Landing Point — a career, charted

Khürt Williams

Lead Cybersecurity Architect (VP) — security architecture for regulated financial platforms, built on two decades of writing the tools myself before I ever designed controls for someone else's.

CISSP · CCSP · ISSAP · Princeton, NJ · Remote

Summary

What I do

I design security architectures for regulated environments — cloud-native, Zero Trust, AI governance — where the cost of getting it wrong is measured in regulatory sanctions and reputational damage, not just technical debt.

My foundation is engineering. I started writing code before most current security frameworks existed, which means I approach risk as a systems problem rather than a compliance exercise. That distinction matters when you're building architecture that has to survive contact with real engineering teams under real business pressure.

My path into security came through software. I built full-stack web applications — JavaScript, Perl, PHP, GNU/Linux, UNIX, MySQL, and PostgreSQL — before security frameworks as we know them today existed. That background translated directly into building custom security tooling for regulated environments: a web-based vulnerability scanner, a CMDB compliance application, an intrusion detection deployment, and a log-search pipeline I built from scratch after a SIEM project was shelved. I wasn't configuring vendor products. I was writing the tools.

For the past decade, my focus has been financial services — banks, payment systems, regulated platforms — where security architecture has to satisfy regulators, survive audits, and still let the product move.

I've been writing about security, technology, and the open web at Island in the Net since 1999. That's not incidental — thinking in public over two decades forces a kind of intellectual honesty that doesn't survive in slide decks.

1981 — 2013

Built

Every architecture decision I make now is downstream of a decade spent actually building the systems I'm now responsible for governing. This is the part most resumes leave out.

1981

First computer, first circuits

Building circuit boards and electronics kits before a VIC-20 arrived. Calculus done in my head for fun, not for a grade.

1992–95

Pascal, C, assembler

VAX/VMS at Drew, C and assembler at Georgia Tech, early access to SunOS, AIX, and Macintosh at Michigan.

1995–98

Microprocessors to the web

C programming for video encoding at Sarnoff Labs, then Perl CGI and a hand-built templating engine at Bloomberg — before templating frameworks existed.

1999–2013

The open-source decade

A home lab — FreeBSD, FreeNAS, Linux, Windows — wired together in a basement. LDAP, domain integration, full stacks compiled from source. Founded POSSE (Princeton Open Source Security Experts). Writing publicly since 1999.

2008 / 2010

Ahead of the cloud curve

Opened an AWS account in 2008, years before enterprise cloud adoption was mainstream. Wrote an early whitepaper in 2010 on PKI and digital signatures for DRM — embedding permissions directly into files.

2013

The pivot

A patent expiration, a flood of generics, a stock drop, and a round of role eliminations across the company closed the building chapter — and opened the architecture one.

Experience

Chronological record

Dec 2024 — Present · Princeton, NJ

Lead Cybersecurity Architect / Vice President

M&T Bank
  • Enterprise-scale security architecture strategy across cloud and regulated financial platforms, aligning business objectives with regulatory and risk requirements
  • Partner with Cybersecurity, Engineering, and Technology teams to integrate security into SDLC, DevOps, and Agile environments
  • Cloud security through Infrastructure as Code and automation; Zero Trust, IAM, and secure CI/CD pipeline standards
  • Regulatory alignment across SOX, FFIEC, and NIST frameworks; threat modelling and continuous evaluation of emerging risk

Jan 2024 — Dec 2024 · Buffalo, NY

Security Solutions Architect

TEKsystems
Client: M&T Bank, Buffalo, NY
  • Security architecture assessments, threat modelling, and risk assessment for on-premises and cloud applications
  • Evaluated risk to information assets against industry standards and regulatory requirements

Apr 2013 — Dec 2024 · Princeton, NJ · 11y 9m

Principal Security Consultant

Monkey Hill Consulting, LLC

My own independent security architecture practice. Senior security architecture, risk assessment, and compliance leadership for financial services, fintech, and government clients. Every engagement principal-led — no junior staff, no subcontractors.

Senior Security Architect — Client: Santander Holdings USA, Boston, MA — Jan 2021–May 2023
  • Led a remote team of senior security architects across the US and Mexico
  • Security assessments spanning hardware, applications, networks, and data systems
  • Frameworks and policy work aligned to GDPR, ISO 27001, FINRA, FFIEC, NYDFS, and SOX
  • Reported directly to the Director of Information Security
Senior Security Architect — Client: CLS Group, Inc., New York, NY — Apr 2018–Dec 2020
  • Designed secure information systems against unauthorised access and breach
  • Built an internal security controls framework drawing on NIST CSF, COBIT, and CIS Critical Security Controls
  • Reviewed architecture diagrams and vendor SOC 2 Type II / ISO 27001 documentation
Senior Security Specialist — Client: State of New Jersey Courts, Trenton, NJ — May 2013–May 2018
  • Led the redesign of application security architecture for online payments to achieve PCI DSS compliance
  • Scope expanded beyond the original PCI DSS mandate into broader security policy work, partnering directly with the Director of Security
  • Authored security hardening standards for Linux and Windows
  • Reorganised the vulnerability management programme: the existing process relied on a junior technician who could operate the scanning tool but not triage results for application and server teams — built the triage process and wrote the vulnerability programme guidelines
  • Created the incident response programme from scratch; ran Secure SDLC training and incident-readiness tabletop exercises
  • Established separation of duties between teams
  • Guided the organisation through PCI DSS audits to successful certification

