
Security manager

Location: San Diego, CA
Salary: 200000
Posted: December 22, 2025


Resume:

Bryan Brake

******@*****.*** +1-619-***-**** CISSP, GCIH, CSPO linkedin.com/in/brakeb

Candidate Summary

● Senior leader who aligns security, privacy, compliance, and business strategy to reduce risk while accelerating product delivery

● Built governance and GRC frameworks for IoT and cloud platforms; led enterprise-level bug bounty and vulnerability programs with measurable metrics and success

● Trusted partner to product, engineering, and business leaders for pragmatic security solutions

● Skilled in evaluating 3rd party vendor risk, policy & control design, audit readiness (PCI, SOC, HIPAA, FedRAMP, CMMC, NIST 800-53), threat modeling, and executive risk reporting

● Delivering program-level risk reduction by translating technical findings into business priorities

● Active content creator, infosec community organizer, and volunteer

Organizer of InfoSec Campout - a 2-day security conference in Seattle, WA

Creator of the BrakeSec Education YouTube channel, celebrating 10 years of content creation

● US Navy Veteran, with 8 years of honorable service

Work History

Product Security and Bug Bounty Program Mgr – Amazon Oct 2022 - Dec 2022

● Leading a bounty team of 4 people conducting triage, reproduction, and organizing product security incident response (PSIRT) functions for the Amazon Devices and Services bug bounty program

● Organized 6 in-person bounty events showcasing not-yet-released devices that were evaluated by HackerOne researchers in Dublin, Amsterdam, Las Vegas, Dubai, Edinburgh, and Seattle

● Established a process to identify systemic bounty issues across product and business units, engaging with leadership and organizing Ring, Blink, FireOS, and Alexa product teams to address found issues, achieving 90%+ fix rate within established SLAs

● Collaborating with engineering, product management, and business stakeholders to integrate security into development processes & prioritize findings in Atlassian Jira that could affect business reputation or put customers at risk

● Managed program security for the Amazon Sidewalk program, a global IoT platform, from pre-launch to post-launch and maturity, including integration and on-boarding of 3rd party device makers

● Collaborated with data engineers collecting data using Amazon Athena for dashboards, highlighting the effectiveness of the bounty program, utilizing metrics to guide future work & organizational goals

Sr. Technical Program Mgr – Amazon Devices Lab126 Feb 2021 - Oct 2022

● Managed $25MM yearly budget, submitted monthly invoicing to Finance, and ensured budget actuals were within tolerances; monitored burndown for project time and resourcing

● Coordinated IoT device security testing across 30+ Amazon lines of business to increase testing efficiency by 20%, saving $50,000 per quarter

● Created metrics showing effectiveness of security assessment vendors, and reported to leadership on trends in findings across business units, product teams, and application services

● Threat modelled 300+ internal and 3rd party tools and applications for use in internal Amazon environments, and advised on proper implementation and use of currently vetted 3rd party solutions

● Drafted contracts and on-boarded two external security assessors to assist with scaling the internal security assessment efforts, working with Amazon Legal, and vetting them for suitability

● Reviewed 50+ 3rd party Vendor SIG questionnaires, vetting vendors for suitability for use

Engagement Technical Program Mgr – Leviathan Security Apr 2018 - Feb 2021

● Initiated an internal projects program that enabled continuous improvement and modernization of the business and PMO

● Briefed customers on engagement findings and advised on prioritizing engagement discoveries

● Managed a team of 5 on-site at a customer to review 3rd party security assessments to verify testing scope and advise product teams on scope changes or if follow-on testing was required

● Conducted threat modeling and assessment of complex systems to advise customers on testing scope

● Managed multiple on-going engagements from startups, healthcare, and Fortune 50 companies

Senior Vuln Management Eng – CrowdStrike, Inc. Oct 2014 - Apr 2018

● Designed the initial vuln management program to replace existing ad-hoc program

● Overseeing the Vuln management process, reducing workload on IT & infrastructure departments

● Created gap analysis of existing controls against FedRAMP, ISO 27001, and ISO 27002 standards

● Vetted new vendor solutions for viability, looking at security posture, supply chain security issues, and compliance criteria, filling out SIG and CAIQ questionnaires for customers to evaluate Falcon Endpoint

● Created dashboards and metrics reporting for vulnerabilities, their impact, and status

Principal Information Security Engineer – Xerox/ACS Corp. Aug 2012 - Oct 2014

● Managed a team of 2 people in passing and maintaining PCI and SOC 2 compliance

● Created mitigation plans for vulnerabilities and addressing PCI gaps

● Threat modeling proposed designs to bolster overall system security

● Regular audits of access control and firewall rulesets to reduce attack surfaces in data centers

● Trained developers on the use of Burp Suite to reduce security involvement in reviewing applications

● Created security test plans and user scenarios to check for web application vulnerabilities, like XSS, CSRF, token/cookie theft, and other OWASP Top 10 issues

Information Security Pre-Audit / Consultant – CynergisTek Dec 2011 - Jun 2012

● Reviewed Healthcare system architecture, physical access controls, and identified threats, and made recommendations for improvements

● Conducted on-site audits and risk assessments of 12 hospital systems

● Interviewed IT, senior leadership, medical personnel to discover HIPAA deficiencies

● Briefed senior leadership on findings and created deliverable based on CMMI maturity framework

● Assessed health systems according to HIPAA, HITECH, and ISO standards, using a custom maturity model based on CMMI

Educational Initiatives, Speaking Engagements and Volunteering

Defcon Safety Operations Command (Goon)

Defcon 2023 Conference (Las Vegas)

● Physical security sweeps ensure attendees get assistance and safety

● De-escalation of conflicts during the event

● Crowd management

Aug 2023 - Present

CISSP Boot Camp facilitator Oct 2023 - Present

Virtual, partnering with ISC2 and ISSA Puget Sound (Seattle, WA)

● Mentored 40 people through 2 modules of the CISSP BOK over 3 weekends

● Curriculum development for presentation via online & classroom methods

Panelist, International Wireless Consortium Expo (Virtual)

IWCE 2020: Session: Cybersecurity Threats Posed by IoT/Smart X/Connected Products

● “IoT Security and Software Transparency”

Aug 2020

Keynote Speaker, BSides Springfield, MO

● “Community Building in the Infosec Space”

July 2018

Speaker, Panelist, TAG NW Security Summit

● “Opportunities are Made… the Power of Networking”

● Panelist: “Opportunities in IT/Cybersecurity”

Nov 2019

Co-Creator, Organizer, SeaSec and SeaSec East, infosecCampout

● https://www.meetup.com/SEASec-East/

● Monthly Mini-conferences with local speakers discussing security, GRC, privacy, DevOps, and more

Jan 2015 - June 2023

Mentor/Facilitator, SANS Institute

Mentored 3 students in exam prep for the SANS SEC504 (GCIH); all scored above 85%

Mar 2018 - Present

Education and Certifications

Certificate of Specialization in Leadership and Management

Harvard Business School Online

Completed July 2023

Certified Scrum Product Owner (CSPO)

Scrum Alliance

Completed Apr 2021

Certified Scrum Master (CSM)

Scrum Alliance

Completed Jan 2021

Certified Change Management Professional (CCMP)

ProSci

Completed Aug 2020

SANS Certified Incident Handler (GCIH)

SANS Training

Completed July 2017

SANS Certified Web Application Pentester (GWAPT)

SANS Training

Completed May 2014

Certified Information System Security Professional (CISSP)

ISC2.org #331883

Completed in 2010

Bachelor’s in Information Technology

University of Phoenix

Graduated 2008


