Miguel Horta

Security, Compliance & Automation

San Francisco, CA · miguelhorta408@gmail.com

Summary

Security GRC leader with 8+ years owning and scaling risk, compliance, and automation programs. Builds the infrastructure others audit against by consolidating frameworks, eliminating manual evidence work, and integrating AI and automation into live compliance operations. Known for displacing legacy tooling while delivering metrics and board-level visibility into security posture.

Experience

Staff Security GRC Engineer / Manager

Ripple Labs, Inc. · San Francisco, CA

  • Automated User Access Reviews (UARs) for compliance audits across 100% of in-scope apps, integrating Workday and 120+ system reports via Tines to cut review cycles from 2+ months to one.
  • Integrated Claude (AWS Bedrock) into UARs to flag terminated users against Workday records, analyze access lists for non-integrated apps, and perform AI-powered final checks after human reviews, reducing manual effort and improving SLAs.
  • Built the Third-Party Security Evaluation (TPSE) module in LogicGate, using Tines to orchestrate ETL jobs between LogicGate, ZIP, BitSight, and Oracle Finance Procure-to-Pay, automating 300+ monthly notifications and 20 assessments/month, saving $80K annually.
  • Integrated Claude (AWS Bedrock) into TPSE to auto-review pen test and compliance reports, summarize findings, and auto-approve low-risk vendors by evaluating ISO 27001, SOC 2, and InfoSec policy documents.
  • Built Ripple's first security maturity scorecard, consolidating 1,500+ controls across NIST, SOC 2, ISO 27001, CIS, and NYDFS into 300 Ripple Universal Controls, serving as a board-level reporting artifact for 3+ years.
  • Delivered 300+ automated evidence pipelines by establishing programmatic API access across 20+ systems (Okta, Workday, AWS, GCP, Azure, GitLab, Salesforce, and others), automating 60% of SOC 2 records and saving 57 hours per audit cycle. Integrated Gemini AI to guarantee source system integrity by generating API call logs and payload output at execution.
  • Deployed AI-driven controls testing using Claude and Gemini, achieving 34.3% automated coverage across 49 control tests and 530 regulatory requirements, surfacing overprivileged Vault policies, GitLab groups, and LDAP misconfigurations.
  • Founding member of Ripple's AI Strike Team, defining and operationalizing the AI Software Risk Methodology.
  • Extended automation to Learning & Development (98% on-time training), Finance Operations (5 hrs/week saved), Privacy Data Inventory, and Partner Onboarding.

Cybersecurity Analyst

Visa, Inc. · Foster City, CA

  • Owned the CIS V8 framework implementation from gap analysis through rollout: mapped V7.1 to V8 (184→166 sub-controls) across 140+ process owners and led 50+ stakeholder walkthrough sessions to calculate maturity scores across four consecutive assessment cycles.
  • Architected a Power BI security maturity scorecard incorporating 50+ Key Risk Indicators (KRIs) across vulnerabilities, encryption key management, DDoS, SIEM, and endpoint malware. Reported results to the board bi-annually, directly enabling $1M+ in business-approved security projects.
  • Automated 20+ recurring monthly data workflows via Power Automate (JSON and HTML), saving ~10 hours/month across a 4-person team.

Technology Risk Consultant

Ernst & Young, L.L.P. · San Jose, CA

  • Delivered SOX, SOC 2 Type 2, ISO, and WebTrust assessments for Fortune 500 clients (Google, Lyft, New Relic) through IT control testing, SQL code reviews, and threat modeling across 20+ apps.
  • Managed three offshore staff, reviewing work papers daily to maintain audit quality.

Insurance Risk Specialist

State Farm · San Jose / Santa Barbara, CA

  • Generated $300K+ in annual revenue by identifying liability risk exposure and selling insurance policies through in-person financial reviews.

Leadership

Speaker: Tines West Conference, LogicGate Agility Conference 2026, LogicGate Customer Advisory Board, OWASP Chapter Meetup. Consistently presents to internal InfoSec All-Hands and company-wide Engineering All-Hands.

Open Source: Published 4 GRC automation templates to the Tines community library: Automated User Access Reviews, Automated Evidence Collection, Automated Control Testing, Third-Party Breach Monitoring.

Education & Certifications

San Jose State University

B.S. Information Systems

  • Tines Silver Builder (Top 1%)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • AWS Solutions Architect Associate
  • AWS Cloud Practitioner
  • Kubernetes & Cloud Native Associate (KCNA)
  • HashiCorp Vault Associate
  • LogicGate Power User

Skills

API Integrations

Okta, Workday, Salesforce, Azure, GCP, AWS, GitLab, GitHub, Grafana, Vault, JupiterOne, Atlassian, Freshservice, Greenhouse, BigQuery, Databricks, Datadog, Fireblocks, BillingPlatform, and internal homegrown applications

Automation & Platforms

Tines, LogicGate, Retool, Power Automate, Zapier, Google Apps Script

Languages

Python, JavaScript, SQL, JSON, HTML/CSS, VBA

Cloud & Infra

AWS (RDS, DynamoDB, S3), Azure, GCP, Kubernetes, HashiCorp Vault, Docker

Security Tools

Okta, GitLab, BitSight, CrowdStrike, Lacework, Brinqa, JupiterOne, Semgrep

Visualization

Tableau, Retool, Power BI, Lucidchart

GRC Frameworks

NIST, SOC 2, ISO 27001, CIS, SOX, NYDFS, DORA, PSD2, WebTrust

AI & LLMs

Claude (AWS Bedrock), Gemini, prompt engineering, AI-driven controls testing