Brian Ventura

Brian Ventura, a Partner at Cyverity, an information security consulting firm specializing in governance, focuses on enterprise information security governance, risk, and compliance. He has more than 30 years of industry experience with a diverse background, including working in large, international organizations, small-medium businesses, government and private sector; advising, architecting, and assessing secure solutions.  Brian has taught various SANS courses over the years, is the author of SEC566: Implementing and Auditing CIS Controls, and is a regular instructor for LDR512: Security Leadership Essentials for Managers.

More About Brian


Starting out as a physics major in college, Brian took an on-campus job in the computer center with no background at all. While there, he learned Microsoft Windows, MacOS and Unix, installed his first Linux machine in 1993, and quickly changed his major to information technology and security. His true passion has always been with Unix and Linux, with security becoming a focus over the years. Brian became a systems administrator, which gave him a deep understanding of various technologies.

Administering Linux, Unix and Windows systems required an understanding of core services and integration between disparate ecosystems. In 2001 Brian took a role in a global Fortune 100 company to consolidate, enhance, and centrally manage their DNS and later email systems, comprising more than 350 separate subdomains, DNS servers, and email servers.

In 2004 Sarbanes-Oxley needed technical practitioners and auditors to build management plans, policies and procedures for IT, a first for many IT organizations. The audit role strengthened Brian’s connection and focus on solving business needs and meeting external requirements including information security. Brian is currently focused on the CIS Controls and CyberSecurity Framework as a method to mature and manage an Information Security program.

Drawing on his audit experience, starting with SOX and currently focusing on the CyberSecurity Framework (CSF) and the CIS Controls, Brian is able to provide students with rich examples and analogies. As someone who enjoys figuring out and solving complex problems, Brian is continually thinking about where the next attack will come from and how he can detect or prevent it.

Brian comes from a family of teachers and has always wanted to teach as well. He enjoys sharing concepts and seeing the excitement and understanding come into students’ faces when the subject starts to click and a bunch of seemingly random facts come together into a coherent view. Whether virtual or in-person, Brian views his classroom as a space for a collective conversation and exploration: the class material providing the foundation and plan, the participants affording the path and focus from their perspectives and needs. Together, through conversation and practical activities, Brian and his students explore the concepts and application of Information Security principles and best practice, leveraging real-world scenarios and experiences.

Taking concepts and theories learned in the classroom and applying them to real world issues and attacks can be challenging for students.  Understanding which threats and defenses are most critical today can be daunting and lead to less optimal defenses from well-meaning professionals. Through the classes and conversations, Brian provides real world examples and helps build the thought processes and methodologies to apply information security and privacy concepts in various environments, which delivers value back to management and the organization as a whole.

Brian has been teaching at SANS for over five years.  He is rewarded every time a student achieves their goal or wows their boss.  He regularly receives messages from former students exclaiming their successes. Sometimes these start as questions and build into solving a major issue or overcoming a previously insurmountable hurdle. These conversations encourage and challenge Brian continuously.

Brian is a volunteer with the Center for Internet Security (CIS), designing and contributing to the next version of the CIS Controls. Through the Oregon CyberSecurity Advisory Council, Brian champions programs to provide security services to the Oregon State and Local Governments, as well as small and medium businesses through technology partners, volunteer programs, and legislation. He provides guidance to Portland Community College in their CIS program via the PCC Advisory Board and also volunteers with the local ISSA and OWASP chapters in Portland, Oregon. Additionally, Brian publishes a GRC management tool focused on the NIST CSF.

Brian completed his Bachelor of Science in Information Technology - Security from Western Governors University and holds industry certifications including GSEC, GCIH, GCCC, GCFA, and CISSP, among others.

When not in front of a computer, Brian can usually be found riding his bike around Portland, attending Portland Thorns and Portland Timbers major league soccer games, and, when he finds time, exploring the wilderness in his 1980 Toyota Land Cruiser FJ40.