BROOK STEPHAN SCHOENFIELD, MBA
Stevensville, MT
SENIOR SOFTWARE & IT SECURITY LEADER
ENTERPRISE SECURITY ARCHITECTURE ● SaaS ● ENTERPRISE VULNERABILITY
Track record of success securing nearly every major architectural type from below the operating system to global
clouds. Protect informational and customer servicing assets from external and internal risks. Initiates security initiatives
and projects in alignment with business requirements and initiatives. Develops security strategies and policies. Expert
at planning, execution, and measurement of results, including compliance with Sarbanes-Oxley, PCI, NIST 800-53,
and other audit requirements.
Outstanding ability to develop strategies for securing software and assets, customer services delivery, and
regulatory/audit compliance in collaboration with senior executives and board. Manages security vendor and contractor
relationships. Deep and broad system assessment experience; well over 500 unique projects reviewed.
Industry leader: Founding member, IEEE Center for Secure Design, Featured Security Architect at The
National Museum of Computing, Bletchley Park, UK, author of Securing Systems: Applied security architecture and
threat modeling and Secrets of a Cyber Security Architect.
C-Suite & Stakeholder Presentations
Mission-Critical Infrastructure Support
Project Management-Cross Functional Teams
Network Design & Management
Process Improvement
R&D & IT Security & Strategy
Procedure Improvement
Vendor Management
Staff Management, Coaching & Mentoring
Technology Deployment
PROFESSIONAL EXPERIENCE
Independent Consultant
2020-
Provides security architecture leadership for consulting services to and for IOActive, Inc., SEC Consult
America, and True Positives, LLC. Helps to build software security consulting programs and delivers the
program’s services to clients globally. Software security includes assessing client’s current practices and providing
technical and organizational leadership to improve practices. Software security includes all aspects of the Security
Development Life cycle, as may be found in Brook’s (and James Ransome’s) Building In Security At Agile Speed, as
well as Chapter 9 of Core Software Security. Brook leads and provides secure design consulting, including client and
internal consultant training, generating training materials and delivering security architecture consulting and training
services.
IOActive, Inc., Seattle, WA
2018 to 2020
Director of Advisory Services, Master Security Architect
IOActive provides security consulting worldwide. Role was to build a software security program and then manage the
delivery of the program’s services to IOActive clients globally. Software security includes assessing client’s current
practices and providing technical and organizational leadership to improve practices. Software security includes all
aspects of the Security Development Life cycle, as may be found in Brook’s Chapter 9 in Core Software Security. Brook
led secure design consulting, including client and internal consultant training, generating training materials and
delivering security architecture consulting and training services. Role also included general information security
practices assessments for clients. Brook also performed IOActive’s annual ISO 27001/2 Information Security
Management System audit in 2018 and 2019.
McAfee, LLC., Santa Clara, CA
(formerly, McAfee, Inc., then Intel Security Group)
2012 to 2018
PRINCIPAL ENGINEER, PRODUCT SECURITY ARCHITECTURE LEAD, Product Security Group, Research and
Development
McAfee and Intel’s Distinguished Engineer is titled “Principal Engineer”, a Director-level, juried technical leader. Role
is the senior technology leader to drive secure development lifecycle (SDL) practices throughout engineering and
across every product developed. Strategic responsibility for all aspects of developing secure products, from product
strategy and requirements through architecture and design, and on to security testing. Design the Agile SDL program’s
technical approaches and evangelize, train, coach, and mentor its implementation. Provide technical leadership for a
virtual team of 100. Mentor potential technical leaders at Intel.
• Developer-centric security
• Innovative risk assessment and threat modeling training and coaching
• Final technical point of escalation for security incidents.
• Senior mentor for 125+ security architects and engineers.
• Consult on major product enhancements and releases.
• Provide security architecture strategy and leadership across R&D.
• Product portfolio includes architectures from beneath the OS to global cloud services
• Assess security products and vendors for fit to product security strategy.
• Solution architectures for security implementations.
• Secure Development Life Cycle to “build security in”.
• Agile SDL to maintain velocity while building security “in”
Autodesk, Inc., San Rafael, CA
2011 to 2012
ENTERPRISE SECURITY ARCHITECT, Infrastructure Architecture. Enterprise Information Services
EIS delivers all IT functions to support business function initiatives. Fully responsible for security strategy for EIS as
well as security for Autodesk SaaS and Cloud product. Hard dotted line to CISO. Hard dotted line to Enterprise
Architect.
• Member, Enterprise Architecture Governance Board
• Consult on all major IT enhancements and releases.
• Provides security architecture strategy and leadership for IT: cloud, virtualization, identity, security systems.
• Assess security products and vendors for fit to security strategy.
• Solution architectures for security implementations.
• Partners with SaaS security department.
• Consult with product security efforts.
• Consult with IT Project Life Cycle to “build security in”.
• Final technical point of escalation for security incidents.
• Senior mentor for security engineers.
Cisco Systems, Inc., San Jose, CA
2000 to 2011
SENIOR SECURITY ARCHITECT, Communications & Collaboration Group
CCG delivers unified communications and collaboration products, including WebEx meeting services. Fully responsible
for security strategy for CCG’s product suite and all internal IT projects for the business unit.
• Member, IT Architecture Governance Board
• Consults on all major product enhancements and releases.
