Governance, Risk & Compliance Professional
Advancing governance maturity through structured risk assessments and continuous control evaluation aligned to enterprise risk tolerance.
Hello, I’m Matt. I’m a U.S. Navy veteran and cybersecurity professional specializing in governance, risk, and compliance. My portfolio demonstrates how I translate risk into action, featuring a CTEM strategy, structured risk assessments, and a metrics-driven risk register aligned to business impact. I also showcase hands-on security automation projects that accelerate teams and enable business growth.
This presentation outlines a shift from traditional vulnerability severity-based remediation to a business risk-driven approach using Continuous Threat Exposure Management (CTEM).
Conducted a structured risk assessment aligned to NIST SP 800-30 focused on access control governance over a Manufacturing Execution System (MES) supporting plant floor production operations.
Outcome: Strengthened identity governance, reduced exposure to unauthorized system modification, and improved alignment with least privilege and access control requirements.
| Risk ID | Asset | Risk Statement | Risk Rating | Control Owner | Risk Owner | Status | Review Cycle |
|---|---|---|---|---|---|---|---|
| MES-AC-01 | Manufacturing Execution System | Excessive privileged access may allow unauthorized modification of production parameters, resulting in operational disruption and quality control failures. | Moderate | Infrastructure Manager | Director of Operations | Active – Under Quarterly Review | Quarterly |
Risk aligned to NIST SP 800-30 methodology and tracked within structured governance review cycles.
The KPIs and KRIs below illustrate how control effectiveness and risk exposure can be monitored within a governance program, aligned to the access control case study above.
- Privileged access reviews completed on schedule for critical manufacturing systems (Control Domain: Access Governance, AC-2 / AC-6)
- Shared administrative accounts across production environments (Control Domain: Account Management & Authentication)
- Privileged roles mapped to documented job functions and approved access paths (Control Domain: Role-Based Access Control, RBAC)
- Reduction in excessive privileged accounts after access remediation
- Open high-risk access control exceptions for critical manufacturing applications
- Mean time to revoke access after role change or termination
Automated privileged access reviews to strengthen identity governance and improve visibility into administrative accounts across enterprise environments.

Built automated monitoring to detect IAM users without MFA enabled using AWS Config, EventBridge, and Lambda to generate security alerts and maintain continuous compliance visibility.

Implemented automated access validation to enforce least privilege principles and enhance structured oversight of elevated permissions.

Built an event-driven control to detect high-risk security group misconfigurations in real time. The solution continuously monitors CloudTrail events, evaluates exposure conditions, and generates structured audit evidence while triggering immediate alerts.

Automated structured risk reporting from security findings to enhance leadership visibility and strengthen continuous monitoring maturity.
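As an added illustration of the public-exposure control described above (example code written for this page, not the portfolio's own project code), the handler below evaluates an EventBridge-delivered CloudTrail `AuthorizeSecurityGroupIngress` event and returns one structured finding per rule opened to the internet. The port list, severity scheme, and sample event are constructed assumptions.

```python
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
HIGH_RISK_PORTS = {22, 3389, 3306, 5432, 1433}  # assumption: ports rated HIGH when public

def evaluate_event(event):
    """One finding per ingress rule in an AuthorizeSecurityGroupIngress event open to the internet."""
    detail = event.get("detail", event)  # EventBridge delivers CloudTrail records under "detail"
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = detail.get("requestParameters") or {}
    findings = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
        public = sorted(c for c in cidrs if c in PUBLIC_CIDRS)
        if not public:
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        all_traffic = proto == "-1"  # "-1" means every protocol and every port
        risky = all_traffic or (lo is not None and hi is not None
                                and any(lo <= p <= hi for p in HIGH_RISK_PORTS))
        findings.append({
            "groupId": params.get("groupId"),
            "protocol": proto,
            "portRange": "all" if all_traffic else f"{lo}-{hi}",
            "publicCidrs": public,
            "severity": "HIGH" if risky else "MEDIUM",
            "actor": (detail.get("userIdentity") or {}).get("arn"),
            "eventTime": detail.get("eventTime"),
            "eventID": detail.get("eventID"),
        })
    return findings

def lambda_handler(event, context=None):
    """Lambda entry point: print each finding as a JSON line (stand-in for alert + evidence store)."""
    findings = evaluate_event(event)
    for finding in findings:
        print(json.dumps(finding))
    return {"findings": len(findings)}

# Constructed sample: one rule opens SSH to the world, one is reachable only from 10.0.0.0/8
SAMPLE_EVENT = {"detail": {
    "eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-01-01T00:00:00Z",
    "eventID": "example-event-id", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
    "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
    ]}}}}
```

In a deployment the printed JSON lines would be written to the evidence store and routed to the alerting channel; the internal-only rule produces no finding.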
Technical Projects

- Azure Privileged Access Governance Automation
- AWS Continuous MFA Compliance Monitoring
- AWS Privileged Access Review Automation
- AWS Public Exposure – Detection & Evidence Pipeline
- AI Driven Risk Reporting