2024-Present Cybersecurity Director at Alameda County Office of Education
- Alameda County Office of Education serves 18 school districts and all schools within those districts. The Office of Education provides multiple services to the districts including support for budget, technology, and educational initiatives generated from the California legislators and the California Board of Education.
2023-2024 Customer Trust Program Manager at Everlaw
- Everlaw is a SaaS start-up company that provides software to the legal community to perform ediscovery. While originally hired by the GRC team to act as the cybersecurity expert and interface between our internal stakeholders such as cybersecurity, devops, engineering, and sales and our external customers, I quickly took over two additional pillars of GRC: Security Awareness and Third Party Risk Management.
- As a Customer Trust Program Manager, I provided expertise on all security and compliance communications between the cybersecurity, legal, and engineering teams and our external customers, which included security questionnaires, customer meetings, contracts, security certifications, and compliance. This included developing training materials, technical playbooks, FAQs, and whitepapers to demonstrate our security measures to customers, auditors, and internal stakeholders. Additionally, I managed FedRAMP, StateRAMP, and CJIS compliance initiatives.
- As the Third Party Risk Manager, I managed the security reviews for all new and existing third party vendors. Additionally, I developed and operationalized risk policies and procedures to address any potential information security incident involving third party vendors.
- As the Security Awareness Program Manager, I developed, published, and trained all employees on security and privacy best practices, including all annual and new hire trainings. Highlights included developing live new hire training that focused on the latest trends in the industry and how they impacted their roles, developing new methods of communicating security, compliance, and privacy concerns to the company such as quarterly newsletters and brown bag lunch sessions, and working with HR to rethink how to track and encourage compliance training.
2019-2022 Cybersecurity Manager at Alameda County
- Alameda County consisted of 22 agencies and over 10,000 employees. It had a distributed model of cybersecurity where each IT department managed their own cybersecurity and each agency would manage how they handled cybersecurity within their own organization. I was hired as Alameda County's first cybersecurity manager to provide a unified approach to cybersecurity across all agencies as well as within the IT department.
- I conducted a gap analysis across the County using NIST 800-53 as a framework and the Cybersecurity Capability Maturity Model (C2M2) as a process analysis, as well as many interviews across the agencies, to develop a list of cybersecurity risks. Using risk calculations based on impact and likelihood, I developed a risk register and risk management process. Once these risks were prioritized and identified by resources and funds needed, I developed a comprehensive four-year cybersecurity roadmap, a first for the County.
- Operationally, I developed a cybersecurity team. Starting with two account provisioning people, I developed their skill sets to build them into security analysts, developed a security engineer from a systems analyst, and hired an additional senior security analyst to build my team of four to implement and operationalize the projects on the roadmap.
- We were able to implement several key initiatives, which included implementing a next-gen antivirus across the county, a next-gen firewall, an intrusion detection system, privileged access management (PAM), and 2FA across the County. From a process perspective, we introduced a process for generating and reviewing all security policies and processes, migrated to a Role Based Access Control system, and developed a county-wide incident response plan which included quarterly incident response tabletops across the County. I created a comprehensive security awareness program that not only involved security awareness training but also security awareness forums, newsletters, and establishing cybersecurity awareness champions across the agencies.
- Two of our biggest accomplishments were getting a county-wide cybersecurity policy approved by the Board of Supervisors, and adopting a Zero Trust Architecture (ZTA) across the County. This allowed all policies and technology purchases to be approved by our department so that we could provide that unified approach to cybersecurity and make sure they aligned with a ZTA and the NIST 800-53 framework.
2016-2019 Cybersecurity Program Manager at Blackhawk Networks
- Blackhawk Networks is a global fintech company that specializes in gift cards and incentive programs. As such, they needed to address a diverse set of security and compliance standards and regulations. As the Cybersecurity Program Manager, I implemented all cybersecurity projects and programs including but not limited to the following:
- As a certified ISO 27001 lead auditor, I led Blackhawk to obtain its first ISO 27001 certification.
- I built security into the company's SDLC process by implementing well-defined security checkpoints within software development. This included implementing both static and dynamic code analysis and implementing a bug bounty program.
- I managed programs to attain and comply with privacy initiatives such as Privacy Shield, GDPR, and CCPA. A key factor was in tracing PII across all systems to comply with GDPR's 'right to forget' initiative.
- I developed a cybersecurity process to align all new projects and equipment with cybersecurity best practices.
- I managed all M&A activities, focusing on network connectivity, contracts, and security concerns.
2011-2016 Cybersecurity Technical Program at VMWare
- VMWare develops software to virtualize hardware such as servers and data centers. I was hired shortly after VMWare had experienced a significant breach and needed to implement a cybersecurity resiliency program. Some of the key initiatives I accomplished there were:
- Migrating Active Directory to a greenfield forest.
- Changing all administrative and service account passwords. This was particularly challenging with systems that had hard-coded passwords into their code.
- Redesigning networks to comply with security best practices.
- Assessing and integrating M&A companies into VMWare's network safely.
- Identifying all high value assets and applying all appropriate security parameters such as implementing least privilege.
- Developing and operationalizing a better security vulnerability program.
2008-2010 General Manager at Socket Mobile
- Socket Mobile is a hardware company that mainly manufactured bar code readers. The company needed to sell off its serial interface division and brought me in to raise the division's profitability to sell it off to fund other aspects of the company. While managing the division, I guided the generation of new products, designed marketing campaigns, and established key programs such as the Socket Mobile Third-party Accessories Recommendation (STAR) program to engage customers and increase our profit margins.
2000-2007 Network Security Engineer at Applied Materials
- Originally hired as a web designer, I quickly migrated to managing and operating Applied Materials' first firewall. Throughout my career there, I migrated our firewall instance from Cisco to Checkpoint, created several business zones, and operationalized the security environment. My role was to manage all firewalls and remote access.