David Brown_20150619

David Brown, CISSP, ITIL

SUMMARY

Cyber Security professional responsible for the assessments of more than 2000 complex integrated systems and applications. Strong technical foundation enables rapid acquisition of new technical knowledge. Practical cyber security advocate balancing the ever-changing demands of the external threat horizon, and internal politics, with the technical debt observed through continuous monitoring. A Risk Informed Servant Leader with exceptional ability to achieve business outcomes; in particular applying Agile and Lean practices to create a Continuous Service Improvement environment. Delivers results to the benefit of the larger team; working the boundaries to assure outcomes through improved people-process-technology interactions.

TECHNICAL EXPERTISE

Windows
Linux (RHEL/CentOS, Fedora, Debian, Apple)
Networking (LAN, WAN, Broadband, Telecoms, Telephony, VoIP, Routers, Firewalls, Content Filter, WAN Acceleration, SATCOM)
Mobile Computing
Performance Testing
Security Scanning and Detection
Auditing and Penetration Testing
Agile Project Management
FISMA, NIST, ISO 9001, 14001, 27001/27002, HIPAA, HITECH, HITRUST, SOX, PCI DSS, OWASP, ITIL, COBIT
Scaled Agile Framework
Risk Management Framework
Governance, Regulatory & Compliance (GRC)
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Network security
Operating system security
Web application security
Scanning: Compliance, Vulnerability, Reconnaissance, Footprinting, Enumeration
Identity & Access Management
Disaster Recovery
Safe Harbor
Data Loss Prevention
SDLC
CAD/CAM
Shell scripting (bash, sh, csh, ksh)
Java, Perl, Ruby, PHP, C/C++/C#, 4GL, SQL
Oracle, SAP, noSQL, Postgres, DB2
Sendmail
SNMP v1/v2/v2c, TLS, SSH, DNS, DDNS, DHCP
Netcool, Optivity, NMAP, Satan, Saint, Radius (RAS), QIP
Windows & UNIX AntiVirus Tools
Veritas, Nerve Center
Nessus, LDAP, Active Directory, Open NMS, Nagios, OpenView ITO OVO Network Node Management, Port Sentry
VMware, XenCenter
Nexpose, Metasploit, AppScan, Burp Suite, App Detective, Fortify, Backtrack, Acunetix
Solarwinds, Q-Radar, Splunk, Data Dictionary, System Center, Puppet

CERTIFICATIONS

ITIL v2011 Foundations Certificate in Service Management - 2015
CISSP - 2008
Fully Qualified Cyber Security Validator - 2008
Lean-Six Sigma Black Belt - 2001

ACCOMPLISHMENTS

Cyber Security Architect who performed design/build, administration, and support of enterprise security solutions and tools for Linux, Windows and Mobile technology

A balanced cyber security assessor who conducted system/code reviews appropriate to the threat and business environment, and made the results actionable for ready remediation

Utilized Agile, Scrum and Kanban to realize cyber security outcomes; uncovering better ways of providing value by being (and thinking) Agile, by doing it, helping others through service

Skilled Risk Management practitioner who delivers cost, schedule and capability to achieve business outcomes

Recognized by the Department of Veteran Affairs for creating the "Most Mature Security Program" in their FISMA inventory; delivered the assured services that the customer and our nation deserved, working cross-organizationally to identify and maximize emerging opportunities

Monitored security processes and procedures for continued proper operation; including enterprise security solutions for integration and automation of code-based security controls in a DevOps environment

Quantified cyber security threats by business impact and likelihood of occurrence; utilized this knowledge to focus security actions to deliver "best value to the enterprise"

Continuously monitored intrusion, event, and other log sources to quantify the health of the enterprise and identify emerging threats, both host and network based

Skilled cyber security researcher who remained abreast of security concerns, testing tools, and techniques to the benefit of the IT customer

Responsive incident manager who designed and followed the appropriate process and procedures tailored to the environment and appropriate to maintain Security Compliance for disclosure and notification

Resourceful participant in tools and methods (like SWAT) needed to minimize the impact of technical debt on the corporate assets

