
Doug Murray USC CISO Resume

Doug Murray has over 20 years of experience leading information security programs in highly regulated industries like healthcare. He currently serves as Chief Information Security Officer for AltaMed Health Services, where he built their information security and privacy programs. Prior to that, he was Global Head of Information Security at ICU Medical and CISO at Hyundai Motor Group, where he developed and implemented security policies and controls. Murray holds several information security certifications and has a background in business management and information systems.

Uploaded by ashok

Doug Murray, CISSP, CISM, CRISC, CISA

Santa Clarita, CA | 661-860-6050 (Cell) | doug.f.murray@gmail.com

Chief Information Security Officer - Healthcare


Career Overview
A dynamic, visionary and forward-thinking Information Technology (IT) professional with more than 20
years of progressive experience as a Transformational Information Security and Privacy Leader
committed to organizational success. Demonstrated success balancing the strategic and execution
requirements found in complex, transformational organizations. A proven track record of success
transforming and maturing global information security organizations in highly regulated environments,
especially healthcare. This includes embedding security into engineering, architecture, operations, risk
and privacy standards and processes, defining clear roles and responsibilities for these organizations.
Strengths include strategic, tactical and operational leadership and planning, business case
development, relationship management, Data Privacy, Risk Management and Compliance, Information
Security Governance, team development, and process improvement. Outstanding communication,
presentation, and negotiation skills, and can easily build positive working relationships with associates,
managers, and senior executives. Industries: Healthcare, Finance, Entertainment, Automotive
Manufacturing/Engineering/Sales, Advertising, Logistics, Utilities, Aerospace, and Telecommunications.

Qualifications
• Bachelor of Science degree from Pepperdine University in Business Management with an emphasis
in Management Information Systems.
• Executive and Senior Leadership roles directing/managing Information Security, Privacy, IT Audit,
and IT Governance, Risk and Compliance in a complex multi-platform information technology
environment (on premise and cloud) for large global organizations.
• Knowledge and experience in the following:
• Stay abreast of current / emerging Information Security technologies, threats, trends and
legal/regulatory requirements (International/US Privacy, HIPAA/HITECH, FFIEC [CFPB], SOX,
GLBA, NY DFS, PCI-DSS, FACTA, EFTA, GDPR/CCPA, Red Flags Rule, FedRAMP, FISMA, etc.)
• Privacy, Information Security, IT Audit and IT Frameworks (ISO27001/2, NIST 800-53, HITRUST
CSF, COBIT, COSO, OWASP, ITIL)
• Direct/manage the implementation of preventive, detective and corrective IT and Information
Security controls (processes and/or technologies) to minimize and reduce the risk to global
organizations from a global, regional and local perspective
• Direct, manage and perform Privacy, Information Security and IT risk assessments/audits of
complex Information Security controls for global organizations including IT projects and vendors
(vendor risk management).
• Ensure key areas of improvements in the technologies and processes are performed
regularly; provide oversight of security engineering / architecture to ensure the technology
and/or processes are implemented and documented successfully; including the assessment of
emerging information security technologies (products), establishing partnerships with our
security partners (vendors).
• Develop and communicate the Information Security/Data Privacy strategy, roadmap,
plans/initiatives, projects and posture to C-level executives, Board of Directors, Audit
Committee, Legal, business partners, staff and other stakeholders to ensure transparency and to
ensure strategic alignment to the company's business goals and objectives.
• Management of external partners (vendors) who perform independent security assessments
and professional services of our Information Security technologies and processes (controls) to
ensure compliance with internal and external requirements.

Certifications
CISSP - Certified Information Systems Security Professional – ISC2
CISM - Certified Information Security Manager – ISACA
CISA - Certified Information Systems Auditor – ISACA
CRISC - Certified in Risk and Information Systems Controls – ISACA
CIPP – Certified Information Privacy Professional – IAPP (In progress)
PCIP - Payment Card Industry Professional (Renewal in progress) - Payment Card Industry - Security
Standards Council

Work Experience
AltaMed Health Services, Los Angeles, CA
Information Security Officer and Director, Cyber Security Feb 2019 – Present
• Built the new Information Security, Data Privacy and IT Governance Risk and Compliance
organization.
• Provided Information Security and Privacy leadership to ensure full compliance with CCPA/GDPR,
HIPAA, Sarbanes Oxley (SOX), Payment Card Industry Data Security Standards (PCI DSS), HITRUST
Cyber Security Framework and other IT related compliance requirements.
• Formed and led the Information Security Steering Committee, member of the IT Governance and
Corporate Compliance (Enterprise Governance, Risk, Privacy and Compliance) Committees.
Accomplishments:
• Developed and implemented the new 2019 AltaMed Information Security and Privacy Policies,
Standards and Guidelines.
• Established the Data Security Improvement Initiative to address data privacy, PCI and HIPAA
deficiencies.
• Implemented the new Vulnerability Management Program for infrastructure, end points and
applications to ensure timely scanning and patching of vulnerabilities.
• Partnered with Information Security Vendors to address web, network, infrastructure and
endpoint security deficiencies; implementing these new technical controls in nine months.
• Directed the new Secure Systems Development Life Cycle (SSDLC), IT Quality Assurance and
• Managed the successful implementation of the following security and IT projects/programs:
Cloud Security (CASB) | Web Content Filtering | Network Access Control
Next Generation Firewalls | Anti-Malware Protection | Endpoint Detection/Response
Two-Factor Authentication | Asset Management Program | Vulnerability Scanning

