Savanna Myer
Open to opportunities

I help teams see
the compliance work
they're already doing.

I do

I build compliance programs that enable teams, open markets, and future-proof the business — turning regulatory complexity into durable, self-sustaining competitive advantage that outlives any single initiative or team.

New England, USA · remote-first, travel when it matters
linkedin.com/in/savannamyer · savanna.myersmiles.com
Head of Security & Compliance · Coordinated Compliance · 20+ certifications · Remote-first

Method

Compliance programs that give teams
clarity, not more work.

I’ve seen compliance treated as a tax on engineering and sales — a year-long audit scramble that burns out teams, blocks deals, and adds to the backlog. The programs I build are different: synchronized, automated, and designed so evidence collected once serves multiple frameworks simultaneously. The best programs feel invisible to the teams involved in them. It’s really pattern recognition at scale.

α
Controls consolidation

Multiple frameworks mapped into one simplified structure aligned to your internal processes and policies. Evidence collected once, routed to every framework that needs it.

β
Cycle synchronization

Audit windows aligned so multiple auditors run in parallel. Year-round burden compressed to a focused three-month sprint.

γ
Automated evidence

Ask once, use everywhere. JIRA workflows and Slack integrations route requests to control operators automatically. No spreadsheets. No chasing engineers mid-sprint.

δ
Revenue alignment

Every certification and regulatory decision maps to a specific deal pipeline entry or market segment — not to a security calendar.

ε
Continuous monitoring

Controls checked automatically between audit cycles. By audit time, evidence is already there. Certification becomes an announcement, not a burden.
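The evidence-once, route-everywhere idea behind α, γ and ε can be expressed as a small control crosswalk. The Python below is an added illustration written for this page, not the author's tooling or any vendor's product. The framework identifiers it uses (SOC 2 CC6.1/CC6.2/CC6.3/CC8.1, ISO/IEC 27001:2022 Annex A 5.18/8.2/8.32, NIST SP 800-53 AC-2/AC-6/CM-3) are real framework references, but the three internal controls, their mapping to those requirements, and the sample evidence dates are constructed assumptions for demonstration, not a validated crosswalk. It routes each collected artefact to every framework requirement its control satisfies, classifies each requirement as covered, stale or a gap against a freshness window, and counts how many evidence requests the consolidation removes.

```python
"""Common-control crosswalk: collect evidence once, route it to every framework
that needs it, and report coverage, stale evidence and gaps.

Added illustrative example. The mapping from internal controls to framework
requirements is an assumption constructed for this demo, not a validated crosswalk.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Internal common controls -> framework requirements each one satisfies.
# Hypothetical control IDs and assumed mapping (constructed for this example).
CROSSWALK = {
    "CC-ACCESS-01": {  # quarterly user access review
        "SOC 2": ["CC6.2", "CC6.3"],
        "ISO 27001:2022": ["A.5.18"],
        "NIST SP 800-53": ["AC-2"],
    },
    "CC-ACCESS-02": {  # privileged access restricted and logged
        "SOC 2": ["CC6.1"],
        "ISO 27001:2022": ["A.8.2"],
        "NIST SP 800-53": ["AC-6"],
    },
    "CC-CHANGE-01": {  # peer-reviewed change management
        "SOC 2": ["CC8.1"],
        "ISO 27001:2022": ["A.8.32"],
        "NIST SP 800-53": ["CM-3"],
    },
}


@dataclass(frozen=True)
class Evidence:
    """One artefact collected from a control operator, tagged to an internal control."""
    control_id: str
    description: str
    collected: date


def route_evidence(evidence, crosswalk):
    """Fan each evidence item out to every framework requirement its control maps to.

    Returns {framework: {requirement: [Evidence, ...]}}.
    """
    routed = defaultdict(lambda: defaultdict(list))
    for item in evidence:
        for framework, reqs in crosswalk.get(item.control_id, {}).items():
            for req in reqs:
                routed[framework][req].append(item)
    return routed


def coverage_report(evidence, crosswalk, as_of, max_age_days=90):
    """Classify every framework requirement as covered, stale or a gap.

    Covered: at least one evidence item for its control is no older than
    max_age_days on as_of. Stale: evidence exists but all of it is older.
    Gap: no evidence has been collected for the control at all.
    """
    routed = route_evidence(evidence, crosswalk)
    cutoff = as_of - timedelta(days=max_age_days)
    report = {}
    for control in crosswalk.values():
        for framework, reqs in control.items():
            fw = report.setdefault(framework, {"covered": set(), "stale": set(), "gaps": set()})
            for req in reqs:
                items = routed[framework].get(req, [])
                if not items:
                    fw["gaps"].add(req)
                elif any(i.collected >= cutoff for i in items):
                    fw["covered"].add(req)
                else:
                    fw["stale"].add(req)
    return report


def request_savings(crosswalk):
    """Evidence requests per cycle: one per framework requirement (unconsolidated)
    versus one per internal control (consolidated)."""
    per_requirement = sum(len(reqs) for control in crosswalk.values() for reqs in control.values())
    per_control = len(crosswalk)
    return per_requirement, per_control


# Constructed sample evidence for an audit window closing on AS_OF.
AS_OF = date(2025, 6, 30)
SAMPLE_EVIDENCE = [
    Evidence("CC-ACCESS-01", "Q2 access review sign-off export", AS_OF - timedelta(days=20)),
    Evidence("CC-ACCESS-02", "Privileged session log sample", AS_OF - timedelta(days=200)),
    # Nothing collected yet for CC-CHANGE-01: surfaces as a gap in every framework.
]


def demo():
    report = coverage_report(SAMPLE_EVIDENCE, CROSSWALK, AS_OF)
    for framework, status in sorted(report.items()):
        print(framework, {k: sorted(v) for k, v in status.items()})
    naive, consolidated = request_savings(CROSSWALK)
    print(f"evidence requests per cycle: {naive} per-requirement -> {consolidated} per-control")
    return report


if __name__ == "__main__":
    demo()
```

Running it reports the three frameworks side by side: the single fresh access-review export covers four requirements at once, the 200-day-old privileged-session sample shows as stale in every framework before an auditor asks for it, and the missing change-management evidence appears as a gap in all three. The 10 → 3 request count is the arithmetic behind collecting evidence once; a real deployment would source the crosswalk from the organisation's policy set and feed the stale and gap lists into the ticketing workflow rather than printing them.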

AI-accelerated delivery

I direct AI tooling across every phase of the compliance program lifecycle — compressing timelines that used to take months into days. Time reductions reflect program records and are consistent with published benchmarks from McKinsey AI 2024, Gartner Security Predicts 2024, and ISACA GRC AI Survey 2024.

Phase: before → after
Gap assessment: 3 months → 3 weeks
Framework mapping: 2 weeks → 1 day
Documentation: 2 months → 2 weeks
Evidence review: days → hours
Program outcomes

$90M+ revenue enabled: ISO certs cited in public filing as direct revenue enabler
$1B+ market access: regulated market access unlocked through cert portfolio
3 → 13 certifications: in 3 years while reducing audit burden simultaneously
95% engineering time saved: 40 hrs → 2 hrs per control-owner per cert cycle
75% faster cycles: year-round audit → 3-month sprint
0 gaps in M&A: 3 M&A integrations, zero compliance lapses

Industry average (market standard): 9–12 months. Typical enterprise audit cycle including prep, fieldwork, and remediation (Gartner GRC research).
My programs: 3 months, 4× faster. Multiple frameworks in parallel. Prep is continuous; the sprint is just the formality.

Chart: before → after vs. peer benchmark. Each row shows the baseline, the peer range, and my result (chart not reproduced here). Source: program records; SEC/NYSE public filings; Gartner Audit Cycle Benchmark 2023; ISACA State of Cybersecurity 2024; Foushee & ScottMadden GRC Benchmarks 2024.


Career

Where I build the programs
that open the markets.

Jan 2023 — Apr 2026
Rubrik, Inc. · NYSE: RBRK · Data Security & Cloud Data Management
Head of Security & Compliance · Customer Trust · Team built 1 → 5
Revenue: $600M → $1.2B · Certifications: 3 → 13
  • I designed a net-new Coordinated Audit Program (a methodology synchronizing multiple certification cycles so overlapping evidence is collected once and serves all frameworks simultaneously, compressing a year-long process into 3 months), reducing audit requests from 1,000+ per cycle to under 400 through cross-framework control correlation
  • I grew the certification portfolio (the set of security certifications a company holds; each one unlocks a specific regulated buyer segment that would otherwise require a no-bid) from 3 to 13 globally recognized standards, directly unlocking financial services, healthcare, government, automotive, and international markets
  • I pursued ISO 42001 (the international standard for AI Management Systems) proactively before any customer demanded it: first-mover positioning in AI-governed data security
  • I managed four FINRA SEC 17a-4 evaluations (17a-4 is the US rule governing electronic records retention for broker-dealers; without this evaluation, Rubrik cannot sell to any regulated financial entity), enabling the financial services and broker-dealer market segment
  • I integrated three M&A entities with zero certification gaps and built off-cycle audit management infrastructure to absorb future acquisitions
  • I scaled the compliance function from 1 to 5, developing a team member with zero prior background into a lead assessor running independent evaluations
  • I owned Customer Trust (the function responsible for enterprise customer security posture visibility: security reviews, trust portal, and executive compliance briefings), managing the full customer-facing security program alongside compliance, a function I have held continuously since Elastic
  • I authored customer-facing compliance whitepapers (technical documents Sales uses to close deals: they answer the security questionnaire before the customer asks it, converting audit posture into competitive differentiation) and executive assurance briefings used directly in enterprise deal cycles, removing compliance as a blocker to sales and converting it into a differentiator
Aug 2021 — Jan 2023
People.ai · Private · $1.1B Unicorn · AI Revenue Intelligence Platform
Sr. Manager, Governance and Compliance · Zero-to-one program build
Revenue: $38M → $56M · Inc. 5000 fastest growing
  • I built the compliance program from absolute zero at a newly minted unicorn: policies, processes, vendor selection, and full audit cadence
  • I achieved SOC 2 Type 2 (the gold-standard enterprise security audit, required by most enterprise procurement as proof of operational security maturity) and ISO 27001 (the international ISMS standard, required by most global enterprise buyers as baseline proof of mature security governance), directly unblocking the enterprise sales pipeline these certifications had been gating
  • I expanded the portfolio to ISO 27701, ISO 27017, and CSA STAR (the Cloud Security Alliance certification, widely required in EU and APAC enterprise procurement for SaaS vendors), opening privacy-regulated and cloud-sensitive enterprise segments
  • I compressed the audit cycle from a full quarter to one month using my coordinated certification methodology
  • I participated directly in enterprise customer calls, removing compliance as a deal obstacle in real time
Oct 2018 — Aug 2021
Elastic · NYSE: ESTC · Enterprise Search, Observability & Security
Principal Security Risk & Compliance Analyst
Revenue: $160M → $609M · Growth rate: 70% peak YoY
  • I led Elastic’s first-ever ISO 27001, 27017, and 27018 certifications, directly cited as enabling the majority of Elastic’s $271.7M FY2019 annual revenue (Elastic FY2019 10-K)
  • I assisted in building Elastic’s first FedRAMP certification program (Federal Risk and Authorization Management Program: the US government’s cloud security authorization; without it, no federal agency can use a cloud service, making it one of the most rigorous compliance gates in enterprise software), contributing program management and compliance infrastructure to a team effort that opened the US federal government market for the first time in company history
  • I reduced audit-related engineering burden by 80% through evidence automation (replacing manual evidence collection with automated integrations that pull evidence from JIRA, GitHub, and cloud logs continuously, not just at audit time) and self-service collection tooling
  • I reduced security questionnaire turnaround (vendor security assessments sent by enterprise buyers; industry average turnaround is 10+ days) from 10 days to 2.5 days using pre-built response libraries, accelerating hundreds of enterprise sales cycles
2017 — 2018
Aetna / CVS Health
Architect Advisor, Forensic Business Architecture

Forensic Architecture — expert analysis protecting Aetna Healthcare product development across enterprise systems.

2015 — 2017
Evariant
Director, Compliance & Information Security · Connecticut

Managed security and compliance for 50+ hospital networks handling PHI (Protected Health Information: any health data tied to an individual; HIPAA requires strict controls for any vendor touching PHI) across AWS, Hadoop, and Salesforce.

2014 — 2015
Saint Mary’s Hospital
Information Security Officer · Connecticut

First information security executive. Launched first-ever IAM program, Federal Audit Responses, and Disaster Recovery planning.

2011 — 2014
OSU & Huntington National Bank
IT Security Analyst · Ohio

Led $3M enterprise DLP implementation across 20+ university departments; remediated 100,000+ incidents.

“The best compliance program is invisible to the team building it, and unmistakable to the market trying to buy from you. Structured enough to survive an audit. Light enough that no one dreads the next one. Clear enough to open doors the competition cannot reach.”


Market access

Every certification is
a key to a locked market.

The certification portfolios I have built are not operational overhead; they are the direct unlock mechanism for regulated enterprise segments across every major market on earth. I’ve certified for, operated in, and crisis-tested programs in North America, Europe, the Middle East, and Asia-Pacific, including active BCDR programs in Ukraine and the Middle East (Business Continuity & Disaster Recovery frameworks I built and maintained under active regional crisis conditions: the highest-stress proof that a compliance program actually works when the environment stops cooperating) under real operational pressure.

United States · FedRAMP · FINRA
FedRAMP: the US government cloud authorization gate. FINRA SEC 17a-4: required for electronic records at broker-dealers. Four evaluations completed at Rubrik.

Germany · BSI C5 · TISAX
BSI C5: German Federal Office for Information Security cloud standard, required by German financial institutions. TISAX: mandatory for automotive suppliers to BMW, VW, and Mercedes.

Australia · IRAP · ASD
IRAP: Information Security Registered Assessors Program, the Australian government cloud security authorization. Required for all federal agency sales.

Canada · OSFI B-13
OSFI B-13: Office of the Superintendent of Financial Institutions technology risk guideline. Required for technology providers to Canadian banks and insurers.

India · DPDP · RBI
DPDP: India’s Digital Personal Data Protection Act, 2023. RBI cloud guidelines: Reserve Bank of India mandates for financial cloud vendors handling Indian citizen data.

Israel · BCDR active
Active Business Continuity and Disaster Recovery programs designed and crisis-tested under real regional operational pressure in Israel and the broader Middle East.

UAE / Dubai · DESC certified
DESC: Dubai Electronic Security Center cloud standard. Required for cloud service vendors operating with UAE government and enterprise entities. Certification → Middle East government market → enterprise revenue in the Gulf region.

Ukraine · Crisis BCDR
Business Continuity & Disaster Recovery frameworks built and maintained under active regional crisis conditions. The highest-stress proof that a compliance program actually works.

South Korea · ISMS-P · PIPA
ISMS-P: Korea Information Security Management System, Personal information protection. PIPA: Personal Information Protection Act. Required for cloud services handling Korean citizen data.

Certification → market → revenue outcome

Source: SEC filings, press releases, program records.

Columns: Certifications · Market unlocked · Revenue outcome

ISO 27001 · ISO 27017 / 27018 · ISO 27701
Market unlocked: Global Enterprise & Privacy-Regulated Markets. ISO 27001/17/18 cited in Elastic’s FY2019 10-K as enabling $271.7M FY2019 revenue. ISO 27701 opens EU privacy-obligated buyers.
Revenue outcome: $2T+ TAM, global enterprise SaaS baseline.
Notes: ISO 27001 is the international Information Security Management System standard, required by global enterprise buyers as baseline proof of mature security governance. ISO 27017 (cloud-specific security controls) and ISO 27018 (personal data protection in the cloud) are required by EU and APAC enterprise buyers above the ISO 27001 baseline. ISO 27701 is the privacy extension to ISO 27001; it maps directly to GDPR and CCPA obligations and is required by privacy-regulated enterprise buyers and EU data processors.

FINRA SEC 17a-4 · SOC 1 Type 2
Market unlocked: Financial Services & Broker-Dealers. Non-negotiable gate for broker-dealers. Four evaluations completed at Rubrik.
Revenue outcome: $B+ TAM, financial services data security.
Notes: Rule 17a-4 mandates electronic records retention for broker-dealers; any cloud vendor storing broker-dealer records must pass this evaluation, a prerequisite for every financial services enterprise deal. SOC 1 Type 2 covers controls relevant to financial reporting and is required by fintech and financial services procurement; Type 2 means controls were tested over a period (typically 6–12 months), not just described.

HIPAA · HITRUST
Market unlocked: Healthcare & Life Sciences. Table-stakes for hospital systems, payers, and health tech buyers.
Revenue outcome: $390B+ TAM, healthcare IT, opened from zero.
Notes: HIPAA (Health Insurance Portability and Accountability Act) applies to any vendor handling Protected Health Information (PHI) and is non-negotiable for hospital systems, payers, and health tech platforms. HITRUST is a healthcare-specific certification combining HIPAA, NIST, and ISO controls, preferred by major hospital networks and insurers over HIPAA alone because it demonstrates a higher level of operational maturity.

EO 14028 · FedRAMP
Market unlocked: US Federal Government. FedRAMP Moderate completed FY2025, unlocking the full US federal chain.
Revenue outcome: $100B+ TAM, US federal IT, GSA eligibility.
Notes: EO 14028 (Executive Order on Improving the Nation’s Cybersecurity, May 2021) requires federal software suppliers to self-attest compliance with NIST SP 800-218; active attestation maintained to preserve federal pipeline eligibility. FedRAMP (Federal Risk and Authorization Management Program) is the US government’s cloud security authorization; without it, no federal agency can procure a cloud service, making it one of the most rigorous and expensive compliance gates in enterprise software.

BSI C5 · IRAP · TISAX
Market unlocked: Germany · Australia · Automotive OEMs. Three markets from one coordinated portfolio build.
Revenue outcome: EU + APAC + automotive, three markets from one coordinated build.
Notes: BSI C5 (Cloud Computing Compliance Criteria Catalogue) is published by Germany’s Federal Office for Information Security and required by German financial institutions and government agencies for cloud vendors. IRAP (Information Security Registered Assessors Program) is Australia’s government cloud security framework, required for any vendor selling to Australian federal and state agencies. TISAX (Trusted Information Security Assessment Exchange) is managed by the ENX Association on behalf of the German automotive industry and is mandatory for any supplier to BMW, Volkswagen, Mercedes-Benz, and other OEMs.

ISO 42001
Market unlocked: First-mover, AI Governance. Pursued before any customer requested it. Certifies at a fraction of the eventual cost.
Revenue outcome: first mover in AI-governed data security.
Notes: ISO 42001 is the international standard for AI Management Systems (AIMS), published December 2023. It establishes governance, risk management, and accountability for AI systems.
Certifications and Attestations Portfolio — 22 active standards

Enterprise Trust & SaaS · $2T+ (global enterprise software TAM gated on these baseline certifications)
  • SOC 2 Type 2: the gold-standard enterprise security audit covering a defined period. Required by most enterprise procurement as proof of operational security maturity.
  • SOC 1 Type 2: covers internal controls relevant to financial reporting. Required for broker-dealer and fintech customers.
  • ISO 27001: international ISMS standard. Required by most global enterprise buyers as baseline proof of mature security governance.
  • ISO 27017/27018: cloud security controls (27017) and cloud privacy (27018). Required for EU and APAC cloud procurement.
  • ISO 27701: Privacy Information Management extending ISO 27001. Maps to GDPR, CCPA, and global privacy law.
  • CSA STAR: Cloud Security Alliance certification. Widely required in EU and APAC enterprise procurement for SaaS vendors.
  • NIST CSF: NIST Cybersecurity Framework. Reference standard for US federal risk management and enterprise RFPs.
  • ISO 42001 (AI): international AI Management System standard. Obtained before any customer demanded it; first-mover in AI-governed security.

Regulated Industries & Government · $600B+ (healthcare, financial services, and federal government)
  • FedRAMP: US government cloud security authorization. Without it, no federal agency can use a cloud service.
  • HIPAA: US health data privacy law. Non-negotiable gate for any vendor touching patient health information.
  • HITRUST: healthcare-specific security framework. Preferred by major hospital systems and payers.
  • FINRA SEC 17a-4: US rule governing electronic records for broker-dealers. Required for any sale to a regulated financial entity.
  • EO 14028: Executive Order on cybersecurity. Attestation required for US federal software suppliers since May 2024.
  • NIST CSF: NIST Cybersecurity Framework. Reference standard for US federal risk management and enterprise RFPs.

International & Emerging Markets · $400B+ (EU, APAC, automotive, and AI governance markets)
  • ISO 42001 (AI): international AI Management System standard. Obtained before any customer demanded it; first-mover in AI-governed security.
  • BSI C5: German Federal Office for Information Security cloud standard. Required by German financial institutions and government.
  • IRAP: Australian government cloud security authorization. Gates all Australian federal agency sales.
  • TISAX: Trusted Information Security Assessment Exchange. Mandatory for automotive suppliers to BMW, VW, Mercedes, and other OEMs.
  • DORA: EU Digital Operational Resilience Act. Mandatory for financial entities and IT providers in the EU.
  • OSFI B-13: Canada OSFI guideline. Required for technology providers to Canadian banks and insurers.
  • DPDP: India’s Digital Personal Data Protection Act. Required for cloud vendors handling Indian citizen data.
  • ISMS-P: South Korea combined InfoSec and privacy certification. Required for Korean market access.
  • DESC: Dubai Electronic Security Center standard. Required for Middle East government and enterprise market vendors.

Capability profile — Savanna vs. GRC peer vs. CCO peer

Chart: radar plot of my profile against a Head of GRC peer (10+ yrs) and a CCO peer, with raw scores per dimension (chart and score cards not reproduced here).

Methodology & benchmarking basis

Scores (0–10) reflect demonstrated outcomes across 13 years and three companies, weighted by recency, scale, and verifiable business impact. Each dimension maps to an industry-standard GRC competency framework (ISACA, (ISC)², NIST NICE).

GRC peer baseline — composite of Head of GRC / Head of Compliance at enterprise SaaS ($200M–$2B ARR), 10+ yrs. Sources: LinkedIn Salary Insights; ISACA State of Cybersecurity 2024; Foushee & ScottMadden Security Benchmarks 2024.

CCO peer baseline — composite of Chief Compliance Officers at comparable-stage companies. CCOs score higher on mature program management; lower on zero-to-one builds, sales enablement, and AI governance.



Education

Four degrees.
One pattern-finding mind.

The same instinct that finds the hidden control satisfying five frameworks at once is the instinct I carry across all four of my degrees: find the structure connecting unrelated systems, name the pattern, build something that uses it.

M.S. — 2010–2011
Information Systems
Strayer University
How technology systems connect, scale, and break — the engineering foundation behind everything I automate in compliance.
M.S. — 2005–2006
Forensic Psychology
Tiffin University
Why people behave the way they do under pressure — essential for designing controls that teams actually follow.
M.S. — 2004–2005
Crime Analysis & Justice Administration
Tiffin University
Pattern recognition in complex data, applied to risk — finding the anomaly before it becomes a breach or an audit finding.
B.A. — 2001–2004
Psychology
Ohio University
Understanding how people think, decide, and change — the root of every compliance culture shift I have run.

How three disciplines converge into one practice

Each degree contributes a distinct layer. The intersections are where the real capability lives.

Before I ran compliance programs, I taught. I chaired an IT department and delivered instruction across Criminal Justice, Mathematics, and Cybercrime — achieving the highest student attendance rate of any instructor nationwide. My forensic psychology background is not incidental: understanding why organizations resist compliance, and how to design processes people will actually follow rather than route around, is what builds programs teams can own, sustain, and grow long after the initial build.

Myer’s Miles · Official Photographers

Through the lens.
Every layer.

Jesse in the car, Savanna behind the lens. Official photographers for SCDA and COMSCC events. The kit spans every scale of seeing: macro through astrophotography, circuit racing through deep sky.

“The same discipline that reveals structure in a macro crystal, a racing line, or a Northern Lights corona applies to a compliance program: seeing what the system is actually doing versus what it appears to be doing. Every scale of the lens tells you something the adjacent scale cannot.”

Savanna Myer · Official Photographer, SCDA & COMSCC

Kit: Fujifilm long glass · DJI FPV · Dwarf Lab 3 · onboard PDR · Lightroom CC · Adobe Portfolio
myersmiles.com
Photo: Savanna photographing the Northern Lights, Norway

Circuits & locations

SCDA & COMSCC official  ·  F1, Grand Prix & world-class circuits

Lime Rock Park Historic ★ KEYSTONE  ·  COTA  ·  Watkins Glen  ·  Mid-Ohio  ·  Thompson  ·  NHMS  ·  PIRC  ·  and growing


Get in touch

Let’s talk about the next locked market.


Connect
Savanna Myer
Head of Security & Compliance

I’ve spent 13 years building compliance programs that open markets and enable teams at growth-stage companies. The program gets built. The team gets trained. The market gets opened. I’m looking for the next company that needs all three.
