Rockie Brockway

Practice Lead, Office of the CSO

Experience

Experienced 25-year veteran of IT/IS and highly technical Information Security Analyst, Design Architect/Assessor specializing in Business Systems/Impact Analysis. Through an understanding of business needs in relation to protecting business critical data (Brand Protection), he assists organizations in achieving their desired business outcomes. He has consulted in nearly every vertical and marries a strong technical background with outstanding creativity, communication skills, leadership, team building/teamwork skills and business acumen. Technology Background and Skillsets • Enterprise Security Architecture • Red/Purple Team Penetration Testing (PTES utilized) • Adversary Emulation • Threat/Vulnerability/Identity Management • Monitoring and Incident Response • Threat Intelligence • Threat Modeling • Data Classification Business Background and Skillsets • Business Owner/President/CTO • Business Systems Analysis • Adversary Analysis • Business Impact Analysis (FAIR utilized) • 3rd party Risk Management • Advanced Business/Security Metrics Development • Outcome Oriented Strategic Business Initiatives

Education & Certifications

Case Western Reserve University, BA, Computer Science Currently none of the 30+ certifications achieved in the past 25- year career, including GSEC, GCIH and GSNA, are active. Actively working towards OSCP and EMBA.

Professional Affiliations

President, Secure Cleveland; Governing Board Cleveland CISO Executive Summit; BSides Cleveland Conference Organizer;  Infragard member (since 1998); SANS GIAC GSEC Mentor (taught three times); Cisco Partner Technology Advisory Board, Security

Industry Contributions

Security Conference Speaker at DerbyCon, GRRCon, CircleCityCon, RVASec, CONVerge Detroit, ShowMeCon,  Information Security Summit, BSides Boston/Rochester/Cleveland/Detroit, Ohio ETech

Passion for Security

Even before my first computer at the age of 12 (Apple II+) I have been fascinated and drawn towards figuring out how things work and if they can be made to do “other” things. Early exposure to a computer quickly led to changing settings on games with sector editors and programming rudimentary programs in BASIC. These gateway drugs led me to Case Western Reserve University to study Computer Science, where I was lucky enough to be introduced to Dr. Peter Tippett and interned at his company Certus International in 1992. Certus was one of the first Anti-Virus companies (later sold to Norton) and once I was exposed to the underground BBS world of computer virus sharing, reverse engineering and creating malicious Assembly code there was no turning back. My Network, Systems and Scripting basics were honed in the 90’s where I was the first employee of one of Ohio’s first ISPs. In 2000, I started my own security services focused company where I honed the higher-level skills of penetration testing, incident response, and forensics as well as jumping into the fire of owning and running a business. After we sold that company in 2007 I continued to hone those technical skills, but my attention started leaning towards the business side of infosec. Why is security so hard? Why does the business look at security as an obstacle rather than an enabler? How does this relate to basic human nature? Risk became an obsession and I started realizing the ties to group theory, natural systems, and adaptation. The past decade I have been working these theories out (with others) and applying them in real-world enterprises as a strategic and tactical advisor. This stuff is fascinating and I believe weaving these theories in with a solid Enterprise Security Architecture model provides the most value to our clients and sets us apart from other consultants who are not looking at the larger client business outcomes. Don’t get me wrong – I still love a good DNS TXT C2 Beacon and the rush of breaching a physical target. Just don’t ask me what 8086 DOS Int 21 does these days unless I can Google it.

Recent Blog Posts

network map

Preparing for (IoT) Segmentation: Six Steps to Get Your Functional Requirements Right

Recently, a client of ours expressed interest in segmenting their existing, flat network. The existence of these types of non-segmented networks is still very prevalent, especially in the manufacturing, supply chain, and medical verticals. The primary reason the organization wished to move on this initiative was in an effort to reduce the scope of their...
Read
cyber security threats icons

How to Leverage Threat and Attack Intelligence in your Risk Assessments

Risk assessments methodologies in general are built before much of the information we have today was available.  Thus, we need to take advantage of the latest advances in threat intelligence and attack intelligence to make security risk assessments more valuable and aligned with real-life.  “What the hell do you know about TCAP?” Based on my...
Read
cyber security risk and business

Ensuring Risk Assessments have a (Business) Impact

Risk is a term that gets thrown around quite a bit, and like its distant cousin “pentest”, it has a tendency to be used to describe many very different things. There are many “standard” Risk formulas out in the world today that typically include some combination of the terms Asset, Threat and Vulnerability.  Some of...
Read
View all posts from Rockie

Recent Webinars

Using MITRE ATT&CK(TM) for Coverage and Effectiveness Assessments

Recorded on February 13th, 2019, AT 1:00 PM EST What is the MITRE ATT&CK(TM) Framework? The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CKTM) Framework (https://attack.mitre.org/) is “a globally-accessible knowledge base of adversary tactics and techniques” that is “open and available...

vCISO vs CISO - Which is the right path for you?

Recorded October 17th, 2018 at 1:00 PM EDT Organizations are facing a dangerous combination of mounting cybersecurity threats and a widening gap in the skills required to identify and combat them. There is continuing pressure to keep our information secure...

Ensuring Risk Assessments Have Business Value

Recorded May 23, 2018 at 1:00 PM EST There is continuing pressure to keep our information secure and breach-free. At the same time, management often doesn’t see the need of increasing budget if there isn’t an incident occurring or a...
View all webinars from Rockie
Rockie Brockway

Want to work with Rockie Brockway or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us