Cybersecurity Professional · Builder · Problem Solver

Tony Varghese

I build security programs. I build teams. Now I build the tools, too.

15+ years in cybersecurity. Built an entire security function for a government covering 180+ entities and 30,000 users. Scaled a team from 3 to 22. Ran a state-level CERT. Reduced incident response times by 60%. Zero audit failures in 8 years. Now in Oklahoma City, building production-ready security applications with AI — because the best way to understand the tooling is to build it yourself.

15+ Years Cybersecurity
180+ Entities Secured
3→22 Team Scaled
60% MTTR Reduction

About

The Short Version

I started my career as an AI research assistant at the Indian Institute of Science. Then I spent six years running IT infrastructure in Bahrain. Then two years as a product manager shipping digital solutions in Dubai. Then six years as a cybersecurity consultant for government and banking clients across the UAE. Then nine years building an entire cybersecurity function for the Government of Sharjah — from a 3-person team to a 22-person department securing 180+ entities.

Now I'm in Oklahoma City, building production-ready security applications with AI tools, consulting, and looking for the next problem worth solving.

If you need someone who can present to your board on Monday and tune your SIEM on Tuesday — or someone who can design your compliance program and write the policies underneath it — or someone who can evaluate a new framework they've never seen and have an implementation plan within a week — that's me.

I don't need to be the smartest person in the room. I need to be the most useful.

Core Expertise

SOC Leadership · GRC Programs · Zero Trust · NIST CSF · ISO 27001 · MITRE ATT&CK · Cloud Security · Incident Response · Risk Assessment · Security Architecture · Team Building · AI Development

The Full Story

Bangalore → Bahrain → Dubai → Sharjah → Oklahoma City

Where It Started

In 2000, I walked into the Indian Institute of Science in Bangalore as a research assistant. The project was in AI — natural language processing and cognitive computing. This was before AI was a buzzword. Before ChatGPT. Before anyone outside of research labs cared about machine learning. I didn't know it then, but that year shaped how I think about technology: not as something you read about, but something you build and test and break and rebuild.

A year later, I packed a bag and moved to Bahrain. No safety net. No contacts. Just an IT job at Alzayani Investments and the belief that if I could figure out AI research, I could figure out anything they threw at me. For six years I ran their IT — servers, networks, applications, strategy. It was there I learned that technology problems are almost always people problems in disguise. The server isn't the issue. The process around the server is the issue. Fix the people problem and the tech problem usually solves itself.

The Dubai Years

In 2007, I moved to Dubai. The next two years were different — I became a Product Manager at Emirads Digital, leading development for digital signage and wayfinding solutions. Not cybersecurity. Not GRC. Product development. Cross-functional teams. Agile before anyone called it Agile. I shipped things. It taught me something I carry into every security role: if you can't ship, your strategy is just a PowerPoint.

Then in 2009, cybersecurity found me. Dubai Bank needed someone who understood both technology and risk. I joined through Quadrant Risk Management, and for the first time, I was solving security problems full time. Risk assessments. SIEM implementations. Incident management. ISMS programs. The work was hands-on and the stakes were real — this was banking, and regulators didn't accept excuses.

When Quadrant was acquired by ISYX Technologies in 2013, I stayed through the transition and grew into a project lead. Over those years, I worked with 10+ clients across government, banking, and enterprise. Each one had different problems, different cultures, different levels of maturity. But here's what I learned as a consultant that I've never forgotten:

Every framework follows the same DNA. Scope it, assess the gaps, map controls, remediate, monitor, report, repeat. The names change. The domains shift. But the structure is the same. Once you've implemented a few end-to-end, any new framework is a matter of time, not capability.

I coached 5 organizations through ISO 27001 certification. 80% passed on the first attempt. Not because I was brilliant, but because I learned to listen before I prescribe.

Building Something From Nothing

In 2015, the Government of Sharjah called. They were forming a new digital department and needed someone to build their cybersecurity capability. Not manage it. Not advise on it. Build it. From zero.

I said yes.

What followed was the most defining chapter of my career. Over nine years — first as a Senior Consultant, then as Information Security Manager — I built an entire cybersecurity function for an emirate. Here's what "from zero" actually looked like:

Year 1

Just me and two other people. No SOC. No SIEM. No incident response process. No policies worth enforcing. 180+ government entities, each doing their own thing. I ran the first-ever state-wide gap assessment against UAE IA, NIST, ISO, and CIS standards.

