Kevin Villanueva


Kevin has been in the information technology field since 1997 and leads the firm’s IT infrastructure and security practice. He specializes in government, not-for-profit, private entity, higher education, and health care clients. His areas of practice include IT security assessments; penetration testing; PCI DSS assessments; HIPAA compliance auditing; HITRUST readiness and validation assessments, strategic technology planning; disaster recovery and business continuity planning; policies, procedures, and documentation development; and project management. In addition, he has designed and conducted technology assessments based on the internationally recognized ISO/IEC 27001/2, NIST, and COBIT standards, and has served as technical counsel on hundreds of technology security projects.

Selected Publications

  • "Improve Cybersecurity Program Reporting with Time-Based Metrics" (SC Magazine, January 2019)
  • "FSA Updates Cybersecurity Compliance FAQs" (Moss Adams Insight, May 2018)
  • "Safeguard Sensitive Patient Data with HITRUST CSF Controls" (Puget Sound Business Journal, May 2018)
  • "How to Improve Cybersecurity and Protect Your Organization" (Moss Adams Insight, October 2017)
  • "Protect Patient Data by Executing Best Practices and Controls with the HITRUST CSF" (Moss Adams Insight, July 2017)
  • "Evaluating Healthcare IT Security: A Holistic Approach" (California Healthcare News, August 2016)
  • "Assess Your IT Security to Creat a Competitive Advantage" (Moss Adams Insight, May 2016)
  • "Stay Ahead of Cybersecurity Breaches and Off the Media’s Radar" (Moss Adams Insight, June 2015)
  • "Cybersecurity: Net Threats Rise" (North Bay Business Journal, January 2015)
  • "Protecting Patient Data in the Cloud" (Healthcare News, June 2014)
  • "The SEC’s New Focus on Cybersecurity for Broker-Dealers and RIAs" (Moss Adams Insight, May 2014)
  • "Protecting Yourself and Your Organization from Heartbleed" (Moss Adams Insight, April 2014)

Selected Speaking Engagements

  • Are You Ready to Deal With a Cyberattack?
    (OGFOA 2018 Fall Conference, Salem, October 2018)
  • Red Team Penetration Testing: Taking the Offensive in Cybersecurity
    (Moss Adams Webcast, June 2018)
  • Why You Got Hacked (and how to make sure it doesn't happen again)
    (Healthcare Financial Management Association Webinar, May 2018)
  • Emerging Cyber Threats to Casinos
    (National Indian Gaming Conference, April 2018)
  • Internal Controls: Top Reasons Your Tribe Got Hacked
    (Native American Finance Officers Association Conference, April 2018)
  • Five Challenges Every Chief Information Officer Faces
    (Moss Adams Webcast, October 2017)
  • IT You Can Use: Third-party Cloud Risks
    (Moss Adams Webcast, June 2017)
  • Protecting Health Care IT: Understanding the Benefits of HITRUST Certification
    (Moss Adams Webcast, April 2017)
  • Cybersecurity Best Practices for Casino Operations
    (National Indian Gaming Association, Indian Gaming Tradeshow & Convention, April 2017)
  • Cybersecurity: Fraud Prevention and Cybersecurity
    (Maritime Commerce Club, February 2017)
  • Disaster Recovery
    (Northwest Association of Financial Professionals, February 2017)
  • The Internet of Things - Smart Devices, Not So Smart Technology
    (University of San Diego, Not-For-Profit Governance Conference, January 2017)

Professional Affiliations

  • Member, Information Systems Audit and Control Association


  • BS, business administration, Pepperdine University