Fattis N. Mann
Verified Expert in Engineering
Information Security Executive and Developer
Fattis is one of the most talented and seasoned information security executives in the market today. Having worked as a vCISO and a BISO director of business enablement and resilience for a Fortune 500, he brings together solid project management, communication, and documentation skills, specifically leveraging cybersecurity in business settings. Fattis is CAP, CDPSE, CISSP, and CRISC certified and is highly effective in communicating cybersecurity to both technical and non-technical staff.
Windows, Zoom, Teams, CISO, ISO 27001, Information Security, Cybersecurity, IT Security, Compliance, Security, Certified Information Systems Security Professional
The most amazing...
...project I've led involved building a BISO team, aligning 60 champions across nine BUs to help the enterprise accept the use of disruptive security technology.
IT Security Engineer/Consultant for a Social Help Platform
Computer Data Services, LLC
- Conducted a security risk assessment of the Social Help Platform which was a review of the as -is network, application, third party IVR and database security controls.
- Identified data base service account access risks, website security controls enhancements, access and authorization administration risks and made recommendations for remediation.
- Provided organizational security strategy and initiative roadmap components to drive an audit once and report many attestations to customers and business partners.
Cybersecurity and Business Resilience Director
Science Applications International Corporation (SAIC)
- Built the first Business Information Security Office (BISO) team to manage cybersecurity. Although we were a Windows endpoint and an Azure platform standard enterprise, we evaluated and deployed MacOS endpoints and AWS as BU/department standards.
- Integrated the business resilience and disaster recovery teams to align cybersecurity with a budget of $4.7 billion in the defense and civilian sector and $2.7 billion in national security and space.
- Deployed secure technologies to transform the 27,000-member workforce from 80% on-site to remote, post-COVID, reducing the brick-and-mortar footprint recurring investment by $20 million without compromising company and customer data or health.
- Sourced positions for the BISO team to represent cybersecurity on in-process reviews (IPRs) for all programs above $750 million to $1 billion in contract values.
- Promoted better cyber hygiene through cybersecurity communication, awareness, resilience, and training.
- Launched the first governance, risk, and compliance (GRC) organization, integrating former internal audit and cyber compliance personnel and functions.
- Led the security integration team through the $2 billion Scitor M&A to perform post-acquisition security network connectivity.
- Introduced a SOX monitoring solution to the risk management team and directed the review of all legacy SAIC applications. Insourced incident response (CIRT), security operations center (SOC), and SOX monitoring functions from Leidos Cyber BU to SAIC.
- Approved all program and developer-specific non-enterprise standard technology requirements by risk-based exception management and alternative architecture designs and implementations (e.g., micro-segmentation, NSVPNs, open source, sandboxes, et al.).
Senior PCI Security Consultant
- Addressed compliance issues, including the lack of an existing compliance program for managing credit card transaction processes. Conducted a risk assessment for the cardholder data environment (CDE) and defined the POS and device requirements.
- Defined the 21,000 node CDE by compiling the CDE's device inventory and pricing and budgeting security tools—enabling us to make purchases based on a CDE risk assessment and attestations of compliance from JetBlue business partners and suppliers.
- Developed a $3 million budget strategy for security tools. Secured $1.9 million in consultant fees, creating the 1st ROC and ending quarterly fines of up to $100,000 to VISA and MasterCard before the granting of a Trustwave quality security assessor.
- Completed monthly PCI DSS compensating control worksheets, self-assessment reports, and compliance requirement checklists until ROC was granted. Maintained PCI cyber activity/posture to support the company's first QSA-certified ROC.
Director, IT Security and Compliance
Broward Board of County Commissioners
- Oversaw IT security operations for a $3+ billion government organization. Delivered the 1st budget proposal for the county commissioner and the executive IT security and compliance program.
- Supported IT security and compliance initiatives for the above-mentioned project, impacting 84 agencies.
- Developed the 1st budget document ever submitted in Broward county to secure $2 million in funding and build the 1st IT security, compliance, and disaster recovery team. Became the FEMA-certified NIMS technology incident commander (aka the CISO).
- Collaborated with revenue-generating agency security teams to propose enterprise economies of scale for existing siloed multimillion-dollar budgets for airport and seaport security, water wastewater utility SCADA networks, and mass transportation.
- Resolved multiple conflicts and saved millions of dollars in McAfee and Microsoft tool procurements/investments for the county, including decreasing privileged accounts from over 20% to less than 6%—closer to the industry benchmark.
