Resume
Greg Surber, CISSP, CISM, Associate C|CISO
Principal Cybersecurity Architect | OT Security & GRC | Kinetic AI Risk | CISSP CISM
Billerica, MA | 253-951-5505 | info@gregsurber.com | linkedin.com/in/gregorysurber/
Professional Summary
Accomplished cybersecurity executive with 15+ years driving enterprise GRC solutions and quantitative risk management strategies across regulated industrial and commercial environments. Expert in aligning security posture with business objectives, managing risk in IT/OT convergence zones, and establishing governance frameworks. Deep expertise in translating complex regulatory requirements (PCI DSS, HIPAA, GDPR, CCPA/CPRA, FISMA) into scalable, automated GRC solutions. Proven history building high-performing teams, enhancing third-party risk management (TPRM) programs, and driving measurable security improvements. Currently pioneering research into ‘Kinetic AI Risk,’ developing frameworks to secure the intersection of Agentic AI and Operational Technology (OT).
Strategic Leadership Highlights
- Audit Excellence: Built enterprise security programs achieving consistent audit excellence across federal, utility, and commercial environments, serving as subject matter expert for FISMA, OIG, DoD STIG, and NERC CIP audits with zero findings.
- Policy & Framework Development: Created the first DoDEA System Security Plan—a 375-page framework now used as the agency-wide template. Championed major regulatory transitions including leading a federal agency’s transition from DoD C&A to Risk Management Framework (RMF).
- Third-Party Risk (TPRM): Enhanced TPRM processes by standardizing security requirements in MSAs/SOWs with Legal, reducing vendor-related risk exposure.
- Security Culture: Engineered security culture through enterprise-wide awareness initiatives for diverse audiences—from 6,000 educators to Master’s-level cybersecurity students.
- IT/OT Convergence: Led an Operational Technology (OT) Security Working Group for a critical infrastructure utility, coordinating security implementation between IT and industrial control systems (ICS)/SCADA teams.
Active Research & Open Source
Creator & Lead Researcher | Kinetic Prompt Dataset (KPD) Jan 2026 – Present
- Developing the industry’s first “Prompt-to-PLC” vulnerability dataset, designed to benchmark Large Language Model (LLM) interactions with Industrial Control Systems (ICS).
- Pioneered the “Kinetic Risk Mapping” framework, translating OWASP Agentic AI vulnerabilities (e.g., Goal Hijacking, Context Poisoning) into physical failure modes.
- Engineering custom Python tooling to scrape and analyze arXiv research at the intersection of SCADA security and Generative AI.
- Repository: github.com/gregsurber/kinetic-prompt-dataset
Professional Experience
Principal Cybersecurity Architect (Acting Associate Director) | Quanterix | Jan 2024 – Present
Functioned as the primary security lead for the organization, bridging the gap between technical execution and executive strategy.
- DLP & DSPM Strategy Leadership: Architected and implemented an enterprise-wide Data Loss Prevention (DLP) and Data Security Posture Management (DSPM) program utilizing Microsoft Purview. Established granular data classification standards, automated labeling policies, and integrity procedures to protect sensitive IP across hybrid environments.
- Third-Party Risk Management (TPRM): Enhanced the vendor security ecosystem by collaborating with Legal to standardize security requirements in MSAs/SOWs. Led the evaluation of critical vendors, reducing supply chain risk exposure through rigorous due diligence and continuous monitoring.
- Cross-Functional Governance: Partnered with Legal, IT, and Compliance stakeholders to align security controls with GDPR, CCPA, and HIPAA requirements, ensuring regulatory compliance while enabling business velocity.
- Incident Response & Forensics: Managed end-to-end security incident response processes, including forensic investigations and root cause analysis, effectively containing threats and minimizing business disruption.
- Security Architecture & Engineering: Led security architecture reviews for new cloud platforms and infrastructure deployments, ensuring a “security by design” approach for all new applications and services.
Cybersecurity Manager | SAIC / Volpe Center, US DOT | Jul 2020 – Jan 2024
- Designed and implemented an enterprise-wide privileged access management solution, reducing local administrator accounts by 85%+.
- Served as subject matter expert for FISMA and Office of Inspector General audits.
- Supported strategic decision-making by providing continuous risk visibility to leadership.
Adjunct Professor of Cybersecurity | City University of Seattle | Aug 2021 – Present
- Developed and delivered Master's- and Bachelor's-level curriculum for Cybersecurity Auditing, Ethical Hacking, Data Security, and Cloud Security.
Senior Cybersecurity Engineer / Vulnerability Manager | Puget Sound Energy | Apr 2016 – Jul 2020
- Architected and managed enterprise vulnerability solutions for 9,000+ assets across IT and OT environments, achieving 95% average monthly security patch compliance.
- SIEM & Tooling Strategy: Led vendor product evaluations, testing, and selection for SIEM, vulnerability scanning, and third-party patching tools, ensuring optimal ROI and capability alignment.
- Led Operational Technology (OT) Security Working Group, coordinating between IT and OT teams on industrial control systems and SCADA device security.
- Served as subject matter expert for NERC CIP-007 and CIP-010 compliance audits, achieving zero findings in 2016 and 2019 NERC/WECC audits.
- Supported Payment Card Industry Data Security Standard (PCI DSS) compliance efforts by implementing security controls and conducting vulnerability assessments of payment systems.
Chief, Information Assurance Branch (GS13) | Department of Defense Education Activity (DoDEA) | Aug 2010 – Apr 2015
- Directed information security for 40,000+ users across 9 countries, managing $750k budget and team of 7 geographically dispersed IA officers with full personnel management responsibilities.
- Led agency transition from DoD C&A to Risk Management Framework (RMF), creating the first-ever DoDEA System Security Plan now used as agency-wide template.
- Achieved zero findings across multiple federal audits (FISMA, OIG, DoD STIG) through quantitative risk management and proactive compliance monitoring.
Core Competencies & Technical Skills
- Emerging Tech & OT: AI & LLM Security (OWASP Top 10), OT/ICS Security (IEC 62443, NIST 800-82), Kinetic Risk Mapping, Intelligent Interaction Honeypots.
- Technical Stack: Python (Data Analysis/Automation), Docker, Linux (Kali), GitHub/Gitflow, Jekyll.
- Governance & Risk: Enterprise Risk Management (ERM), TPRM, NIST CSF 2.0, ISO 27001, Regulatory Compliance (SOX, GDPR, HIPAA).
- Leadership: Security Architecture Strategy, Board-Level Reporting, Cross-Functional Team Leadership, Crisis Management.
Education & Certifications
- M.S. in Cybersecurity, City University of Seattle
- B.A. in Sociology/Criminology, University of Oklahoma
- Certifications: CISSP, CISM, CEH, CCSK, Associate C|CISO
Publications
Surber, J.G., & Zantua, M. (2022). Intelligent Interaction Honeypots for Threat Hunting within the Internet of Things. DOI: 10.53735/cisse.v9i1.147