Cybersecurity, Data, and Design
Heath Nieddu PhD(c), CISSP, MBA, GCIH
About Heath
I’m a cybersecurity strategist with 17+ years of experience helping large organizations design and mature security programs rooted in data, process, and resilience. My career spans risk management, vulnerability management, incident response, and building the analytical capabilities behind those programs—with a focus on collaborative, sustainable progress.
Currently pursuing a PhD focused on how cybersecurity teams can better align with ITIL frameworks in order to more quickly adopt new technology. I’m exploring the structural and cultural changes needed to make security a more integrated, strategic partner in enterprise environments. I’m also preparing to teach at the community college level, with the goal of making security education more relevant and accessible.
Outside of work, I’m deeply interested in systems design—whether digital, organizational, or physical. I apply this systems-thinking lens to everything from architecture to furniture making, with a steady belief in patient craftsmanship and purposeful design.
Let’s connect if you’re working to bridge the gap between cybersecurity and operations—or just believe that good work starts with clear thinking, quiet confidence, and solid execution.
Services
Cyber Program Monitoring
I provide cyber security program evaluation to several of the world’s largest, most complex, global firms. I provide both point-in-time assessments and on-going implementation support for commercial firms, governments, and educational institutions.
I design security program monitoring and metrics programs that are efficient and effective. Efforts to measure security efficiency and effectiveness often get bogged down quickly; I leverage my experience to create the right approach for each client.
I provide on-going security consulting and advisory support. In some cases I can also serve as a temporary security program lead. In conjunction with my evaluations and monitoring program, these services are designed to jumpstart your own security program for long-term success.
My Approach
I approach each client with a fresh mindset and time-tested processes for gathering information, creating a strategy, and generating value as soon as possible. A risk-based approach means every organization will have different priorities, and plans will be adjusted to reach those goals. Generally, I advocate for training enthusiastic security analysts to use native security capabilities already in the environment. There is often opportunity to increase capability with current tools before investing in new ones. Early in my engagements, I emphasize properly managing assets, configurations, access, and vulnerabilities. These activities, coupled with a trained incident response team, create the foundation of a mature security program.
Companies I’ve Worked With
Articles
Posts from the Field
AI Innovation Isn’t Always Disruptive to Firms—But It’s Almost Always Disruptive to IT Pros
Summary: Much of the current discourse about artificial intelligence hinges on whether it qualifies as a “disruptive innovation,” a term coined by Clay Christensen in the 1990s to explain why large firms lose their edge to unexpected competitors. But for IT and...
The State of My Corpus – Early 2024
I'm almost halfway done with the pre-requisites for my PhD. It feels good to be making headway. I created a word cloud of all the papers I've reviewed so far in order to see if any themes emerged. I was surprised to see the theme of 'big data' be so much more...
A Cyber Insurance Discussion
This post serves to gather some of the discussion points, questions, and further resources regarding the topic of cyber insurance discussed at the 2023 Planet Cyber Security Conference in San Diego 12/06/2023. Bottom Line Up Front: The majority of the group felt that...
Why Manual Security Questionnaires in 2023?
Vendor security questionnaires were always discussed with an eye roll when I started in this field in 2008. We assigned an analyst to address the concerns of our partners. We also assigned a security architect to send our security questionnaires to our growing list of...
Scenario Planning with both Realism and Novelty
Scenario Planning (SP) exercises can differ depending on the industry and managerial level. Strategic leadership, information system leadership, and academia all view SP differently. Before understanding SP, we need to wade through the sometimes-confusing terms of...
Information Security is Practiced Like Early Medicine
As an industry, security teams often operate in isolation, not receiving transparent, reliable data about the experiences of others. Throughout the profession, pockets of innovation exist, but these innovations are not uniformly deployed to the field. The evolution of...
Ensuring M&A Success with IAM
M&A activity is on the rise, presenting challenges to identity and access management (IAM) programs, but also providing opportunities to aid deal integration. The increase in global activity will challenge security teams, demand the utmost of current IAM programs,...
Just Enough Insider Threat Defense
Mitigating insider threats presents a unique problem for information security leaders. Authorized users carry out harmful actions by performing tasks that may appear part of their day-to-day work. This salient detail keeps insider threat activity under the radar of so...
Please feel free to contact me with any questions or inquiries.