JOHN TROTTA

Executive owner of security, compliance, and technology for a regulated mid-size financial services firm operating across hybrid on-prem and cloud. Functioning as the organization's CISO with full accountability for security strategy, risk, and compliance.

• Built the defense-in-depth security program from scratch across IAM, EDR, DLP, PKI, network security, and 24×7 SOC. Zero major incidents in seven years.
• Stood up SOC 2 Type II, PCI-DSS, and HIPAA from nothing, all mapped to NIST CSF. Designed the control frameworks, authored the policy library, defined the audit scope. First-time certification on every program.
• Passed 10+ audits end-to-end with zero material findings.
• Drove uptime from ~95% to 99.99%. Lead quarterly DR/BC testing against aggressive RPO and RTO targets.
• Designed and shipped an AI compliance monitoring platform that replaced manual spot-checking with full-coverage legal disclosure verification and sentiment analysis on customer calls. Closed the compliance blind spots sampling could never catch and gave managers hours back every week.
• Trusted advisor to ownership on risk, organizational design, and operational efficiency across the business, not just the technology side.
• Technical authority on proposals, RFPs, security questionnaires, and contract terms. Present directly to prospective regulated clients. Primary liaison to legal, auditors, and regulators.
• Drove down technology spend through architecture rationalization and vendor consolidation, even as the company scaled through major growth.
• Build AI ops tooling: agentic workflows that monitor, remediate, and report on their own. Anything risky still comes back for approval.

• Led the WannaCry ransomware recovery with no DR plan, no golden images, and no documented procedures. Coordinated an ad-hoc response across internal team and outside vendors. Restored full operations in 48 hours.
• Used the incident as the catalyst to stand up formal disaster recovery, business continuity, and security monitoring programs from scratch.
• Owned availability, security, patching, and compliance across every enterprise system and network.

• Designed and deployed enterprise domain architecture, network segmentation, server infrastructure, and the foundational security controls every program since has been built on.
• Established PowerShell and Python as the automation default. The operating model the company would scale on.

• Assumed sole ownership of enterprise IT. Inherited a barely-managed network with no security controls and no documented policies.