Wells Larsen

Risk-First Business Enablement: I build security programs that deliver frictionless enterprise growth while embedding risk, compliance, and resilience.

Translation Mastery: I convert complex technical risk into compelling business narratives that drive C-suite action and board confidence.

Cultural Architecture: I design and embed self-sustaining cultures of security awareness and shared accountability, turning compliance into a source of organizational pride.

Servant-Strategic Leadership: I multiply talent and scale enterprise resilience by insourcing key roles, hiring expert leaders, and empowering teams to own outcomes.

Executive Alignment: When presenting to ELT, I translate technical risk into business and financial terms that drive informed, risk-aligned decisions.

Post-Breach Recovery: I partnered with counsel on OCR response and litigation preparation, closed breach-related gaps, implemented bi-annual audits, and established CMMI-based maturity assessments to rebuild executive and regulatory trust.

Organizational Redesign & Delivery Gains: I restructured the program into Security Engineering, SOC, and Service Delivery, insourced 38 roles and hired senior leaders, increasing project delivery 132% and reducing MTTR 67%.

Executive Governance & Operating Model: I formalized an executive charter defining shared accountability between the CISO Office and ELT, unified HIPAA, NIST, and ISO 27001 under one operating model, and launched councils for technology, security, and emerging tech governance.

Program Architecture & Elevation: I transformed four core security domains into structured sub-programs with appointed leaders, defined maturity roadmaps, and embedded continuous improvement cycles that sustain progress long after initial transformation.

TVM: The program cleared a backlog of 100K+ CVEs in seven months, expanded coverage to OT and medical devices, and implemented a maturity roadmap to sustain reduced exposure.

IAM: I rescued a failed SailPoint deployment, reduced onboarding incidents 78%, eliminated social engineering, and modernized password management with Azure SSPR.

Security Awareness: I hired a program lead and launched the “Security is Everyone’s Responsibility” campaign, embedding shared accountability and measurable culture KPIs.

Cyber Fusion Center: I recruited a former FBI incident response leader and evolved the SOC into a Cyber Fusion Center integrating threat hunting, intelligence, and response, with defined capability-maturity metrics.

Risk Transparency for Decisions: I centralized the enterprise risk register, standardized scoring, and instituted ELT-level financial impact reporting to align security investments with measurable risk reduction.

Zero Trust Architecture Modernization: I’m leading the organization’s shift from a legacy castle-and-moat model to a modern Zero Trust architecture that enables the business to adopt cloud services with confidence. I developed a three-year roadmap and sequenced foundational initiatives — CMDB overhaul, RBAC redesign with least privilege, and network segmentation — establishing the core framework for scalable, identity-driven Zero Trust adoption.

AI Governance & Data Protection Framework: I established an enterprise AI governance framework that enabled the business to adopt AI rapidly and responsibly. I embedded AI into the enterprise risk model and aligned it with NIST, ISO 27001, and GDPR to create a repeatable standard for evaluating AI use cases. I formed an AI Governance Board that brought business and clinical leaders into shared decision-making and standardized how each initiative is reviewed for risk, ethics, and compliance. I also secured M365 and Azure data sources so AI models train only on governed, trusted information, allowing the business to move forward with rapid AI adoption while maintaining trust and accountability.

Executive Clarity: I built a fully automated Power BI dashboard as a single source of truth for KPIs, risk and incident flow, project status, intake, and high-risk approvals — translating complexity into board-level clarity.

Resilience & Continuity: I achieved 100% BCP plan currency across business units and led quarterly DR tabletops to validate RTO and RPO and update recovery runbooks.

Recognition: Program & CISO named to Becker’s Hospital Review “53 CISOs & CPOs to Know (2025)” and personally recognized as DC100 Top 100 Deputy CISO (2025).

Managed Service Provider (MSP) Business Builder: Co-founded and scaled Optum’s Managed Service Provider (MSP) from a 5-person startup into a multi-billion-dollar line of business that helped small and mid-sized providers stay profitable and independent by reducing information technology (IT) spend, improving service quality, and accelerating modernization across seven healthcare systems.

Systems-Thinking Operating Model (Shared Services + Local Leadership): Applied systems thinking to design a hybrid operating model combining centralized shared services (standards, policies, procedures, reusable platforms), including Security Operations Center as a Service (SOC-as-a-Service) and Fully Managed Cloud-as-a-Service, with embedded local leaders aligned to regional priorities — strengthening trust, improving execution consistency, and scaling outcomes across healthcare systems.

Policy-Driven Cloud Guardrail System (Policy-as-Code + Everything-as-Code): Conceived and led the policy-driven cloud guardrail system powering Fully Managed Cloud-as-a-Service, enabling rapid builds in Microsoft Azure (Azure) and Amazon Web Services (AWS) while maintaining security and compliance by default. Delivered self-service provisioning that triggered Continuous Integration/Continuous Delivery (CI/CD) automation to apply policy baselines, enforce controls, and run Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), reducing provisioning and compliance cycles from months to days.

