News

‘Primitive’ Postures

[May 10, 2011]

I don't like arbitrarily assigned "risk scores" to communicate risk and security postures...

There should be no 1-5 or Low, Medium, High unless those qualitative ratings (or "touchy-feely" ratings, as I like to call them) are clearly associated with, and defined by, concrete quantitative values.

 
Generic non-business example: 
"I have a medium-low to medium priced car."
 
That isn't very clearly defined, now is it? It depends entirely on your perspective and, most likely, your financial stance. I'm pretty sure Mr. Trump would find my car to be low to very-low priced. A freshly graduated college student may find my car to be medium-high to high priced.
 
What's the point? The car has an MSRP of $23,195. There is a clear (quantitative) answer that anyone can understand.

Question: How confident should an organization's risk management stance be if they rank risks on a scale of 1-5?

 

Walk the Walk, Don’t just Talk & Talk

[Feb 14, 2011]

I am always striving to be open and honest; to do it “my way”.  This article is an effort to continue in that effort...

I often meet with other consultants, independent and not, within the marketplace (especially if they are in the same area of focus as myself). I am frequently surprised when I hear about someone's extra-wide breadth of expertise, silently laughing at times as they list these “sweet spots” for what seems like pages and pages. Now it is one thing to sit down with a prospective client and discuss one's capabilities, but another to claim expertise and recent experience in dozens and dozens of business and IT areas.

I wanted to share with you the actual projects I assisted multiple clients with in 2010 alone. It was an exciting year with clients both local and international and travel throughout the U.S. and also to China.

  • Developed IT departmental and entity-level policy for higher education institution
  • Performed JDE Enterprise One post-implementation reviews across several divisions for global manufacturing client
  • Assisted with SOX internal assessment which included GCC, BP, and Entity-Level controls for multiple clients
  • Managed & performed PCI Level 2 – Preparation and First-Year Self Assessment for major retailer
  • Managed JSOX IT Controls work (audit) for two Japanese Auto Suppliers
  • Performed ERP HR System security access review for manufacturing client
  • Completed a contract compliance audit for international service-provider
  • Designed & managed ERP Segregation of Duties review for an Oracle manufacturing client and JDE Enterprise One manufacturing client
  • Led an evaluation of potential financial SaaS packages for small health clinic

I hope you can see now that I don't talk the talk before I have walked the walk.

If you have any questions or are interested in how my experience and knowledge of information technology risk & security can assist your organization, please don't hesitate to reach out.

 

How’s your Information ‘Balance Sheet’ looking?

[Feb 11, 2011]

Like the majority of information system management & practitioners, I am not an accountant. But we all do (or should) have a basic understanding of the financial Balance Sheet. In simple terms, it shows at a point in time the value of assets minus liabilities resulting in equity (value). So how does this relate to information risk?

There is no disputing that in today’s business environment organizations are capturing, storing and moving more information than ever. As a risk-focused professional I immediately see how this information can represent both an asset and also a great liability.

As an example: A vast database of information on a retailer’s customers’ purchases, habits, and other details can be a great asset to the retailer’s marketing and management.

However, if that information is poorly managed or secured, the information also becomes a liability.

So I will end with this thought: What attention should be given when one looks at their balance sheet and finds their liabilities are greater than their assets?

Source of inspiration: http://bit.ly/hjHQYl

 
