Affiliation: Capital One / ClueTrust
Nomination Committee Evaluation: Qualified
1. Board of Trustees Qualifications and Responsibilities
Please review the ARIN Board of Trustees Expected Qualifications and Responsibilities thoroughly. Please describe, providing specific details, any barriers you foresee to your fully meeting those qualifications and undertaking those responsibilities. A Trustee’s responsibilities have usually required about 5-10 hours per week.
2. Conflicts of Interest
a) Please disclose any conflicts of interest you may have, real or perceived, that would impact your ability to perform your duty as a member of the ARIN Board of Trustees. (If no conflicts, please enter “N/A”)
I (personally) hold two IPv4 /23s and an ASN and am an LRSA signatory
I am associated with ClueTrust, an ISP in the ARIN region which holds several small IPv4 address blocks, an IPv6 allocation, and an ASN – all under RSA.
My day job is with a large enterprise (Capital One) which is an end user of ARIN-supplied number resources.
I serve ICANN as a Trusted Community Representative (TCR Crypto Officer) for signing the DNSSEC root.
b) How do you propose to resolve any conflicts identified in (a)? (If no conflicts identified, please enter “N/A”)
I do not believe that any of these situations is an actual conflict of interest when properly disclosed. Three of the four make me a personally-interested consumer of ARIN’s services. I have a track record of helping make sure that ARIN policy proposals affect all similarly-situated organizations equally.
c) Are you currently eligible to serve on the Board of Trustees according to the Conflict of Interest Requirements and the eligibility requirements?
d) If not currently eligible, describe how you will become eligible to serve, if elected (i.e., “If elected, I will resign from the position of ____________ before 31 Dec 2022”). If currently eligible, please enter “N/A”.
If elected, I will resign from the ARIN Advisory Council before 31 Dec 2022.
a) Please list any degree(s) you received, the institution and the date issued.
- I pursued a degree in Electrical Engineering at University of Delaware but dropped out.
b) Please list any professional designations, certifications, or development education (non-degree) and the dates completed.
- Senior Member, IEEE (based on CV review), 2015
4. Employment and Experience
a) Please provide the name of any company or organization you currently are employed by, or from which you receive directly or indirectly a material portion of your compensation. Please describe the business of each such entity, your current title, and the office address of the organization.
Capital One is a multinational multi-line bank headquartered at 1680 Capital One Drive McLean, VA 22102.
I am a Senior Manager in the Information Security Office providing technology oversight and risk briefings for leadership.
b) Please refer to the ARIN Board of Trustees Guidance to the 2022 Nomination Committee in answering this question: Please describe your relevant professional experience and expertise and explain how this background will make you an effective trustee.
My career arc of over 30 years as an individual contributor and people manager in large and small service providers and critical Internet infrastructure providers informs my thoughts about scaleable and secure infrastructure in both large enterprises and organizations that are central to the reliable operation of the Internet. While primarily a technologist, my skill set includes risk evaluation and explaining complex technical issues in a fashion suitable for a wider audience.
Please note that the attached short form resume has not been updated to detail current job functions.
Attach a resume, curriculum vitae, or other biography highlighting your experience most relevant to the duties of the ARIN Board of Trustees. (PDF, DOC, DOCX files only)
You may also optionally include additional web links to external websites (e.g., social media), though not as a substitute for your biography. One URL per line.
5. Governance Experience
a) Please identify any boards on which you currently serve that carry fiduciary duties, whether at a for-profit or non-profit organization. Please note how long you have served and what offices, if any, you have held.
None at present.
b) Please identify any other boards on which you have served in the past 10 years that are not included in answer to (a), listing your dates of service.
None within the last 10 years, however, just outside of the scope of this question are two positions that are relevant to serving on the ARIN Board of Trustees:
- I served from 2008 to 2011 on the North American Network Operators Group (NANOG) Steering Committee, which became the NANOG Board of Directors as it evolved to a standalone organization.
- I served from 2004 to 2012 as the Secretary and Treasurer of Piedmont NRA Instructors, a non-political non-profit dedicated to teaching firearm safety to the general public.
In the more distant past I served as a Board Alternate on a 501(c)(3) amateur radio organization and as President and cofounder of an ISP that was organized as a 501(c)(12) cooperative telephone company.
c) What is the role of ARIN’s Board of Trustees?
ARIN’s Board of Trustees serves in a supportive, strategic, and oversight capacity. Unlike smaller boards, its role is not dirt-underfingernails, but rather to ensure proper succession plans, secure, retain, and challenge senior leadership, be informed of risk, and make wise decisions in terms of big-picture direction. Of particular interest is the Board’s responsibility in the Policy Development Process: the ARIN Board of Trustees is not actively involved in crafting policy; rather its job is to ensure that the bottom-up community driven policy process is followed while protecting the continued viability of the organization. The ARIN Board oversees the management of ARIN’s investments. From time to time, the Board has found it necessary to enact emergency policies to deal with exigent circumstances via the process outlined in ARIN’s bylaws.
d) How does your past governance experience prepare you to help fulfill that role by serving as an ARIN Trustee?
I served on NANOG’s board during a period of intense change. As we evolve our thinking about ARIN’s revenue sources, equitable fee structures, and what it will mean to be an RIR in a post-IPv4 world, I believe my previous experience with that will serve me well.
6. Understanding of ARIN’s role in the Internet governance ecosystem
a) What is ARIN’s role in the Internet governance ecosystem?