Executive Partnership (vCISO and vCIO): Served as virtual Chief Information Security Officer (vCISO) and virtual Chief Information Officer (vCIO) across six healthcare systems, advising executives on sequencing security investments, aligning roadmaps to business priorities and regulatory expectations, and improving service reliability with measurable risk reduction.

Strong Ground Leadership: (Psychological Safety + Thought-Leadership Pipeline): Built “Strong Ground” conditions across teams by prioritizing psychological safety, clear decision rights, and coaching with high accountability. Developed leaders who surfaced risk early, learned out loud, and carried standards forward — growing resilient thought leaders and durable ownership that sustained outcomes through change.

Expanded a security operations engineering team from 8 to 25 members within a year, overseeing the management of 22 enterprise security platforms.

Collaborated with cross-functional teams to enhance security and stability across Target.com and retail stores, achieving greater organizational resilience and efficiency in a post-breach environment.

Led the comprehensive overhaul of Target's Root Cause Analysis (RCA) and problem management program, resulting in over $500,000 in savings in 2015 compared to the previous year.

Developed and deployed automation services to streamline workloads, achieving $200,000 in savings in 2013.

Identified and resolved a critical flaw in the SSL renewal process, designing automation to prevent downtime on Target.com, which avoided millions of dollars in potential lost revenue and eliminated the need for a costly third-party solution.

Led Tier 2 (T2) troubleshooting, diagnosing defects, data issues, and integration failures impacting patient monitoring workflows.

Built Linux and Bash automation for log analysis and triage, reducing time to resolution and improving repeatability of root cause analysis.

Developed interim middleware fixes and software workarounds designed to remain stable for 12+ months, enabling safe operation while remediations progressed through Food and Drug Administration (FDA) review cycles.

Partnered with engineering, quality, and clinical stakeholders to ensure mitigations met safety, privacy, and regulatory expectations.

Added network security engineering and infrastructure hardening responsibilities (firewalls, load balancers, platform stability), improving resilience and availability for a global patient-care platform.

Directed engineers and vendors to deliver capacity and reliability upgrades, including Business Continuity and Disaster Recovery (BCDR) procedures and major storage expansion.

FuturistCISO Award 2025: CXO Inc.: A peer-recognized honor presented at CXO Inc.’s CISOMeet events to CISOs who articulate and lead a forward-looking security vision—often highlighting AI, business enablement, and readiness for emerging threats. Winners are typically selected by fellow CISOs at the event.

DC100 - Top Deputy CISO 2025: CISOs Connect: Recognized among the 2025 DC100 Top 100 Deputy CISOs by CISOs Connect, highlighting leadership and impact in building and advancing modern security programs.

Program recognition: CISO (Stacy Stika) named to Becker's Hospital Review '53 CISOs & CPOs to Know (2025): Stacy Stika (CISO) was recognized for leading an 18-month transformation of the security program following a breach, strengthening resilience, governance, and organizational trust.

Executive alignment (vCIO and vCISO): Drove IT and InfoSec strategy alignment with exec leadership (roadmaps, investment decisions), with dotted-line influence across ~600 employees.

Product Delivery: Delivered an everything-as-code secure guardrails cloud platform and launched SOCaaS, leading a 25-person DevOps/DevSecOps team.

Board Member - CyberRisk Collaborative - Twin Cities Chapter: The Twin Cities Leadership Board is a group of local leaders committed to the idea that national security and critical infrastructure resiliency is strengthened through peer-to-peer knowledge sharing, diversity, and leadership development.

Advisory Board Member - Halcyon's Healthcare Advisory Board: The Halcyon Healthcare Advisory Board brings together experienced healthcare and technology leaders to help shape Halcyon’s approach to innovation in complex, high-trust healthcare environments. The board provides strategic guidance on responsible adoption, risk, trust, and governance, ensuring that healthcare-focused initiatives and founders are supported with the right guardrails to scale safely and effectively.

Mentor - Irvine Technology Corporation (ITC) - Women in Technology Leadership Program: This program is designed to empower women pursuing technology leadership roles by providing them with a rigorous 13-week curriculum tailored to advance their careers toward CIO, CISO, and executive positions.

Member - Private Directors Association: Member of the Private Directors Association (PDA), a national organization dedicated to helping private companies build high-performing boards. PDA focuses on the unique governance needs of private, family-owned, employee-owned, and private equity-backed companies and connects executive leaders who are current and aspiring board members. Currently seeking private board certification.

