Security Risk Advisors was founded in 2010. We are a boutique consultancy serving the Fortune 1000 and Global 1000. We value:

Thought Leadership

We contribute to cybersecurity thought leadership conferences, including RSA, Gartner, (ISC)2, FS-ISAC, NH-ISAC and other knowledge-sharing organizations. We develop free software and contribute to the community.


We are not a reseller of security software, so we are independent and neutral when recommending best-fit controls, based on our experience implementing and operating them.

Diverse Client Base

We focus on working with Fortune 1000 and Global 1000 companies, but we also maintain broad perspective by working with innovating technology startups and mission-oriented non-profits.

Next Generation

We partner with universities to create excellent internships and full-time opportunities for students, the next generation of cybersecurity practitioners.

Team Leaders

Tim Wainwright | Managing Director, CISSP

Tim has been a speaker at events hosted by Gartner, RSA, (ISC)2, the Association of Financial Crimes Investigators (IAFCI), SecureWorld and the CISO Executive Network. Tim is also a co-founder and Director for the Philadelphia (ISC)2 chapter. Tim also presents to Boards of Directors, Audit Committees and Senior Management.

Tim advises CISO Offices on modernizing cybersecurity strategy to improve governance, communication, detection and response capabilities.

Tim has a background in security assessment, process improvement, security frameworks and policy development.

Chris Salerno | Director

Chris leads the 24×7 CyberSOC service line and provides oversight for the Technical Assessments service. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications. He has led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at RSA, B-Sides, SecureWorld, the CISO Executive Network and the Association of Financial Crime Investigators (IAFCI).

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.

Phil Wainwright | Director

Phil specializes in application security, mobile, network penetration testing, infrastructure security, and technical standards for various OS platforms.

Phil has led over 150 technical assessment projects, consisting of network penetration testing, web application and mobile assessments, and network architecture review.

Phil currently leads SRA’s AppSec and Mobile Practice, including managing teams on technical assessment projects, white box and design/architecture review, and helping clients build security into their SDLC.

Phil also co-authored the ISACA publication Security, Audit and Control Features Oracle Database, 3rd Edition.

Carl Angeloff | Director

Carl specializes in security frameworks including PCI DSS, FFIEC Handbook and the NIST Cybersecurity Framework.  He leads security program and controls assessments and develops actionable roadmaps for improvement.

Carl has extensive experience with PCI scope validation and reduction, and he advises clients on emerging PCI topics such as mobile payment security.

Prior to joining Security Risk Advisors, Carl led Comcast’s PCI DSS program.  This included acting as liaison with the acquiring bank.

Mike Pinch | Director

Mike joined Security Risk Advisors in 2018 as Director of Threat Management.

Mike was formerly the first CISO at University of Rochester Medical Center. During that time, he succeeded in building a robust security and compliance team capable of supporting vast clinical, research and educational enterprises. He implemented numerous new technologies designed to protect vital data, including network access control, next-generation firewalls, intrusion prevention and detection strategies, vulnerability management programs and two-factor authentication. Mike also oversaw the Medical Center’s annual HIPAA risk analysis process, disaster recovery, business continuity planning, the help desk and desktop support services.

Mike is nationally recognized as a leader in the field of information security, and frequently speaks at security and health care conferences. In addition, he has provided input into the development of national standards for health care and public health sector cybersecurity frameworks. He has been honored locally as one of the Rochester Business Journal’s 40 Under 40, and he has presented several times at the Rochester Security Summit and at local colleges.

Alan Simons | Head of Operations, CPA/ABV/CFF

Alan is a member of the management team and leads the company’s business operations. He functions as the chief operating and chief financial officer. Prior to Security Risk Advisors, Alan was a principal with a national accounting and consulting firm.

Mario Piva | Senior Manager, CISSP, CEH

Mario focuses on web application assessments and network penetration tests, with additional experience in forensic analysis and risk assessments.  Mario has led over 800 web application security assessments and 85 network penetration tests for Fortune 500 companies.

Mario is experienced in a variety of industries, including financial services, healthcare, entertainment and media, insurance and utilities.

Prior to Security Risk Advisors, Mario was a subject matter expert on web application assessments and penetration testing team lead at a Big4 Security Practice.