ICU Medical, San Clemente, CA


Global Head of Information Security (CISO) and Director, IT GRC Jul 2018 – Jan 2019
• Directed and managed the planning and implementation of enterprise IT security technologies,
physical security and business operations to minimize the risk of security breaches and
vulnerability issues globally.
• Provided direction in the company’s IT compliance efforts to ensure full compliance with HIPAA,
Sarbanes Oxley (SOX), Payment Card Industry Data Security Standards (PCI DSS), HITRUST Cyber
Security Framework, GDPR/CCPA and other IT related compliance requirements.
• As a senior member of the executive team, participated in the governance processes of the
organization’s information, cyber and cloud security strategies.

Accomplishments:
• Developed and implemented the new 2019 ICU Medical Global Information Security and Privacy
Policies, Standards and Guidelines.
• Developed and implemented the new IT Risk Steering Committee to address existing and
emerging risks to ensure appropriate prioritization and treatment.
• Established the Vulnerability Management Program for infrastructure, end points and applications
to ensure timely scanning and patching of vulnerabilities.
• Directed the new Secure Systems Development Life Cycle (SSDLC), IT Quality Assurance and
System Testing frameworks, embedding the processes into the newly developed Project
Management Framework.
• Managed the successful implementation of the following security and IT projects/programs:
Cloud Security (CASB) | Secure SDLC | Full Disk Encryption
Next Generation Firewalls | CSC CIS Top 5 | Printer Security

Hyundai Motor Group (Autoever America), Fountain Valley, CA


Executive Principal and Chief Information Security Officer Feb 2015 – Jul 2018
• Working under the ISO 27001/2 and NIST Cyber Security frameworks, directed and managed the
development, implementation and maintenance of the corporate-wide Information Security
management system (including the InfoSec policy, standards and procedures) for the Americas
region, ensuring that all information systems (including Telematics) are functional and secured in
an appropriate manner for over 20 global business units (i.e. Hyundai Capital America (finance),
Hyundai Motors America, Kia Motors America, Genesis Motors America, etc.).
• HIPAA Security and Privacy Officer for Hyundai and KIA Motor America, ensuring compliance with
HIPAA Security and Privacy requirements by performing periodic HIPAA privacy and security
assessments of the information systems and technology environments and implemented the
Information Security/Privacy controls to ensure adherence to the requirements.
• Upon creating and leading the Information Security Steering Committee, advised and
communicated to the Board of Directors, senior executive leadership, business unit senior
executives and stakeholders on the Information Security strategy, roadmap, plans and current
state of each business organization’s security posture to ensure transparency and assurance.
• Served as an advisor to all Genesis, Hyundai and Kia business unit legal departments on
compliance issues/requirements regarding Information Security and privacy regulations; and
upcoming/evolving legislative regulations and requirements (i.e. GDPR, CCPA).
Accomplishments:
• As the interim Data Privacy Officer for all business units, developed and implemented the Data
Privacy Program for North America to ensure Hyundai Capital, Genesis / Hyundai / KIA Motors
America are complying with federal and state data privacy legislative requirements (i.e. GLBA,
GDPR, CCPA and data privacy laws for Canada and Mexico).
• Using the FFIEC Cybersecurity Assessment Tool (CAT), successfully performed an audit of
Hyundai’s financial subsidiary, Hyundai Capital America. This resulted in appropriate and timely
remediation of the gaps including the implementation of a new segmented zero trust network.
• Established, directed and managed the IT Governance, Risk and Compliance team, mentoring them
to support all security and privacy audits, develop mitigation strategies, perform risk assessments
and serve as liaisons to the business units.
• Security Awareness Program – Established, developed, and implemented a robust Information
Security awareness training program for all corporate (IT and business) employees as well as
contractors.
• Built high performance Security Operations and Engineering teams to deliver security projects on
time and on budget per the Information Security roadmap. This was accomplished by effectively
providing direction and managing the resources (working within the budget) to develop/deliver all
security projects and monitor the security assets in a timely manner.
• Vulnerability Management Program – Implemented this program to include not only end-point
security, but application, infrastructure, network and vendor security to ensure that security
vulnerabilities at the enterprise and vendor levels are appropriately managed and secured.
• Configuration Management Program – Similar to my role at other companies, successfully
developed and implemented this program to ensure the standardization of hardening guidelines
and baselines of all infrastructure and end-point devices, ensuring adherence to the corporate
Information Security policies and standards.
• Secure SDLC – As part of the Global Vulnerability Management program, successfully implemented
an application security framework for all IT application projects and initiatives via the global
Program Management Office.
• Managed the successful implementation of the following security and IT projects/programs:
Cloud Security (CASB) | Incident Response (CIRT/SIRT) | Managed Security Services
Network/Server Access Control | Information Security Awareness | Endpoint / Email Security
Database Encryption/Monitoring | Two-Factor Authentication | IDS/IPS
Security Information & Event Mgmt. | Data Loss Prevention | Identity Access Management
Disaster Recovery/BCP | Advanced Persistent Threat | Vulnerability Management
Infrastructure Security | Network Security | Physical Security Program

