Michael L. Woodson, CCISO • CISM
CIO | CISO | Chief Cybersecurity Strategist | Board & Executive Advisor | Cybersecurity, AI Governance & Enterprise Risk Leader | Digital Transformation & Cyber Resilience
About
Trusted global executive protecting enterprise value through technology and cybersecurity leadership.
I am an enterprise-focused Chief Cybersecurity Strategist with over 20 years of experience helping organizations navigate complex technology and cyber risks while enabling sustainable, strategic growth.
My career spans regulated and mission-critical industries, including transportation, financial services, hospitality, and government, where I've partnered closely with boards and C-suite leaders to translate emerging technology challenges into informed, actionable decisions.
I am passionate about building resilient enterprises.
My work centers on aligning technology initiatives with business priorities, risk appetite, and regulatory expectations, whether that means:
• Establishing enterprise IT and cybersecurity strategies
• Modernizing digital and cloud infrastructure
• Designing and maturing cybersecurity, privacy, and risk programs
I bring deep expertise in AI governance, third-party risk, and supply chain cyber resilience, helping organizations stay ahead of evolving threats while positioning technology as a driver of innovation and enterprise value.
Beyond execution, I thrive on mentoring and enabling high-performing teams, fostering cultures where security, innovation, and operational excellence coexist. From guiding executive investment decisions to embedding security into large-scale digital transformations, my approach is always strategic, forward-looking, and results-oriented.
I enjoy engaging with peers, boards, and emerging leaders on the future of cybersecurity, AI risk, and enterprise resilience.
My goal: to help organizations become not just protected but empowered to leverage technology confidently in pursuit of their mission.
Let's connect and collaborate.
Experience
Fractional CISO / Chief Cybersecurity Strategist
Onyx Spectrum Technology, Inc · United States
Jan 2024 – Present (2 yrs 4 mos)
• Provide strategic cybersecurity advisory services for public-sector & transportation clients, translating risk into clear, board-ready insights.
• Assess security maturity and implement risk-aligned remediation strategies to prioritize high-impact initiatives.
• Align cybersecurity strategies with business objectives, balancing regulatory compliance with long-term resilience.
• Design phased roadmaps that enhance operational feasibility while embedding governance and compliance best practices.
Customer Advisory Board Member
Guardare, Inc.
Apr 2025 – Mar 2026 (1 yr)
Chief Information Officer & Chief Cybersecurity Strategist
Nomad Cyber Concepts · United States
Apr 2025 – Feb 2026 (11 mos)
• Partner with boards and executive teams to translate complex technology, AI, and cybersecurity risks into actionable business and operational strategies.
• Lead IT governance & investment alignment, ensuring technology initiatives support enterprise priorities & enhance decision-making.
• Modernize enterprise infrastructure to improve system reliability, operational resilience, and digital transformation outcomes.
• Drive cross-functional collaboration to accelerate project delivery and embed risk-informed practices into business processes.
• Strengthen cyber resilience and data protection programs to sustain stakeholder trust and regulatory alignment.
Director, Information Security and Privacy
Sonesta Hotels · Newton, MA
Feb 2021 – Jan 2024 (3 yrs)
• Transformed global security and privacy programs, establishing scalable governance frameworks and high-performing teams.
• Embedded security into enterprise initiatives, ensuring compliance with GDPR, CCPA, CPRA, and PCI DSS.
• Modernized controls and awareness programs to strengthen risk posture and prevent security incidents.
• Enabled secure cloud migrations and ITSM integration through governance-by-design strategies.
• Partnered with executives to translate strategic objectives into operationally resilient security programs.
Chief Information Security Officer
MBTA · Boston, MA
Mar 2019 – Feb 2021 (2 yrs)
• Led enterprise-wide security modernization, creating governance structures, operating models, and long-term roadmaps.
• Established the agency’s first 24×7 Security Operations Center to enhance visibility and regulatory compliance.
