James Tarala

James Tarala is a principal consultant with Enclave Security based out of Venice, Florida, and a SANS Senior Instructor. As a consultant, he has spent the past several years designing large enterprise security and infrastructure architectures, helping organizations to perform security assessments, and communicating enterprise risk to senior leadership teams. He is the author and an instructor for SEC566: Implementing and Auditing CIS Critical Controls and SEC440: CIS Critical Controls: A Practical Introduction, and a co-author and instructor for MGT415: A Practical Introduction to Cyber Security Risk Management.

More About James


With a Bachelor of Science in Linguistics, James originally set out to be an educator in remote global locations that did not have access to the resources enjoyed by most of the first world. He spent time in South America, Africa, and Europe, eventually returning to the States. Knowing he was born to teach, he turned his attention to his boyhood hobby of computers by educating technology students in the classroom of a trade school on databases, servers, security and more, as well as business leaders in the board room through consulting primarily with a large hospital system. Over time, James eventually decided to focus solely on cybersecurity risk. It was during this time that he was introduced to the SANS Institute and was given the opportunity to continue to educate through their forums. During his journey with SANS, he met his wife Kelli, who has ever since been his partner at SANS, in security research, and in consulting through Enclave.

Having spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues, James often performs independent security audits and assists internal audit groups in developing their internal audit programs. Given this experience, combined with his natural propensity as an auditor, James views the cybersecurity space not as wizardry, but as a disciplined problem that can be solved. While there’s no one silver bullet, James believes there’s a formula that anyone can follow to take the mystery out of the chaos.

James is driven by a good challenge. Since the cybersecurity industry is ever evolving and requires constant attention to stay relevant, James thrives in this space. He wants his classroom to be an opportunity for mentoring and conversations, where students can ask questions, express concerns, and learn from and teach each other along the way – providing far more value than a YouTube video. James feels the biggest challenge his students face is simply focus. There are so many distractions in the field that it's easy for practitioners to over-engage the trends. So much of information security is being disciplined and “eating your vegetables”. James wants to help students remember what is important and stay focused on the things that make a difference.

James holds a master’s certificate in Information Assurance from the University of Maryland along with a Master’s in Information Security Engineering from The SANS Technology Institute. Additionally, James holds numerous professional certifications including 14 GIAC certifications, GSE, CISSP, CISA, and PMP. Since 2008, James has been an author, reviewer, and supporter of the Center for Internet Security’s Critical Security Controls.

When not in front of a computer, James enjoys being outdoors, especially in his home state of Florida. Whenever they can, James and Kelli enjoy being on the water, boating, paddle boarding, or simply exploring the natural environment – even when it feels like 100 degrees outside.

Listen to James in his latest webcast "How to Present Cyber Security Risk to Senior Leadership".



Cybersecurity Standards Scorecard (2021 Edition), Nov 2021

Measuring Risk Using the Open, Collective Risk Model (CRM), Aug 2021

Understanding CMMC Compliance for DOD Contractors, July 2021

Rekt Casino Hack Assessment Operational Series – Putting It All Together, March 2021

Rekt Casino Hack Assessment Operational Series – What?! There are Critical Security Controls We Should Follow?, March 2021

How to Present Cyber Security Risk to Senior Leadership, July 2020

Understanding the 2018 Updates to the CIS Critical Security Controls, June 2018

Cyber-Hygiene and Standards of Care: Practical Defenses for Healthcare, Aug 2016

Using the Critical Security Controls to Prevent Ransomware in Healthcare, May 2016

The CIS Critical Security Controls: The International Standard for Defense, Dec 2015

Security Best Practices for Implementing Network Segmentation in a Healthcare Environment, Oct 2015

Using an Open Source Threat Model for Implementing the Critical Controls, May 2015


The Center for Internet Security Critical Security Controls

Multiple CIS Critical Security Controls Practice Aids

The Open Threat Taxonomy