David W. Stacy, CISSP, FLMI - Principal 

David W. Stacy (Dave) is an information risk management & cyber security professional with thirty-eight (38) years of experience in the field, twenty-three (23) of which have been as the Chief Information Security Officer (CISO), or equivalent, for his organization. He has worked in the telecommunications, financial services, and medical device verticals where he has had leadership roles in Information Risk Management, Cyber Security, Privacy, Regulatory Compliance, Physical Security, Records Management, Disaster Recovery Planning, and Business Continuity Planning.  He was part of the first cohort to earn the Certified Information Systems Security Professional (CISSP) credential in 1994.  He is also a Fellow in the Life Management Institute (FLMI).

Dave retired as a Director in Medtronic’s Global Security Office (GSO) in May of 2018.  From October 2015 until December 2017, he led a GSO team of 50 professionals with responsibility for Cyber Security Policies & Standards, Security Awareness Training & Education, Identity & Access Management, Third Party Information Security Risk Management, Vulnerability Management, Cloud & Application Security, Applied Cryptography, and Security Solutions Design & Engineering.

Prior to joining Medtronic, Dave was a Senior Director & CISO at Allianz Life Insurance Company of North America from January 2014 until September 2015. From November 2011 until December 2013, he led the Security Operations team at Allianz Life.

From October 2009 until October 2011, Dave was Owner & Principal Consultant at D. W. Stacy & Associates where he performed ISO 27001 certification readiness assessments and led a major project to implement fraud detection software for a large healthcare organization.

Dave served as Director of Information Security for Thrivent Financial from January 2007 to June 2009.  From March 2001 to December 2006, he was the Manager, and eventually Director, of Enterprise IT Security & Controls at St. Jude Medical (now Abbott) where he built their information security program.  He was Manager of Information Asset Protection at Guidant (now Boston Scientific) from July 1996 to February 2001 where he established the company’s information security program following the company’s divestiture from Eli Lilly.     

Dave spent nearly ten (10) years at UNUM Corporation where he served as Manager of Information Security Services from February 1987 to May 1995 and established the company’s first information security program.  From June 1995 to June 1996, he led UNUM’s Business Continuity Planning function.

Dave began his information security career with Bell Atlantic (now Verizon) in 1984, shortly after the court-ordered divestiture of AT&T on January 1, 1984. At Bell Atlantic, he was part of the Risk Management & Security team and had multiple responsibilities. Prior to joining Bell Atlantic, he was a Programmer/Analyst at Chesapeake & Potomac (C&P) Telephone, a Bell Atlantic company, from April 1983 to April 1984. From July 1981 to March 1983, he was a Systems Analyst at E.I. DuPont de Nemours.

Prior to his change in career direction, Dave served in a number of student affairs administrative positions at Ohio Wesleyan University, Hamline University, Minneapolis College of Art & Design, and Indiana University (Bloomington).  He earned his Master of Business Administration (MBA) degree with a concentration in Management Information Systems from the Kelley School of Business at Indiana University (Bloomington) in May of 1981. He earned a Master of Science in Education with a concentration in College Student Personnel Administration from Indiana in May of 1975.  He earned his Bachelor of Arts degree in Sociology from Bucknell University in June of 1973.    

Dave is known for building and coaching high-performance teams that are highly skilled and dedicated to protecting their organization's information assets. Over his long career, he has been a mentor and trusted advisor to many professionals who have risen to positions of greater responsibility in the information risk management & cyber security field. He believes that security professionals have two primary obligations: 1) manage, to the best of their ability, the risks to their organization's information assets and the data that has been entrusted to them by their customers and clients; and 2) "pay it forward" by making a contribution to the growth and maturity of the profession. Dave tries to pay it forward via writing, speaking, mentoring, and engaging in outreach to promote diversity within the cyber security profession, especially attracting and retaining women in the field.