Chief Information Security Officer

Security that scales from a startup to a Fortune 100.

I’m Rob Fuller. For 25+ years I’ve built, fixed, and scaled security, from a first hire to 1.5M+ endpoints at a $300B+ healthcare leader. The same hands-on judgment works whether you’re thirty people or a global enterprise.

USMC Veteran 25+ Years in Cyber 0-to-1 Builder Fortune 100 VP BlackHat Instructor Boardroom Certified
Portrait of Rob Fuller
Proven at any scale

The same operator, at both ends of the spectrum.

Most leaders fit one size of company. The record below makes the case that I fit yours, at either end.

$300B+
in enterprise revenue I help protect today

At enterprise scale

$300B+revenue at McKesson, a Fortune 100 healthcare leader
1.5M+endpoints secured across the enterprise
100K+United Airlines employees protected
$25Midentity & access program directed
60M+threat signals operationalized every month
4security functions owned: Red Team, Vuln Mgmt, EDR, Endpoint

From zero

1→25person security org built from a single hire
40%critical/high vulnerability backlog cut in 9 months
3+companies & communities founded and run
3compliance frameworks made audit-ready: SOC 2, ISO 27001, PCI
~30purple-team assessments, SMBs to enterprises
25+open-source tools shipped, still hands-on

Whether the budget is a rounding error or nine figures, the job is the same: find the root cause, engineer it out, and make security something the business runs on, not around.

“It’s not the forklift driver’s job to spot a phishing email. It’s mine to make sure they never have to.” I don’t accept “it’s not if, but when.” I build programs that find root causes and engineer whole classes of risk out of the business.
Operating principle
What I bring

A business leader who never stopped being an operator.

Take users out of the threat model

I engineer protection into the fabric, so your business never hinges on one person catching one bad click. People are the mission, not the last line of defense.

Cut critical/high vulnerabilities 40% in nine months

Separate signal from hype

AI and quantum, judged on evidence instead of headlines. I have the technical depth to tell what’s real and the governance to deploy it responsibly.

Briefed DHS on AI threats · United AI Security Review Board · FDD quantum peer reviewer

Fix the root cause

Risk-based prioritization and architecture-level controls that remove whole classes of problems, instead of triaging the same alerts forever.

Audit findings down 60% year over year

Speak the board’s language

I translate cyber risk into business terms a board can act on, with the credentials to back it.

Boardroom Certified (QTE) · MBA · CMU CISO Certificate
The arc

A quarter-century of build, fix, and scale.

Every chapter built the next. Together they prove the range a top-tier CISO is hired for.

2000–2008
Build

United States Marine Corps

Combat Engineer → Network Security Architect

A combat engineer who retrained into cyber and defended some of the most targeted military networks on earth.

MOS 1371 → 0656Military networksLeadership under pressure
More

The Marines taught two things no certification can: how to decide under pressure with incomplete information, and how to build teams where accountability is non-negotiable. Combat engineers think in both construction and destruction, a mental model that maps directly onto security architecture.

Moving from MOS 1371 to a tactical data-network gateway role wasn’t a career change; it was the same mindset applied to a new domain: building and defending infrastructure against adversaries with nation-state patience.

2008–2009
Fix

The Capitol & the Pentagon

Incident Response, U.S. Senate · Penetration Tester, Pentagon

Defended one of government’s most significant networks at the Senate, then red-teamed the Pentagon. Defender and attacker, back to back.

Senate IRPentagon pentestNational security
More

At the Senate, every alert was real and every decision carried national-security weight. At the Pentagon the role flipped to finding the gaps real threat actors would exploit. Holding both sides at once is the dual perspective that still shapes how I lead.

2009–2017
Fix

Elite consulting & red team

Rapid7 · GE · IBM X-Force Red

Eight years and hundreds of engagements across every industry and attack surface, learning what “good” looks like everywhere.

~30 assessments / yearGE 2011–2015500 apps to AWSIBM X-Force Red
More

Consulting forces a breadth in-house roles can’t: every kind of environment, every kind of failure, every kind of organizational dysfunction. You learn what works and what’s theater. At GE (2011–2015), as Senior Red Team Analyst and then Senior Security Architect, I helped architect the migration of roughly 500 applications to AWS and re-architect them as cloud-native, well ahead of the trend. In parallel, as CTO of the National CyberWatch Center, I built a cybersecurity team from zero and developed GRC frameworks for a national education initiative.