Recognized for engaging the entire IT staff as members of the security team through security awareness and related training and monitoring. "Education does more for security than a standing army"

Visionary who engaged stakeholders and IT staff in developing an actionable security roadmap; ensured security was included in all IT strategic planning and in all project activities, not a standalone silo

Worked with the stakeholders and contracting to establish/manage annual operating and capital budgets; was accountable for managing his portion of the budget

Supervisor who provided staffing, interview, hire, scheduling, tracking, conflict resolution, performance appraisal, project assignment, staff development, corrective counseling and termination activities

Facilitator who presented to stakeholders the status of key projects, led and/or actively participated in meetings within the scope of his assigned role

Built strategic relationships with senior management through regular proactive communications

FUNCTIONAL EXPERIENCE


Cyber Security – David is a skilled risk assessor/validator who leverages his detailed knowledge of information system operations to focus security efforts to limit negative disruption while delivering required security safeguards. Years of system design, testing and remediation success inform each recommended action yielding a practical approach to the potentially complex.

Risk – David delivers business outcomes in many functional areas by understanding the relationship between risk and reward. Regarding IT risk, the most certain risk (the issue) is that poorly-implemented/managed IT programs increase cost, delay value delivery and reduce business impacts. David reduces the negative impacts of IT by working closely with stakeholders to prioritize potential actions, focus impacts on the few most useful actions, and continuously improve the maturity of the program.

Operations – David creates and maintains a culture of continuous improvement, where risk-informed decisions are rewarded when they succeed and reviewed when they fail. Empowerment of peers and direct reports encourages them to gather facts, articulate opportunities and take actions.

DevOps – David balances the demands of operations with the requirements coming into development. By targeting development opportunities to improve operations, the development impacts of operations improvements more readily compete for development resources. Leveraging the benefits of continuous build/test the cycle time to remediation is compressed.

Privacy – David defends the privacy of information, systems, and people by applying industry best practices, remaining abreast of the ever-changing threat horizon and tailoring privacy safeguards to the specifics of the situation at hand. “One-Size Fits All” is a concept ill-suited to the present business climate.

Configuration Management – David understands “control over configuration enables the organization to focus on the target at hand.” Configuration control creates the foundation needed for agile outcomes.

Strategy – David embraces the balance between People, Process and Technology; understanding investment in one requires consideration of all. Incremental improvement needs the guiding vision of its executive stakeholder(s); information flow is critical to focus each action, which in turn yields its optimal impact.

Architecture – David designs and delivers framework and system (network, hardware, and applications) solutions tailored to the opportunity at hand; leveraging stakeholders (accountability-authority intersections) to manage their associated people, process and/or technology. Engaging stakeholders helps ensure near-term investments continue to yield during operations.

Finance – David refines raw accounting to readily consumed metrics responsive to business controls. Each business leader operates to specific outcomes unique to their circumstance; through tailored views, trends and analysis each leader is empowered to manage using near-real time accounting feedback.

Manufacturing – David thrives on the transformation of raw materials into business value; having experience in sheet metal fabrication, heavy assembly, and chemical manufacturing. He benefits from more than eight years of experience working alongside, managing and supporting shop floor workers.

Agile Coaching – David embodies the essence of agile management, refining intent to business value, within a variety of business areas. Beyond its application development origins, David has harnessed agile impacts for IT Security, Requirements Management, and Project Management purposes. Most organizations already apply the simple principles behind agile, however, orchestrating them into an organizational framework is a task not lightly taken.

PROFESSIONAL EXPERIENCE

Agile Assurance, 2014 - Present, Johnson City, TN
Owner/Independent Consultant

Agile Assurance is a provider of professional services:

Coached an IT department of a Fortune 500 company on Agile practices
Director of IT Security Services for a healthcare system. Implemented HIPAA and HITECH controls.
Conducted Meaningful Use assessment
Conducted vendor risk assessments
Developed HIPAA/HITECH security policies
Developed security training
Encouraged teams and individuals to remain security minded in both their methods and practices, helping people rethink and change the way they deliver security services.

