Security Risk Advisors was founded in 2010. We are a boutique consultancy serving the Fortune 1000 and Global 1000. We value:

Thought Leadership

We contribute to cybersecurity thought leadership conferences, including RSA, Gartner, (ISC)2, FS-ISAC, NH-ISAC and other knowledge-sharing organizations. We develop free software and contribute to the community.


We are not a reseller of security software, so we are independent and neutral to recommend best-fit controls, based on our experience implementing and operating them.

Diverse Client Base

We focus on working with Fortune 1000 and Global 1000 companies, but we also maintain broad perspective by working with innovating technology startups and mission-oriented non-profits.

Next Generation

We partner with universities to create excellent internships and full-time opportunities for students, the next generation of cybersecurity practitioners.

Team Leaders

Tim Wainwright | CEO, CISSP

Tim has been a speaker at events hosted by Gartner, RSA, (ISC)2, the Association of Financial Crimes Investigators (IAFCI), SecureWorld and the CISO Executive Network. Tim is also a co-founder and Director for the Philadelphia (ISC)2 chapter. Tim also presents to Boards of Directors, Audit Committees and Senior Management.

Tim advises CISO Offices on modernizing cybersecurity strategy to improve governance, communication, detection and response capabilities.

Tim has a background in security assessment, process improvement, security frameworks and policy development.

Chris Salerno | Managing Director

Chris leads the 24×7 CyberSOC service line and provides oversight for the Technical Assessments service. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications. He has led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at RSA, B-Sides, SecureWorld, the CISO Executive Network and the Association of Financial Crimes Investigators (IAFCI).

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.

Phil Wainwright | Director

Phil specializes in application security, mobile, network penetration testing, infrastructure security, and technical standards for various OS platforms.

Phil has led over 150 technical assessment projects, consisting of network penetration testing, web application and mobile assessments, and network architecture review.

Phil currently leads SRA’s AppSec and Mobile Practice, including managing teams on technical assessment projects, white box and design/architecture review, and helping clients build security into their SDLC.

Phil also co-authored the ISACA publication Security, Audit and Control Features Oracle Database, 3rd Edition.

Carl Angeloff | Director

Carl specializes in security frameworks including PCI DSS, FFIEC Handbook and the NIST Cybersecurity Framework.  He leads security program and controls assessments and develops actionable roadmaps for improvement.

Carl has extensive experience with PCI scope validation and reduction, and he advises clients on emerging PCI topics such as mobile payment security.

Prior to joining Security Risk Advisors, Carl led Comcast’s PCI DSS program.  This included acting as liaison with the acquiring bank.

Mike Pinch | Director

Mike joined Security Risk Advisors in 2018 as Director of Threat Management.

Mike was formerly the first CISO at University of Rochester Medical Center. During that time, he succeeded in building a robust security and compliance team capable of supporting vast clinical, research and educational enterprises. He implemented numerous new technologies designed to protect vital data, including network access control, next-generation firewalls, intrusion prevention and detection strategies, vulnerability management programs and two-factor authentication. Mike also oversaw the Medical Center’s annual HIPAA risk analysis process, disaster recovery, business continuity planning, the help desk and desktop support services.

Mike is nationally recognized as a leader in the field of information security, and frequently speaks at security and health care conferences. In addition, he has provided input into the development of national standards for health care and public health sector cybersecurity frameworks. He has been honored locally as one of the Rochester Business Journal’s 40 Under 40, and he has presented several times at the Rochester Security Summit and at local colleges.

Mario Piva | Director, CISSP, CEH

Mario focuses on Red Teams, Purple Teams facilitation, web application assessments and network penetration tests, with additional experience in forensic analysis and risk assessments.

Mario has led over 800 web application security assessments and 100 network penetration tests for Fortune 500 companies.

Mario is experienced in a variety of industries, including financial services, healthcare, entertainment and media, insurance and utilities.

Alan Simons | Director of Business Operations, CPA/ABV/CFF

Alan is a member of the management team and leads the company’s business operations. He functions as the chief operating and chief financial officer. Prior to Security Risk Advisors, Alan was a principal with a national accounting and consulting firm.

Chris Rose | Senior Manager, QSA, CHFI

Chris specializes in tiered data security and infrastructure monitoring controls including Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and Data Loss Prevention (DLP) technologies.

Chris has a broad command of the strengths and limitations of leading DLP, SIEM and EDR platforms, and regularly leads toolset selection processes and proof-of-concepts to demonstrate how DLP, SIEM and EDR can improve visibility, monitoring and responsive controls aligned with the NIST Cybersecurity Framework and ISO 27002:2013.

Chris is also a PCI Qualified Security Assessor (QSA) and maintains formal certifications in Symantec DLP, Websense DLP and Varonis.

Sphurthi Annamraju | Senior Manager

Sphurthi specializes in identification, selection and implementation of security solutions. Sphurthi has experience with Endpoint Detection and Response (EDR), Incident Response, Security Information and Event Management (SIEM) and Security Operations Center (SOC) processes. She helps clients analyze cyber security risks, correlate cyber risks with actual business risks, identify steps to mitigate and implement projects to resolve those risks.