2017–2021
Build · Scale

Big tech & autonomous systems

Uber · Cruise (GM) · Black Hills Information Security

Security engineering where software failures are measured in lives. Built SOAR automation, identity architecture, and a 30-assessment purple-team program.

SOAR / PhantomSSO · MFA · IAMAutonomous-vehicle safety
More

At Uber I architected the SOAR detection and attack-emulation platform (later open-sourced) and led Red/Purple Team work across AD, IAM, and PAM, including the Azure AD migration. At Cruise, the stakes shifted from data to physics: securing software that drives cars on public roads. At Black Hills I built and led a purple-team program of roughly thirty assessments while mentoring the next generation.

2021–Now
Scale

Enterprise security leadership

Director, United Airlines → VP, Information Security, McKesson (current)

From a $25M identity program protecting a global airline to owning security strategy for a $300B+ healthcare leader that delivers roughly one-third of the pharmaceuticals used in North America.

$25M IAM program1.5M+ endpoints25-person org from scratch40% backlog cut
More

At McKesson I own security strategy across Red Team, Vulnerability Management, EDR Engineering, and Endpoint Strategy, protecting 1.5M+ endpoints. I built a 25-person organization from scratch, cut the critical/high backlog 40% in nine months through risk-based prioritization, and turned the vulnerability disclosure program into a strategic asset feeding the EASM effort.

At United Airlines I directed Red Team, Cyber Threat Intelligence, and IAM across a 100,000+ employee operation: driving a $25M IAM program, operationalizing 60M+ monthly threat signals, partnering with TSA, FBI, and ISACs on nation-state response, and cutting audit findings 60% year over year across SOX, SOC 2, PCI 4.0, ISO 27001, and NIST.

Influence & brand

Known for the craft and for shaping the field.

A public track record that brings credibility, network, and recruiting pull to whatever I lead.

BlackHat USA
Instructor since 2013

From Metasploit Mastery to Abilities Driven Red Teaming. On the Training Review Board since 2026.

Hak5
Originated the WiFi Pineapple

The Jasager/KARMA research on Fonera routers that became Hak5’s WiFi Pineapple. Host of Metasploit Minute.

HBO · Silicon Valley
Senior technical advisor

Seasons 2–6, making technical concepts accurate and compelling.

Homeland Security
AI threat briefing

Briefed DHS on AI-driven national-security threats, from model poisoning to prompt injection.

Quantum readiness
FDD peer reviewer

Reviewed the Foundation for Defense of Democracies’ quantum-readiness roadmap.

SolarFlare
Five years early

Built a SolarWinds Orion audit tool in 2015, years before the 2020 supply-chain breach made it matter.

Community
Founder & chair

NoVA Hackers · VMRG Chair · SecurityTitles.com · USMC Cyber Auxiliary founding member.

Next generation
Core red team

National CCDC and ISTS: red-teaming the student teams who become the next defenders.

In memoriam
RestInCode.com

Honoring the people who built and defended the information-security industry.

On stage since 2007

A voice the industry already knows.

Beyond the stage, a decade as DEF CON staff (a “Goon”) helping run the world’s largest security conference.

30+
conference talks
3
continents
20+
podcast episodes
2013
BlackHat instructor since
10
years as DEF CON staff
Credentials & education

The homework behind the judgment.

Education

MBAMS, CybersecurityBS, Cybersecurity & Information Assurance

All three degrees from Western Governors University.

Executive

Chief Information Security Officer Certificate Program, Carnegie Mellon University (Heinz College). Completed 2026.

Certifications

CISSPCISMCISACCSPOSCPCRTOECIHCEHSSCP

Clearance & networks

SECRET clearance (active)CISO SocietySANS CISO NetworkDigital Directors Network
Let’s talk

See what a CISO who’s operated at every scale can do for you.

A full-time CISO seat, a fractional or interim engagement, a board or advisory role, or the stage. The first step is a 30-minute conversation.

Full-time CISO Fractional / Interim Board & Advisory Speaking & Training