My take on what works in infosec and other general musings
Why work with me?
20+ years in information security and program management. As a consultant and CISO, I’ve implemented over 10 security programs for all types of companies. Most recently, I spent 2.5 years as CISO for Frontline Education, where I established the company’s first security program, achieved SOC 2 Type 2 certification for all products and made the security program a competitive differentiator. See my LinkedIn profile: https://www.linkedin.com/in/kenfbrown/.
Hands-on CISO with practical experience in software development, systems administration, DevOps/CI/CD, AWS, privacy law and project management.
My approach is practical and gets a team focused on high-impact, low-effort results. Build processes that can be run with as little impact on the business as possible while still managing risk. Do the basics well with what you already have in place; don’t throw money at tools with unclear ROI.
Independent consultant – no agenda to sell technology/tools or promote specific vendors.
More than an insurance policy – I can work with your marketing team to differentiate your company in the market and be an ongoing resource to address new risks.
Governance Risk and Compliance Services
Customized training and simulated phishing
KPI dashboards spanning all aspects of program
Quantitative risk modeling to justify investment and develop business cases for executives and BoD
Unified control framework based on NIST CSF and CSA CCM (for compliance with SOC 2, ISO 27001, HIPAA/HITECH, FERPA, NIST 800-53, PCI DSS)
Use Objectives & Key Results (OKR) framework to drive results
Software Development Security
Container security (Twistlock and Chef Automate/InSpec)
Vulnerability prioritization and remediation
Red teaming and simulated attacks
Static code analysis (SonarQube)
IAST and RASP tools (Contrast Security)
GitHub code review triggers (Jira integration)
OWASP Dependency Checker
Endpoint detection and response (Carbon Black)
AWS security services (GuardDuty, Inspector, Config/CloudWatch, IAM and Well-architected standards)
Security Operations Services
Establish comprehensive security monitoring and incident management capability
Create playbooks, scripts and communication protocols to ensure all incidents receive quick and adequate response
Conduct ongoing tabletop exercises and simulated attacks
Security Testing and Validation
Conduct simulated attacks to find your information asset soft spots
Implement latest software development testing tools like Interactive App Sec Testing (IAST) and build automated test cases
Assess major product releases with an independent stamp of approval
Security Marketing and Sales
Evangelize and promote your security program with current and prospective customers
Work with marketing teams to create content for sales and provide thought leadership through blogging, webinars and customer meetings