watched him take a fledgling security operations team and remake them into a winning GRC group. Paul was able to explain and demonstrate the practical need for Information Security to all levels of the company. Via LinkedIn
Paul and I worked together quite a bit, developing IT General Controls and testing plans for the IT Infrastructure department and ITIL related processes. We also worked closely on an Identity and Access Mgmt project. Paul is the one that was always asking "Why is this important to the business? What's going to make the company want to do this?" Because of this grounding in the business' needs, he was very effective at influencing managers outside of IT. Paul is a very reliable partner to work with. We were able to have very open and honest discussions, and respectfully disagree at times. Paul is a calming influence in the organization. He is serious about his deliverables, and is able to work with others without causing a lot of stress. I would gladly work with or for Paul again. Via LinkedIn
I learned a lot from Paul during our time in the OEMBA program. His insight and thoughts on discussion topics were always a rich source of learning for me and our OEMBA classmates. I would recommend Paul for any organization, I hope that I get the opportunity to work with him in the future. Via LinkedIn
I worked with Paul for about 3 ½ years. During this time, Paul helped me develop from an Intern into a CISSP. He graciously shares his experience and skills with others and is constantly seeking new knowledge. He recommended reading material that helped me develop not only in the field of Information Security, but in my personal growth as well. As Director of Information Security he led our team to become strategic Information Security thinkers instead of focusing just on day to day operations. Under his leadership, our team developed Policies and Standards, improved the Information Security Exception process, and initiated a Metrics program and Business Process Assessment program. Just to name a few. When Paul left the company, I was happy for him and his new opportunity, but sad to lose a true leader and mentor. Via LinkedIn
While serving with Paul in the United States Marine Corps, I was provided the opportunity to increase both my technical skills and overall knowledge. Paul served as both a mentor and a leader during this time. He created a work environment where junior Marines could learn from his knowledge and experience as well as distinguish themselves based on their own personal accomplishment. Paul would then take the time and initiative to ensure individuals were recognized for contributions to the success of the team. I would recommend working with Paul as his methods of leadership foster individual/professional development and team/project success. Via LinkedIn
Sherri (Hawes) Tomek
Paul is the most professional Security Manager I've had the pleasure of working with over the years. He takes his job very seriously and is a very dedicated employee. I would recommend Paul for any position. Via LinkedIn
I had the opportunity to work with Paul in different areas from BCP program to knowledge sharing and transfer between our organizations. I found in Paul a colleague willing to share with open mind and always looking at every angle from the risk perspective and making sure those were communicated across his people as well as others. He recognized the balance existing between his team and others and always took accountability to a serious level helping us enable a great work relation between our organizations. Via LinkedIn