Sphurthi has performed threat and vulnerability assessments of enterprise networks for various sectors including utilities, oil & gas, energy, manufacturing and airline. She also has experience developing cyber incident response plans, reviewing incident response programs and performing assessments against leading industry frameworks such as ISO 27002 and the NIST cybersecurity framework.

Michael Polise | Senior Manager

Mike specializes in data protection with a focus on strategy development and DLP implementation. He also has experience in security monitoring and alerting, as well as implementing perimeter and endpoint controls.

Mike has extensive experience encompassing a broad range of technical and procedural controls, including program development. His experience allows him to focus on long-term strategic goals by identifying cross-platform synergies and developing comprehensive, effective approaches for defending against today’s security threats.

Prior to joining Security Risk Advisors, Mike built and managed the information security and IT compliance programs for one of the largest independent power producers in the country. In addition to his experience, Mike has a Master’s Degree in Information Assurance and is an Instructor at Penn State Lehigh Valley teaching courses within the Security and Risk Analysis degree program.

Will Heineman | Senior Manager, ACP

Will specializes in security program assessment and in GRC tools and processes including Vendor Management, BCP and Policy Management. Will also has additional experience with host security tools.

As an Archer Certified Professional, Will has experience designing and implementing IT-GRC based controls including incident management, enterprise risk and compliance, service provider management and business continuity management.  Will has experience configuring threat feeds and integrating multiple external security tools into Archer.  Will has worked extensively with financial services, healthcare, and consumer product companies.

Garrett Fails | Senior Manager

Garrett specializes in penetration testing with additional skills in network engineering, application and data security, and security architecture.

Garrett has worked on unstructured data security projects with banks and PCI security programs in the telecommunications industry.

Garrett has also performed penetration testing coupled with organizational security strategy assessments with clients in the power and utilities, manufacturing, defense, food service and medical industries.

Justin KleinKeane | Senior Manager

Justin specializes in cyber security defense, having helped build and grow security teams in higher education, health care, and software startups over the last 10 years. Justin is a regulatory subject matter expert in HIPAA and FERPA. Justin also specializes in defensive security architecture, Internet of Things (IoT), biomedical and embedded medical systems, cloud architectures, software development, cryptography, and healthcare-specific protocols such as HL7 and electronic medical records (EMR) systems.

Justin earned his master’s degree in computers and information technology, with a focus in software and security, from the University of Pennsylvania. Justin’s career began as a software developer and he is proficient in full stack development, databases, and Linux operating systems. Justin has taught college courses as an adjunct professor at Drexel University, speaks regularly at industry events, and publishes articles on emerging trends in information security.

Prior to joining Security Risk Advisors, Justin managed the Security Operations Center at Penn Medicine. Before working at Penn Medicine, Justin served as the Security Architect for Main Line Health and has also held security positions in academic departments at the University of Pennsylvania.

Laurence Conroy | Operations Manager, CyberSOC

A technology and engineering professional, Laurence has over 28 years’ experience in building and leading technical teams – managing and mentoring them for optimum performance.

Laurence is a Chartered Engineer (Registered professional title awarded by Engineers Ireland) and holds a master’s degree in operations management and 2 bachelor’s degrees in both electronic engineering and information technology.

He recently graduated as a Certified Data Protection (GDPR) Professional.

Prior to joining SRA, Laurence was the General Manager of CipherTechs EU Ltd. in Ireland, coordinating the activities of their EU Security Operations Centre.

Vince Miller | Senior Manager

Vince specializes in security compliance and strategy. As a certified information systems auditor (CISA), Vince has experience in IT security auditing, security strategy development and project management.

In addition to strategy work, Vince has in-depth knowledge of various security frameworks including PCI, NIST CSF, ISO 27000 and ISF.

Rebecca Cooper | Senior Business Operations Manager

Rebecca is a member of the management team. Her primary focus is to ensure that company goals and objectives are met. She is the longest serving member in our business operations group. Prior to Security Risk Advisors, Rebecca was an educator and held positions in teaching and leadership development.

Spencer Morris | Manager

Spencer’s background is over a decade in carrier-grade network operations in the telecom industry, where he architected network security solutions for service providers and enterprise customers. He has experience providing toolset evaluation and selection, network monitoring, threat mitigation, incident response, and vulnerability testing. Currently, Spencer is focused on threat management and incident response.

Corrin Woodard | Manager, CPA

Corrin has experience performing risk assessments and maturity assessments for organizations of all sizes. She is knowledgeable across HITRUST, HIPAA, NIST CSF and other regulations/frameworks. Corrin has led projects involving security strategy and governance, data privacy, security training and awareness, and HITRUST readiness assessments.

Corrin has worked extensively with healthcare payors, providers, and life sciences companies. She is also a Certified HITRUST CSF practitioner.

Kevin Foster | Manager, GCIF

Kevin is focused on threat detection and response with Data Loss Prevention (DLP) and endpoint detection and response (EDR) tools.

He helps clients define and locate sensitive data within business processes, document use cases and risks, and design and implement robust and repeatable security processes based on DLP tools.

