Matthew Maglieri

Published Jan 23, 2019

It was two years ago today that I left an amazing career at Mandiant to join ruby, the parent company to Ashley Madison, as its CISO.

At the time, the company was reeling from the aftermath of one of the most infamous security incidents in history, and few understood why I chose to run into this particular fire. While the decision was complex, the answer was ultimately simple - nearly 20,000 new users were joining the site every day, and I believed that each of those users had a fundamental right to security and privacy. As you might imagine, there were few qualified candidates willing to take the risk needed to give them that.

Now, reflecting on two years of effort, I am incredibly proud of what my team has accomplished. In just a short time we've:

  • Achieved full and continued compliance with some of the most in-depth FTC, OPC, and OAIC regulatory enforcement actions ever handed out
  • Rebuilt our security governance program from the ground up
  • Completed a full network and architectural redesign using cutting-edge network and endpoint security solutions
  • Developed a leading hybrid Security Operations Center in partnership with Deloitte
  • Implemented an innovative "offensive driven" risk management strategy that ensures we are continuously emulating the adversary, assessing our controls, and driving continuous improvement
  • Became the first, and to date only, dating site to have the privilege of working alongside Chantal Bernier and Dr. Ann Cavoukian to achieve Privacy by Design certification
  • Achieved mature alignment of our program with the NIST Cybersecurity Framework, as independently assessed by EY (required every two years, for the next twenty years!)
  • Maintained PCI DSS Level 1 certification
  • Grown our Security team from two to seven passionate and committed professionals, working tirelessly every day to defend the company's systems and data
  • Partnered with HackerOne to run our incredibly successful enterprise bug bounty program

Suffice it to say, we've been busy.

And while our users may never see the work we do on their behalf, read this note, or even know that we exist, we'll continue to fight for them in 2019 and beyond.