Years 2-4

We started building. Hired specialists. Deployed a SIEM. Wrote the policies. Created incident response playbooks. Launched a 24/7 SOC with MSSP partnerships. Founded the state's first CERT. Delivered 12+ executive workshops to align the Executive Council on strategy.

Years 5-8

The team grew from 3 to 22. We deployed Zero Trust architecture, PAM, EDR, BAS, SOAR. Launched secure cloud services — IaaS, hosting, 15,000+ mailboxes. Incident response times dropped 60%. Detection coverage expanded 40%. Zero audit failures. Every year. For eight years.

The numbers aren't the point. The point is: I took something that didn't exist and made it work. Not by being the smartest person in the room, but by listening, planning, hiring well, and refusing to build governance that gets in the way of people doing their jobs.

The Move That Changed Everything

In late 2024, I made the decision to move to the United States. Oklahoma City. Green Card in hand. New country, new market, new chapter.

The job market was — and is — brutal. I know that. Everyone knows that. I could have spent my time refreshing job boards and feeling frustrated. Instead, I asked myself a different question:

What would happen if I tried to build the security tools I spent my career wishing existed?

So I picked up Claude Code — an AI-assisted development tool — and started building. Over the next few weeks, I planned, designed, and built 3 production-ready applications from scratch. A full-stack GRC platform with AI-assisted risk scoring, multi-tenant architecture, compliance mapping across SOC 2, ISO 27001, HIPAA, and NIST CSF. I deployed everything to production. From the command line.

I'm not a developer. I'm a security professional who now understands — at a code level — how the tools I've spent 15 years evaluating actually work. That makes me better at everything else I do.

Building People, Not Just Programs

One thing I'm quietly proud of that doesn't show up in the metrics: every year, we brought in roughly 10 university interns. Students with no security experience, most of them unsure whether cybersecurity was even the right career path. I made it a personal priority to train them — not just assign them tasks, but actually teach them how security operations work, how governance frameworks connect to real-world risk, how to think about problems before jumping to solutions.

I paired them with senior team members, gave them real projects with real stakes, and made sure they understood the "why" behind everything, not just the "how." Some of them sat in the SOC and learned to read alerts. Some of them worked on compliance reviews and saw firsthand how policies translate into controls. Some of them joined penetration testing engagements and discovered they liked breaking things more than defending them.

Most of those interns have since gone on to build careers in cybersecurity — in security operations, governance, risk, consulting. A few have reached out years later to tell me that their time with us was what convinced them to choose this field. That means more to me than any dashboard or audit result. Because the programs I built will eventually be replaced. The tools I deployed will eventually be retired. But the people I trained are still out there, building security programs of their own. That compounds in ways that no KPI can measure.

Where I Am Now

I'm in Oklahoma City. I'm consulting. I'm building. I'm applying to roles across cybersecurity, GRC, project management, and operations. I'm open to leadership and I'm open to being an individual contributor. I've led teams of 22 and I've been the person doing the hands-on work — and I'm comfortable in either seat.

I'm not looking for a title. I'm looking for the right team and the right problem to solve.

Philosophy

Principles I've Learned the Hard Way

1. Security that slows people down isn't security — it's a tax.

I've seen governance programs that exist on paper and governance programs that actually work. The difference is always the same: did the person who designed it understand how people actually do their jobs? If your policy creates a workaround, you didn't create a policy — you created a vulnerability.

2. Frameworks are all the same. That's a feature, not a bug.

NIST CSF, ISO 27001, COBIT, HIPAA, SOX, PCI DSS, FedRAMP, CMMC — I've implemented them across government, banking, and enterprise. They all follow the same DNA. Scope it. Assess the gaps. Map controls. Remediate. Monitor. Report. Repeat. Hand me a framework I've never seen and I'll have a working implementation plan within a week.

3. The best security leaders are translators.

Your SIEM detected 47,000 events last month. Your board doesn't care. Your board cares about: are we protected? How do we compare to peers? What does this cost us if we get it wrong? I spent eight years presenting to the Sharjah Executive Council. The first presentation was full of technical jargon. It didn't land. The second one told a story with numbers they understood. It got funded.

4. You can't protect what you don't understand at a build level.

This is why I started building applications with AI tools. Not to change careers. To close the gap between the security team and the engineering team. When you've actually designed a data model, deployed a container, and debugged a production issue at midnight — you ask better questions in architecture reviews.

