ISACA article is live
I've had permission from ISACA to re-publish my article, which appeared in ISACA's Journal earlier this year (volume 5, 2017).
ISACA's sent me some copies of the issue of their Journal that includes my article.
the Equifax breach
I've gotten questions from a variety of people about the Equifax breach, and what it means to them in terms of potential ID theft.
Tracking Vulnerability Fixes to Production
As an IT auditor at a software company, I discovered that security vulnerabilities in our bespoke product had not been getting released to clients on a timely basis.
evaluating third party cyber risk
The Investment Industry Association of Canada has issued new guidance on evaluating cyber security readiness in third parties.
de-identifying health information
I currently have a contract with a firm that "de-identifies" health information prior to it being shared with third parties such as marketers, drug manufacturers, and researchers.
that's a lot of tracking!
I have this browser plugin that blocks third-party tracker systems from the websites I visit.
gaming Google news
two of four articles are spam?
Kudos to whoever figured out how to game Google's aggregator this badly.
privacy in this day and age
Sometimes people get emails that make it clear their personal network is known to various websites or agencies.
another record breach
A data analytics company leaked personal information on 200 million voters.
writing an industry standard
The Investment Industry Association of Canada is producing a two-document guide on evaluating cyber risk in their third party (vendor) arrangements.
Covey time-management quadrants
Where oh where has the four-quadrant Franklin Covey time management system been, all my life? It puts many of my thoughts into a concise guide!
Franklin Covey time matrix
an ISACA article
Tomorrow's the deadline for the next issue of ISACA's "Journal".
my guide on managing third party risk
I've written a guide on managing third party risk, that is, the risk that comes with sharing your data with third parties such as service organizations.
PMP for five years
Today is the five year anniversary of my long slog through the PMP exam.
metrics that matter
The article I placed on LinkedIn about losing my job has now been read well over 1,000 times.
720 reads in 48 hours
My previous post (which was cross-posted to LinkedIn) generated over 700 reads in under two days.
I lost my job
Last Tuesday, I lost my job during a restructuring at PortfolioAid, a compliance solutions firm.
get cyber safe
The government of Canada has produced some guidance for small-medium enterprises which is a) quite good and b) surprisingly readable.
In addition to CEO fraud emails, now there's virtual kidnapping.
financial industry vendor management
Today I attended a wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk.
securing your life
The New York Times recently ran a piece with practical information about protecting your online life.
yet another reason to patch
Today I had an illuminating call with our insurance broker and carrier about an exclusion in our errors & omissions insurance pertaining to unlicensed data and software.
fintech and information risk
An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech.
on failed persons
The Basel definition of operational risk is this:
"Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
how to sabotage innovative projects
One of my favorite books on internal control; sorry, the only good book I've ever encountered on internal control is "Intelligent Internal Control and Risk Management" by Matthew Leitch.
no fix for cyber security in our lifetime
An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime.
is risk management a profession
A risk practitioner vastly senior to me posited the question on LinkedIn whether risk management is even a profession.
head of state, athlete, billionaire, or drug lord
A headhunter once put it as simply as he could: "What's your career trajectory, CEO, COO, or CFO?" I recoiled at the thought at the time, though I now know the answer and I'd have to put "missed" or "failed" in there somewhere.
SOC-2 versus SIG
My team has been spending some time reviewing the forthcoming SOC-2 control standards.
governance & board positions
I've joined the board of Cycle Toronto, an advocacy association of city cyclists who are pushing for a safer city in which to ride.
case study on advanced persistent threats
In the middle of 2015, I produced an analysis of my employer's readiness regarding risk due to "advanced persistent threats" in the cybersecurity space.
management consulting vs internal audit
I've just completed a three-day intensive course on management consulting, which covered the twin streams of a) diagnosis and b) change management.
In the past few months, I've dropped three of the professional associations I'd belonged to.
Tonight I moderated a panel of experts on the role of the board in setting strategy.
Vtech data breach
I sent a friend a note about the latest data breach that's in the news: Vtech.
I'm constantly amazed at how difficult it is to break free of the straightjacket of the immediate.
hiring for many talents
I've repeatedly been faced with the difficult task of hiring for ambiguous roles where a range of different skills are required.
agility and risk
Dave Thomas, one of the originators of the "Agile Manifesto", gave a talk in January that explains where the Agile movement has gotten off the rails (no pun intended).
In an audit of my employer's cybersecurity stance, I found things to be generally quite good.
the common law of business practice
Someone* once said this of choosing a vendor's solution based on price alone:
"There is hardly anything in the world that someone cannot make a little worse and sell a little cheaper, and the people who consider price alone are that person's lawful prey.
my pilgrimage is complete
Someone at RSA called it a pilgrimage that is mandatory but that you only have to do once.
I skipped another afternoon of "keynotes" to meet with a succession of people.
on "How to avoid a breach"
I recently saw a LinkedIn post to an article titled, "Data breaches – how to effectively avoid them and manage them if they happen".
cutting off your nose
This article suggests that we should no longer use email, because it's not safe.
SIFMA makes the first move
Over the past couple of years, I've been watching for a "guidance note" from one of the regulators on cyber security.
a risk practitioners' uprising
I took a couple of vacation days to go to Minneapolis and join the third annual conference of the Society of Information Risk Analysts, an interesting group of risk practitioners that is putting together what seems to be not exactly a people's uprising but a practitioners' uprising in the information risk management field.
Are audit reports all about marketing
Are audit reports all about marketing?
I am writing a dissertation on the impacts of implementing an enterprise risk function at service organizations.
Are risk registers obsolete
Are risk registers obsolete?
I founded the risk management function at PortfolioAid—a provider of technical solutions to the financial industry—just as the firm was entering a period of aggressive growth.
how to avoid being C-3PO
I recently came across a bullet list of the three principal jobs of the risk manager.
solving the BYOD riddle
This article presents a policy that allows employees to bring their own mobile devices to work, while at the same time avoiding the security and support issues raised.