Brandon Cal

Senior Security & Privacy Professional


Experience

Data Protection & Incident Response

TikTok USDS JV

2025 – present

Bellevue, WA

  • Sole West Coast data-protection incident responder for USDS — the independent entity established to govern and safeguard U.S. user data — operating independently across triage, containment, and remediation of escalated incidents on a distributed national response team.
  • Own program management for Joint Venture–to–Global playbook development on insider risk and protected data-sharing, and lead data impact analysis across federated data systems on escalated matters.

Incident Commander

Alphabet (Google)

2019 – 2025

Sunnyvale, CA

  • Served as Incident Commander for Alphabet's highest-severity privacy and trust incidents (S1 through P0) across Gmail, YouTube, Drive, and Google Cloud Platform — directing cross-functional response spanning engineering, product, legal, comms, and support from detection through remediation and postmortem. Recognized by a Google VP of Engineering for incident command on a Drive P0.
  • Owned executive incident communications for all S1+ events, authoring executive updates and briefing decks that translated technical exposure into decision-ready guidance for product and legal leadership.
  • Drove regulatory incident response on long-tail matters involving FTC demand letters and the Google Buzz and YouTube consent decrees, coordinating program management across legal and product to meet binding regulatory obligations.

Security & Privacy (GDPR Intern to Analyst)

SAP (Concur)

2017 – 2019

Bellevue, WA

  • Held Public Trust (T2) clearance handling CUI; owned security program management for Concur's public-sector environments, including a FISMA re-ATO in the GSA environment and a DoD prototype build-out in AWS GovCloud.
  • Supervised two junior analysts and ran the Vendor Risk Management Program, conducting compliance and risk reviews across security operations, product, legal, and procurement.
  • Delivered privacy program operations: PIAs and DPIAs for product teams, data-subject request handling (SARs/DSARs), customer audit questionnaires, and data protection agreements (MDPAs, security exhibits).

Certifications

Security

  • ISC2 | Certified Information Systems Security Professional (CISSP)
  • GIAC | Cloud Security Automation Certification (GCSA)
  • GIAC | Certified Forensic Analyst (GCFA)
  • GIAC | Certified Incident Handler (GCIH)
  • GIAC | Certified Intrusion Analyst (GCIA)
  • GIAC | Defensible Security Architecture (GDSA)
  • GIAC | Network Forensic Analyst (GNFA)

Privacy

  • IAPP | Certified Information Privacy Manager (CIPM)
  • IAPP | Certified Information Privacy Professional – United States (CIPP/US)
  • IAPP | Certified Information Privacy Technologist (CIPT)

Audit

  • ISACA | Certified Information Systems Auditor® (CISA)

Education

SANS Technology Institute (Bethesda, MD)
In-progress: MS, Information Security Engineering

Washington State University (Pullman, WA)
BA, History (cum laude)

Memberships

  • Association for Computing Machinery (ACM)
  • Information Systems Audit and Control Association (ISACA)
  • Institute of Electrical and Electronics Engineers (IEEE)
  • InfraGard
  • International Association of Privacy Professionals (IAPP)
  • National Association of Corporate Directors (NACD)