

Joshua Pennell
Founder and President
As IOActive's Founder and President, Joshua Pennell enjoys a proven, 12-year entrepreneurial track record of creating and maintaining a multimillion-dollar, customer-focused, independent global security services organization. Through Pennell's leadership, IOActive has emerged as one of the world's longest-standing, highly technical boutique security consultancies with a history based on cutting-edge research and meritocratic governance.
Pennell serves on the advisory boards of Source, Vantos, and SiteScout. Pennell is also the Chairman of IOActive's advisory board, which includes such computer industry venerables as Steve Wozniak, Jim Reavis, and Jason Larsen. In years past, Pennell played an integral role in helping his team win Defcon's Capture the Flag competition for three consecutive years, followed by another three years of technically revolutionizing the competition before handing the game over to Kenshoto.
Pennell enjoys riding his bicycle in London while thinking of innovative ways to reduce IOActive customers' security risks through pragmatic application of security best practices. If you enjoy what you do for a living, you never work another day in your life.
Jennifer Steffens
Chief Executive Officer
As its CEO, Jennifer Steffens is responsible for all aspects of IOActive's North American business operations including sales, delivery, and finance as well as driving the company's strategic vision. Steffens brings a wealth of industry and business experience to the company, having been an early member of several successful startups.
Earlier in her career, Steffens was a Director at Sourcefire, where she helped build and grow the business from $250K to an over $35M run rate in just four years. Working closely with the CTO, Steffens helped commercialize the open source Snort technology and build several service offerings around the research initiatives. Prior to joining IOActive, she came to Seattle to help the struggling startup GraniteEdge reinvent itself. She spearheaded initiatives to restructure the company, and developed a product strategy to drive early market penetration that ultimately secured two additional rounds of funding.
With over 10 years of industry experience, Steffens has also held senior management positions at Ubizen, NFR Security, and StillSecure. She graduated from Mary Washington University with a Bachelor of Science in Psychology.
David Baker
Vice President of Services
David Baker is a subject matter expert on information security and incident response. As Vice President of Services, Baker helps drive the direction of IOActive's services, ensures successful client delivery, and oversees the quality assurance of IOActive's engagements. In addition, he works closely with the sales team to build and support IOActive's business development efforts.
Prior to joining IOActive, Baker was the Director of Security Architecture at Vantos and part of the A-round executive team. He was recruited directly by the CEO to develop industry essential practices for investigation and incident response management, in addition to aiding customers with investigations to promote partnerships and develop case studies. Baker worked with Fortune 1000 companies to drive security requirements and coordinate penetration tests.
Baker is a contributing member of the security community. He is an associate member of the Association of Certified Fraud Examiners (ACFE) and a member of the International High Technology Crime Investigation Association (HTCIA). He graduated with a Bachelor of Science in Mechanical Engineering and a Master of Science in Aeronautical Engineering from Cal Poly State University.
Barnaby Jack
Director of Security Testing
With over 10 years’ experience in the security consulting and research space, Jack has previously held positions at Juniper Networks, eEye Digital Security, and FoundStone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines. He has subsequently been credited with the discovery of numerous vulnerabilities, and has published multiple papers on new exploitation methods and techniques.
Jack is a frequent speaker at major security events in both the government and private sector, and he is often called upon for his opinions regarding the future of security research.
Michael Vitolo
Director of Compliance Services
Michael Vitolo is IOActive's Director of Compliance Services, where he employs his proficiency in governance, auditing, information security, project management, and risk mitigation. Vitolo is knowledgeable in regulations including Sarbanes-Oxley (SOX404), VISA Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and State and Government regulations, and uses frameworks such as ISO 7799, ITIL, and COBIT4.1 for risk assessment.
Prior to joining IOActive, Vitolo held positions at Walgreens—where he was responsible for managing VISA PCI and HIPAA compliance standards and application assessments—and Trustwave—where he served in Managing Security Consultant and Principal Security Consultant capacities. He is skilled at providing compliance recommendations that protect sensitive data and determine cost-effective remediation plans.
Vitolo is a Certified Payment Card Industry Security Auditor and Security Manager, Certified Information Systems Auditor, Certified Information Security Manager, and holds a Bachelor of Science in Operations Management from the University of Arizona.
Mark Butler
Director of Services
Mark Butler is an exceptionally well-rounded technology professional who specializes in information security, data security and protection, and IT risk management disciplines. His broad, deep industry experience spans large corporate enterprises, technology start-ups, security vendors, resellers, and consulting/assessment firms.
As an IOActive Director of Services, Butler delivers security assessment services that provide visibility on client vulnerabilities and tangible value in solving security problems. He has direct impact on national business development, account engagement, and ownership responsibilities that cover IOActive's broad client base and standard services—including infrastructure, software, application, SCADA/Smart Grid, and incident response assessments—and also directly supports delivery of Compliance and PCI-DSS engagements.
Prior to joining IOActive, Butler held numerous positions at H&R Block, acting as Program Manager for their Privacy and Data Security, Risk/Legal/Executive Team; Information Security and Compliance Services Manager; and Security Services Manager. In 2006, he co-founded Depth Security LLC, an immediately profitable information security services organization.
Butler is a Certified Information Systems Security Professional, Certified PCI QSA (PCI-DSS Qualified Security Assessor), Certified Privacy Professional, and holds a Bachelor of Science in Business Administration from Avila University.
Glenn Kaleta
Director of Services
As a Director of Services, Glenn Kaleta leads IOActive's Incident Response and Forensics services, and also oversees ISO 27002 compliance, penetration testing, and vulnerability assessments. Kaleta has held numerous leadership positions in law enforcement, corporate investigations, and technical consulting. He has extensive experience with law enforcement-related computer forensics in addition to large-scale forensics and e-discovery projects in SOX and non-SOX corporate environments.
Kaleta uses his strong understanding of technical, forensic, legal, business, and reputational exposure to successfully lead incident response projects related to malware infection, network intrusion, employee misconduct, loss of intellectual property and PII, and external malicious activity. He has served as a subject matter expert in corporate investigations and has helped companies and non-profits develop sound policies and procedures related to technical workplace investigations, the pragmatic use of computer forensics, incident response, fraud risk assessment, and investigations management.
Prior to IOActive, Kaleta was a manager at KPMG Forensics and Vice President of Corporate Investigations at a large regional bank. Kaleta has served on FBI task forces and is a graduate of the FBI Network Intrusion Investigation course.
Andrew Turner
Director of EMEA Services
As the Director of EMEA Services, Andrew Turner leads IOActive's Information Security operations in Europe, the Middle East, and the African/Asian continents. Previously of Verizon Communications and Team Cymru, Turner has operated professionally in the information security space for over 10 years, providing international incident response and security consulting services to numerous Global 500 clients. He has extensive experience in conducting large-scale network and infrastructure security audits for meeting PCI compliance requirements. In addition, Turner has worked with many international computer emergency response teams (CERT) in the areas of cyber-threat analysis and incident response.
Turner graduated from Virginia Polytechnic Institute and State University with a Bachelor of Science in Economics.