About Paul
Building secure, compliant systems at the intersection of cloud infrastructure and AI governance
Professional Summary
I'm a business-focused and technically adept Chief Information Security Officer (CISO) with a proven track record of building and leading comprehensive security and compliance programs. My career combines executive-level security strategy with hands-on technical implementation, bridging the gap between high-level policy and real-world systems.
As a recognized thought leader in AI Governance and security, I'm actively shaping industry standards through the Fintech Open Source Foundation (FINOS) and engaging directly with Financial Services organizations on AI adoption strategies. My unique perspective comes from years of deep technical work in cloud-native technologies, DevSecOps, and open-source communities including Istio and Envoy.
Current Role
Chief Information Security Officer at Tetrate (2023 - Present)
As Tetrate's first CISO, I architected and implemented the company's entire information security program from scratch. This role perfectly embodies my passion for solving business challenges where technology and people intersect.
What makes this position unique is my dual responsibility: I serve as the security executive and, until mid-2025, also led the platform engineering team responsible for our internal cloud services. This combination allows me to embed security-by-design principles directly into infrastructure and development lifecycles, rather than treating security as a separate function.
Key achievements include:
- Successfully led the organization to achieve SOC 2 Type II and ISO 27001:2022 certifications
- Established comprehensive GRC strategy and vendor risk management processes
- Lead GTM initiatives for AI governance solutions, acting in a field CTO capacity with Financial Services customers
- Drive product strategy by translating customer insights into actionable requirements for AI governance middleware
- Regular conference speaker at events including APIDays London and FINOS OSFF NYC
Recognition & Awards
In October 2025, I was honored to receive the FINOS Newcomer Award at OSFF NYC 2025. This award recognizes new members of the FINOS community who demonstrate commitment to open source through active participation in project meetings, code contributions, pull requests, and resolving GitHub issues. It's particularly meaningful as it acknowledges the work I've done to shape AI governance standards for the financial services industry.
Open Source Contributions
Contributing to open source has been a cornerstone of my career. I believe that the most significant advances in security and governance come from collaborative, transparent development.
FINOS AI Governance Framework
I'm an active contributor to the FINOS AI Governance Framework, shaping industry-wide standards for secure and compliant AI use in financial services. My contributions include:
- CALM Visualizer: Completed a ground-up rewrite of the FINOS CALM (Common Architecture Language Model) visualizer tool
- Agentic AI Risks: Contributed 1,300+ lines of code adding 5 new agentic AI risks and mitigations to the framework
- Workshop Leadership: Led multiple workshops on AI Governance for financial services industry participants at major conferences
Istio & Envoy
During my time at Tetrate, I served as a security maintainer and release manager for the Istio and Envoy open-source projects. I was a member of the Istio Product Security Working Group for multiple years, responsible for managing vulnerability disclosures and driving security improvements. I also acted as the official Release Lead for two major versions of Istio, coordinating community efforts to deliver new features and security patches.
Career Journey
Senior Engineering Manager at Tetrate (2021 - 2023)
Before becoming CISO, I initiated and led Tetrate's first cybersecurity and compliance program, designing the foundational controls that enabled future certifications. In this role, I also led the platform engineering group as a hands-on technical manager, delivering code in Go and Python while managing teams focused on open-source software and information security.
IBM Cloud (2017 - 2021)
As Senior Engineering Manager & Compliance Lead for IBM Cloud Container Registry, I owned security and compliance for a mission-critical global PaaS service. This role gave me deep experience in large-scale Kubernetes deployments and the realities of multi-framework compliance.
Key achievements:
- Successfully achieved and maintained SOC 2, PCI-DSS, and HIPAA compliance
- Developed enhanced security controls for IBM Financial Services Cloud
- Led and mentored a distributed team of 18 engineers
- Balanced feature delivery with security requirements and operational stability at scale
Engineering Leadership at IBM (2012 - 2017)
Earlier in my career at IBM, I progressed through engineering management and program management roles:
- Engineering Manager: Led teams of up to 45 engineers, transitioning a major cloud service to Kubernetes-based architecture
- Program Manager: Managed development budgets of $50M-$60M, leading international cross-functional teams across multiple product releases in the IBM Storwize family
- Development Project Manager: Coordinated teams of ~100 engineers across multiple releases, implementing process improvements and managing stakeholder communication at VP level
Technical Foundations (2004 - 2012)
I started my career as a Test Lead at IBM, gaining hands-on experience with storage systems, SAN, UNIX, and various programming languages. This technical foundation proved invaluable as I progressed into leadership roles—I never lost touch with the code and systems that underpin everything we build.
Areas of Expertise
Security & GRC Leadership
- AI Governance & FinTech Risk
- Security Program Development
- SOC 2 & ISO 27001 Audits
- NIST 800-53, PCI-DSS, HIPAA
- EU AI Act & ISO/IEC 42001
- Incident Response
- Vendor & Third-Party Risk
Technical & Cloud Security
- Cloud Security (AWS, GCP, Azure)
- DevSecOps Strategy & Tooling
- Kubernetes, Istio & Envoy Security
- Application Security (AppSec)
- PaaS Architecture at Scale
- Go, Python, Bash Scripting
- Compliance-as-Code (CALM)
Executive & Program Leadership
- C-Level & Board Communication
- GTM & Customer Engagement
- Risk Management & Reporting
- Strategic Planning & Roadmap
- Budget Management ($50M+)
- Team Leadership & Mentoring
- Thought Leadership & Speaking
Education & Certifications
- MEng (Hons) 2:1, Computer Systems Engineering - University of Warwick, UK
- Project Management Professional (PMP) - Project Management Institute (PMI), 2008
What Drives Me
Throughout my career, I've been drawn to problems that sit at the intersection of technology, people, and business outcomes. Security isn't just about tools and policies—it's about enabling organizations to move fast while managing risk appropriately.
My work in AI governance stems from the same philosophy: as AI becomes central to how organizations operate, we need practical, implementable frameworks that allow innovation while meeting regulatory requirements and managing genuine risks. This is why I contribute to FINOS and engage directly with financial services organizations—the standards we're building today will shape how the industry approaches AI for years to come.
Whether I'm writing code, designing security controls, presenting at conferences, or advising executives, my goal remains constant: build systems that are both secure and pragmatic, combining technical depth with business acumen.
Let's Connect
Interested in discussing AI governance, security architecture, or potential collaboration? Feel free to reach out.