Rockie Brockway

Practice Lead, Office of the CSO

Experience

Experienced 25-year veteran of IT/IS and highly technical Information Security Analyst, Design Architect/Assessor specializing in Business Systems/Impact Analysis. Through an understanding of business needs in relation to protecting business critical data (Brand Protection), he assists organizations in achieving their desired business outcomes. He has consulted in nearly every vertical and marries a strong technical background with outstanding creativity, communication skills, leadership, team building/teamwork skills and business acumen.

Technology Background and Skillsets
• Enterprise Security Architecture
• Red/Purple Team Penetration Testing (PTES utilized)
• Adversary Emulation
• Threat/Vulnerability/Identity Management
• Monitoring and Incident Response
• Threat Intelligence
• Threat Modeling
• Data Classification Business Background and Skillsets
• Business Owner/President/CTO
• Business Systems Analysis
• Adversary Analysis
• Business Impact Analysis (FAIR utilized)
• 3rd party Risk Management
• Advanced Business/Security Metrics Development
• Outcome Oriented Strategic Business Initiatives

Education & Certifications

Case Western Reserve University, BA, Computer Science Currently none of the 30+ certifications achieved in the past 25- year career, including GSEC, GCIH and GSNA, are active. Actively working towards OSCP and EMBA.

Professional Affiliations

President, Secure Cleveland; Governing Board Cleveland CISO Executive Summit; BSides Cleveland Conference Organizer;  Infragard member (since 1998); SANS GIAC GSEC Mentor (taught three times); Cisco Partner Technology Advisory Board, Security

Industry Contributions

Security Conference Speaker at DerbyCon, GRRCon, CircleCityCon, RVASec, CONVerge Detroit, ShowMeCon,  Information Security Summit, BSides Boston/Rochester/Cleveland/Detroit, Ohio ETech

Passion for Security

Even before my first computer at the age of 12 (Apple II+) I have been fascinated and drawn towards figuring out how things work and if they can be made to do “other” things. Early exposure to a computer quickly led to changing settings on games with sector editors and programming rudimentary programs in BASIC. These gateway drugs led me to Case Western Reserve University to study Computer Science, where I was lucky enough to be introduced to Dr. Peter Tippett and interned at his company Certus International in 1992. Certus was one of the first Anti-Virus companies (later sold to Norton) and once I was exposed to the underground BBS world of computer virus sharing, reverse engineering and creating malicious Assembly code there was no turning back. My Network, Systems and Scripting basics were honed in the 90’s where I was the first employee of one of Ohio’s first ISPs. In 2000, I started my own security services focused company where I honed the higher-level skills of penetration testing, incident response, and forensics as well as jumping into the fire of owning and running a business. After we sold that company in 2007 I continued to hone those technical skills, but my attention started leaning towards the business side of infosec. Why is security so hard? Why does the business look at security as an obstacle rather than an enabler? How does this relate to basic human nature? Risk became an obsession and I started realizing the ties to group theory, natural systems, and adaptation. The past decade I have been working these theories out (with others) and applying them in real-world enterprises as a strategic and tactical advisor. This stuff is fascinating and I believe weaving these theories in with a solid Enterprise Security Architecture model provides the most value to our clients and sets us apart from other consultants who are not looking at the larger client business outcomes. Don’t get me wrong – I still love a good DNS TXT C2 Beacon and the rush of breaching a physical target. Just don’t ask me what 8086 DOS Int 21 does these days unless I can Google it.

Recent Blog Posts

Crossover Sec: Breaking Down the Silos

By Rockie Brockway
In Business Risk Assessment, Program Development, Security Program Assessment, Virtual CISO
People who know me well, or who saw the Derbycon 6 talk I gave with Adam Hogan, “Adaptation of the Security Sub-Culture,” know of my non-InfoSec hobby and history of playing in loud bands that recorded and toured across the U.S. and Canada, mostly in the 90s. It was music in the 80s that had...
Read
network map

Preparing for (IoT) Segmentation: Six Steps to Get Your Functional Requirements Right

By Rockie Brockway
In IoT Security Assessment, Managed Services, Operational Performance Maturity Assessment, Program Assessment & Compliance, Program Development, Program Maturity Assessment, Security Program Assessment, Security Program Management, Security Testing & Analysis
Recently, a client of ours expressed interest in segmenting their existing, flat network. The existence of these types of non-segmented networks is still very prevalent, especially in the manufacturing, supply chain, and medical verticals. The primary reason the organization wished to move on this initiative was in an effort to reduce the scope of their...
Read
cyber security threats icons

How to Leverage Threat and Attack Intelligence in your Risk Assessments

By Rockie Brockway
In Business Risk Assessment, Program Assessment & Compliance, Threat Hunting
Risk assessments methodologies in general are built before much of the information we have today was available.  Thus, we need to take advantage of the latest advances in threat intelligence and attack intelligence to make security risk assessments more valuable and aligned with real-life.  “What the hell do you know about TCAP?” Based on my...
Read
View all posts from Rockie

Recent Webinars

Resilience in the Middle of the Storm—Preparing Security Teams for Disaster

This webinar was recorded on 3/19/20. As populations are affected by disaster, what can you and your organization do now to mitigate security risk? Preparing for the worst For those who aren’t fully prepared, what are the major areas that...
Watch

Using MITRE ATT&CK(TM) for Coverage and Effectiveness Assessments

Recorded on February 13th, 2019, AT 1:00 PM EST What is the MITRE ATT&CK(TM) Framework? The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CKTM) Framework (https://attack.mitre.org/) is “a globally-accessible knowledge base of adversary tactics and techniques” that is “open and available...
Watch

vCISO vs CISO - Which is the right path for you?

Recorded October 17th, 2018 at 1:00 PM EDT Organizations are facing a dangerous combination of mounting cybersecurity threats and a widening gap in the skills required to identify and combat them. There is continuing pressure to keep our information secure...
Watch
View all webinars from Rockie

Recent Podcasts

TrustedSec Security Podcasts

Security Outlook Cloudy

April 03, 2020

(For Workgroups) Ghidra, Citrix and Beto Oh My!

April 03, 2020

What's Hidden In Your Cart?

April 03, 2020
Rockie Brockway

Want to work with Rockie Brockway or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us