Joshua Kroger

Head of Information Security

Results-driven Cybersecurity Leader with over 20 years of progressive experience leading and building security programs that align with and accelerate mission objectives. Proven expertise in proactive risk-based strategy and program management, incident response, security governance, and regulatory compliance, including SOC II, NIST, and CIS. Skilled in developing and mentoring high-performing security teams while driving enterprise-wide security initiatives through collaborative leadership. Strong background in cloud security, AI security governance, Secure Software Development Life Cycle, and security automation and orchestration through APIs using Python, PowerShell, Bash, and commercial SOAR tools. Experienced in enabling business growth through strategic security investments, vendor management, and contract negotiations that accelerate digital transformation while optimizing security budgets. Adept at communicating security risks and strategies to executive leadership, legal teams, and business stakeholders. Lead high-stakes incident response efforts, managing legal, cyber insurance, and crisis communication teams to minimize impact. Drive third-party risk management and software supply chain security, vulnerability management and validation, and application security programs to strengthen organizational resilience.

Areas of Expertise

• Team Leadership & Development
• Cybersecurity Strategy Development
• Vulnerability Management
• Information Security Governance, Risk, and Compliance (GRC)
• Security Operations (SecOps)
• S-SDLC & Application Security
• Networking protocols with IDS/IPS
• Risk Management
• Threat Intelligence
• Penetration Testing
• SIEM & log management
• VPN/ZeroTrust for Remote Access
• Executive Stakeholder Engagement
• Incident Response & Forensics
• Vendor & Third-Party Risk Management
• Data Protection, Privacy, and Encryption
• Compliance & Regulatory Framework

Key Accomplishments

• Operationalized a comprehensive Data Loss Prevention (DLP) program: Established DLP across endpoints and cloud collaboration platforms, reducing data-related security incidents by 93% and strengthening protection of sensitive information.
• Built and led a hybrid 24x7 Security Operations Center: Established the SOC by integrating in-house staff with Managed Services, reducing operational costs by over 25% while enhancing coverage. Designed traditional and AI-automated SOC workflows and playbooks, trained and mentored Sr. Analysts & Engineers, and ensured effective alignment of tooling to detection use cases.
• Establishing an Enterprise Secure Software Development Life Cycle program: Designed and implemented a Secure Software Development Life Cycle (S-SDLC) Program to integrate security within the software development lifecycle. Embedded security tools into CI/CD pipelines, strengthening application security and supporting CapTech’s transformation toward a SaaS-based delivery model.
• Advancing AI Security Governance for Enterprise Applications: Developed an AI Security Governance Framework to manage emerging risks and regulatory compliance. Established security controls and risk assessment methodologies to align AI initiatives with enterprise cybersecurity strategy.
• Orchestrating High-Impact Incident Response and Crisis Management: Directed incident response operations to contain security breaches and minimize business disruption. Led forensic investigations and coordinated legal, cyber insurance, and crisis communication efforts to mitigate impact.
• Founding and chairing the IT Risk Committee: Integrated IT and business-side risk assessments for escalating high-impact issues to the Enterprise Risk Management Committee and Executive Leadership, fortifying enterprise-wide risk governance and visibility.

