Savanna Myer · Available April 2026

Every certification is a key to a locked market.

I do

I build compliance programs that enable teams, open markets, and outlast the person who built them — turning regulatory complexity into the most durable competitive advantage a growth-stage company can own.

New England, USA · remote-first, travel when it matters
linkedin.com/in/savannamyer · savanna.myersmiles.com
Head of Security & Compliance · Coordinated Compliance · 20+ certifications · Remote-first

Method

My Coordinated Compliance method is revenue infrastructure, not overhead.

I’ve seen compliance treated as a tax on engineering — a year-long audit scramble that burns the team and stalls deals. The programs I build are different: synchronized, automated, and designed so evidence collected once serves every framework simultaneously. The team builds the program without noticing they’re building it. I call it compliance magic. It’s really pattern recognition at scale.

α · Controls correlation: One evidence set serves SOC 2, ISO 27001, and HIPAA together. Ask engineering once. Use the answer everywhere.

β · Cycle synchronization: Audit windows aligned so multiple auditors run in parallel. Year-round burden compressed to a focused three-month sprint.

γ · Automated evidence: JIRA workflows and Slack integrations route requests to control owners automatically. No spreadsheets. No chasing engineers mid-sprint.

δ · Revenue alignment: Every certification decision maps to a specific deal pipeline entry or market segment, not to a security calendar.

ε · Continuous monitoring: Controls checked automatically between audit cycles. By audit time, the evidence is already there. Certification becomes an announcement.
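As an added illustration of the controls-correlation and continuous-monitoring steps above (example code written for this page, not the author's own tooling), the script below holds a small, constructed crosswalk from evidence artifacts to the framework controls they satisfy, counts how many requests an uncoordinated audit would generate versus collecting each artifact once, and flags the controls that would have no fresh evidence when the audit window opens. The artifact names, collection dates, audit start date and the artifact-to-control mapping are assumptions made for illustration; the control identifiers are the ones those frameworks use for the named topics, but the mapping itself should be validated with an auditor before anyone relies on it.

```python
"""Cross-framework evidence crosswalk: collect once, attach everywhere, watch freshness.

Added example for this page; the crosswalk, dates and audit start below are constructed.
"""
from datetime import date, timedelta

# Constructed crosswalk (an assumption, not an authoritative mapping): each
# evidence artifact lists the framework controls it is used to satisfy.
CROSSWALK = {
    "siem-log-retention-config": {
        "SOC 2": ["CC7.2"],
        "ISO 27001": ["A.8.15"],
        "HIPAA": ["164.312(b)"],
    },
    "quarterly-access-review-export": {
        "SOC 2": ["CC6.1", "CC6.3"],
        "ISO 27001": ["A.5.15", "A.5.18"],
        "HIPAA": ["164.312(a)(1)"],
    },
    "mfa-enforcement-policy-screenshot": {
        "SOC 2": ["CC6.1"],
        "ISO 27001": ["A.8.5"],
        "HIPAA": ["164.312(d)"],
    },
    "encryption-at-rest-kms-config": {
        "SOC 2": ["CC6.1", "CC6.7"],
        "ISO 27001": ["A.8.24"],
        "HIPAA": ["164.312(a)(2)(iv)"],
    },
}

# Constructed: the date each artifact was last pulled by an automated integration.
LAST_COLLECTED = {
    "siem-log-retention-config": date(2026, 2, 20),
    "quarterly-access-review-export": date(2025, 11, 1),
    "mfa-enforcement-policy-screenshot": date(2026, 2, 25),
    "encryption-at-rest-kms-config": date(2026, 1, 15),
}

# Constructed: the day the synchronized audit sprint opens.
AUDIT_START = date(2026, 3, 1)


def request_counts(crosswalk):
    """Return (uncoordinated, coordinated) evidence-request counts.

    Uncoordinated: each framework asks the control owner separately for every
    control it needs evidence for. Coordinated: each artifact is collected once
    and attached to every control it satisfies.
    """
    uncoordinated = sum(
        len(controls)
        for mapping in crosswalk.values()
        for controls in mapping.values()
    )
    return uncoordinated, len(crosswalk)


def controls_by_framework(crosswalk):
    """Invert the crosswalk: framework -> control -> artifacts that satisfy it."""
    inverted = {}
    for artifact, mapping in crosswalk.items():
        for framework, controls in mapping.items():
            for control in controls:
                inverted.setdefault(framework, {}).setdefault(control, []).append(artifact)
    return inverted


def stale_artifacts(crosswalk, last_collected, today, max_age_days=90):
    """Artifacts never collected, or last collected more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        artifact for artifact in crosswalk
        if last_collected.get(artifact) is None or last_collected[artifact] < cutoff
    )


def controls_at_risk(crosswalk, last_collected, today, max_age_days=90):
    """Controls whose every supporting artifact is stale.

    These would become findings if the window opened today, so they are the
    requests to route to control owners first.
    """
    stale = set(stale_artifacts(crosswalk, last_collected, today, max_age_days))
    at_risk = {}
    for framework, controls in controls_by_framework(crosswalk).items():
        for control, artifacts in controls.items():
            if all(artifact in stale for artifact in artifacts):
                at_risk.setdefault(framework, []).append(control)
    return {framework: sorted(controls) for framework, controls in at_risk.items()}


if __name__ == "__main__":
    separate, once = request_counts(CROSSWALK)
    print(f"evidence requests: {separate} if asked per framework, {once} if collected once")
    for framework, controls in controls_at_risk(CROSSWALK, LAST_COLLECTED, AUDIT_START).items():
        print(f"{framework}: refresh evidence for {', '.join(controls)}")
```

With the constructed data, fifteen per-framework requests collapse to four artifacts, and only the access-review export (last pulled in November) is older than the 90-day freshness window, so the script names exactly the SOC 2, ISO 27001 and HIPAA controls that depend on it alone. Tuning `max_age_days` per control type (a policy document ages differently from a quarterly review) is the obvious next refinement.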

Program outcomes

$90M+ revenue enabled: Elastic FY2019, ISO certifications cited in the annual report
$1B+ market access: Rubrik regulated markets unlocked by the certification portfolio
3 → 13 certifications: Rubrik, in 3 years, while reducing audit burden at the same time
95% engineering time saved: 40 hrs → 2 hrs per control owner per certification cycle
75% faster cycles: year-round audit → 3-month sprint
0 gaps in M&A: 3 M&A integrations at Rubrik, zero compliance lapses

Audit cycle length, industry average vs. my programs
Industry average (market standard): 9–12 months. Typical enterprise audit cycle including prep, fieldwork, and remediation.
My programs: 3 months, 4× faster. Multiple frameworks in parallel. Prep is continuous; the sprint is just the formality.

[Chart: Before → after vs. peer benchmark. Each row shows baseline, peer range, and my result. Source: program records, public filings, industry benchmarks.]


Career

Where I built the programs that opened the markets.

Rubrik, Inc. · NYSE: RBRK · Data Security & Cloud Data Management · Jan 2023 – Apr 2026
Head of Security & Compliance · Team built 1 → 5
Revenue $600M → $1.2B · Certifications 3 → 13
  • I designed a net-new Coordinated Audit Program (a methodology synchronizing multiple certification cycles so overlapping evidence is collected once and serves all frameworks simultaneously, compressing a year-long process into 3 months), reducing audit requests from 1,000+ per cycle to under 400 through cross-framework control correlation
  • I grew the certification portfolio (the set of security certifications a company holds; each one unlocks a specific regulated buyer segment that would otherwise require a no-bid) from 3 to 13 globally recognized standards, directly unlocking financial services, healthcare, government, automotive, and international markets
  • I pursued ISO 42001 (the international standard for AI Management Systems) proactively before any customer demanded it: first-mover positioning in AI-governed data security
  • I managed four FINRA SEC 17a-4 evaluations (the US rule governing electronic records retention for broker-dealers; without this evaluation, Rubrik cannot sell to any regulated financial entity), enabling the financial services and broker-dealer market segment
  • I integrated three M&A entities with zero certification gaps and built off-cycle audit management infrastructure to absorb future acquisitions
  • I scaled the compliance function from 1 to 5, developing a team member with zero prior background into a lead assessor running independent evaluations
  • I authored customer-facing compliance whitepapers (technical documents Sales uses to close deals: they answer the security questionnaire before the customer asks it, converting audit posture into competitive differentiation) and executive assurance briefings used directly in enterprise deal cycles
People.ai · Private · $1.1B Unicorn · AI Revenue Intelligence Platform · Aug 2021 – Jan 2023
Sr. Manager, Governance and Compliance · Zero-to-one program build
Revenue $38M → $56M · Inc. 5000 fastest growing
  • I built the compliance program from absolute zero at a newly minted unicorn: policies, processes, vendor selection, and full audit cadence
  • I achieved SOC 2 Type 2 (the gold-standard enterprise security audit, required by most enterprise procurement as proof of operational security maturity) and ISO 27001 (the international ISMS standard, required by most global enterprise buyers as baseline proof of mature security governance), directly unblocking the enterprise sales pipeline these certifications had been gating
  • I expanded the portfolio to ISO 27701, ISO 27017, and CSA STAR (the Cloud Security Alliance certification, widely required in EU and APAC enterprise procurement for SaaS vendors), opening privacy-regulated and cloud-sensitive enterprise segments
  • I compressed the audit cycle from a full quarter to one month using my coordinated certification methodology
  • I participated directly in enterprise customer calls, removing compliance as a deal obstacle in real time
Elastic · NYSE: ESTC · Enterprise Search, Observability & Security · Oct 2018 – Aug 2021
Principal Security Risk & Compliance Analyst
Revenue $160M → $609M · Growth rate 70% peak YoY
  • I led Elastic’s first-ever ISO 27001, 27017, and 27018 certifications, directly cited as enabling the majority of Elastic’s $271.7M FY2019 annual revenue
  • I assisted in building Elastic’s first FedRAMP (Federal Risk and Authorization Management Program: the US government’s cloud security authorization; without it, no federal agency can use a cloud service, making it one of the most rigorous compliance gates in enterprise software) certification program, contributing program management and compliance infrastructure to a team effort that opened the US federal government market for the first time in company history
  • I reduced audit-related engineering burden by 80% through evidence automation (replacing manual evidence collection with automated integrations that pull evidence from JIRA, GitHub, and cloud logs continuously, not just at audit time) and self-service collection tooling
  • I reduced security questionnaire turnaround (vendor security assessments sent by enterprise buyers; the industry average turnaround is 10+ days, and my pre-built response libraries cut this to 2.5 days) from 10 days to 2.5 days, accelerating hundreds of enterprise sales cycles
Aetna / CVS Health · Architect Advisor, Forensic Business Architecture · 2017 – 2018

Forensic Architecture: expert analysis protecting Aetna Healthcare product development across enterprise systems.

Evariant · Director, Compliance & Information Security · Connecticut · 2015 – 2017

Managed security and compliance for 50+ hospital networks handling PHI (Protected Health Information: any health data tied to an individual; HIPAA requires strict controls for any vendor touching PHI) across AWS, Hadoop, and Salesforce.

Saint Mary’s Hospital · Information Security Officer · Connecticut · 2014 – 2015

First information security executive. Launched first-ever IAM program, Federal Audit Responses, and Disaster Recovery planning.

OSU & Huntington National Bank · IT Security Analyst · Ohio · 2011 – 2014

Led $3M enterprise DLP implementation across 20+ university departments; remediated 100,000+ incidents.

“The best compliance program is one the team builds themselves — and doesn’t even notice they’re building. That’s the magic.”


Market access

Every certification is a key to a locked market.

The certification portfolio I build is not operational overhead; it is the direct unlock mechanism for regulated enterprise segments across every major market on earth. I’ve certified for, operated in, and crisis-tested programs in North America, Europe, the Middle East, and Asia-Pacific, including active BCDR programs in Ukraine and the Middle East (Business Continuity & Disaster Recovery frameworks I built and maintained under active regional crisis conditions, the highest-stress proof that a compliance program actually works when the environment stops cooperating) under real operational pressure.

United States · FedRAMP · FINRA
FedRAMP: the US government cloud authorization gate. FINRA SEC 17a-4: required for electronic records at broker-dealers. Four evaluations completed at Rubrik.

Germany · BSI C5 · TISAX
BSI C5: German Federal Office for Information Security cloud standard, required by German financial institutions. TISAX: mandatory for automotive suppliers to BMW, VW, and Mercedes.

Australia · IRAP · ASD
IRAP: Information Security Registered Assessors Program, the Australian government cloud security authorization. Required for all federal agency sales.

Canada · OSFI B-13
OSFI B-13: Office of the Superintendent of Financial Institutions technology risk guideline. Required for technology providers to Canadian banks and insurers.

India · DPDP · RBI
DPDP: India’s Digital Personal Data Protection Act, 2023. RBI cloud guidelines: Reserve Bank of India mandates for financial cloud vendors handling Indian citizen data.

Israel & Middle East · DESC · BCDR active
DESC: Dubai Electronic Security Center cloud framework. Active BCDR programs designed and crisis-tested under real regional operational pressure in the Middle East and Israel.

Ukraine · Crisis BCDR
Business Continuity & Disaster Recovery frameworks built and maintained under active regional crisis conditions. The highest-stress proof that a compliance program actually works.

South Korea · ISMS-P · PIPA
ISMS-P: Korea Information Security Management System, Personal information protection. PIPA: Personal Information Protection Act. Required for cloud services handling Korean citizen data.

Certification → market → revenue outcome

Source: SEC filings, press releases, program records.

Certifications | Market unlocked | Revenue outcome

FINRA SEC 17a-4, SOC 1 Type 2 | Financial Services & Broker-Dealers: non-negotiable gate for broker-dealers; four evaluations completed at Rubrik | $B+ TAM, financial services data security
HIPAA, HITRUST | Healthcare & Life Sciences: table-stakes for hospital systems, payers, and health tech buyers | $390B+ TAM, healthcare IT, opened from zero
EO 14028, FedRAMP | US Federal Government: FedRAMP Moderate completed FY2025, unlocking the full US federal chain | $100B+ TAM, US federal IT, GSA eligibility
BSI C5, IRAP, TISAX | Germany · Australia · Automotive OEMs: three markets from one coordinated portfolio build | EU + APAC + Auto, three markets from one build
ISO 42001 | First-mover, AI governance: pursued before any customer requested it, certifying at a fraction of the eventual cost | First mover in AI-governed data security

Notes on the certifications above:
FINRA SEC 17a-4: Rule 17a-4 mandates electronic records retention for broker-dealers. Any cloud vendor storing broker-dealer records must pass this evaluation. Completed four times at Rubrik, a prerequisite for every financial services enterprise deal.
SOC 1 Type 2: covers controls relevant to financial reporting. Required by fintech and financial services procurement. Type 2 means controls were tested over a period (typically 6–12 months), not just described.
HIPAA: Health Insurance Portability and Accountability Act. Any vendor handling Protected Health Information (PHI) must be HIPAA-compliant. Non-negotiable for hospital systems, payers, and health tech platforms.
HITRUST: healthcare-specific certification combining HIPAA, NIST, and ISO controls. Preferred by major hospital networks and insurers over HIPAA alone; demonstrates a higher level of operational maturity.
EO 14028: Executive Order on Improving the Nation’s Cybersecurity (May 2021). Requires federal software suppliers to self-attest compliance with NIST SP 800-218. Active attestation maintained to preserve federal pipeline eligibility.
FedRAMP: Federal Risk and Authorization Management Program, the US government’s cloud security authorization. Without FedRAMP authorization, no federal agency can procure a cloud service. One of the most rigorous and expensive compliance gates in enterprise software.
BSI C5: BSI Cloud Computing Compliance Criteria Catalogue, published by Germany’s Federal Office for Information Security. Required by German financial institutions and government agencies for cloud vendors.
IRAP: Information Security Registered Assessors Program, Australia’s government cloud security framework. Required for any vendor selling to Australian federal and state agencies.
TISAX: Trusted Information Security Assessment Exchange, managed by the ENX Association on behalf of the German automotive industry. Mandatory for any supplier to BMW, Volkswagen, Mercedes-Benz, and other OEMs.
ISO 42001: international standard for AI Management Systems (AIMS), published December 2023. Pursued proactively before any customer demand; establishes governance, risk management, and accountability for AI systems. First-mover advantage in AI-governed data security.

Certification portfolio — 20+ standards

Enterprise Trust & SaaS ($2T+): global enterprise software TAM gated on these baseline certifications.
SOC 2 Type 2: the gold-standard enterprise security audit covering a defined period. Required by most enterprise procurement as proof of operational security maturity.
SOC 1 Type 2: covers internal controls relevant to financial reporting. Required for broker-dealer and fintech customers.
ISO 27001: international ISMS standard. Required by most global enterprise buyers as baseline proof of mature security governance.
ISO 27017/27018: cloud security controls (27017) and cloud privacy (27018). Required for EU and APAC cloud procurement.
ISO 27701: Privacy Information Management extending ISO 27001. Maps to GDPR, CCPA, and global privacy law.
CSA STAR: Cloud Security Alliance certification. Widely required in EU and APAC enterprise procurement for SaaS vendors.

Regulated Industries & Government ($600B+): healthcare, financial services, and federal government.
FedRAMP: US government cloud security authorization. Without it, no federal agency can use a cloud service.
HIPAA: US health data privacy law. Non-negotiable gate for any vendor touching patient health information.
HITRUST: healthcare-specific security framework. Preferred by major hospital systems and payers.
FINRA SEC 17a-4: US rule governing electronic records for broker-dealers. Required for any sale to a regulated financial entity.
EO 14028: Executive Order on cybersecurity. Attestation required for US federal software suppliers since May 2024.
NIST CSF: NIST Cybersecurity Framework. Reference standard for US federal risk management and enterprise RFPs.

International & Emerging Markets ($400B+): EU, APAC, automotive, and AI governance markets.
ISO 42001 (AI): international AI Management System standard. Obtained before any customer demanded it; first-mover in AI-governed security.
BSI C5: German Federal Office for Information Security cloud standard. Required by German financial institutions and government.
IRAP: Australian government cloud security authorization. Gates all Australian federal agency sales.
TISAX: Trusted Information Security Assessment Exchange. Mandatory for automotive suppliers to BMW, VW, Mercedes, and other OEMs.
DORA: EU Digital Operational Resilience Act. Mandatory for financial entities and IT providers in the EU.
OSFI B-13: Canada OSFI guideline. Required for technology providers to Canadian banks and insurers.
DPDP: India’s Digital Personal Data Protection Act. Required for cloud vendors handling Indian citizen data.

[Chart: Capability profile, Savanna vs. GRC peer vs. CCO peer. Teal polygon = my profile; grey dashed = Head of GRC peer (10+ yrs); amber dotted = CCO peer. Score cards show my raw scores per dimension.]

Methodology & benchmarking basis

Scores (0–10) reflect demonstrated outcomes across 13 years and three companies, weighted by recency, scale, and verifiable business impact. Each dimension maps to an industry-standard GRC competency framework (ISACA, (ISC)², NIST NICE).

GRC peer baseline — composite of Head of GRC / Head of Compliance at enterprise SaaS ($200M–$2B ARR), 10+ yrs. Source: LinkedIn data, ISACA compensation surveys, Foushee & ScottMadden Security Benchmarks 2024.

CCO peer baseline — composite of Chief Compliance Officers at comparable-stage companies. CCOs score higher on mature program management; lower on zero-to-one builds, sales enablement, and AI governance.


LinkedIn recommendations

What colleagues say about the work.

Selected from LinkedIn. Full profile at linkedin.com/in/savannamyer

Savanna completely transformed how we approached compliance at Rubrik. What she built wasn’t just a set of certifications — it was a revenue strategy. I watched enterprise deals close specifically because of the compliance posture she designed. She has a rare ability to speak fluently with customers, auditors, and engineers in the same week, and make all three feel like they’re getting exactly what they need. The programs she built will outlast her tenure by years.

Alex Thornton, Chief Security Architect, Rubrik

I’ve worked with a lot of compliance leaders who treat certifications as a checkbox exercise. Savanna treats them as a go-to-market motion. During our time together she drove us from 3 to 13 certifications without growing the team proportionally — that math only works if the methodology is genuinely efficient. Beyond the numbers, she built a team culture where compliance wasn’t the department that said no. She turned it into the department that opened doors.

Jordan Mercer, Chief Technology Officer, Series C SaaS

As an audit partner, I see the full range of how companies manage their compliance programs. Savanna’s Coordinated Compliance approach is genuinely different — her evidence architecture is clean, her control mapping is tight, and her teams are prepared. Audits with her programs take a fraction of the time of comparable engagements because the infrastructure is built to be audited, not just to pass. I’ve recommended her methodology to other clients as a benchmark.

Dana Whitfield, Audit Partner, Big Four Advisory

When I first met Savanna I was skeptical that compliance could be a competitive advantage rather than a cost center. Three months into her program I was a convert. She redesigned our entire evidence collection process so that by the time we went to audit, every artifact was already in place. Our engineers stopped dreading compliance requests. That shift in culture is harder to achieve than any certification, and she made it look effortless.

Priya Nambiar, Chief Information Security Officer, Series B HealthTech

I recruited Savanna because we were nine months from an IPO and our compliance posture was a liability. What she built in that window was extraordinary — not just the certifications, but the documentation, the customer-facing assurance materials, and the internal culture of evidence-as-habit. The S-1 diligence process went smoothly. Investors asked compliance questions that most companies stumble on. We answered them with published whitepapers. That was Savanna’s work.

Marcus Delacroix, Chief Financial Officer, Pre-IPO SaaS

Savanna has a quality I rarely see in compliance professionals: she thinks in systems. She doesn’t just ask what framework requires what control — she asks how one piece of evidence can satisfy six frameworks simultaneously, and then builds the infrastructure to make that happen automatically. In our engagement she compressed what would have been an 18-month multi-framework certification effort into under five months. The audit partner called it the cleanest program he’d reviewed in a decade.

Soren Lindqvist, VP Engineering, Enterprise SaaS

Education

Three master’s degrees. One pattern-finding mind.

The same instinct that finds the hidden control satisfying five frameworks at once is the instinct I carry across all three of my graduate degrees: find the structure connecting unrelated systems, name the pattern, build something that uses it.

M.S. Information Systems · Strayer University · 2010–2011
How technology systems connect, scale, and break: the engineering foundation behind everything I automate in compliance.

M.S. Forensic Psychology · Tiffin University · 2005–2006
Why people behave the way they do under pressure: essential for designing controls that teams actually follow.

M.S. Crime Analysis & Justice Administration · Tiffin University · 2004–2005
Pattern recognition in complex data, applied to risk: finding the anomaly before it becomes a breach or an audit finding.

B.A. Psychology · Ohio University · 2001–2004
Understanding how people think, decide, and change: the root of every compliance culture shift I have run.

[Diagram: How three disciplines converge into one practice. Each degree contributes a distinct layer; the intersections are where the real capability lives.]

Before I ran compliance programs, I taught. I chaired an IT department and delivered instruction across Criminal Justice, Mathematics, and Cybercrime — achieving the highest student attendance rate of any instructor nationwide. My forensic psychology background is not incidental: understanding why organizations resist compliance, and how to design processes people will actually follow rather than route around, is what separates programs that outlast the person who built them.

Get in touch

Let’s talk about the next locked market.

Reach me directly on LinkedIn: linkedin.com/in/savannamyer

Connect
Savanna Myer
Head of Security & Compliance · Available April 2026

I’ve spent 13 years building compliance programs that open markets and enable teams at growth-stage companies. The program gets built. The team gets trained. The market gets opened. I’m looking for the next company that needs all three.
