Modern CISO Network: Board Book
A directory of board-ready security leaders
location
AMER
areas of expertise
- Public, private, and hybrid cloud security
- IaaS, PaaS, and SaaS platforms/services
- Cloud security architecture
- Big data platforms
- API and microservices
- End user/endpoint security
- Cryptographic key management
- Data security and risk management
John Evans
Director of Cloud Security and Risk Management
Merck
John Evans is an information security executive with more than 22 years of experience and a demonstrated history of successfully leading teams in both commercial and federal government sectors, including the Department of Defense, Judicial Branch, and Executive Branch of the United States Federal Government. He has also held key roles at the Fortune 500 companies, including Merck and Marriott International. John is currently the Director of Global Cloud Security and Risk Management at Merck, a research-intensive biopharmaceutical company, where he creates and implements their security strategy for public cloud adoption. The strategy includes aligning the people, processes, and technology to create a secure IT operating model for public cloud workload adoption and aims to reduce organizational risk while protecting Merck data and assets in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and private cloud environments.
John was previously the Senior Director of Cloud Information Security Strategy and Architecture at Marriott International, where he defined the cloud security strategy for global IT and corporate enterprise security. He secured critical business initiatives such as cloud adoption and e-commerce, and provided corporate enterprise endpoint security. He continuously evaluated Marriott security policy/requirements and proactively assessed advanced threats to ensure that the security strategy evolved to address required changes in policy and threat awareness.
He also held key security roles at CGI, SAIC, and TWM Associates. While at CGI, he implemented and refined a DevSecOps model so that cloud system implementations could be performed quickly and efficiently. At SAIC, he analyzed the security posture of customer applications according to regulatory requirements and security standards. As an Information Security Analyst at TWM Associates, he developed security testing, evaluation, and contingency plans for the Department of Defense.