Kevin has participated in toolset selection, planning, installation, configuration and management of DLP solutions.

Kevin maintains formal certifications in Symantec DLP and Varonis and has experience working with McAfee DLP.

Matthew McHugh | Manager

Matt focuses on the engineering and implementations of security tools including network inspection, Network Access Control (NAC), Cloud Access Security Broker (CASB), and User & Entity Behavior Analytics (UEBA) tools.

Matt has also led a number of advisory projects for clients including security tool selections, risk assessments, and security program best practices.

Matt has additional experience in web application security, white box assessments, network penetration testing, and mobile security.

Matt has experience working with clients across multiple industries including financial services, pharmaceuticals, and consumer products.

Barry DeLuca | Manager

Barry has great experience from working in both NOC and SOC environments. While responsible for the networking, systems, and security administration within those centers, he also led the quick resolution of incidents and events, leading into successful change management. Barry holds a number of vendor certifications: Security+ and Network+, Microsoft, and ITIL foundations.

Katie Calabrese | Human Resources Manager

Katie oversees all aspects of SRA’s human resources function, including talent acquisition. She started her career as an attorney before transitioning into personnel management. Katie has extensive experience in the professional services industry, having worked for two different AmLaw 100 law firms.

Jason Rivera | Manager

Jason specializes in Incident Response (IR) program development, Network Security Monitoring (NSM), Next Gen Firewall (NGFW), Security Strategy, and Vulnerability and Risk Management.

Jason has additional experience running bug bounty programs, as well as performing SOC2 Readiness and Executive Metrics and Reporting.

Jason has led multiple product selection, engineering and process improvement projects within the pharmaceutical, insurance, retail, and cloud services industries.

Matt Schneck | Manager

Matt focuses on incident response, forensics, and advanced endpoint security solutions, including various Endpoint Detection and Response (EDR) platforms such as Tanium, CarbonBlack, Fidelis, Confer, Cybereason and others.

Matt works to develop detection rules for emerging attacks and has significant experience engineering and implementing detection solutions with a focus on mining endpoint data.

Matt is a GIAC Certified Forensic Examiner (GCFE).

Jessica Davis | Accounting Manager

Jessica oversees SRA’s Accounting Department, with a focus on firm financials. In addition to her Accounting experience, Jessica has a background in Financial Advising.

Jon Renard | Manager, OSCP, OSCE, CISSP

Jon focuses on red team assessments, network penetration testing and web application security testing.

Prior to joining Security Risk Advisors, Jon led the Vulnerability Assessment and Penetration Team for the Department of Justice and previously served on the Pentagon’s Penetration Testing and Software Assurance teams.

Clay Wells | Manager

Clay specializes in Digital Forensics and Incident Response (DFIR) and Cyber Threat Hunting. Clay has extensive experience in cloud security, including architecture, application deployment, design, and cloud security controls.  Clay has extensive experience with malware analysis, binary reverse engineering, Linux and Unix operating systems, software development, and application security.

Clay is deeply involved in the cybersecurity community as both a leader and organizer of several security groups.  Clay is a Director of Blue Team Village, which has been part of DEF CON and other security conferences since 2018. Clay also leads the Philadelphia DC215 security community and is one of the organizers of WOPR Summit, an annual cyber security conference.

Clay enjoys creating capture the flag exercises, training, and mentoring in the information security community. Clay works to develop cybersecurity training that is released to the public in the interest of developing new cybersecurity talent and training current practitioners.

Prior to Security Risk Advisors, Clay worked in higher education as a Security Engineer. Clay served as a subject matter expert on web application assessments and performed application security reviews.

Clay presents at numerous conferences including REN-ISAC’s Security Professionals Conference, the Red Hat Summit, and various local cybersecurity groups.

Adam Diiorio | Manager

Adam specializes in security assessments and audits, primarily PCI DSS. Adam has experience leading PCI scope validation and strategy engagements, performing data risk assessments, and conducting various security framework readiness assessments.

In addition to extensive experience with PCI DSS controls and remediation strategies, Adam is knowledgeable in additional frameworks such as NIST CSF and ISO 27001.

Nate Rich | Manager

Nate is an RSA Archer Certified Administrator in the GRC Practice at Security Risk Advisors. Nate specializes in GRC Tools Development, including the implementation of Policy, Compliance, Risk, Vendor and Asset Management solutions. Nate has also developed custom solutions using RSA Archer to meet specific client workflow and data gathering requirements. Nate has worked with clients of all sizes, including Fortune 500 investment firms, regional banks and health care providers, among others.

Douglas Webster | Marketing Manager

Doug leads SRA’s marketing initiatives and oversees all activities related to Security Risk Advisors’ brand development and positioning. He manages the company website and social media, and is responsible for most of the company’s graphic design. His team is responsible for coordination and logistics of tradeshow sponsorships. Additionally, Doug and his team support SRA’s business development through the creation of sales materials and proposals, procurement negotiation, CRM management, and reporting of sales and marketing success metrics. Doug joined SRA in 2015 and has been a marketing professional since graduating from Penn State in 2006.