David Brown, CISSP, ITIL
SUMMARY
Cyber Security professional responsible for the assessments of more than 2000 complex integrated systems and applications. Strong technical foundation enables rapid acquisition of new technical knowledge.
Practical cyber security advocate balancing the ever-changing demands of the external threat horizon, and internal politics, with the technical debt observed through continuous monitoring.
A Risk Informed Servant Leader with exceptional ability to achieve business outcomes; in particular applying Agile and Lean practices to create a Continuous Service Improvement environment.
Delivers results to the benefit of the larger team; working the boundaries to assure outcomes through improved people-process-technology interactions.
TECHNICAL EXPERTISE
Windows, Linux (RHEL/CentOS, Fedora, Debian, Apple)
Networking (LAN, WAN, Broadband, Telecoms, Telephony, VoIP, Routers, Firewalls, Content Filter, WAN Acceleration, SATCOM)
Mobile Computing
Performance Testing
Security Scanning and Detection
Auditing and Penetration Testing
Agile Project Management
FISMA, NIST, ISO 9001, 14001, 27001/27002, HIPAA, HITECH, HITRUST, SOX, PCI DSS, OWASP, ITIL, COBIT
Scaled Agile Framework
Risk Management Framework
Governance, Regulatory & Compliance (GRC)
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Network security, Operating system security, Web application security
Scanning: Compliance, Vulnerability, Reconnaissance, Footprinting, Enumeration
Identity & Access Management
Disaster Recovery
Safe Harbor
Data Loss Prevention
SDLC
CAD/CAM
Shell scripting (bash, sh, csh, ksh); Java, Perl, Ruby, PHP, C/C++/C#, 4GL, SQL
Oracle, SAP, NoSQL, Postgres, DB2
Sendmail, SNMP v1/v2/v2c, TLS, SSH, DNS, DDNS, DHCP, Netcool, Optivity, NMAP, SATAN, SAINT, Radius (RAS), QIP
Windows & UNIX AntiVirus Tools
Veritas Nerve Center
Nessus, LDAP, Active Directory, OpenNMS, Nagios, OpenView ITO/OVO, Network Node Management, Port Sentry, VMware, XenCenter, Nexpose, Metasploit, AppScan, Burp Suite, App Detective, Fortify, Backtrack, Acunetix, Solarwinds, Q-Radar, Splunk, Data Dictionary, System Center, Puppet
CERTIFICATIONS
ITIL v2011 Foundations Certificate in Service Management - 2015
CISSP - 2008
Fully Qualified Cyber Security Validator - 2008
Lean-Six Sigma Black Belt - 2001
ACCOMPLISHMENTS
Cyber Security Architect who performed design/build, administration, and support of enterprise security solutions and tools for Linux, Windows and Mobile technology
A balanced cyber security assessor who conducted system/code reviews appropriate to the threat and business environment, and made the results actionable for ready remediation
Utilized Agile, Scrum and Kanban to realize cyber security outcomes; uncovering better ways of providing value by being (and thinking) Agile, by doing it, and by helping others through service
Skilled Risk Management practitioner who delivers cost, schedule and capability to achieve business outcomes
Recognized by the Department of Veterans Affairs for creating the “Most Mature Security Program” in their FISMA inventory; delivered the assured services that the customer and our nation deserved, working cross-organizationally to identify and maximize emerging opportunities
Monitored security processes and procedures for continued proper operation; including enterprise security solutions for integration and automation of code-based security controls in a DevOps environment
Quantified cyber security threats by business impact and likelihood of occurrence; utilized this knowledge to focus security actions to deliver “best value to the enterprise”
Continuously monitored intrusion, event, and other log sources to quantify the health of the enterprise and identify emerging threats, both host and network based
Skilled cyber security researcher who remained abreast of security concerns, testing tools, and techniques to the benefit of the IT customer
Responsive incident manager who designed and followed the appropriate processes and procedures tailored to the environment and appropriate to maintain Security Compliance for disclosure and notification
Resourceful participant in the tools and methods (like SWAT) needed to minimize the impact of technical debt on corporate assets
Recognized for engaging the entire IT staff as members of the security team through security awareness and related training and monitoring. “Education does more for security than a standing army”
Visionary who engaged stakeholders and IT staff in developing an actionable security roadmap; ensured security was included in all IT strategic planning and in all project activities, not a standalone silo
Worked with the stakeholders and contracting to establish/manage annual operating and capital budgets; was accountable for managing his portion of the budget
Supervisor who provided staffing, interview, hire, scheduling, tracking, conflict resolution, performance appraisal, project assignment, staff development, corrective counseling and termination activities
Facilitator who presented to stakeholders the status of key projects, and led and/or actively participated in meetings within the scope of his assigned role
Built strategic relationships with senior management through regular proactive communications

FUNCTIONAL EXPERIENCE
Cyber Security – David is a skilled risk assessor/validator who leverages his detailed knowledge of information system operations to focus security efforts to limit negative disruption while delivering required security safeguards. Years of system design, testing and remediation success inform each recommended action yielding a practical approach to the potentially complex.
