Brandon Carreon

Information Security professional with 7+ years of experience across governance, risk, compliance, security operations, and program development. Proven track record of designing and operationalizing enterprise GRC capabilities, including risk lifecycle management, exception governance, third-party risk intake, risk management program development, and compliance operations, executive reporting, and AI governance. Experienced in translating security requirements into business-aligned processes, controls, and decision support for leadership.

Experienced in supporting RMF-aligned risk management processes and compliance operations. Currently pursuing an MBA and operating at an Information Security Officer (ISO)-level through ownership of enterprise risk management processes, governance structures, and security program development.

Cyber Security Analyst II (GRC Program & Systems Development) at Texas Secretary of State (2023-11 – Present)

Transformed a largely ad hoc and underutilized risk function into an operational GRC system by designing and implementing an integrated risk lifecycle, remediation tracking (POA&M), and exception management framework.

• Provided risk-based recommendations to leadership, enabling informed decisions on security investments, risk acceptance, and program priorities.
• Architected a layered GRC system separating user intake (MS Forms), core processing (Risk Management Core Engine), and executive reporting to improve usability, data integrity, and scalability.
• Architected and deployed a centralized Risk Management Core Engine (CORE) enabling structured risk intake, automated POA&M generation based on risk appetite, and end-to-end traceability across risk, remediation, and exception workflows.
• Shifted risk management from leadership-triggered activity (1–3 risks annually) to a structured, intake-driven model, establishing a scalable foundation for consistent enterprise risk identification and tracking.
• Designed and implemented foundational GRC governance structures, including a Risk Appetite Statement, Executive Accountability Standard, Risk Acceptance Authority Standard, and centralized policy/standards library.
• Standardized and integrated risk and exception management processes, introducing formal lifecycle governance, approval routing, and audit logging where no consistent processes previously existed.
• Designed a closed-loop risk assessment process that generates business-aligned reports and automatically integrates outputs into the risk register and POA&M workflows.
• Developed a Technology Party Risk Determination (TPRD) process with automated questionnaire generation based on assurance gaps such as SOC 2, FedRAMP, and TX-RAMP.
• Developed executive dashboards consolidating risk, POA&M, exception, and third-party risk data into a unified reporting layer, significantly improving leadership visibility into enterprise risk posture.
• Built executive-level reporting frameworks, dashboards, and governance report packs to improve leadership visibility into enterprise risk and program maturity.
• Developed secure AI usage frameworks, including enterprise-wide and security-specific prompt configurations, a structured prompt library, and an AI ROI model to support controlled AI adoption.
• Developed an agency-wide Information Security Policy, Incident Response Plan, complementary Red Book, and custom controls catalog aligned to NIST SP 800-53 Rev. 5, TAC 202, Texas Government Code 2054, FedRAMP, TX-RAMP, PCI DSS, and CSA CCM.
• Supported security budget planning and procurement by maintaining budget tracking, submitting acquisition requests, and developing business-aligned justifications for security investments.
• Operated with a high degree of autonomy to define and implement enterprise security program processes, effectively functioning as the organization's GRC lead.
• Conducted a Texas Cybersecurity Framework assessment and developed deliverables to improve the agency's security maturity posture.

Cyber Security Analyst II at Texas Department of Public Safety (2019-11 – 2023-11)

• Conducted system security documentation reviews, risk assessments, and contract reviews to evaluate alignment with federal and state cybersecurity requirements.
• Served as a technical liaison between security teams and business stakeholders, translating security requirements into operational controls and business needs.
• Compiled management metrics and reporting data, conducted vulnerability analysis, and supported security operations through log review and related security activities.
• Supported security operations and incident analysis activities, including log review, vulnerability analysis, and collaboration with SOC personnel to investigate and triage security events.
• Evaluated and approved macro code for business use and contributed to process improvement efforts with minimal oversight.
• Trained and mentored new SOC analysts and interns, providing guidance on security tools, procedures, and risk-related practices.

Master of Business Administration – Baylor University

Bachelor of Science in Computer Science – Texas State University (2020-12)

– Texas Department of Public Safety Leadership School (2020-10)