Miguel Horta
Experience
Senior Security GRC Engineer / Manager
Ripple Labs, Inc.
- Architect of Ripple’s tailored security controls by consolidating +1000 controls from CIS, NIST, SOC2, ISO 27001, NYDFS, MAS, DFSA, and DORA into ~200 and designing a database model. Develop extract, transform, and load (ETL) jobs to parse the framework, owner, division, and department data for each control and develop visualization in Tableau for cross-team sharing.
- Developed an end-to-end user access review process for 80+ systems by integrating Workday, JIRA, and in-scope systems via API to automate review responses, reminders, and centralize evidence for non-integrated systems. This enhancement saved 40+ hours monthly from 45+ reviewers across 12 teams, resulting in an estimated $40K annual savings in efficiency.
- Developed an automated evidence collection system using Python, Bash Scripts, and APIs to generate data from asset management systems and Gitlab, covering 50% of SOC 2 evidence requirements and contributing to an unqualified attestation for the Stablecoin, Payments, and Custody product suite.
- Engineer a ‘create, read, delete, update’ (CRUD) web application through Retool to perform the first security maturity assessment of the new Ripple-tailored controls. Identify unknown risks and report maturity score calculations (0-100) to the board & leadership.
- Implemented a new third-party security workflow in LogicGate, saving $40K in tooling costs and $60K annually through automated reminders thus eliminating the need for part-time contractors. Led the Third-Party Security program, managing over $50M in spend, evaluating vendor risk, and ensuring high-risk vendors undergo quarterly reviews, Okta SSO enrollment, and BitSight monitoring.
- Identify production infrastructure vulnerabilities through surface management tooling and coordinate remediation of critical findings.
- Develop security training content and led 15+ onboarding sessions annually, training over 300+ employees & contractors.
- Manage the procurement, proof-of-concept testing, and configuration of security tools, including centralized GRC platforms, third-party security assessment, vulnerability management, user access review, and phishing campaign platforms.
Cybersecurity Analyst
Visa, Inc.
- Executed the CIS V8 framework implementation from start to finish by performing a V7.1 to V8 mapping exercise (consolidating 184 sub-controls down to 166), identifying overlap on the new vs. same controls (48 unique + 27 modified), identifying process owners (140+), communicating assessment expectations (3 workstreams over two months), identifying risks, and leading 50+ walkthrough meetings to calculate maturity scores.
- Led the security controls maturity assessment of 184 sub-controls and 130+ stakeholders across engineering & business teams for four consecutive cycles. Reported results to the board on a bi-annual basis.
- Architected PowerBI dashboards to capture security control maturity scorecard results containing key risk indicators (KRI), Gartner scores, identified risks, and audit findings. This scorecard facilitates business enablement of security projects totaling over $1M.
- Engineered Microsoft PowerAutomate workflows (JSON & HTML) to automate 20+ recurring monthly data requests, reducing the manual effort required to send emails by ~10 hours per month across a 4-person team.
- Developed KRIs specific to Vulnerabilities, Encryption Key Management, DDoS, SIEM, Endpoint Malware, and Network Traffic.
Technology Risk Consultant
Ernst & Young, L.L.P.
- $1,882 Billion Technology Company specializing in Internet-related services and products
- Performed testing of products’ platforms and information systems against defined criteria (SOX, SOC, ISO, and Webtrust) and helped teams arrive at conclusions over control design and operating effectiveness.
- Executed code reviews for IT application controls and performed reviews of SQL script to query financial CSV files.
- $160 Billion Technology Company specializing in ride-hailing services
- Developed process threat modeling flows for 20+ homegrown/corporate applications and mapped relevant controls to the process.
- $6.17 Billion Technology Company specializing in application performance monitoring services
- Directly managed three offshore staff by reviewing 5+ work papers every week and providing feedback daily.
- $1.4 Billion Technology Company specializing in automated cloud security and compliance services
- Completed a SOC 2 Type 2 report by leading walkthrough meetings with the client and testing 2+ controls daily.
Insurance Risk Specialist
State Farm
- Earned over $300,000+ in annual revenue by identifying customers’ liability risk exposure during in-person financial review meetings and selling automobile, fire, life, personal liability, flood, and earthquake insurance policies to mitigate risk.
Education
San Jose State University
Certifications
- Certified Information System Auditor (CISA)
- Certified Information System Security Professional (CISSP)
- Amazon Web Services Cloud Practitioner (AWS CP)
- Amazon Web Services Solutions Architect (AWS SA)
- Kubernetes & Cloud Native Associate (KCNA)
- Hashicorp Vault Associate (002)
- LogicGate Power User
Skills
Programming languages and Tools
- Spreadsheets (Gsheets, AppScript)
- Workflows (Tines, PowerAutomate, Zapier, Retool, LogicGate)
- Visualization (PowerBI, Tableau, Visio, Lucidchart)
- Database (PostgreSQL, Microsoft-Access, AWS-RDS, AWS-DynamoDB)
- Repositories (Gitlab, Github, Git)
- Coding/Programming (SQL, Python, VBA Excel, HTML, JavaScript, CSS, JSON, npm, node.JS, Express)
- Program Management (Asana, JIRA)
- Cloud (AWS, Azure, GCP, Docker, Kubernetes, Hashicorp Vault)
- Operating Systems (MacOS, WindowsXP, Linux)
- Security Tooling (JIRA, BitSight, Whistic, LogicGate, Crowdstrike, Lacework, Brinqa, JupiterOne, Chronicle, Semgrep)