• Provides security architecture strategy and leadership for the WebEx SaaS, including coding and application development, web security, and messaging. Collaborates with multiple internal constituencies.
• Partners with SaaS customer security departments.
• Team Lead and Technical Lead for 8-person security architecture practice.
• Senior mentor for security architects across company enterprise.
• Charged with Enterprise SaaS security.
Lead Architect & Team Lead, Global Web & Application Security
The team has 30 personnel distributed across Cisco. Led internal consulting on all web and application information
security including creating and leading strategic initiatives for web and application security enterprise-wide,
architectural design and review on internal projects and infrastructures, policy writing, adoption, and enforcement,
authoring procedures and technical papers, and external industry participation and engagement among peer
organizations and the security industry.
• Successfully implemented an embedded security architecture process, a cutting-edge developer-centric application vulnerability assessment program for thousands of applications and web developers.
• Performed application vulnerability assessments, secured application development, SOA, Security Information Management Systems, web infrastructures and applications, third-party security reviews and audits, and Identity Management System architectures.
• Designed architectural models and processes utilized by Enterprise Architecture Group.
InnoSys, Inc., Richmond, CA
1988 to 2000
TECHNICAL LEAD & NETWORK MANAGER
Responsible for planning, design, implementation and administration of the company network. Duties included primary
responsibility for planning, policy, design, implementation and monitoring of network security.
• To accomplish these tasks, he led the network administration and intrusion detection and response teams.
LEAD, Windows Device Driver Development Team, Keyspan Consumer Products Division.
• The Windows team designed, coded and debugged software for products including: a real-time operating system, a TCP/IP stack, serial communications to USB adapters, IR to USB adapters, and FireWire digital video products.
DIRECTOR, SOFTWARE DEVELOPMENT, ENGINEERING TEAM
• All aspects of managing a 13-member engineering team: technical strategy and delivery, staff mentoring, performance review, compensation, department budgeting.
EDUCATION
Master of Business Administration, California Polytechnic State University, San Luis Obispo
Graduated at the Top of Class.
Bachelor of Arts, Anthropology, University of Wisconsin, Milwaukee
Graduated with Honors.
PROFESSIONAL CERTIFICATIONS
Global Incident Analysis Center (GIAC) Certified Web Application Security (GWEB) #27
Microsoft Security Administrator
Netegrity SiteMinder 5.5 Administrator
GIAC Certified Intrusion Analyst #144
PUBLICATIONS
Building In Security At Agile Speed, Auerbach, April 2021
Threat Modeling Manifesto, co-author, 2020
Secrets of a Cyber Security Architect, Auerbach, December, 2019
Tactical Threat Modeling, co-author, SAFECode, 2017
Securing Systems: Applied security architecture and threat models, CRC Press, May, 2015 (CRC best seller, 2020)
Avoiding The top 10 Software Security Design Flaws, co-author, IEEE, Center for Secure Design, August, 2014
The SDL In The Real World, Chapter 9, Core Software Security, Ransome, James, and Misra, Anmol, CRC Press,
2014
Just Good Enough Risk Rating, SANS Security Architecture Smart Guide, 2011 (series out-of-print)
Evaluating External Application Service Providers, SANS Security Architecture Smart Guide, with Vinay Bansal, 2011
Processing External HTTP, SANS Security Architecture Smart Guide, 2010
Assessing Project Security Risk, SANS Security Architecture Summit, 2010
Building an Effective Application Security Practice, SANS What Works in Application Security Summit, 2009
Developer-centric Application Vulnerability Assessment, SANS What Works in Application Security Summit, 2008
Application Oriented Networking (AON) Security, Cisco Systems, Inc. (VOD), 2005
From Web Services to Service Oriented Architectures, Burton Catalyst, 2005
Evaluating Application Service Provider Security for Enterprises, Cisco Systems, Inc., 2005
The Role of an Access Control Policy Sandbox in a SOA, with Hicham Tout, IEEE Multi-Conference, 2004
Numerous blog posts and journal comment requests for various journals, blogs, and publications.
PRESENTATIONS
Guest lecturer San Jose State University, University of California, Berkeley, Quinnipiac University, University of
Montana, Missoula, etc.
Client’s internal conference keynotes
ISSA, Silicon Valley Chapter, 2021
Open Security Summit, 2021
OWASP BeNeLux 2021
Opal Group Cyber Security Conferences, 2018, 2019
RSA invited Lab “Threat Modeling Demystified”, 2016, 2017
California AppSec Conference, 2016, 2017, 2018
Intel Software Developers Summit, Keynote, Bangalore, 2011, Keynote, Guadalajara, 2015
Intel Software Professionals Conference, Keynote, Guadalajara, 2015
Facultad Regional Córdoba, Ingeniería en Sistemas de Información, Córdoba, 2015
BSIMM, SANS, RSA, IBM Rational, Burton Catalyst
Global Security Consortium
Network Applications Consortium
Knowledge Connect Sharing Forums
SOA Roundtable
Amgen Security Summit
Cisco Customer Executive Briefings, Cisco IT Architecture Forum, Cisco on Cisco
Cisco Development Security Conference
TECHNOLOGY
Software Security, threat models, SaaS Security, Cloud Security, DevOps security, Web Security, Web Architecture,
Cisco SAFE, DMZ, PKI, Access Control List (ACL), Identity Management, IDS, IPS, SIMS, Service Oriented
Architectures (SOA)