David W. Stacy, CISSP, FLMI - Principal 

David W. Stacy (Dave) is an information risk management & cyber security professional with thirty-nine (39) years of experience in the field, twenty-three (23) of which have been as the Chief Information Security Officer (CISO), or equivalent, for his organization. He has worked in the telecommunications, financial services, and medical device verticals where he has had leadership roles in Information Risk Management, Cyber Security, Privacy, Regulatory Compliance, Physical Security, Records Management, Disaster Recovery Planning, and Business Continuity Planning.  He was part of the first cohort to earn the Certified Information Systems Security Professional (CISSP) credential in 1994.  He is also a Fellow in the Life Management Institute (FLMI).

Dave retired as a Director in Medtronic’s Global Security Office (GSO) in May of 2018.  At Medtronic, he led a GSO team of 50 professionals with responsibility for Cyber Security Policies & Standards, Security Awareness Training & Education, Identity & Access Management, Third Party Cyber Risk Management, Vulnerability Management, Cloud & Application Security, Applied Cryptography, and Security Solutions Design & Engineering.

Dave was a Senior Director & CISO at Allianz Life Insurance Company of North America from January 2014 until joining Medtronic in October 2015.  He led the Security Operations team at Allianz Life for two years prior to being named CISO. 

Dave was Owner & Principal at D. W. Stacy & Associates from October 2009 until October 2011. In that role, he performed ISO 27001 certification readiness assessments and led a major 18-month project to implement fraud detection software for a large Pharmacy Benefits Management company.

Dave served as Director of Information Security for Thrivent Financial from January 2007 to June 2009.  From March 2001 to December 2006, he was the Manager, and eventually Director, of Enterprise IT Security & Controls at St. Jude Medical (now Abbott) where he built their first information security program.  He was Manager of Information Asset Protection at Guidant (now Boston Scientific) from July 1996 to February 2001 where he established the company’s information security program following the company’s divestiture from Eli Lilly.     

Dave spent nearly ten (10) years at UNUM Corporation where he served as Manager of Information Security Services from February 1987 to May 1995 and established the company’s first information security program.  From June 1995 to June 1996, he led UNUM’s Business Continuity Planning function.

Dave began his information security career with Bell Atlantic (now Verizon) in 1984, shortly after the court-ordered divestiture of AT&T on January 1, 1984. At Bell Atlantic, he was part of the Risk Management & Security team. Prior to joining Bell Atlantic, he was a Programmer/Analyst at Chesapeake & Potomac (C&P) Telephone, a Bell Atlantic company, from April 1983 to April 1984. From July 1981 to March 1983, he was a Systems Analyst at E.I. DuPont de Nemours.

Prior to his change in career direction, Dave served in a number of student affairs administrative positions at Ohio Wesleyan University, Hamline University, Minneapolis College of Art & Design, and Indiana University (Bloomington).  He earned his Master of Business Administration (MBA) degree with a concentration in Management Information Systems from the Kelley School of Business at Indiana University (Bloomington) in May of 1981. He earned a Master of Science in Education with a concentration in Higher Education & Student Affairs from Indiana in May of 1975.  He earned his Bachelor of Arts degree in Sociology from Bucknell University in June of 1973.

Dave is known for building and coaching high-performance teams that are highly skilled and dedicated to protecting their organization's information assets. Over his long career, he has been a mentor and trusted advisor to many professionals who have risen to positions of greater responsibility in the information risk management & cyber security field. He believes that security professionals have two primary obligations: 1) manage, to the best of their ability, the risks to their organization's information assets and the data that has been entrusted to them by their customers and clients; and 2) "pay it forward" by making a contribution to the growth and maturity of the profession.  Dave pays it forward via writing, speaking, mentoring, and engaging in outreach to promote diversity within the cyber security profession, especially attracting and retaining women in the field.