Risk – David delivers business outcomes in many functional areas by understanding the relationship between risk and reward. Regarding IT risk, the most certain risk (the issue) is that poorly implemented or poorly managed IT programs increase cost, delay value delivery and reduce business impact. David reduces the negative impacts of IT by working closely with stakeholders to prioritize potential actions, focus effort on the few most useful actions, and continuously improve the maturity of the program.
Operations – David creates and maintains a culture of continuous improvement, where risk-informed decisions are rewarded when they succeed and reviewed when they fail. Empowerment of peers and direct reports encourages them to gather facts, articulate opportunities and take actions.
DevOps – David balances the demands of operations with the requirements coming into development. By targeting development opportunities to improve operations, the development impacts of operations improvements more readily compete for development resources. By leveraging the benefits of continuous build/test, the cycle time to remediation is compressed.
Privacy – David defends the privacy of information, systems, and people by applying industry best practices, remaining abreast of the ever-changing threat horizon and tailoring privacy safeguards to the specifics of the situation at hand. “One-Size Fits All” is a concept ill-suited to the present business climate.
Configuration Management – David understands “control over configuration enables the organization to focus on the target at hand.” Configuration control creates the foundation needed for agile outcomes.
Strategy – David embraces the balance between People, Process and Technology; understanding investment in one requires consideration of all. Incremental improvement needs the guiding vision of its executive stakeholder(s); information flow is critical to focus each action, which in turn yields its optimal impact.
Architecture – David designs and delivers framework and system (network, hardware, and applications) solutions tailored to the opportunity at hand; leveraging stakeholders (accountability-authority intersections) to manage their associated people, process and/or technology. Engaging stakeholders helps ensure near-term investments continue to yield during operations.
Finance – David refines raw accounting to readily consumed metrics responsive to business controls. Each business leader operates to specific outcomes unique to their circumstance; through tailored views, trends and analysis each leader is empowered to manage using near-real time accounting feedback.
Manufacturing – David thrives on the transformation of raw materials into business value; having experience in sheet metal fabrication, heavy assembly, and chemical manufacturing. He benefits from more than eight years of experience working alongside, managing and supporting shop floor workers.
Agile Coaching – David embodies the essence of agile management, refining intent to business value, within a variety of business areas. Beyond its application development origins, David has harnessed agile impacts for IT Security, Requirements Management, and Project Management purposes. Most organizations already apply the simple principles behind agile; however, orchestrating them into an organizational framework is a task not lightly taken.
PROFESSIONAL EXPERIENCE
Agile Assurance, Johnson City, TN 2014 - Present
Owner/Independent Consultant
Agile Assurance is a provider of professional services:
Coached an IT department of a Fortune 500 company on Agile practices
Director of IT Security Services for a healthcare system. Implemented HIPAA and HITECH controls.
Conducted Meaningful Use assessment
Conducted vendor risk assessments
Developed HIPAA/HITECH security policies
Developed security training
Encouraged teams and individuals to remain security minded in both their methods and practices, helping people rethink and change the way they deliver security services.