5. Hire for ownership, not just skills.

The best hire I ever made was someone who didn't have the strongest resume but took complete ownership of everything they touched. The worst hire had perfect certifications and waited to be told what to do. I look for people who see a gap and fill it without being asked.

6. Listen first. Always.

Six years of consulting trained this into me permanently. The consultant who walks in with a pre-built solution fails. Every time. I start every engagement by shutting up and listening. What's actually happening? What do people believe is happening? Where's the gap? That gap is where the real problem lives.

7. Invest in people. Everything else depreciates.

Every year for eight years, I personally trained roughly 10 university interns — about 80 over the course of my time in Sharjah. Not because it was in my job description. Because someone invested in me early in my career and it changed my trajectory. Most of those interns went on to choose cybersecurity as their career path. The SIEM I deployed will be replaced in a few years. The policies I wrote will be rewritten. But the people I trained are still out there, compounding. That's the investment with the highest return.

Currently Building

Building the Tools I Always Wished Existed

In early 2025, I started doing something most security leaders don't: writing code. Not because I wanted to become a developer. Because after 15 years of evaluating, procuring, and implementing security tools — I wanted to understand how they're actually built.

Using Claude Code (an AI-assisted development tool), I planned, designed, and built 3 production-ready applications from scratch. Every decision — from the data model to the cloud provider — was mine.

GRC Command Center

A full-stack governance, risk, and compliance platform. Multi-tenant architecture so different organizations can operate independently. AI-assisted risk scoring that analyzes control gaps and prioritizes remediation. Compliance framework mapping across SOC 2, ISO 27001, HIPAA, and NIST CSF — with the ability to add new frameworks because, as I keep saying, they all follow the same structure. Automated vendor assessment workflows. Role-based access control. Executive dashboards.

This isn't a demo. It's a production application running on Akamai cloud infrastructure.

The Cloud Evaluation Journey

Choosing where to host taught me as much as building the applications themselves. I evaluated four platforms hands-on:

  • Oracle Cloud: Generous free tier, solid infrastructure, but the developer experience felt heavy for a solo builder.
  • Azure: Great enterprise tooling, but overkill for what I needed at this stage. The billing model was hard to predict.
  • AWS: The obvious default, but I wanted to make a deliberate choice, not a default one.
  • Akamai (Linode): Straightforward. Predictable pricing. Fast deployment. CLI-first workflow. Picked it and shipped.

The Tech Stack

Next.js · TypeScript · React · PostgreSQL · Prisma ORM · Docker · Tailwind CSS · REST APIs · Ollama/LLM · Akamai Cloud · CLI Deployment

Why This Matters

I'm not pivoting to software engineering. I'm expanding what it means to be a security professional. When I sit in an architecture review now, I'm not guessing how the application works — I've built one. When I evaluate a GRC platform, I'm not reading a vendor's marketing deck — I know what the data model should look like because I've designed one.

The best security professionals understand the things they're protecting. I decided to stop understanding them in theory and start understanding them in practice.

Achievements

Measurable Impact

State-Level SOC Transformation

Built and operationalized enterprise-grade SOC covering 180+ government entities with 24x7x365 threat detection and response capabilities.

60% Faster Response

Reduced incident response times by 60% through centralized SIEM, EDR, and security orchestration platforms.

3 → 22 Team Growth

Scaled SOC and security team from 3 to 22 experts while maintaining zero audit failures across eight years of operations.

70% Compliance Reduction

Unified multiple frameworks (ISO 27001, NIST, COBIT, PCI-DSS, GDPR) into a single control set, reducing compliance effort by 70%.

CIS Level 2 → Level 4

Improved organizational security maturity from CIS Level 2 to Level 4 across 184 entities within 3 years.

Industry Recognition

Excellence in CISO Leadership Award (2024) and Top CISO - Government Sector (2023) for program excellence.

~80 Interns Mentored

Personally trained ~10 university interns annually over 8 years. Most went on to build careers in cybersecurity — in security operations, governance, risk, and consulting.