Zurich Financial Services / Farmers Insurance Company, Woodland Hills, CA


Principal (Director), IT Audit (Global InfoSec Center of Excellence) Jan 2014 – Jan 2015
Head of Information Security GRC and Farmers CISO, Americas Region Nov 2009 – Jan 2014
Senior IT Audit Consultant (Global InfoSec Center of Excellence) May 2007 – Nov 2009
• HIPAA Security and Data Privacy Officer for the Zurich / Farmers family of companies ensuring
compliance with HIPAA/Data Privacy requirements as well as responsible for the implementation of
Information Security controls to provide assurance that we adhere to all regulatory and internal
requirements.
• Provide leadership and direction in the evolution, maintenance, and implementation of our new
corporate Information Security, governance, risk and compliance standards, guidelines and practices
to a global company of 100+ business units and 60,000 employees.
• Direct the evolution of the company’s ongoing information technology/systems governance, risk
management, privacy and compliance frameworks; including the Information Security management
system (program) to ensure compliance with internal and external regulatory requirements and
laws (FFIEC, HIPAA, PCI-DSS, SOX, Safe Harbor, GLBA, etc.) and in support of existing / emerging
information risks.
• Directed and managed the direction and accomplishments of the overall goals and objectives of risk
assessments, baseline controls assessments, and audits for all regional and global business units,
providing appropriate leadership and mentoring to audit staff and IT risk consultants to achieve
success.
• As the certified PCI Internal Security Assessor (ISA), managed the annual PCI Data Security Standard
reviews for Zurich North America, Farmers Insurance, 21st Century Insurance, Bristol West and
Foremost Insurance companies in the Americas region.
• Provided leadership in the IT governance, risk, and compliance (GRC) efforts at Zurich, globally,
which includes the following:
o Directed and managed the development of the Global Data Privacy Program to ensure
Zurich/Farmers is complying with data privacy legislative requirements globally.
o Directed and managed the performance of IT Project and Vendor Risk Assessments to provide
assurance that IT projects and vendors have the appropriate level of controls to minimize risk
and comply with requirements.
o Planning, development and implementation of enterprise Information Security strategies that
are aligned with the strategic direction of the business.
o Maintained and updated the Information Security education and awareness programs which
includes ensuring all employees are taking the required annual courses.
Accomplishments:
• Developed / implemented ongoing IT compliance and risk management programs targeting
data, application, infrastructure security; mobile device management, BYOD and cloud security.
• Vulnerability Management Program – ensure the quarterly scanning/remediation of critical
systems; including the implementation of a patch management program.
• Configuration Management – directed the standardization of hardening guidelines and baselines
of end-point and perimeter network devices.
• Application/Infrastructure Security – provided oversight to the application and infrastructure
teams to maintain an adequate application/infrastructure security program per our established
Information Security policies.
• Directed / managed a high-visibility regional / global security review that had various high
impact findings, leading to the global Data Security Initiative to strengthen data security and
privacy controls to minimize the risks to the regional / global business units.
• Data Security Improvement (DSI) Initiative – Successfully led the program in the implementation
of data classification, data privacy, data loss prevention, and appropriate data security controls
across all business lines globally hitting all milestones.
• Secure SDLC – As part of the Global Vulnerability Management program, successfully
implemented an application security framework for all IT application projects and initiatives.

Education / Affiliations
University of California, Los Angeles
Professional - Information Systems and Network Security, Data Communications/Network Management
Pepperdine University
Bachelor of Science, Business Management, MIS emphasis
Chief Information Security Officer (CISO) Governing Body Member – Evanta (Gartner), 2015 to present
Member – International Association of Privacy Professionals (IAPP)
Member – The International Information Systems Security Certification Consortium (ISC)²
Member – Information Systems Security Association (ISSA)
Member – The Information Systems Audit and Control Association (ISACA)

Conference Keynote Speaker / Career Awards


Keynote Speaker and Discussion Leader:
• Evanta (Gartner) CISO Executive Summit – 2015 thru 2019
• Argyle CISO Leadership Forum – 2015 thru 2018
• GDS Group Security Insight Summit – 2016 and 2018
• ISACA North America CACS Conference – 2019
• IIA Orange County Summit – 2019
RSA Excellence in the Field of Information Security Award – Presented May 2014 at RSA Conference
RSA Archer Innovation Award – Presented in October 2013 at the RSA Conference
Verizon Excellence Award Finalist Recipient – Presented in July 2006 by the CEO
ACE and High-Five Awards during my career at Southern California Edison