Member - Gartner C-Level Communities: Gartner C-Level Communities fosters leadership development and collaborative exchange among North America's top executives. We bring together thousands of c-suite executives each year to create unmatched opportunities for leaders of the best companies to network, share, and learn.

Member - SANS CISO Network: An exclusive networking group for CISOs and senior security professionals. The SANS CISO Network provides its members with a platform to influence our digital future and make the world a safer place.

Member - InfraGard: InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia and state and local law enforcement; each dedicated to contributing industry specific insight and advancing national security.

Member - Team8 CISO Village: The Team8 CISO Village is a global community of cyber security senior executives, CISOs and thought leaders from leading enterprises. The Village is an avenue for exchanging ideas, collaborating as an industry, and promoting innovation in cyber security.

Member - The CISO Society: The CISO Society is a private community of CISOs collaborating on everything from security strategy, industry challenges, project roadmaps, technology partners, talent acquisition, leadership and investments. They promotes trusted, peer-reviewed decision-making and strategic collaboration, facilitate vendor due diligence backed by actual CISO feedback, supports leadership development—transforming technical roles into strategic business enablers and help members stay ahead on hot topics like AI risk governance, third-party resilience, and team well-being.

Advocate - KDIGO (Kidney Disease: Improving Global Outcomes): An independent, global nonprofit organization that develops and publishes evidence-based clinical practice guidelines for kidney disease. KDIGO's mission is to improve the care and outcomes of people with kidney disease worldwide by promoting coordination, collaboration, and consensus in the development and implementation of high-quality, evidence-based clinical guidelines across the full spectrum of kidney health.

Where to Hear the Most Thoughtful Warnings About Artificial General Intelligence (AGI) Risk: A Podcast Listening Guide

Why Are Health Systems Pushing Back on HHS?

Empathy Is the Strategy: Why Inclusion Is a Prerequisite for Culture Transformation

Practical Security Is Empathy in Action

Thoughts on Security Awareness: Why Phishing Training Alone Falls Short

Enough Talk: Let’s Move the AI Conversation Forward

Psychological Safety in the Workplace: I believe teams do their best work when it is safe to ask questions, surface risk early, and disagree respectfully. Psychological safety creates the conditions for accountability, learning, and speed without blame.

Responsible & Ethical AI Adoption: I support narrow-focus Artificial Intelligence that advances innovation in practical, measurable ways. At the same time, I am cautious about Artificial General Intelligence (AGI), where capability may outpace governance and control could be lost. I advocate for transparent, well-governed use of Artificial Intelligence with clear guardrails, accountable stewardship, and a bias toward preventing harm.

Transplant Awareness: Organ donation and transplant programs save lives and restore families. I support efforts that increase awareness, access, and empathy for the long path patients and caregivers walk before and after transplant.

Innovative Healthcare: Healthcare should be both high-trust and high-velocity. I support innovation that improves care delivery, reduces clinician burden, and strengthens patient safety without adding unnecessary complexity.

Animal Protection: I have a deep love for dogs, and that love extends into a broader commitment to humane treatment and reducing animal suffering. I support responsible stewardship, rescue and adoption efforts, and practical policies that protect vulnerable animals.

Environmental Protection: Healthy environments are foundational to human health and long-term stability. I support practical, responsible action that preserves natural spaces and reduces harm for future generations.

Neurodiversity & ADHD Inclusion: Human cognition is not one-size-fits-all. I support environments that recognize and value neurodivergent ways of thinking, including Attention-Deficit/Hyperactivity Disorder (ADHD). When organizations design work around clarity, flexibility, and trust—rather than rigid norms—they unlock creativity, pattern recognition, deep focus, and innovation that might otherwise be lost. I advocate for practical accommodations, reduced stigma, and leadership approaches that see neurodivergence not as a deficit to be managed, but as a capability to be understood and supported.

People Skills for a Virtual World Collection By: Harvard Business Review

Harvard Business Review Emotional Intelligence Collection By: Harvard Business Review

Being Your Best Collection By: Harvard Business Review

Captivate By: Vanessa Van Edwards

Cues By: Vanessa Van Edwards

Things My Son Needs to Know about the World By: Fredrik Backman

A Man Called Ove By: Fredrik Backman

Any Dumb-Ass Can Do It By: Garry Ridge

The Grand Philosophy Collection By: Marcus Aurelius

Late Bloomers By: Rich Karlgaard

Falling Upward By: Richard Rohr

Trust and Inspire By: Stephen M.R. Covey

Daring Greatly By: Brené Brown

Read Your Mind By: Oz Pearlman

Atlas of the Heart By: Brené Brown

Rising Strong By: Brené Brown

Strong Ground By: Brené Brown

The Next Conversation By: Jefferson Fisher

Alchemy By: Rory Sutherland