Career Experience

CapTech Consulting, Remote Jun 2017 – Present

Head of Information Security (Current Title)
Security Engineer → Sr. Security Engineer → Manager, Information Security → Sr. Manager, Information Security → Head of Information Security
Orchestrate the development and execution of a robust Cybersecurity program, aligning technical initiatives with business objectives and regulatory mandates. Cultivate and mentor a high-performing security team, driving operational excellence and cross-functional collaboration. Establish governance frameworks, enforce security policies, and advance risk management strategies to strengthen the organization’s cybersecurity posture. Oversee 7-figure budget allocation and lead vendor management efforts, negotiating contracts, optimizing procurement, and ensuring seamless deployment of security solutions. Direct incident response operations, coordinating with legal counsel, cyber insurance providers, and crisis communication teams to mitigate security events. Implement and refine cloud security strategies for hybrid environments, leveraging Azure and AWS security capabilities. Champion AI security governance, ensuring compliance with industry standards and safeguarding sensitive data.
• Led strategic security governance for CapTech's digital transformation initiative, overseeing the secure migration from on-premises to cloud architecture while enabling SaaS delivery capabilities and ensuring seamless integration of cloud security controls across hybrid environments.
• Enhanced CapTech’s security posture as it transitions to a SaaS provider by integrating application security technologies into cloud-based product development.
• Partnered with infrastructure and business stakeholders to establish business continuity and disaster recovery strategies aligned to regulatory expectations and operational resilience goals.
• Directed cross-functional disaster recovery tabletop exercises and business impact analyses to validate preparedness and identify gaps in business continuity plans.
• Developed cloud security control frameworks in support of CapTech’s cloud-first strategy.
• Automated security operations leveraging free & commercial APIs using Python, PowerShell, Bash, and commercial SOAR tools, enhancing threat detection and reducing incident response times.
• Spearheaded IT Risk Committee governance and risk mitigation efforts—closed 47% of all open IT risks and significantly reduced residual risk exposure across ongoing issues within the first year of founding the committee. Led proactive identification and analysis of emerging risks.
• Decreased the organization's phishing failure rate from 20% to less than 1% on a weekly basis by launching a comprehensive information security awareness training program.
• Eliminated over 96% of all identified security vulnerabilities through the creation and enforcement of a strategic Vulnerability Management Program in collaboration with IT and software application owners.
• Accelerated third-party security assessments by 50% through the implementation of a streamlined Third-Party Risk Management Program.
• Strengthened regulatory compliance by driving successful SOC II, NIST, and CIS audit preparations and remediations. Expanding to increased SOX compliance in 2026.
• Instituted AI security policies, ensuring compliance with industry best practices and reducing emerging technology risks.
• Led end-to-end response to complex security incidents as the senior-most technical escalation point, orchestrating cross-functional teams and making critical decisions to ensure rapid containment and remediation.
• Serve as CapTech’s HIPAA Security Officer, ensuring appropriate organizational and technical controls are maintained in accordance with regulations.

Central Piedmont Community College, Charlotte, NC Oct 2015 – Jun 2017

Security Analyst
Conducted vulnerability assessments, penetration testing, and PCI-DSS compliance audits to identify and remediate security risks. Managed and configured security tools, including SIEMs, firewalls, and DNS filtering solutions. Engineered malware analysis workflows, leveraging static and dynamic techniques to prevent infections and improve incident response. Investigated security incidents, applying forensic analysis techniques to uncover threats and implement remediation measures.
• Minimized malware response time by 75% through the development and execution of an optimized malware analysis process.
• Enhanced endpoint security by deploying and managing advanced threat detection solutions across diverse 10K+ Windows, Mac, and Linux environments.
• Executed web application and network penetration testing methodologies, proactively identifying and mitigating security vulnerabilities before exploitation.
• Improved security operations by integrating automation and advanced monitoring tools, expediting threat detection and remediation.

Personal Homelab Engineering & Operations 2001 – Present

• Architected and maintain an advanced home lab environment simulating enterprise-scale cloud infrastructure, including a multi-VLAN, policy-routed firewall, SDN capabilities, VPN, DHCP, DNS, NTP, and LAGG configurations for secure and segmented network control.
• Designed and deployed a Ubiquiti-based network fabric, integrating 10GbE core switching, multi-AP WiFi with mesh bridging, and redundant gigabit distribution, enabling high-throughput connectivity across clustered compute, storage, and IoT environments.
• Built a 3-node Proxmox cluster supporting both VMs and LXC containers to host critical services including Unifi Controller, internal DNS/DHCP, GPU-accelerated AI workloads, Git server, multimedia streaming, and home automation platforms.
• Deployed and orchestrated over 100 Docker containers across multiple hosts for microservices supporting private search, knowledge management, reverse proxies, API integrations, and AI-powered web applications—mirroring modern cloud-native architecture patterns.
• Integrated 88 TiB of redundant storage across one physical and one virtualized TrueNAS instance, enabling ZFS-backed snapshots, dataset replication, and high-performance SMB and NFS storage services for lab workloads and media.

Education & Certifications

• Certified Information Systems Security Professional (CISSP), International Information System Security Certification Consortium (ISC2)
• Associate Certified Chief Information Security Officer (Associate C|CISO), EC-Council
• Certified Ethical Hacker (CEH), EC-Council
• Cybersecurity Certificate, Google
• InsightVM Certified Administrator, Rapid7

Professional Affiliations

• CISO Executive Level Member, Information Systems Security Association – ISSA
• Member, Information Systems Audit and Control Association – ISACA
• Cybersecurity Career Mentor, EC-Council
• OWASP Member, OWASP Foundation