ARIN is a Regional Internet Registry and is responsible for fair, impartial, and technically sound administration of Internet Number Resources within its service area (geographic region). The ARIN Advisory Council shepherds community-submitted policy proposals to accomplish this. ARIN also develops globally coordinated number resource policies with other RIRs via the Number Resource Organization. Like all RIRs, ARIN has three seats on the Address Supporting Organization Address Council. Among other things, the Address Supporting Organization is responsible for appointing seats 9 and 10 to the ICANN Board. In addition, ARIN maintains liaisons with governments and law enforcement, NGOs, treaty organizations, and similar Internet governance stakeholders.
b) Describe any past experience or involvement with ARIN or other Internet governance bodies.
I have served on the ARIN Advisory Council since 2003 and have served on multiple committees in conjunction with that role.
I served on NANOG’s Steering Committee / Board of Directors from 2008 to 2011.
I have been a Trusted Community Representative (Crypto Officer) for signing the DNSSEC Root since 2010.
7. Board Discussion Topics
a) Risk Oversight and Management
i) Understanding and overseeing organizational and environmental risk is an important responsibility of Trustees. What do you see as potential risks to the organization, and which are newer risks that have emerged more recently?
Pandemic risk being top of mind has subsided into a “new normal” of hybrid meetings. Yet hybrid meetings pose their own set of challenges for inclusion and a level playing field between remote and on-site participants and encouraging full community participation.
If we fail, there are associated business, financial, and reputational risks as well as a possibility of regulatory risk.
Increased reliance on RPKI to a degree many of us did not expect years ago creates operational risks for the Internet, which fall to the RIRs to mitigate.
While the transfer market has existed for over a dozen years, the particulars of the challenges to keep it healthy continue to evolve and landscape for the intersection between transfers (both on and off the books), registry accuracy, and several of the risks outlined above continues to evolve.
There is risk that is not entirely ARIN’s to mitigate. Should one or more components of the RIR system appear to be in grave danger, there is regulatory and reputational risk that will attach to ARIN by association, which the Board must stand ready to swiftly mitigate if that unfortunate time comes.
There are ongoing risks and challenges in areas of internal governance, government relations, equity and participation, and transparency.
ii) How should the Board best discharge its responsibilities regarding risk oversight and management?
As stated earlier, the ARIN Board is not a small-organization-hands-on board, yet just as we need board members who are skilled in reading a financial statement and asking well- grounded questions of staff and external auditors, we need Board members who are skilled in risk analysis and management to help ensure that we have proper leadership in place and make sure that our strategic plan to manage risk is sound. We also need board members who are well versed in the minutiae of how the Internet (both customers and non-customers) interact with the ARIN ecosystem. As ARIN takes a more active role in the routing infrastructure of the Internet via RPKI and evolution of ARIN’s IRR component, this becomes more and more necessary.
It is important to note that elimination of risk is not the prime directive! Risk reduction (with a goal of acceptable risk not completely getting rid of risk) must be carefully balanced against mission goals; it would not do to be so risk averse that we fail to support our constituency or are unwilling to be bold and do the right thing.
A mature formal risk register is important to properly contextualizing the plethora of risks that are before the organization at any given time, and the Board should continue to make sure that appropriate resources are available to facilitate its growth and evolution.
iii) How will you contribute to strengthening risk oversight and management at ARIN?
My understanding is that ARIN is already moving in the direction of having more formal security structures, particularly in the cyber arena (such as SOC2 and/or ISO27000). But risk goes well beyond mere cyber risk. There is risk in literally everything we do. Legal, reputational, operational, and financial risks need to be taken into account as well.
My day job is technical and business risk evaluation, including developing risk and threat models and matrices. If elected, I will champion continuous improvement of formalized risk evaluation – not as an end unto itself but rather as a tool to inform our strategic thought about our exposures.
i) Supporting and reviewing the strategic direction identified by ARIN’s management, in consultation with its membership, is an important responsibility of Trustees. Based on your understanding of ARIN’s current strategic plan and the environment in which it operates, what opportunities or challenges do you foresee for the organization?
ARIN is still figuring out what it means to be an RIR in a post-IPv4-depletion world, and moreover in a post-IPv4 world. What is the proper level of oversight to apply to number resource transfers? What are appropriate and equitable fee structures? We have made much progress over the past decade yet there is still work to do. The time will come when the value of IPv4 addresses falls because they are no longer technically relevant, just as nobody is interested anymore in Telex numbers or X.25 DNICs. Far from being an indictment of current or past leadership, this situation is a reflection that the only constant in life is change.
ii) How might these challenges and opportunities influence current or future strategic plans?
Nature abhors a vacuum. If we fail to evolve to meet current demands of our constituency, others will step in to fill that void. Will they share our values of a community-driven open process with bottom-up policy development?
iii) Please explain how your background and experience would help in addressing what you believe are ARIN’s greatest challenges.
Having served on the ARIN AC for approaching two decades, my institutional knowledge of where we have been and past challenges will be invaluable as we look to the future. As a deep technologist, I have served ARIN in the arena of RPKI, IRR, and registry integration and will continue to do so. My career pivot in recent years to risk oversight of essential infrastructure rather than building same provides important dimensionality to my understanding of our problem space, while a central theme of my entire career has been as a bridge builder between hardcore techies and those whose skills lie in business and finance.