Download PDF

Martin G. Nystrom,,


Build and operate cyber security programs to protect customers and enterprises


Proven cyber security executive with experience delivering $50M+ portfolios, building and leading customer-facing security services, and corporate InfoSec
  • Commands advanced experiential knowledge on security threats and response
  • Advises executive customers of security threat and operational trends in quarterly briefings
  • Compelling presenter with credibility to engage customers and win business
  • Published author, representing rich cyber security experience in books, papers, and executive briefings
  • incident response, detection, and investigations
  • security operations
  • cyber threat intelligence
  • application, network, and system security
  • designing, deploying and securing web applications

Work experience

Cisco Security Services December 2015 — Present

Responsible for global delivery of rapidly growing $55M managed security portfolio, including advanced cyber threat detection and security device management.
  • 24x7 delivery across 4 global Security Operations Centers (SOC) in USA, APAC, and EMEAR
  • Directs global team of team of senior security investigators to hunt threats using advanced threat intelligence, security telemetry, and advanced analytics
  • Delivers and cultivates rapid threat detection and mitigation using Cisco Sourcefire IPS with AMP, ThreatGrid sandboxing, advanced threat intelligence using CIF, Soltra, and OpenSOC, including Hadoop for consuming, parsing and analyzing 6 Gbps at each PoP, with all forms of system telemetry and syslog
  • Delivers expert security device management including monitoring, planned changes, patch management, and architectural growth
  • Specialist in cyber security for healthcare and public sector

Cisco Security Services July 2014 — December 2015

Senior Manager
Leads Managed Threat Defense (MTD) advanced cyber threat detection for Cisco Security Services
  • 24x7 advanced cyber threat detection across 4 global Security Operations Centers (SOC) in USA, APAC, and EMEAR
  • Responsible for rapidly growing $5.5M service portfolio
  • Manages team of senior security investigators to hunt threats using advanced threat intelligence, security telemetry, and advanced analytics
  • Delivers and cultivates rapid threat detection using Cisco Sourcefire IPS with AMP, ThreatGrid sandboxing, advanced threat intelligence using the CIF, and OpenSOC, including Hadoop for consuming, parsing and analyzing 6 Gbps per PoP, with all forms of system telemetry
  • Curates hot threats to rapidly respond and monitor for IOCs gleaned from emerging attacks, conceptual attacks, and urgent vulnerabilities such as Heartbleed and Shellshock

Cisco CSIRT 2011 — 2014

Senior Manager

Built and led global engineering staff of 17 security architects and engineers; delivering innovative solutions against growing threats, including APT.

  • Developed and coordinated broad InfoSec strategy to detect and contain advanced threats
  • Coordinated all CSIRT operations to ensure investigations, analysis, and engineering functions execute consistently
  • Architected, budgeted and delivered new $1M portfolio for CSIRT, enabling global cyber security solutions and growing investigations staff of 60.
  • Managed successful delivery of massive security response portfolio including Splunk, Cisco WSA, Cisco IPS, Sourcefire FirePower and AMP, Cisco ESA, FireEye, Passive DNS collection, DNS-RPZ, Cisco ISE, Lancope StealthWatch, and Mandiant, collecting over 20 billion events per day into 1TB of growing events per day.

Cisco CSIRT 2009 — 2011


Managed security operations team, 19-person global staff conducting 24x7 security monitoring, operations, and routine investigations for Cisco's network.

  • Developed scheduling and workload distribution to provide 24x7 monitoring
  • Negotiated, developed, and managed $500,000 portfolio of monitoring engagements for internal clients
  • Coached staff to new areas of responsibility and aptitude, enabling senior engineers to take on larger projects
  • Motivated team with creative rewards and growth, maintaining 0% attrition over 2 years
  • Drove improvements using Capability Maturity Model (CMM) by improving quality assurance, engagement clarity
  • Assured security in Cisco cloud services initiatives (TelePresence as a service) by providing risk-based monitoring and response (team recognized with "Collaboration Across Cisco" award)
  • Continuously operationalized detection and response infrastructure for new acquisitions, data centers, and PoPs

Cisco CSIRT 2005 — 2009

Information Security Investigations Manager
Investigated, mitigated, and provided subject-matter expertise for dozens of security incidents
  • Lead and drove improvements to information security monitoring and incident response
  • Developed strategy for broader team, ensuring project portfolio alignment with strategic objectives Conducted global threat summit with diverse IT staff, drove projects to mitigate identified threats Tested and drove improvements to Cisco products (CS-MARS, CS-IPS, others) by regularly engaging engineering/marketing based on deployment experience
  • Developed standardized incident response handbook for global investigative staff, coordinated input and approval across HR, Legal, and internal auditors
  • Selected to attend Cisco Global Technical Leader Program, 2008

Cisco InfoSec 2002 — 2005

Security Architect

Provide security direction for Cisco projects. Specializing in web security, consult with IT project teams to provide secure architecture for large projects. Write policy and standards documents to address secure programming and deployment.

  • Developed web auditing/remediation team to address web security vulnerabilities.
  • Served as architect for web services security Developed database security strategy
  • Delivered a series of "Nerd Lunch" presentations to security staff on database, web services, and web security
  • Authored for O'Reilly Media - SQL Injection Defenses
  • Developed and delivered Secure Web Programming in Java course for global development staff Provided on-call incident response support: troubleshot high impact incidents, deployed firewall changes, investigated security incidents

Cisco IT 2000 — 2002

IT Engineer
Provided technical direction to team of engineers. Acted as consultant to business clients in exploring concepts for new applications. Provided architectural guidance to Sales IT Architecture Team. Sized and delivered tool enhancements and integration efforts. Develop ed and articulated technical vision. Mentored engineers through coaching, training, and guiding through technical challenges. Delivered series of presentations to e-commerce staff on internationalization, queuing, and b2b data exchange via XML.

Developed Partner Business Central - a portal into e-channels applications that allow Cisco partners to select, compare, and configure Cisco products, then interact with Cisco distributors for pricing, availability, and ordering. Product built in Java, using XML/XSL, CORBA, and Oracle, allows data exchange with business partners using XML over HTTP. Enabled RosettaNet integration for standardized message exchange with Cisco business partners.

Publications and Presentations

Seven Most Damaging Attacks: 2015’s Lessons Learned in Intrusion Detection

Cisco Live Management Sessions, 2015

Real World Threat Hunting

Keynote, CONFidence Conference, Krakow, Poland, 2015

Deconstructing Incident Response

RSA Conference, 2015

Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
(co-author), O'Reilly Media, 2009
Required reading for Network Forensic Analysis course at Boston University (2010) 

SQL Injection Defenses
O'Reilly Media, 2007


Master of Engineering

North Carolina State University
Master of Engineering in Computer Science

Bachelor of Arts

Iowa State University

BA, Business Administration in Management Information Systems (MIS)

Awards and Honors

Manager of the Year (Cisco IT), 2012

Collaboration Across Cisco Award, 2010
for teamwork in securing infrastructure for Cisco's TelePresence during COP15