Josh Jones
About Me
GRC engineering and security operations specialist skilled at turning compliance frameworks into scalable controls, building audit-ready systems, and bridging regulatory and engineering worlds in fast-paced environments. Experienced across IT and security domains including security architecture, security governance, security risk management, system administration, networking, and application development.
- CISSP - Certified Information Systems Security Professional
- CISA - Certified Information Systems Auditor
- CSIS - CompTIA Secure Infrastructure Specialist (A+, Network+, Security+)
- PCI ISA - PCI Internal Security Assessor
- PCIP - Payment Card Industry Professional
- Project+
- ISO 42001:2023 Lead Auditor
Work Experience
Compliance Programs Manager, Security and Healthcare
- Built the enterprise Compliance Engineering function, automating continuous control monitoring across Azure, M365, AWS, OCI, and on-premises environments
- Reduced audit preparation time through automated audit evidence collection, saving engineering teams significant effort
- Built custom agentic AI review processes for control and policy/standard mapping, POA&M (Plan of Action and Milestones) drafting, evidence review, and questionnaire response drafting
- Completed over 25 external audits or assessments annually covering PCI DSS, the PCI Secure Software Standard, HITRUST, SOC 1, SOC 2, SOC 3, and partner audits
- Partnered with DevOps, Security, and Infrastructure teams to embed compliance into SDLC practices
- Performed control mapping to enable the development of a common control framework
Security & Healthcare Compliance Analyst IV, Lead
- Served as the primary internal PCI subject matter expert covering four Level 1 PCI DSS Reports on Compliance (ROCs) and one PCI Secure Software Standard product
- Led internal Operational Readiness reviews for hundreds of projects and new products, partnering with product and engineering teams
- Collaborated with a PCI SSC Special Interest Group (SIG) to help develop the industry guidance "PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures"
- Participated in Request for Comments (RFC) periods as a PCI SSC Participating Organization, helping to develop numerous PCI standards
Senior PCI Security Analyst
- Worked with numerous high-profile clients to improve security readiness and compliance with PCI DSS
- Reviewed technical controls, system configurations, policies, and procedures to assess compliance and recommend improvements
- Worked closely with company executives and clients on the development of a SaaS-based integrated risk management (IRM) platform supporting 800+ compliance standards
Information Security Analyst
- Worked under a PCI Qualified Security Assessor (QSA) and assisted with PCI DSS assessments
- Wrote scripts to assist with evidence collection
Systems Analyst
- Administered numerous systems including ERP, ITAM, POS, email, document/records management, M365, public safety, and more
- Administered a mixed environment of Windows, Linux, and IBM i operating systems
- Implemented security technologies including the Elastic Stack for SIEM and centralized logging, and CrowdStrike for EDR
- Wrote scripts and utilities to assist with patch management, automation, and more
- Assisted with security compliance activities (PCI DSS and CJIS)
IT Helpdesk Analyst
- Triaged and routed all IT service requests as the sole Help Desk Analyst
- Provided Tier 1 and Tier 2 technical support for over 600 users and 800 devices, including mobile phones, laptops, desktops, and servers
- Performed Active Directory administration, including management of users, organizational units, security groups, and Group Policy
Co-Founder
- Developed the web application front end and back end for an e-waste recycling business
- Operated the e-waste recycling business, refurbishing and reselling used electronics including cell phones, laptops, desktops, and more
Technical Skills
Frameworks & Standards
- PCI DSS, PCI Secure Software Standard, PCI Secure Software Lifecycle (Secure SLC), Key Management Operations, PCI Point-to-Point Encryption (P2PE), PCI PIN
- SOC 1, SOC 2, SOC 3
- HITRUST CSF
- HIPAA
- CMS Chapters 9 and 21
- ISO 42001
- CJIS
- More...
Tools & Technologies
- Wiz, ImPAC, Qualys, Snyk
- ServiceNow, Jira, Azure DevOps
- Copilot Studio
- Power Automate, Python, Bash, PowerShell
- Elastic Stack, Exabeam, CrowdStrike
- Hyperproof
Cloud Platforms
- AWS
- Azure
- GCP
- OCI
Key Projects
ctrlmap - GRC Automation CLI
GRC automation CLI that maps internal policies to security frameworks (NIST SP 800-53, PCI DSS, SOC 2, ISO 27001) using local AI: layout-aware PDF parsing, built-in heuristics, and local LLM inference via Ollama, so no data leaves the machine.
Sentinellium - AI Defense Grid
Client-side, privacy-preserving AI defense grid: a WebGPU-accelerated browser extension that runs security inference locally, detecting phishing, prompt injection, and malicious content without sending data to external servers.
NSC Reviews with MCP & LLMs
Educational lab demonstrating MCP (Model Context Protocol) servers with LLMs for automated network security control reviews and segmentation analysis, using AWS Security Groups and Network ACLs as the worked example.
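The deterministic core of such a segmentation review, as an added example that is not the lab's code: evaluate a Security Group (allow-only, any match permits) together with its subnet's Network ACL (ordered by rule number, first match decides) to answer "can source X reach port Y?", and separately flag SG rules open to the world even when a NACL currently masks them. The group and ACL dictionaries are constructed to mimic the JSON shape of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`; the IDs and addresses are made up.

```python
"""Segmentation check over AWS Security Group and Network ACL rules.

Added example, not the lab's code. The input dictionaries are constructed to
mimic the JSON shape returned by `aws ec2 describe-security-groups` and
`aws ec2 describe-network-acls`; nothing here is captured from a real account.
"""
import ipaddress

# Constructed sample: a database-tier security group and its subnet's NACL.
DB_SG = {
    "GroupId": "sg-0db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.1.0.0/24"}]},  # app tier only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # SSH open to the world
    ],
}
DB_NACL = {
    "NetworkAclId": "acl-0db",
    "Entries": [
        {"RuleNumber": 90, "Egress": False, "RuleAction": "deny", "Protocol": "6",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},  # the "*" deny-all entry AWS always appends
    ],
}

# SG rules name protocols; NACL entries use IANA protocol numbers.
PROTO_NUMBER = {"tcp": "6", "udp": "17", "icmp": "1"}


def _in_cidr(cidr, ip):
    # Mismatched IP versions simply do not match.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(sg, src_ip, port, proto="tcp"):
    """Security groups are allow-only: any matching ingress rule permits the traffic."""
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(_in_cidr(r["CidrIp"], src_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_allows(nacl, src_ip, port, proto="tcp", egress=False):
    """NACLs are evaluated in ascending RuleNumber; the first matching entry decides."""
    wanted = PROTO_NUMBER[proto]
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", wanted):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if not _in_cidr(e["CidrBlock"], src_ip):
            continue
        return e["RuleAction"] == "allow"
    return False  # nothing matched: implicit deny


def reachable(sg, nacl, src_ip, port, proto="tcp"):
    """Inbound reachability needs both layers to allow; the NACL is consulted first, as AWS does."""
    return nacl_allows(nacl, src_ip, port, proto) and sg_allows(sg, src_ip, port, proto)


def world_exposed_rules(sg):
    """Flag SG ingress rules open to 0.0.0.0/0 or ::/0, independent of any NACL that may mask them."""
    findings = []
    for perm in sg["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return findings


if __name__ == "__main__":
    for src, port in [("10.1.0.5", 5432), ("203.0.113.7", 5432), ("203.0.113.7", 22)]:
        print(f"{src} -> tcp/{port}: reachable={reachable(DB_SG, DB_NACL, src, port)}")
    print("world-exposed SG rules:", world_exposed_rules(DB_SG))
```

Two review points fall out of the sample data. First, SSH from the internet is unreachable only because NACL rule 90 denies it before the SG is consulted; the SG rule is still a finding, since NACLs change independently and are not evaluated for traffic between instances in the same subnet. Second, the check covers one direction only: NACLs are stateless, so a complete review also has to confirm the outbound entries permit the ephemeral-port return traffic, which this example does not model.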
AI Control Mapper - n8n Workflow
Intelligent n8n workflow that automatically maps security controls between compliance frameworks using AI-powered semantic similarity. Uses Google Gemini embeddings to find the best matches between source and target framework controls.
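The matching step that both ctrlmap and the AI Control Mapper perform, as an added example that is neither project's code: embed each control's text, score every source/target pair by cosine similarity, keep the best target per source control, and mark matches below a threshold as needing human review. A stopword-filtered token-count vector is used here as a stand-in for the Gemini or Ollama embeddings those projects use (an assumption made so the block runs offline); the control texts are constructed paraphrases in the style of PCI DSS and NIST SP 800-53, not quotations from the standards, and the threshold value is illustrative.

```python
"""Control-to-control mapping by embedding similarity.

Added example, not ctrlmap's or the n8n workflow's code. A token-count vector
stands in for the Gemini/Ollama embeddings those projects use (assumption);
the matching logic is the same regardless of where the vectors come from.
"""
import math
import re
from collections import Counter

# Constructed control texts, paraphrased in the style of the named frameworks
# (not quoted from the standards).
SOURCE_CONTROLS = {
    "PCI-8.3.6": "passwords must have a minimum length of twelve characters with numeric and alphabetic characters",
    "PCI-10.2.1": "audit logs are enabled and active for all system components to support event logging",
    "PCI-1.3.1": "inbound traffic to the cardholder data environment is restricted to only necessary traffic",
    "PCI-12.10.1": "an incident response plan exists and is ready to be activated in the event of a suspected breach",
}
TARGET_CONTROLS = {
    "AC-7": "enforce a limit of consecutive invalid logon attempts and lock the account",
    "IA-5": "manage authenticators by enforcing minimum password length and complexity",
    "AU-2": "identify event types the system is capable of logging and enable audit logging",
    "SC-7": "monitor and control communications at the external boundary and restrict inbound network traffic",
}

STOPWORDS = {"the", "and", "of", "to", "a", "an", "is", "are", "for", "all", "by",
             "with", "must", "have", "only", "at", "in", "be"}


def embed(text):
    """Stand-in embedding (assumption): lowercase token counts minus stopwords.
    A real embedding model would also relate 'passwords' to 'password'; this one does not."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return Counter(t for t in tokens if t not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity between two sparse vectors; 0.0 when either is empty."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def map_controls(source, target, threshold=0.2):
    """Return {source_id: (best_target_id, score, confident)}.

    Every source control gets a best match; 'confident' is False when the top
    score is below the threshold, i.e. the mapping should go to a human reviewer
    rather than straight into the control matrix."""
    target_vecs = {tid: embed(txt) for tid, txt in target.items()}
    result = {}
    for sid, stxt in source.items():
        svec = embed(stxt)
        ranked = sorted(((cosine(svec, tv), tid) for tid, tv in target_vecs.items()),
                        reverse=True)
        best_score, best_id = ranked[0]
        result[sid] = (best_id, round(best_score, 3), best_score >= threshold)
    return result


if __name__ == "__main__":
    for sid, (tid, score, ok) in map_controls(SOURCE_CONTROLS, TARGET_CONTROLS).items():
        print(f"{sid:12} -> {tid:5} score={score:.3f} {'' if ok else '(needs review)'}")
```

With these inputs the incident-response control lands on AU-2 only because both mention "event", and it is flagged for review; that low-score path is the one to watch in any embedding-based mapper, since the best match always exists even when no real equivalent does.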
Get In Touch
Ready to discuss security compliance challenges or explore collaboration opportunities? Drop me a message and let's secure the digital world together.