Resume

Michael B. Housch

CISM  ·  CISSP

VP-Level Technology & Operational Risk Leader  ·  Global Cybersecurity Executive  ·  Board Member

25+ Years Experience  ·  $21M Budget Managed  ·  150+ Team Size Led  ·  40+ SOC 2 Audits/yr

Summary

Strategic technology and operational risk executive with 25+ years of experience leading risk advisory functions across large, regulated financial institutions. Deep expertise embedding fit-for-purpose risk governance across digital product platforms, cloud environments, AI/ML-driven capabilities, and API ecosystems. Proven ability to influence senior technology and business executives, build high-performing risk advisory teams, and drive measurable risk reduction while enabling business agility. Recently focused on building and governing production agentic-AI systems in regulated environments — pairing hands-on AWS Bedrock AgentCore delivery with board-level AI risk governance.


Core Competencies

  • Technology & Operational Risk Advisory
  • Digital Risk Governance
  • AI/ML Risk Management
  • Agentic AI Security
  • AWS Bedrock / AgentCore
  • AI Governance (NIST AI RMF)
  • MCP Governance
  • Security Automation & GRC Tooling
  • Cloud Risk (AWS, Azure, GCP)
  • Digital Product Platform Risk
  • API & Application Security
  • Agile / DevOps / CI/CD Risk Controls
  • Platform Resilience
  • OCC · FDIC · FRB · GDPR · CCPA
  • NIST SP 800-53 / NIST RMF
  • ISO 27001
  • PCI DSS · FISMA
  • IAM / RBAC
  • Third-Party Risk / Supply Chain
  • SOC Leadership
  • Issue Management & Governance

Professional Experience

Dark Matter Technologies (DMT)

Chief Risk and Information Security Officer (CRISO)

Jacksonville, FL
October 2023 – Present

Senior technology and operational risk leader for a leading mortgage technology platform, owning the full risk advisory function across digital products, engineering, and cloud environments.

  • Embedded fit-for-purpose risk governance across Agile delivery and cloud-native engineering teams, ensuring risk controls kept pace with digital product development and platform deployments.
  • Implemented an AI-driven security solution across user endpoints, reducing privacy incidents and accidental data exposure by 85%, demonstrating hands-on oversight of AI/ML risk within production digital environments.
  • Designed and deployed an agentic "DCISO" AI skill on AWS Bedrock AgentCore encoding 12 deputy-CISO-grade workflows — from control mapping to evidence collection — under an explicit "augment, don't replace" model presented to the Business Operations Committee.
  • Led security-tooling vendor rationalization across an ~$11M portfolio, consolidating overlapping controls and renegotiating contracts to remove roughly $1M in annual spend while preserving coverage.
  • Scaled the security function through automation — building an AI RFP/security-questionnaire responder (Freshdesk + curated evidence library), a Vendor Risk Assessment Agent (Copilot Studio / Power Automate), and a ZenGRC connector for automated vendor-renewal tracking.
  • Defined the security reference architecture and guardrails for the Bedrock AgentCore integration with the Empower LOS — sandbox/VPC isolation, least-privilege IAM, and action controls for agents operating against a regulated loan-origination platform.
  • Led design and deployment of a comprehensive IAM framework with least-privilege principles, RBAC, and automated provisioning, directly governing digital identity risk across the enterprise.
  • Developed and deployed a Data Loss Prevention (DLP) solution across endpoints, email, and cloud environments, significantly reducing sensitive data exfiltration risk across digital channels.
  • Enhanced third-party and supply chain risk governance by integrating vendor monitoring into SOC operations, reducing risk exposure across the digital vendor ecosystem.
  • Launched enterprise security awareness program achieving a 92% reduction in phishing attempts; enforced NIST RMF standards reinforcing regulatory compliance with federal agency partners.

Q2 Digital Banking Solutions

Chief Information Security Officer (CISO)

Austin, TX
January 2023 – September 2023

Technology risk advisory leader for a digital banking platform, embedding risk practices across digital product delivery, application security, and third-party ecosystems.

  • Conducted comprehensive technology risk assessments across all digital business units, identifying and driving remediation of critical risk exposures across platform and product portfolios.
  • Transitioned application security to a risk-driven remediation model within an Agile delivery environment, aligning risk controls with digital product development timelines and priorities.
  • Matured third-party risk governance program, integrating it with SOC operations to provide real-time oversight of vendor risk within the digital banking ecosystem.

Black Knight Inc. (Acquired by ICE)

Chief Information Security Officer (CISO)

Jacksonville, FL
2012 – January 2023

Led technology risk and information security for a publicly traded fintech company operating large-scale SaaS and digital platforms in the mortgage and financial services industry. Reported to board risk committee and advised senior technology and business executives across a matrixed, global organization.

  • Governed technology risk across digital customer journeys, cloud infrastructure, and API ecosystems during a full enterprise migration to AWS — achieving zero data breaches while following AWS Well-Architected risk principles.
  • Built and led a global team of 150+ risk and security professionals with a $21M budget, developing high-performing risk advisory capabilities aligned to digital products and platform portfolios.
  • Directed cross-functional risk advisory teams in achieving and maintaining NIST SP 800-53, FISMA, and PCI DSS compliance for SaaS and digital platforms serving the VA and major financial institutions.
  • Led 40+ successful SOC 2 Type II and PCI DSS audits annually, working directly with regulators, auditors, and second/third line assurance teams.
  • Developed a vulnerability management program reducing Severity 4 and 5 vulnerabilities past SLA by 95% month-over-month through risk-prioritized remediation aligned with business impact.
  • Implemented a comprehensive incident response and issue management framework, reducing mean time to detect and respond to technology risk events by 60%.
  • Delivered regular technology risk briefings to the Board Risk Committee on Key Risk Indicators (KRIs), providing forward-looking, decision-oriented risk insights to senior leadership.

First Federal Bank

Chief Information Officer (CIO)

Lake City, FL
2000 – 2012

Led technology risk, information security, IT infrastructure, and business continuity for one of the Southeast's leading private banks. Provided strategic risk governance to the Board of Directors and maintained strong relationships with banking regulators.

  • Established enterprise-wide technology risk policies, standards, and access controls governing digital systems across all banking platforms and business lines.
  • Developed and executed a comprehensive information security and privacy risk assessment program to proactively identify, assess, and mitigate threats to critical digital banking systems.
  • Maintained strong relationships with banking examiners (OCC, FDIC, FRB), ensuring transparent regulatory communication and successful examination outcomes.
  • Delivered executive-level technology risk reporting to the Board of Directors, translating complex risk concepts into clear business implications for non-technical stakeholders.

Education

Master of Business Administration (MBA)

Accounting and Finance · Jacksonville University · May 2022

Bachelor of Science, Computer Science

Southern Texas University · 1989–1993

Executive Education Program

Wharton University of Pennsylvania · 2018–2019


Certifications

  • CISM — Certified Information Security Manager
  • CISSP — Certified Information Systems Security Professional

Awards & Publications

  • CISOs Connect™ Top 100 CISOs in North America (2024)
  • HousingWire 2024 Vanguard
  • Member, Forbes Technology Council
  • Forbes: "Rethinking Phishing Tests: A Call for Trust and Control in Cybersecurity"
  • Forbes: "The Current Encryption Landscape: The Need for 3072-Bit Keys"