Jon Debonis

Information Security


Education

BS Electrical Engineering – UC Davis


Languages

Python

JavaScript

Golang

Bash


Talks

BSides SF – Presented on peer code review in GitHub

FinTech – Panel on Information security after Equifax

AppSec – Presented talk on Crypto anchors

AppSec – Presented paper on using Chromebooks to protect production

MBA Tech – Moderated panel on Security and SaaS


Noteworthy

Obtained an FAA Pilot's License

Graduated High School two years early

Worked through college

Operated a hometown computer repair service with clients including the local paper and Nielsen Media

Spent three months traveling Europe for $50 per day

Ran the concert production & audio/visual for rock bands in >1,000 person congregations


Hobbies

Mountain biking in Lake Tahoe

Rock climbed an ascent of Half Dome (not the cables)

Woodworking including building a bed frame without screws, using hand tools.

Construction including kitchen remodel, framing, landscaping, electrical, plumbing, and full house preparation for sale.

Automotive – Rebuilt the head (top of engine with valves and camshaft) on my Toyota truck.


Experience

Head of Information Security & IT / CSO – Blend

2014-present

As head of information security, my responsibilities included structuring, building, and leading the security organization. Being a startup, ruthless prioritization was required, with an initial focus on protecting customer data and core product and operational security. The team consists of these five departments:

- Security Operations handles DevOps work, log tooling, and incident response.

- Program Management handles follow-through on critical multi-team projects and ensures tasks are tracked and completed across the entire organization.

- Security Policy handles internal training, internal audit, customer RFIs, customer audits, certification audits, and vendor due diligence and management.

- Security Development builds software for the core product and internal tools, and walks developers through the threat modeling process to make sure all code is secure.

- IT handles all non-production technology needs for Blend.

- Planned the teams to scale as the company grew from 20 to 450 employees, 200 enterprise customers, and processing $2 billion in loans daily.

- Hire, define roles and responsibilities, manage performance, and coach over 30 employees on multiple teams in my organization.

- Built processes to continually assess risk and increase security efficiency at Blend.

- Reported to the CEO and fostered positive relationships and negotiated alignment with the heads of legal, finance, engineering, and people operations, and the CEO.

- Balanced the need to reduce engineer friction with better security by leading internal tool product management to build tools that make security simple.

- Rewrote the open source project send.firefox.com in ReactJS to add a passphrase feature, and deployed the technology for all sensitive information sharing at Blend.

- Brought Blend through ISO 27001, PCI, and SOC 2 Type 2 certifications and multiple customer on-site audits.

- Aligned closely with the head of infrastructure, as it's critical to security.


Member of the Technical Steering Committee – SPIFFE

2016-2019

SPIFFE is an open source standard (IETF candidate) and implementation for cryptographically secure, authenticated, server-to-server communication.

- One of 3 people invited to the Technical Steering Committee

- Owned the Amazon Web Services attestation integration group, resulting in code used in the AWS attester

- Helped launch and define the open source project

Head of API Development and Infrastructure – Trov

2012-2014

- Hired and developed employees

- Defined the architecture for a global HA mobile application service

- Led the team of seven backend developers who built the API that powers the next generation of per-item insurance

- Developed specs for iPhone and insurance integration APIs

- Designed the authentication and authorization architecture

- Built out the secure development lifecycle and performed security code reviews

- Set up the ISO 27001 certification program and got Trov certified

Engineering – Google

2011-2012

- Increased the support team's efficiency by writing a frontend to the Salesforce email, ticket, and notes objects, combining the support history into an easy-to-digest single view. Still in use today backing the Google Apps support teams.

- Worked with google.org on a renewable energy project with the goal of eliminating inefficient generation stations by reducing grid load during peak usage periods.

- Reduced a high-latency communications problem affecting 25% of all requests to Google by identifying a long-standing bug in the global DNS system responsible for choosing the servers closest to the users.

Network Security Manager – Kaiser Permanente

2007-2011

- Developed a Python tool to automate scheduling and tracking the remediation efforts required to locate and disable wireless access points connected to the production network. This tool eliminated head count requirements.

- Identified and stopped data exfiltration attempts by analyzing all outbound network traffic and building models to categorize health-care-critical traffic and non-critical traffic.

- Ran the network security team of eight.

Developer and Network Engineer – Wells Fargo Bank

2004-2005

- Eliminated 5 head count by automating a complex network reconfiguration project across 7000 branches. This was achieved because I built a Perl tool to connect to the network management database, ingest an Excel spreadsheet, and execute a series of complicated network connections to change IP addresses, update routing protocols, and migrate to new frame relay circuits. With one employee, we could update 100 devices that required 750 different connections in 5 minutes.


Other Work Experience

2003–2007 – Completed electrical engineering degree from UC Davis

2005-2007 – Semphonic – Security Engineer Contract

2004-2005 – Wells Fargo Bank – Developer & Network Engineer

2003-2004 – Healthnet – Network Security

2002-2003 – Northpoint – Network Engineer

2001-2002 – Bankserv – IT and Network

2000-2001 – AMS – IT and Network

1998-2000 – C&D Computers – IT and Network

1996-1998 – ABC Music – Electronics and Audio Video Technician