Oct 2023 — Jan 2024 · New York, NY

Senior Security Architect

ConsultNet Technology Services and Solutions
Client: S&P Dow Jones Indices, New York, NY
  • In-depth reviews of on-premises applications against corporate security policy and regulatory requirements
  • Threat models anticipating attack vectors, prioritised by business impact

Apr 2003 — Apr 2013 · Princeton, NJ · 10y 1m

Senior Security Advisor

Bristol Myers Squibb
A hybrid role: technical management with no direct staff, combined with hands-on analyst and engineering work.
  • Strategic and technical leadership for BMS's enterprise information security programme in a global, regulated environment
  • Served as Vulnerability Manager — inherited EVA (Enterprise Vulnerability Assessment) from a predecessor: a Perl/CGI scanning tool built on Nmap and Nessus, running on Solaris with a PostgreSQL backend
  • Designed EVA's database access model so only the Solaris host itself could reach the PostgreSQL backend — isolation enforced at the data layer, not just the network
  • Renamed and enhanced EVA with a JavaScript/AJAX interface and LDAP-based IAM integration, later refactoring it to PHP
  • Built EDEM (Enterprise Detection and Monitoring), a custom web-based vulnerability scanner, from scratch (Perl, CGI, JavaScript, MySQL) — designed and normalised the full database schema and data model
  • Built a CMDB compliance application for risk assessment
  • Stood up Snort for intrusion detection and deployed an enterprise SIEM; when that project was shelved, built a Bash/Perl log collection and indexing pipeline so the forensics team could search effectively
  • Served on the Incident Response team during active breaches and enterprise-level operational issues that impacted security
  • Created an AWS account in 2008 and wrote an early whitepaper in 2010 on PKI and digital signatures for DRM
  • Policy and governance work aligned to HIPAA, SOX, and FDA requirements; IAM initiatives and security awareness training

Jan 2000 — Apr 2003 · Princeton, NJ

Full-Stack Web Developer & IT Systems Consultant

Williams Interactive, Inc.
Clients: Johnson & Johnson, Bristol-Myers Squibb, Merrill Lynch, Prudential Securities, State Street Bank, Oki Business Solutions
  • Full-stack web applications — Linux, Apache, Perl, PHP, JavaScript, HTML — built and secured on UNIX/Linux (Solaris, BSD) servers
  • Designed and normalised the database schema for an online training platform built in PHP and JavaScript (2001–2002)
  • ETL workflows and enterprise data integration; automation via Perl and shell scripting

Sep 1998 — Jan 2000 · New Brunswick, NJ

Web Application Developer

The Computer Merchant, LTD
Client: Johnson & Johnson
  • Perl CGI scripting for press release publishing and an online job-posting/application system

Sep 1997 — Sep 1998 · Princeton, NJ

Web Developer

Bloomberg News
  • Perl CGI for dynamic content, form processing, and server-side logic on Bloomberg's Energy desk
  • Independently designed and built a server-side templating system and templating language — predating widely adopted templating frameworks

May 1995 — Sep 1997 · Princeton, NJ

Associate, Member Technical Staff

Sarnoff Corporation
  • C programming for very-low-bit-rate video encoding — videophone and early MPEG-4 applications

Range

Same title, different floor

"Lead Cybersecurity Architect" is the title on the org chart. It doesn't capture everything underneath it. The functional roles below are work I have actually done — not adjacent experience, not theory.

Software Engineer / Developer
Production code shipped at Bloomberg, The Computer Merchant, Williams Interactive, and Bristol Myers Squibb — Perl, CGI, PHP, JavaScript, C, assembler.
Security Engineer
Built a vulnerability scanner from scratch, enhanced an inherited Nmap/Nessus toolchain, stood up Snort and a SIEM, and engineered a log-search pipeline when the SIEM project was cancelled.
Security Analyst
Served as Vulnerability Manager at Bristol Myers Squibb; built forensics search tooling; sat on the Incident Response team during active breaches and enterprise-level operational issues that impacted security.
Systems / Infrastructure Engineer
Built and hardened Linux/UNIX servers from source — OS, Apache, MySQL, Perl, TLS — and integrated LDAP with Windows domain controllers across a self-built lab environment.
Database Developer / Data Modeller
Designed and normalised the database schema for an online training platform — genuine data modelling, not just a database running underneath a stack.
DevOps / Systems Administrator
Infrastructure automation via Perl and shell scripting; server hardening and provisioning across multiple consulting engagements.
I design controls for systems I understand because I have built systems like them.

Credentials

Education & certifications

Education

  • MS, Electrical and Computer Engineering · University of Michigan — Rackham Graduate School
  • BE, Electrical and Electronics Engineering · Georgia Institute of Technology
  • BA, Physics · Drew University

Certifications

  • CISSP · Certified Information Systems Security Professional · certified since 2004, current cycle to Oct 2028
  • CCSP · Certified Cloud Security Professional · certified since 2021, current cycle to Sep 2027
  • ISSAP · Information Systems Security Architecture Professional · current cycle to Oct 2028
  • AWS Certified AI Practitioner · Early Adopter · issued Dec 2024, valid to Dec 2027
  • AWS Certified Cloud Practitioner · issued Apr 2024, valid to Apr 2027
  • ITIL v3 · Information Technology Infrastructure Library

Contact

Get in touch


LinkedIn: linkedin.com/in/khurt-williams

Writing: islandinthenet.com