Clients: Mountain State Health Alliance, American Cancer Society, Michelin

United States Department of Defense, 2009 - 2014
Assurance Risk Manager

This Department of the Navy activity operates as a federal consulting group (to Defense, Treasury, Commerce, Transportation, State, DHS, NSF to name a few) providing advanced information technology design-build services.

Responsible for delivering assurance services to enable authority to operate as required by FISMA. Working with the details of security and assurance, providing process (how to) and execution (results), my primary mission is to refine project results to an executive level as evidence of continued proper operation.

Implemented new Agile Assurance, process driven, Security practices which started and ended with People; self-managed through Agile Scrum. Specifically, fostered leadership accountability, and provided visibility into the security control points by providing comprehensive, actionable improvements and gap analysis within the Assurance Wheelhouse

Worked directly with the Department of Veteran Affairs, Office of Cyber Security, overseeing the cyber assurance for a politically charged / high visibility, $116M+ program, improving the Security, analytics, and the productivity of the project

Recognized as the Agile Assurance SME for complex, multidimensional programs; and for mastery of FISMA, NIST, and organizational security requirements through ready refinement into actionable outcomes

Honeywell Technology Solutions, Inc., 2006 - 2009
Assurance Lead

Honeywell Technical Services is a wholly owned subsidiary of Honeywell International which provides technical services primarily to local, state and federal government activities. Non-government sectors included banking, utility and industrial customers.

Responsible for delivering security testing and analysis with a specialty in risk management of large complex systems, which dampens the impact of transient political noise.

Recognized as the first to provide holistic Information Assurance Accreditation Services to the Navy's leading Tactical Transport Program of Record. These services resulted in the survival of this system under targeted attack during time of war; the only means of tactical communication available to the operations theater for a period of more than two weeks

Awarded for establishing the competitive basis for vulnerability management vs capability development decisions

Put to task for breaking from prescriptive scan-fix tradition; developed cooperative-collaborative best effort security practices

Exsil Inc., 2004 - 2006
Department Manager

Exsil Inc. is a wholly owned subsidiary of Rockwood International which provides specialty chemicals and advanced materials, specifically in Silicon Wafer Reclaim.

Responsibilities included Management over the Information Technology and Materials Departments, and development lead for the web-enabled plant-wide Manufacturing Execution System (MES).

Enabled ISO-9001 / ISO-14001 Registered Manufacturer Certification by tracking customer and consumable materials plant-wide

Established basis for Sarbanes-Oxley Act compliance through technical upgrades and process improvements; provided evidence of proper management of information systems

Recognized for delivering targeted value with minimum operational cost through the skilled use of kaizen events to define process improvement opportunities and solution parameters

Honeywell, 1996 - 2004
Process Lead

Honeywell Home and Building Controls is a wholly owned subsidiary of Honeywell International, and provides life safety and energy management products and services.

Promoted several times, starting in Energy, Lighting, Fire and Security installation designs and programmed control applications, and ending in my process lead role over interoperability integration of estimating and material ordering/tracking systems. My most interesting activity involved developing a top-down breakdown of goals and objectives to better enable the annual business planning cycle.

Developed process management tools including:
o Web based estimating and material ordering/tracking ($2.5 Mil savings) and Web based user application training
o Rebate tracking enhancement to the Oracle reporting application ($500K annual recurring savings)
o Supply Management ($5.8 Mil savings)
o AP / AR (write off of $126 Mil uncollectable, NVA cost avoidance $3.2Mil annual recurring)
o Service Delivery ($800K annual recurring savings)
o System Engineering ($120K annual recurring savings)
o Call Center: Customer Support / HR / Recruiting / Workforce Scheduling ($1.5 annual NVA cost avoidance, $2.5Mil in tax credits, $5Mil direct savings)

EDUCATION

University of Phoenix
Master of Science (MS), Computer and Information Sciences and Support Services

East Tennessee State University
Bachelor of Science (B.S.), Electronic Engineering Technology (EET)