Download PDF

Casey Marquette

Omnicare Information Security Officer & Senior Director, Information Security at CVS Health

Summary

SENIOR-LEVEL EXECUTIVE

A proven Senior Executive with a passion for  leadership. Over 15 years of experience in security, with 10+ years leading and developing future leaders at Fortune 50 organizations.

Global experience establishing information security strategy/direction with an emphasis on execution.  Known for the following values:

  • Leadership
  • Positive Energy
  • Accountability
  • Connecting People
  • Learning

Work History

Sept 2015Present

Information Security Officer at Omnicare and Senior Director, Information Security at CVS Health

Omnicare, Inc., a wholly owned subsidiary of CVS Health

Responsible for the development and delivery of a comprehensive information security program to ensure information assets and technologies are adequately protected. 

  • Responsible for oversight and coordination of the Governance and Risk Management program including but not limited to the following:
    • Information Security Policy & Standards
    • Information Security Awareness
    • Information Security Risk Management
    • Third Party Security Risk Management
  • Establish and oversee Omnicare's security operations, architecture and engineering function.
  • Responsible for all security integration efforts between Omnicare and CVS Health.
    Sept 2014Sept 2015

    Senior Director, Information Security

    CVS Health

    Provide 24x7 protection of business operations by leading a team of 60 at CVS, a Fortune 7 company.  Responsible for architecture, engineering and security operations for the following security services: network and perimeter defense, endpoint protection, security information and event management (SIEM), security operations center (SOC), threat intelligence, computer security incident response team (CSIRT), electronic discovery, and forensics.

    • Responsible for leading enterprise wide development and communication of a service owner model across all security services at CVS Health providing a single point of responsibility and accountability for everything about each security service.
    • One of a select group of employees recognized by the CVS Health Business Planning Committee for my ability to positively affect the company's future growth and performance.  A significant 2016 retention award was received.
    • 59% decrease in mean time to remediate vulnerabilities. “The speed and depth of the improvement observed for an organization the size of CVS reflects an extremely effective and efficient information security program” Accuvant
    • 3,609% increase in the number of CVS Health security vulnerabilities remediated.
    • 86% reduction in threat containment time by innovating and leveraging already procured technology. A Symantec white paper written about the process implemented at CVS Health.
    • Developed and operationalized a first of its kind third party real time monitoring and response program.
    • Created and delivered specialized Engineering and Cyber Response Team to quickly identify control gaps and with a sense of urgency deliver the needed security controls.
    • Responsible for successful security integration of acquired companies.
    • Led effort and completed CVS and CVS affiliates first ever advanced threat compromise assessment covering 50,000+ computer systems.
    • 96% decrease in Mean Initial Work Time and 53% decrease in Standard Deviation for security incidents.
    • 83% decrease in Mean Time to Validate threats resulting in a 660% increase in the number of proactive incidents worked by the CVS Health Security Operations Center.
    • Achieved successful Report on Compliance (ROC) for PCI by leading the security segmentation and two factor authentication effort.
    Dec 2013    Sept 2014

    Director, Security Operations Center

    Johnson & Johnson

    Provide 24x7 global protection of business operations by leading a 30 person global team (FTEs and contractors) and managing a security service provider. 

    • Reduced Managed Security Service Provider total cost of ownership 200K year over year while increasing capabilities.
    • Responsible for management of security technologies that provided global network level security, as well as computing system protection.
    • Delivered a global incident response run book by collaborating with security officers representing 260 operating companies.
    • NIST Cybersecurity Framework gap assessment  and strategic plan to address gaps completed and briefed to J&J CTO.
    • Strategy and Leadership Credo champion nominated by IT Leadership Team to improve scores across all of J&J IT Infrastructure Services.
    • Recipient of Global IT Recognition and six J&J Encore awards for security work, business acumen, leading others, and thinking strategically.
    • Nominated by leadership and participated in the J&J Senior Leader Base program. A program targeted towards “high potential” directors or VPs.
    Dec 2012Dec 2013

    Director, Global Command Center

    Johnson & Johnson

    Johnson & Johnson Security Operations and Critical Response Team Global Process Owner. Led a global team responsible for ensuring operational excellence and protecting assets for 260 operating companies in 60 countries.

    • Promoted from Senior Manager to Director.
    • Increased security incidents handled by 250% by integrating Global Security Operations with the Global Command Center (i.e., SOC / NOC integration).
    • Reduced average monthly mean time to repair (MTTR) for business critical incidents from 5.54 hour average in 2012 to 3.63 in 2013.
    • Reduced Managed Security Services (MSS) response time to security incidents by 62% and increased actionable data by 70%.
    • Led the Global IT intern program to attract, develop, and retain talent.
    • Credo champion for J&J Global Operations Center responsible for leading survey focus groups, action plans, and presentation to leadership.
    • Core member of the J&J Crisis Management Team.
    • Implemented pro-active approach to business critical incidents s in April 2013 resulting in an average of 28% of critical incidents being worked proactively. 
    Jun 2011 -  Dec 2012   

    Senior Manager, Security Operations

    Johnson & Johnson

    Responsible for building the global  vulnerability management and computer security incident response functions at Johnson & Johnson

    • ISE® Northeast Information Security Project of the Year Award Nominee for build out of global enterprise vulnerability management program.
    • Led effort to standardize incident response procedures across 260 operating companies; thus, centralizing security incident response.
    Jan 2005 Jun 2011

    Senior Manager, Information Assurance and Forensics

    Medco

    Managed team responsible for technical investigations, incident response activities, and developing/managing risk assessment programs.

    • Promoted from Manager to Senior Manager.
    • Execution of ISO 27002 assessment resulting in standard compliance.
    • Execution of security risk assessment Program resulting in a reduction of risk by assessing assets against Global Security Standards and Guidelines. 
    • Matured the supplier risk assessment process resulting in the ability to measure IT risk across vendors in a quantifiable and repeatable manner.
    • Served as a subject matter expert in client facing activities.

    Board and Advisory Experience

    May 2017Present

    HHS Cyber Security Working Group

    U.S. Department of Health and Human Services
    Jan 2017Present

    FBI Healthcare Sector Co-Chief (Greater Cincinnati)

    InfraGard
    June 2015Present

    Cyber Security Advisory Council

    Montreat College

    Education

    Mar 2017

    Duke Executive Education - Transitions to Advanced Leadership

    Duke

     

    Jun 2016

    CISO FBI Academy

    Federal Bureau of Investigation
    Feb 2008    Jun 2009

    Master of Science in Information Security and Assurance

    Norwich University
    Mar 1996    Jun 2002

    Bachelor of Science, Criminal Justice

    University of Cincinnati

    Conference Talks

    Over the last 10+ years, I have presented at conferences numerous times to include the following recent examples in 2016:

    • Casey Marquette, "Asleep at the Wheel - Common SOC Pitfalls", 2017 Cincinnati CISO Summit.
    • Casey Marquette, "Security Metrics that Matter - Real Time Insight into Cyber Risks", University of Cincinnati 2016 Greater Cincinnati IT Symposium, Cincinnati, Ohio.
    • Casey Marquette, "A Vision for your Cybersecurity Program", Montreat College Cybersecurity Conference, Montreat, North Carolina.