Chris Rose | Senior Manager, QSA, CHFI

Chris specializes in tiered data security and infrastructure monitoring controls including Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and Data Loss Prevention (DLP) technologies.

Chris has a broad command of the strengths and limitations of leading DLP, SIEM and EDR platforms, and regularly leads toolset selection processes and proof-of-concepts to demonstrate how DLP, SIEM and EDR can improve visibility, monitoring and responsive controls aligned with the NIST Cybersecurity Framework and ISO 27002:2013.

Chris is also a PCI Qualified Security Assessor (QSA) and maintains formal certifications in Symantec DLP, Websense DLP and Varonis.

Sphurthi Annamraju | Senior Manager

Sphurthi specializes in identification, selection and implementation of security solutions. Sphurthi has experience with Endpoint Detection and Response (EDR), Incident Response, Security Information and Event Management (SIEM) and Security Operations Center (SOC) processes. She helps clients analyze cyber security risks, correlate cyber risks with actual business risks, identify steps to mitigate and implement projects to resolve those risks.

Sphurthi has performed threat and vulnerability assessments of enterprise networks for various sectors including utilities, oil & gas, energy, manufacturing and airline. She also has experience developing cyber incident response plans, reviewing incident response programs and performing assessments against leading industry frameworks such as ISO 27002 and the NIST cybersecurity framework.

Michael Polise | Senior Manager

Mike specializes in data protection with a focus on strategy development and DLP implementation. He also has experience in security monitoring and alerting, as well as implementing perimeter and endpoint controls.

Mike has extensive experience encompassing a broad range of technical and procedural controls, including program development. His experience allows him to focus on long-term strategic goals by identifying cross-platform synergies and developing comprehensive, effective approaches for defending against today’s security threats.

Prior to joining Security Risk Advisors, Mike built and managed the information security and IT compliance programs for one of the largest independent power producers in the country. In addition to his experience, Mike has a Master’s Degree in Information Assurance and is an Instructor at Penn State Lehigh Valley teaching courses within the Security and Risk Analysis degree program.

Will Heineman | Senior Manager, ACP

Will specializes in security program assessment and GRC tools and processes, including Vendor Management, BCP and Policy Management. Will also has additional experience with host security tools.

As an Archer Certified Professional, Will has experience designing and implementing IT-GRC based controls including incident management, enterprise risk and compliance, service provider management and business continuity management.  Will has experience configuring threat feeds and integrating multiple external security tools into Archer.  Will has worked extensively with financial services, healthcare, and consumer product companies.

Garrett Fails | Senior Manager

Garrett specializes in penetration testing with additional skills in network engineering, application and data security, and security architecture.

Garrett has worked on unstructured data security projects with banks and PCI security programs in the telecommunications industry.

Garrett also has performed penetration testing coupled with organizational security strategy assessments with clients in the power and utilities, manufacturing, Defense, food service and medical industries.

Justin KleinKeane | Senior Manager

Justin specializes in cyber security defense, having helped build and grow security teams in higher education, health care, and software startups over the last 10 years. Justin is a regulatory subject matter expert in HIPAA and FERPA. Justin also specializes in defensive security architecture, Internet of Things (IoT), biomedical and embedded medical systems, cloud architectures, software development, cryptography, and healthcare-specific protocols such as HL7 and electronic medical records (EMR) systems.

Justin earned his master’s degree in computers and information technology, with a focus in software and security, from the University of Pennsylvania. Justin’s career began as a software developer and he is proficient in full stack development, databases, and Linux operating systems. Justin has taught college courses as an adjunct professor at Drexel University, speaks regularly at industry events, and publishes articles on emerging trends in information security.

Prior to joining Security Risk Advisors, Justin managed the Security Operations Center at Penn Medicine. Before working at Penn Medicine, Justin served as the Security Architect for Main Line Health and has also held security positions in academic departments at the University of Pennsylvania.

Spencer Morris | Manager

Spencer’s background is over a decade in carrier-grade network operations in the telecom industry, where he architected network security solutions for service providers and enterprise customers. He has experience providing toolset evaluation and selection, network monitoring, threat mitigation, incident response, and vulnerability testing. Currently, Spencer is focused on threat management and incident response.