Clients: Mountain State Health Alliance, American Cancer Society, Michelin
United States Department of Defense 2009 - 2014
Assurance Risk Manager
This Department of the Navy activity operates as a federal consulting group (to Defense, Treasury, Commerce, Transportation, State, DHS, NSF to name a few) providing advanced information technology design-build services.
Responsible for delivering assurance services to enable authority to operate as required by FISMA. Working with the details of security and assurance, providing process (how to) and execution (results), my primary mission is to refine project results to an executive level as evidence of continued proper operation.
Implemented new Agile Assurance, process-driven Security practices which started and ended with People; self-managed through Agile Scrum. Specifically, fostered leadership accountability, and provided visibility into the security control points by providing comprehensive, actionable improvements and gap analysis within the Assurance Wheelhouse
Worked directly with the Department of Veterans Affairs, Office of Cyber Security, overseeing the cyber assurance for a politically charged / high visibility, $116M+ program, improving the Security, analytics, and the productivity of the project
Recognized as the Agile Assurance SME for complex, multidimensional programs; and for mastery of FISMA, NIST, and organizational security requirements through ready refinement into actionable outcomes
Honeywell Technology Solutions, Inc. 2006 - 2009
Assurance Lead
Honeywell Technical Services is a wholly owned subsidiary of Honeywell International which provides technical services primarily to local, state and federal government activities. Non-government sectors included banking, utility and industrial customers.
Responsible for delivering security testing and analysis with a specialty in risk management of large complex systems, which dampens the impact of transient political noise.
Recognized as the first to provide holistic Information Assurance Accreditation Services to the Navy’s leading Tactical Transport Program of Record. These services resulted in the survival of this system under targeted attack during time of war; the only means of tactical communication available to the operations theater for a period of more than two weeks
Awarded for establishing the competitive basis for vulnerability management vs capability development decisions
Put to task for breaking from prescriptive scan-fix tradition; developed cooperative-collaborative best effort security practices
Exsil Inc. 2004 - 2006
Department Manager
Exsil Inc. is a wholly owned subsidiary of Rockwood International which provides specialty chemicals and advanced materials, specifically in Silicon Wafer Reclaim.
Responsibilities included management over the Information Technology and Materials Departments, and development lead for the web-enabled plant-wide Manufacturing Execution System (MES).
Enabled ISO-9001 / ISO-14001 Registered Manufacturer Certification by tracking customer and consumable materials plant-wide
Established basis for Sarbanes-Oxley Act compliance through technical upgrades and process improvements; provided evidence of proper management of information systems
Recognized for delivering targeted value with minimum operational cost through the skilled use of kaizen events to define process improvement opportunities and solution parameters
Honeywell 1996 - 2004
Process Lead
Honeywell Home and Building Controls is a wholly owned subsidiary of Honeywell International, and provides life safety and energy management products and services.
Promoted several times, starting in Energy, Lighting, Fire and Security installation designs and programmed control applications, and ending in my process lead role over interoperability integration of estimating and material ordering/tracking systems. My most interesting activity involved developing a top-down breakdown of goals and objectives to better enable the annual business planning cycle.
Developed process management tools including:
o Web based estimating and material ordering/tracking ($2.5 Mil savings) and Web based user application training
o Rebate tracking enhancement to the Oracle reporting application ($500K annual recurring savings)
o Supply Management ($5.8 Mil savings)
o AP / AR (write off of $126 Mil uncollectable, NVA cost avoidance $3.2Mil annual recurring)
o Service Delivery ($800K annual recurring savings)
o System Engineering ($120K annual recurring savings)
o Call Center: Customer Support / HR / Recruiting / Workforce Scheduling ($1.5 annual NVA cost avoidance, $2.5Mil in tax credits, $5Mil direct savings)
EDUCATION
University of Phoenix
Master of Science (MS), Computer and Information Sciences and Support Services
East Tennessee State University
Bachelor of Science (B.S.), Electronic Engineering Technology (EET)