David W. Stacy, CISSP - Owner & Principal Consultant

David W. Stacy (Dave) is an information risk management & cybersecurity professional with thirty-five (35) years of experience in the field, twenty-three (23) of which have been as the Chief Information Security Officer (CISO), or equivalent, for his company. He has worked in the telecommunications, financial services, and medical device verticals where he has had leadership roles in information risk management, cybersecurity, privacy, regulatory compliance, physical security, records management, disaster recovery, and business continuity.  He earned the Certified Information Systems Security Professional (CISSP) designation in 1994.  He is also a Fellow in the Life Management Institute (FLMI).

Dave retired as a Director in Medtronic’s Global Security Office (GSO) in May of 2018.  From October 2015 until December 2017, he led a GSO team of 50 professionals with responsibility for Cybersecurity Policies & Standards, Security Awareness Education, Identity & Access Management, Third Party Information Security Risk Assessments, Vulnerability Management, Cloud & Application Security, Applied Cryptography, and Security Solutions Design & Engineering.

Prior to joining Medtronic, Dave was a Senior Director & CISO at Allianz Life Insurance Company of North America from January 2014 until September 2015. From November 2011 until December 2013, he led the Security Operations team at Allianz Life.

From October 2009 until October 2011, Dave was Owner & Principal Consultant at D. W. Stacy & Associates where he performed ISO 27001 certification readiness assessments and led a major project to implement fraud detection software for a large healthcare organization.

Dave served as Director of Information Security for Thrivent Financial from January 2007 to June 2009. From March 2001 to December 2006, he was the Manager, and eventually Director, of Enterprise IT Security & Controls at St. Jude Medical (now Abbott) where he built their information security program. He was Manager of Information Asset Protection at Guidant (now Boston Scientific) from July 1996 to February 2001 where he established the company’s information security program following the company’s divestiture from Eli Lilly.

Dave spent nearly ten (10) years at UNUM Corporation where he served as Manager of Information Security Services from February 1987 to May 1995 and established the company’s first information security program.  From June 1995 to June 1996, he led UNUM’s Business Continuity Planning function.

Dave began his information security career with Bell Atlantic (now Verizon) in May 1984, shortly after the court-ordered divestiture of AT&T on January 1, 1984. At Bell Atlantic, he was part of the Risk Management & Security team and had multiple responsibilities. Prior to joining Bell Atlantic, he was a Programmer/Analyst at Chesapeake & Potomac (C&P) Telephone, a Bell Atlantic company, from April 1983 to April 1984. From July 1981 to March 1983, he was a Systems Analyst at E.I. DuPont de Nemours.

Prior to his change in career direction in 1981, Dave served in a number of student affairs administrative positions at Ohio Wesleyan University, Hamline University, Minneapolis College of Art & Design, and Indiana University (Bloomington). He earned his Master of Business Administration (MBA) degree with a concentration in Management Information Systems from Indiana University (Bloomington) in May of 1981. He earned a Master of Science in Education with a concentration in College Student Personnel Administration from Indiana in May of 1975. He earned his Bachelor of Arts degree in Sociology from Bucknell University in June of 1973.