Cody Keller

CISSP  ·  CISM  ·  CRISC  ·  Published Author

Information security leader with 10 years aligning technical security operations with business strategy. I build compliance programs that pass audits, enable revenue, and hold up under scrutiny — not checkbox exercises.

GRC & Compliance  ·  AI Governance  ·  SecOps  ·  SOC 2 · SOX · CJIS · HIPAA

10 Years Building Security Programs

Information Security Manager, GRC  ·  September 2024 – Present
SoundThinking, Inc. (SSTI, Nasdaq) — Fremont, CA
  • Compliance Program Leadership: Partners with the CISO to lead SoundThinking's enterprise security and compliance program across SOC 2 Type 2, HIPAA, CJIS, TX-RAMP, NIST 800-53, and SOX ITGC. Chairs the Compliance Committee, leads the governance section of the corporate ESG Committee, and guides cross-functional teams across IT, Finance, Legal, and Operations.
  • SOX ITGC Program Ownership: Assumed full accountability for SOX ITGC controls in June 2025, spanning IAM, Change Control, and Disaster Recovery. Manages all control design, evidence coordination, auditor liaison, and remediation tracking across multiple control families. Authored the SOX ITGC compliance operations playbook from the ground up.
  • Enterprise Risk Strategy: Drives the enterprise risk roadmap as the primary executor for strategic compliance initiatives, translating technical risk into actionable business language for leadership and external auditors. Leads the TPRM program, shifting from manual reviews to a NIST 800-53 baseline with AI-driven analysis, reducing vendor review turnaround by ~50%.
  • Vulnerability & Endpoint Management: Architects and manages enterprise vulnerability and endpoint management platforms in partnership with IT and DevOps, including full lifecycle ownership of cloud agent deployment, patch scheduling, and compliance tagging.
  • Revenue Enablement: Reduced security questionnaire response time from 2 weeks to 3 days through workflow automation and AI tooling, directly accelerating sales cycles.
  • Enterprise AI Governance: Built and owns the organization's AI governance program — authoring the corporate Acceptable AI Use Policy (ISO/IEC 42001 reference), deploying mandatory training to 350+ employees, implementing DLP controls for shadow AI detection, and leading enterprise AI platform transition to Claude Enterprise and GitHub Copilot Enterprise.

Senior Information Security Analyst  ·  September 2024 – May 2025
SoundThinking, Inc. (SSTI, Nasdaq) — Fremont, CA
  • SOC 2 Program Build & Delivery: Sole architect and owner of the company's inaugural SOC 2 Type 2 program. Independently designed all controls, led gap remediation, managed auditor relationships, and delivered 100% compliance with zero exceptions across 3 products, now scaled to 5 products.
  • Security Operations Leadership: Built and managed the enterprise security stack: MDM (Jamf, Intune), EDR, SIEM, and DLP. Transformed incident response from reactive and ad-hoc to a documented, mature program with defined escalation paths and SLAs.
  • Culture & Organizational Influence: Drove 100% onboarding security training completion company-wide by designing automated HR workflows. Created and delivered the Shared Security Responsibility program including tabletop exercises, executive briefings, and all-hands presentations.

Information Security Analyst  ·  May 2021 – September 2024
SoundThinking, Inc. (SSTI, Nasdaq) — Fremont, CA
  • Led the company through its inaugural SOC 2 Type 2 audit — achieving 100% control compliance with zero exceptions across 3 products (now 5). Built the control assessment, gap remediation, and audit fieldwork processes from the ground up.
  • Deployed and managed the enterprise security stack via MDM (Jamf and Intune), including EDR, SIEM, and DLP. Transformed incident response from ad-hoc to a mature, procedural discipline.
  • Drove 100% onboarding security training completion by automating workflows with HR. Led the "Shared Security Responsibility" culture through tabletop exercises and company-wide presentations.

Information Security Analyst  ·  February 2016 – May 2021
Edgewood Insurance Brokers and Consultants — Concord, CA
  • Owned the vulnerability management program — implemented an automated patch strategy that resolved critical/high vulnerabilities across 3,500+ endpoints within 30 days of initial deployment.
  • Delivered weekly threat intelligence briefings to 30+ stakeholders including executives, IT, and M&A teams, enabling proactive risk mitigation.
  • Managed the internal phishing simulation program (KnowBe4) and employee security training curriculum.

Built in the Field, Shared Publicly

Guardian AI — Threat Intelligence Agent
Automated threat agent that aggregates CISA/NIST feeds and uses GenAI to map critical vulnerabilities to internal assets, reducing manual triage noise.
AI Vendor Response Agent
RAG-based tool that ingests historical audit artifacts (SOC 2, SIG) to autonomously draft responses to incoming vendor security questionnaires.
Breach Notification Engine
Logic engine that calculates mandatory legal notification deadlines for GDPR, HIPAA, and SEC regulations based on incident severity metrics.

All projects available at github.com/codyjkeller

Credentials

CISSP — Certified Information Systems Security Professional
(ISC)² · Credential ID: 797229
CISM — Certified Information Security Manager
ISACA · Credential ID: 1390053
CRISC — Certified in Risk and Information Systems Control
ISACA · Credential ID: 263076495
CompTIA Security+
CompTIA · Credential ID: COMP001020948034

Technical & Domain Expertise

Leadership

Cross-Functional Program Direction  ·  Compliance Committee Chair  ·  Auditor Liaison  ·  Vendor Management  ·  Executive Reporting

GRC & Compliance

SOC 2 Type 2  ·  SOX ITGC  ·  HIPAA  ·  CJIS  ·  TX-RAMP  ·  TPRM  ·  Audit Management

GovTech & Frameworks

NIST 800-53  ·  ISO/IEC 42001  ·  GovRamp  ·  FedRAMP Readiness

AI Governance

Responsible AI  ·  LLM Agents  ·  RAG Architecture  ·  DLP / Shadow AI  ·  Prompt Engineering

Security Operations

SIEM / EDR  ·  Jamf Pro  ·  Intune  ·  Qualys  ·  Incident Response  ·  Business Continuity

Academic Background

Bachelor of Science — Business Administration, Management
California State University, Chico
May 2013