• Integrated security governance across asset management, change management, and business continuity processes.
• Strengthened breach response and operational continuity, improving resilience across transit and legacy environments.
Principal, Enterprise Applications, Cloud Infrastructure and Security Advisory Services
Infosys · Quincy, MA
Sep 2017 – Mar 2019 (1 yr 7 mos)
• Advised Fortune 100 clients on large-scale enterprise and cloud transformations, embedding security and risk practices into architecture and change management.
• Aligned technology strategies with business priorities to accelerate adoption and reduce operational risk.
• Modernized ITSM and ESM platforms, improving operational control, compliance, and security posture.
• Delivered end-to-end cybersecurity advisory services, balancing risk management, operational execution, and strategic outcomes.
Senior Vice President Cyber Security Advisory Services
Taino Consulting Group (SBA 8A Certified Firm) · Boston, MA
Dec 2016 – Sep 2017 (10 mos)
• Aligned and led a transformative initiative to enhance and architect cybersecurity services, significantly strengthening security controls across project teams.
• Managed the Cybersecurity Advisory Services practice, specializing in digital governance, cybersecurity advisory, and risk assessment and management consulting for federal, state, and corporate entities.
• Pioneered innovative strategies that drove measurable improvements in client satisfaction and retention, positioning the company as a trusted leader in cybersecurity advisory services.
Director, Information Systems Security, V.P./ Cyber Risk Director
State Street · North Quincy, MA
Jun 2015 – Dec 2016 (1 yr 7 mos)
• Strengthened defensive and resilience measures, rapidly detecting and mitigating potential attacks to safeguard business operations. Concurrently assumed Vice President and Risk Director responsibilities for six months, demonstrating adaptability and leadership.
• Identified critical cybersecurity gaps and implemented advanced security technologies, including vulnerability, risk, and threat management; advanced endpoint security; user behavior analytics; and security operations management. Provided direct oversight to a dedicated team reporting to the CISO.
• Developed strategic security initiatives to recover from sophisticated cyberattacks and mitigate associated risks, significantly enhancing the organization’s information security posture and resilience.
Head, Forensic Information Security Services N.A.
Santander Bank, N.A. · Dorchester, MA
Dec 2013 – Jun 2015 (1 yr 7 mos)
• Delivered end-to-end cybersecurity advisory services, balancing risk management, operational execution, and strategic outcomes.
• Significantly strengthened continuity of banking operations by strategically managing the Cyber and Network Security portfolio, product roadmaps, and investigations, including the testing and operationalization of high-priority initiatives designed to reduce cyber risk and enhance the bank’s ability to identify, protect, detect, respond to, and recover from cyberattacks.
• Streamlined North American network security operations through effective system monitoring, threat intelligence management, third-party services oversight, penetration metrics, and due diligence reporting.
• Reduced cyber risk and enhanced cyber intelligence and information sharing by leading the testing, procurement, implementation, and operationalization of high-priority security initiatives to build out the bank’s computer forensics lab.
• Designed and implemented the bank’s enhanced Incident Management System, delivering a crisis management solution for tracking and reporting cybersecurity incidents and events. This included a metrics dashboard to monitor costs related to incidents, events, losses, and recovery, resulting in the closure of a major OCC-issued Matter Requiring Attention (MRA).
Head, Forensic Information Security Services N.A.
Tata Consultancy Services · Boston, MA
2010 – 2013 (3 yrs)
• Served as the Forensics Security Services lead, overseeing the development and delivery of security forensic services, including insider surveillance and user behavior analytics. Provided leadership and support for Governance, Risk, and Compliance (GRC) engagements, Security Information and Event Management (SIEM) services, and Managed Security Services.
• Designed and developed an Application Compliance Framework for the largest bank in the United States, defining minimum compliance standards for application development managers.
• Conducted an assessment of the GRC platform for a major US-based financial investment firm, resulting in the retention of a key GRC application and the development of an integrated GRC implementation strategy.
