I help businesses build security programs that fit: practical controls, credible compliance, and no more process than the business can actually carry.
About
I've spent eleven years leading information security work and more than twenty on software development teams, which means I can translate between technology, security, and business to help organizations pick controls that are effective and reasonable for their situation.
I started as a software developer and worked at both Borland and Netscape. I also wrote three of the first books on Windows programming. Later I built the first application security team at WorkBoard, a hypergrowth Silicon Valley startup, and served as HIPAA Security Officer at WebMD Health Services, where I helped the company achieve and maintain HITRUST certification. As a consultant I've guided companies through SOC 2, HIPAA, secure design, and secure development.
Member of ISACA and ISC2.
What I Do
A good security program protects users, satisfies customers, and meets compliance requirements while minimizing the impact on business operations.
Security programs
- Compliance — SOC 2, NIST, HIPAA
- Interim and fractional security leadership
- Risk management and maturity assessments
- Customer security questionnaires and RFPs
- Security controls, policies, and procedures
- Incident response and tabletop exercises
- Security awareness training
Secure development
- Secure development lifecycle
- Developer security training
- Penetration test coordination
- Vulnerability management
- Security champions programs
Clients & Results
Named with permission:
- WebMD Health Services
- WorkBoard
- Websec
- PLUS QA
- Guided a SaaS startup through its first SOC 2 audit, from gap assessment to report.
- Helped startups entering the HIPAA ecosystem protect patient, physician, and researcher data.
- Provided interim security leadership through transitions — audits, RFPs, customer engagements.
- Defined risk management programs: policies, procedures, risk register, assessment methodology.
- Assessed secure development practices with OWASP SAMM and trained developers on the OWASP Top Ten.
Brian Myers is one of the most competent security leaders I’ve had the pleasure of working with.
It was the first time going through the process for us, and your expertise was invaluable in explaining things in a simple way we could understand… I started to “think like an auditor.”
Talks
I have spoken on security and governance at BSides (San Francisco, Seattle, Portland, Idaho Falls), the Oregon Cyber Resilience Summit, the Portland chapters of OWASP and ISACA, PNSQC, and elsewhere.
Waking Up to AI: An Adventure in Governance
A fictional SaaS company’s messy, revealing journey through AI risks, missteps, and gradual governance.
Kidnapping a Library: How Ransomware Taught the British Library to Follow Well-Known Best Practices
A cautionary tale about how a ransomware attack crippled a major cultural institution, and the measures taken to recover.
A Minimum Viable Security Program: The Critical Early Steps
How startups can apply lightweight, risk-based practices to achieve real security long before pursuing compliance.
What Goes Wrong? Common Security Problems in Web Applications
A developer-focused walkthrough of web security risks using OWASP Juice Shop — satisfies developer-training expectations in SOC 2, NIST, and ISO 27001 programs.
Beyond the Hacker Stereotype: Exploring Cybersecurity Careers You Didn’t Know Existed
A fast-paced introduction to cybersecurity roles with different skill requirements, for people finding their path.
Also: Starting a Security Program on a Shoestring, Starting to Think Like a Hacker, Everyday Ethics, XXE for Dummies — the full archive, with slides and example documents, is on GitHub.