Meet Thad Wellin, Lead Cybersecurity Analyst & CMMC Lead

Modified on: March 24, 2020

Thad Wellin - Headshot

Thad Wellin, CISSP, SEC+, Certified Expert RMF Professional (CERP)
Lead Cybersecurity Analyst in Tampa, FL
Specializing in RMF, CUI (CMMC)

Joined SecureStrux February 2020

If cybersecurity was a discipline in healthcare, Thad Wellin would be an internist. His decades-long tenure of optimizing and securing internal and co-located DoD networks and coordinating global exercises across units and technology platforms with the US Air Force has provided him with an acute understanding of the essential elements that assure information security for both the public and private sector.

“Policy and procedure should come first, then security tools,” says Thad. His persistent ‘thirst for knowledge’ compels him to analyze after action reports for major breaches as a hobby to more thoroughly understand the forensics and better prepare him to identify vulnerabilities and mitigate risks for his clients.  He’s learned that multi-million-dollar commercial breaches are often caused by passive attitudes and could have been prevented by basic protocol. “Never believe that it can’t happen to you. Everyone is vulnerable.”

As the Lead Cybersecurity Analyst for SecureStrux’s CUI-CMMC Division, Thad works closely with his clients to ensure compliance with Federal requirements for performing on government contracts per the NIST guidelines for Risk Management Framework (SP 800-53) and Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (SP 800-171), as well as Cybersecurity Maturity Model Certification (CMMC) assessments. 

“Companies are scrambling to certify to new requirements so they can compete for contracts… I expect the field of small and midsize businesses will be thinned out.” Thad says that many companies won contracts with a low bid, but were not actually performing to the highest standards leaving government data and systems vulnerable to attack. “It’s important to really dig in to understand threats and mitigate them across all industries, and not just provide a patch or superficial monitoring tool. We need to know the various motivations and actions whether they be political, financial, a thrill factor, privacy breach, etc. to effectively prevent intrusions and loss.”

Thad believes that organizational security should not be addressed in a vacuum. Business continuity plans need to be multi-disciplinary and require input from all stakeholders. “I help organizations to understand Tier I, II, III users and protections… I love solving problems.” Thad’s experience with Joint Forces Special Operations and private-sector consulting qualifies him to connect the dots between the executive office, IT, physical security, supply chain, human resources, and front-line personnel to ensure all facets of the operation are involved.

“Cybersecurity is constantly changing, and I am always having to learn something new,” says Thad. To that end, he stays current by presenting at NCMS, ISC2, and AFCEA industry events, as well as exchanging best practice through relevant open source knowledge bases. Above-and-beyond his position as an accomplished practitioner, Thad shares his expertise with the next generation of cyber professionals as an adjunct professor and looks for opportunities to mentor others. He says, “It’s important to support their interests to learn more and evolve, and provide a path for longevity.”

What I’m loving right now:

Books: Anything by Stephen King, Tom Clancy, Dan Brown

Podcast:  DevSecLead