• Established and maintained frameworks that provided assurance and information security strategies aligned with business objectives and consistent with applicable laws and regulations.
• Identified and managed information security risks, creating and maintaining programs to achieve business objectives. Planned, developed, and managed capabilities to detect, respond to, and recover from information security incidents across diverse industries, including financial services, oil and gas, biotech, and pharmaceuticals.
Vice President, Risk & Security Compliance Services
Onyx Spectrum Technology, Inc · Boston, MA
2008 – 2010 (2 yrs)
• Directed the identification, development, implementation, and management of the organization’s Security, Risk, and Compliance strategies and programs.
• Led strategy, execution, and relationship-building efforts for sales and monthly billings generated through Onyx Spectrum strategic partners and government accounts during both pre- and post-award processes.
• Redesigned the firm’s approach to vendor management, including development and review of requests for proposals (RFPs), RFIs, contracts, due diligence, negotiations, contract fulfillment, budgeting, and vendor compliance audits, resulting in a more efficient operating model.
Director, Legal Consulting Group
Huron Consulting Group Holdings LLC · Boston, MA
2007 – 2008 (1 yr)
• Directed and coordinated e-discovery and digital evidence requirements for complex legal consulting engagements.
• Managed quality control audits and reconciliations of data collection for a Securities and Exchange Commission restatement.
• Advised clients on developing and implementing procedures for quality assurance and quality control audits related to records management and backup tapes.
• Led IT internal controls and system assessments of support systems in a court-appointed review of a ready-mix concrete and asphalt company, including evaluation of system infrastructure, lifecycle management, and logical access controls.
Principal, Enterprise Risk, and e-Discovery Practice
LECG · Cambridge, MA
2006 – 2007 (1 yr)
• Provided strategic guidance and managed resources to deliver efficient, cost-effective processes for preserving, collecting, processing, culling, hosting, reviewing, and producing relevant information for litigation support.
• Directed and coordinated multiple work streams to meet deadlines for data preservation, collection, processing, review, and production in legal disputes and forensic investigations.
• Led local and global teams performing forensically sound physical collection of data and documents.
Senior Cyber Crime Technical Advisor
U.S. DEPARTMENT OF JUSTICE/ICITAP, U.S. EMBASSY · Jakarta, Indonesia
2003 – 2006 (3 yrs)
• Established and designed a plan to assist the Indonesian National Police Criminal Investigations Unit (INP/CCU) in developing effective enforcement capabilities to prevent, interdict, and investigate cybercrime.
• Built innovative strategic partnerships with local training institutions to support the technical training needs of the INP, developing initiatives that enhanced the analytical and investigative skills of INP/CCU personnel.
• Developed and nurtured dynamic relationships with key stakeholders, including the DOJ Criminal Division – Computer Crime and Intellectual Property Section, the State Department Economic Section, the ASEAN Secretariat, USAID, and multiple government, academic, civil, and private organisations, resulting in cohesive development of critical infrastructure protection initiatives and policies in Indonesia and Southeast Asia.
Police Officer/I.T. Specialist
BOSTON POLICE DEPARTMENT · Boston, Massachusetts, United States
Nov 1989 – Sep 2001 (11 yrs 11 mos)
• Assisted management on information technology matters, including Computer-Aided Dispatch (CAD) systems, Mobile Data Terminal technology, Identification Imaging Systems, Personnel Management Systems, and Internal Affairs Case Management Systems.
• Developed curriculum for a 10-month training program to teach IT fundamentals to officers at all levels of the force.
Education
Boston University
Master of Science - MS, Criminal Justice/Police Science
Utica University
Master of Science, Economic Crime Management
Northeastern University
Institute of Experimental AI, Responsible Artificial Intelligence for Leaders: Executive Education
Jun 2024 – Jun 2024
University of Massachusetts Dartmouth
Bachelor of Applied Science (BASc), Broadcast Management
Expertise
Specialties