Career Journey

Professional Experience

Cybersecurity & GRC Consultant

Independent Consultant
Jan 2025 - Present · Oklahoma City, USA
  • Advising enterprises on global SOC maturity, threat detection, and GRC optimization
  • Building production-ready security applications with AI-assisted development
  • Leading risk assessments and control mapping for cloud and zero-trust strategies

Information Security Manager

Sharjah Digital Department
Sep 2015 - Dec 2024 · Government of Sharjah, UAE
  • Built entire cybersecurity function from zero for 180+ government entities
  • Established 24x7x365 SOC with MSSP partnerships; founded state CERT
  • Scaled security team from 3 to 22; zero audit failures in 8 years
  • Reduced incident response times by 60%; expanded detection coverage 40%

Project Manager & Security Consultant

ISYX Technologies
Apr 2013 - Sep 2015 · Dubai/Abu Dhabi, UAE
  • Delivered cybersecurity programs for 10+ government, banking, and enterprise clients
  • Led ISO 27001 ISMS implementations with 80% first-time certification success
  • Designed SOC/incident response roadmaps for Fortune 500 banking clients

Information Security Consultant

Dubai Bank / Quadrant Risk Management
Dec 2009 - Apr 2013 · Dubai, UAE
  • Enhanced security posture for major UAE financial institution
  • Managed ISMS and led security incident management efforts
  • Conducted risk assessments and implemented SIEM systems

Product Manager

Emirads Digital LLC
Aug 2007 - Nov 2009 · Dubai, UAE
  • Led product development for digital signage and wayfinding solutions
  • Managed cross-functional teams using agile methodologies
  • Shipped real products — learned that strategy without execution is just a PowerPoint

Network and System Administrator

AlZayani Investments
Jul 2001 - Aug 2007 · Manama, Bahrain
  • Led IT team managing servers, networking, and applications
  • Learned that tech problems are usually people problems in disguise

Research Assistant

Indian Institute of Science (IISc)
Jul 2000 - Jul 2001 · Bangalore, India
  • Worked on AI project using NLP, Cognitive Computing, and Machine Learning
  • Before AI was a buzzword — learned to build and test and break and rebuild

Qualifications

Credentials & Education

Certifications

  • CISM Certified Information Security Manager, ISACA
  • CDPSE Certified Data Privacy Solutions Engineer, ISACA
  • CAIO Chief Artificial Intelligence Officer, Copenhagen Compliance
  • ISO 27001 Lead Auditor
  • ISO 20000 Lead Auditor
  • PRINCE2 Practitioner, AXELOS
  • Qualys Certified Specialist

In Progress: CISSP, CISA, CRISC

Education

  • Bachelor of Engineering Computer Science, Basaveshwar Engineering College, India

Awards & Recognition

  • Excellence in CISO Leadership 4th Future Workspace Summit & Awards, 2024
  • Top CISO - Government 3rd Edition Security Conclave & Awards, 2023

Open To

How I Can Help Your Organization

Leadership Roles

CISO · VP of Security · Director of Information Security · Security Program Manager · GRC Director

Where I've done this before: Built and led a 22-person security department. Managed multi-year budgets. Reported to executive councils. Defined strategy.

Senior & Principal Roles

Principal Security Architect · Senior GRC Consultant · Cybersecurity Project Manager · Senior Risk Analyst · Compliance Lead

Where I've done this before: Designed Zero Trust architectures. Led 10+ consulting engagements. Managed complex projects. Conducted enterprise-wide risk assessments.

Hands-On & Operations Roles

SOC Analyst · Security Engineer · Vulnerability Management Analyst · IT Security Administrator · Systems Administrator

Where I've done this before: Tuned SIEM use cases. Managed vulnerability scanning programs. Administered servers and infrastructure. I started here. I can go back here and be effective on day one.

Consulting & Advisory

Fractional CISO · Security Program Assessment · GRC Framework Implementation · Board Advisory · Compliance Readiness

Where I've done this before: Currently consulting. Delivered ISO 27001 certification programs. Advised executives. Ran compliance transformation programs.

I'm not looking for a title. I'm looking for the right team and the right problem to solve. I've led 22 people and I've been the individual contributor on the floor — I'm effective in either seat.

Logistics

  • Location: Oklahoma City, OK (onsite preferred) · Hybrid · Remote · Open to relocation
  • Authorization: U.S. Green Card Holder — no sponsorship required
  • Availability: Immediate
  • Industries: Government · Defense · Aerospace · Healthcare · Financial Services · Energy · Technology · Consulting

Get in Touch

Let's Connect

If you're building a security program, fixing a broken one, or need someone who can contribute at any level — I'd like to hear about it. And if you know someone who might be a good fit, I'd genuinely appreciate the introduction.