Dave Gordon


Co-Founder, Tincture Risk Solutions

Help people and their businesses establish and maintain healthy third party relationships involving sensitive data. We can help you assess third party privacy and security practices; detangle your technology portfolio; demystify a security questionnaire; train your employees; develop organizational data policies; and prepare for various types of information technology audits and assessments.

Information Security Manager, Aetna

Created and led subsidiary third party risk governance program for over 20 lines of business (~7,000 employees) including bSwift, PayFlex, and Aetna International. Collaborated with enterprise legal, procurement, privacy, and compliance as well as subsidiary management to assess and manage varied and complex 3rd party relationships.

Senior Information Security Engineer, Aetna

Led security and risk management initiatives across multiple technology-heavy lines of business focused on alignment with major industry frameworks, e.g., HIPAA, HITECH, NIST 800-53, PCI-DSS, WCAG, BSIMM, etc.

Researcher, Microsoft

Produced privacy design recommendations for the smart grid; aided privacy management team in assessing new products for compliance with Microsoft Privacy Standard.

Software Engineer, Noein Inc.

Developed custom web solutions for local businesses in multiple web languages and frameworks; additional duties in system administration, requirements elicitation, proposal drafting, and legacy system analysis.


Here's a bunch of letters I spent years of my life on.

Ph.D. Engineering and Public Policy

Carnegie Mellon University

Advised by Travis D. Breaux, my research focused on how multi-jurisdictional organizations contend with information privacy and security laws, regulations, and the like. I received funding from the HP Innovation Research Program, the Institute for Information Infrastructure Protection (I3P) as well as the National Science Foundation via their IGERT program. In addition, I served as a TA for an undergraduate senior capstone course on the digital divide as well as graduate level courses on Privacy, Policy, Law and Technology.

M.S. Engineering & Public Policy

Carnegie Mellon University

Coursework in policy analysis, data modeling, statistics, human judgment and decision making, risk analysis, and privacy and security.

MBA, Business Administration

University at Buffalo

Cohort-based MBA program with a focus on consulting, management, and strategy. Winning team: WNY Economic Challenge Competition, Steven Verney Case Competition, CITI Career Advantage Competition.

B.A., Computer Science

SUNY Geneseo

TA'd Introduction to Computer Science; member of Phi Beta Kappa, Dean's List, Computer Science Outstanding Student Scholar Award, Golden Key Honor Society

B.A. Music (Voice)

SUNY Geneseo

TA'd Intermediate Music Theory and led numerous student performing organizations, including NARD (barbershop quartet), SouthSide Boys (male a cappella), Exit 8 (coed a cappella, 4), Chamber Singers, Musical Theatre Club, and Student Music Association. Stage performances included Forever Plaid, Urinetown, The Grey Zone, Assassins, and Pacific Overtures.

Additional Certifications


I'm also "certified" in a number of areas, meaning I took a one- or two-day seminar and/or passed a multiple choice test given by an overblown professional networking organization. These include a CISM (ISACA), a CSPO (Scrum Alliance), a CIPT (IAPP), a vBSIMM (BSIMM), and a CTPRP (Shared Assessments).


I'm not a full stack developer and will never claim to be, but I still spend a lot of time in text editors or a terminal.

Client-side Development

JavaScript (jQuery, Bootstrap, others), [S]CSS, Phaser

Server-side Development

JavaScript (Node, React), Python, gulp, git, Rally

Cloud Operations

Most of Amazon Web Services (AWS), some Azure and Google

Cloud Administration

Google for Business, Office365, Owncloud

*nix OSs, Desktops

Debian Family (incl. Kali, Raspbian), Arch, OS X; GNOME, XFCE, e17

Other Languages

R, Scheme (LISP), Perl


I've spent a significant amount of my free time on stage singing, acting, and duping choreographers into ignoring my two left feet. Some of my favorite experiences have included:

Gaston, Beauty and the Beast, Vintage Theatre
Ensemble, Hello Dolly, Performance Now
Smudge, Forever Plaid, Performance Now
Aaron Fox, Curtains, Vintage Theatre
Officer Lockstock, Urinetown, Equinox Theatre
Ivan, Women on the Verge, Equinox Theatre
Ensemble, Aida, Pittsburgh Opera
Ensemble, Don Giovanni, Pittsburgh Opera
Ensemble, Handel's Messiah (staged), Pittsburgh Symphony
Principal Singer, Multiple performances, Buffalo Philharmonic


I've had some research published, most of it relating to IT privacy and security governance. For a full list please contact me.

Without Borders: Addressing Legal Requirements in Multi-Jurisdictional IT Environments

David G. Gordon, PhD Dissertation, Carnegie Mellon University, 2014.

The Role of Legal Expertise in Interpretation of Legal Requirements and Definitions

David G. Gordon, Travis D. Breaux, IEEE International Requirements Engineering Conference. 2014.

Legal Aspects of Cloud Computing (book chapter)

David G. Gordon, Cloud Computing Encyclopedia. Wiley Publishing, 2015.

Assessing Regulatory Change through Legal Requirements Coverage Modeling

David G. Gordon, Travis D. Breaux, IEEE International Requirements Engineering Conference. 2013.

Too Much, Too Late: What Just In Time Notifications Really Indicate

David G. Gordon, Janice Tsai, Workshop on Risk Perception in IT Security and Privacy. 2013.

A Cross-Domain Empirical Study and Legal Evaluation of the Requirements Water Marking Method

David G. Gordon, Travis D. Breaux, Requirements Engineering Journal. 2013.