Corrin Woodard | Manager, CPA

Corrin has experience performing risk assessments and maturity assessments for organizations of all sizes. She is knowledgeable across HITRUST, HIPAA, NIST CSF and other regulations/frameworks. Corrin has led projects involving security strategy and governance, data privacy, security training and awareness, and HITRUST readiness assessments.

Corrin has worked extensively with healthcare payors, providers, and life sciences companies. She is also a Certified HITRUST CSF practitioner.

Vince Miller | Manager

Vince specializes in security compliance and strategy. As a certified information systems auditor (CISA), Vince has experience in IT security auditing, security strategy development and project management.

In addition to strategy work, Vince has in-depth knowledge of various security frameworks including PCI, NIST CSF, ISO 27000 and ISF.

Kevin Foster | Manager, GCIF

Kevin is focused on threat detection and response with Data Loss Prevention (DLP) and endpoint detection and response (EDR) tools.

He helps clients define and locate sensitive data within business processes, document use cases and risks, and design and implement robust and repeatable security processes based on DLP tools.

Kevin has participated in toolset selection, planning, installation, configuration and management of DLP solutions.

Kevin maintains formal certifications in Symantec DLP and Varonis and has experience working with McAfee DLP.

Matthew McHugh | Manager

Matt focuses on the engineering and implementation of security tools including network inspection, Network Access Control (NAC), Cloud Access Security Broker (CASB), and User & Entity Behavior Analytics (UEBA) tools.

Matt has also led a number of advisory projects for clients including security tool selections, risk assessments, and security program best practices.

Matt has additional experience in web application security, white box assessments, network penetration testing, and mobile security.

Matt has experience working with clients across multiple industries including financial services, pharmaceuticals, and consumer products.

Barry DeLuca | Manager

Barry has great experience from working in both NOC and SOC environments. While responsible for the networking, systems, and security administration within those centers, he also led the quick resolution of incidents and events, leading into successful change management. Barry holds a number of vendor certifications: Security+ and Network+, Microsoft, and ITIL foundations.

Steven Vanlandingham | Manager

Steven focuses on application security, including both web and mobile application security assessments. Steven has experience performing numerous red team activities, such as network penetration testing, wireless assessments, and Citrix reviews. Steven has executed more than one thousand web application assessments and hundreds of mobile application assessments. Prior to Security Risk Advisors, Steven led an application assessment team for a Big4 consulting firm at a Fortune 100 client.

Katie Calabrese | Human Resources Manager

Katie oversees all aspects of SRA’s human resources function, including talent acquisition. She started her career as an attorney before transitioning into personnel management. Katie has extensive experience in the professional services industry, having worked for two different AmLaw 100 law firms.

Rebecca Cooper | Operations Manager

Rebecca is a member of the management team. Her primary focus is to ensure that company goals and objectives are met. She is the longest serving member in our business operations group. Prior to Security Risk Advisors, Rebecca was an educator and held positions in teaching and leadership development.

Jason Rivera | Manager

Jason specializes in Incident Response (IR) program development, Network Security Monitoring (NSM), Next Gen Firewall (NGFW), Security Strategy, and Vulnerability and Risk Management.

Jason has additional experience running bug bounty programs, as well as performing SOC2 Readiness and Executive Metrics and Reporting.

Jason has led multiple product selection, engineering and process improvement projects within the pharmaceutical, insurance, retail, and cloud services industries.

Matt Schneck | Manager

Matt focuses on incident response, forensics, and advanced endpoint security solutions, including various Endpoint Detection and Response (EDR) platforms such as Tanium, CarbonBlack, Fidelis, Confer, Cybereason and others.

Matt works to develop detection rules for emerging attacks and has significant experience engineering and implementing detection solutions with a focus on mining endpoint data.

Matt is a GIAC Certified Forensic Examiner (GCFE).

Jessica Davis | Accounting Manager

Jessica oversees SRA’s Accounting Department, with a focus on firm financials. In addition to her Accounting experience, Jessica has a background in Financial Advising.

Jon Renard | Manager, OSCP, OSCE, CISSP

Jon focuses on red team assessments, network penetration testing and web application security testing.

Prior to joining Security Risk Advisors, Jon led the Vulnerability Assessment and Penetration Team for the Department of Justice and previously served on the Pentagon’s Penetration Testing and Software Assurance teams.