IT General Manager, Public Safety, Applications and CISO
City of Detroit
- Established and directed the IT department's 1st public safety division. Implemented a technology plan that targeted IT for law enforcement, public safety, and judicial information systems to sustain federal grant funding levels of over $20 million.
- Managed recruiting, training, resource allocation, and employee assessment functions to transition police IT to central IT. Built and mentored cohesive, qualified teams to meet schedule and budget for forming the 1st IT public safety division.
- Upgraded police CAD applications and infrastructure on mirrored IBM pSeries fully redundant infrastructure and Oracle9i Real App Clustering (RAC) HACMP. The $10 million secure network architecture upgrades included Brocade switches and Shark SAN devices.
- Led the design and implementation of new Motorola 800Mhz digital radio systems for public safety and water departments worth $100 million. Established fleet maps and talk groups for the city's first 10-point DHS plan, 211 and 311 CRM.
- Managed security and app development teams as the 1st CISO, along with maturing QA. Supervised release testing for new applications by providing final approval for bug-free, fully functional city agency solutions.
- Circumvented manual installation of the Norton Antivirus (NAV) on 8,000 endpoints during the Nimda.E virus outbreak. Our CIRT analysis business case justified the purchase of the IBM Tivoli suite to automate and saved $500,000 on dealing with each device separately again.
Constitution of the First Business Information Security Office (BISO) for a Fortune 500 Company
Some of the program-specific security management goals and technical controls required:
• Building an enterprise cybersecurity champion program, leveraging 60 BU-assigned security champions to attend monthly sessions with security updates on business requirements per LOB
• Establishing developer or program-appropriate network micro-segmentations, leveraging software-defined data centers, VMs, and AD groups to enable the business-compelled exception management use of non-enterprise standard apps, open-source software, or unique internet URL access
• Developing a business resilience program, which involved conducting a business impact analysis (BIA) to determine the program app recovery time and point objectives (RTOs/RPOs) and developing and testing the disaster recovery plans (DRPs) for validation by tabletop, test, and exercise rehearsals
Creation of a Cyber Program Risk-tracking Project to Report to the Risk Oversight Committee (ROC)
The project involved:
• Creating the Epics hypothesis and Lean business case to present to the OCIO Intake Review Board for approval as a prioritized enterprise project
• Building a four-tiered priority system to determine the adverse impact of services disruption on the company or customer brand—priority tier one service being running the SOC, security tools and firewall administration, intrusion prevention/detection systems (IDS/IPS), and priority tier four being performing security awareness, training, or system patching
• Developing the template to conduct and report the results of cyber reviews to the BoD ROC
• Using ServiceNow tickets, searching for contracts in Oracle Fusion, and MS Dynamic PM databases and the CRM to flag PM status updates and identify anomalies
• Creating a list of tier 1-4 discovered contracted cyber services to create ready-accessible past-performance narratives for future proposal efforts
• Training PMs
Upgraded Seaport Law Enforcement Information Systems
AWS HA, .NET
DDoS, DevOps, HIPAA Compliance
Amazon Web Services (AWS), Azure, MacOS, Google Cloud Platform (GCP), Windows
Cybersecurity, IT Security, Security, Network Security
Risk, CISO, BIA, Governance, Risk & Compliance, Compliance, Application Security, Information Security, Web Security, Intrusion Detection Systems (IDS), Cloud Security, Configuration Management, Risk Assessment, Stakeholder Management, IT Deployments, Security Architecture, Enterprise Architecture, People Management, Architecture, Cloud Architecture, Certified Information Systems Security Professional, Web App Security, Leadership, Azure Cloud Security, Cloudflare, FedRAMP, SOX, IT Projects, Cloud, Proposals, ISO 27001, Intrusion Prevention Systems (IPS), Mobile Security, VMware VMotion, SOX Compliance, Teams, Technology, SecOps, Disaster Recovery Plans (DRP), Incident Management, Incident Response, PCI Compliance, Risk Models, Law, Writing & Editing, Economics, Statistics, IBM SAN, Unisys Mainframe, PCI, Vulnerability Management, Data, Networks, Desktop Support, Desktop App Design, Apps, IT, ISO 27002, Data Privacy, Privacy, Interactive Voice Response (IVR)
Java Security, React
SQL, Java, HTML, BC
Zoom, Oracle OSM, VPN, Azure Network Security Groups
Database Lifecycle Management (DLM), Database Security, MySQLdb
Bachelor's Degree in Criminal Justice
University of Baltimore - Baltimore, MD, USA
Certified in Governance, Risk and Compliance (CGRC)
Certified Data Privacy Solutions Engineer
Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)