Risk Topics Blog

by Michael Werneburg

getting it wrong with R
2017.07.23
I'm taking a "MOOC" on Coursera in data science.
de-identifying health information
2017.07.19
I currently have a contract with a firm that "de-identifies" health information prior to it being shared with third parties such as marketers, drug manufacturers, and researchers.
that's a lot of tracking!
2017.07.07
I have this browser plugin that blocks third-party tracker systems from the websites I visit.
gaming Google news
2017.06.27
two of four articles are spam? Kudos to whoever figured out how to game Google's aggregator this badly.
privacy in this day and age
2017.06.21
Sometimes people get emails that make it clear their personal network is known to various websites or agencies.
another record breach
2017.06.20
A data analytics company leaked personal information on 200 million voters.
writing an industry standard
2017.06.14
The Investment Industry Association of Canada is producing a two-document guide on evaluating cyber risk in their third party (vendor) arrangements.
ISACA article accepted
2017.06.13
The ISACA article has been accepted.
Covey time-management quadrants
2017.05.30
Where oh where has the four-quadrant Franklin Covey time management system been all my life? It puts many of my thoughts into a concise guide: the Franklin Covey time matrix.
safe harbor de-identification of health data
2017.05.24
The health industry works with a standard called the "Safe Harbor" for de-identifying personal information.
an ISACA article
2017.05.18
Tomorrow's the deadline for the next issue of ISACA's "Journal".
my guide on managing third party risk
2017.04.22
I've written a guide on managing third party risk, that is, the risk that comes with sharing your data with third parties such as service organizations.
PMP for five years
2017.04.19
Today is the five year anniversary of my long slog through the PMP exam.
metrics that matter
2017.04.15
The article I placed on LinkedIn about losing my job has now been read well over 1,000 times.
720 reads in 48 hours
2017.04.12
My previous post (which was cross posted to LinkedIn) regenerated over 700 reads in under two days.
I lost my job
2017.04.10
Last Tuesday, I lost my job during a restructuring at PortfolioAid, a compliance solutions firm.
farewell, SIRA board
2017.03.27
My first term as a non-profit board member ends on March 31.
the message and the medium
2017.03.27
A former colleague on the SIRA board published this article to LinkedIn.
an interesting take on consulting
2017.03.11
I've started reading Peter Block's "Flawless Consulting".
the ever-expanding sh*tlist
2017.02.27
These are the 64 IP addresses that I currently block on my websites.
claiming professional expenses in Canada
2017.02.24
In Canada, anyone on the treadmill of maintaining professional designations gets a couple of tax incentives.
get cyber safe
2017.02.09
The government of Canada has produced some guidance for small-medium enterprises which is a) quite good and b) surprisingly readable.
the flight of the wealthy
2017.02.08
It looks like the wealthy are planning on pulling the plug on the US.
virtual kidnapping
2017.01.23
In addition to CEO fraud emails, now there's virtual kidnapping.
financial industry vendor management
2017.01.11
Today I attended a wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk.
securing your life
2016.11.22
The New York Times recently ran a piece with practical information about protecting your online life.
yet another reason to patch
2016.11.18
Today I had an illuminating call with our insurance broker and carrier about an exclusion in our errors & omissions insurance pertaining to unlicensed data and software.
DNS subdomain discovery
2016.10.24
This weekend, I found this interesting little tool called DNS Dumpster.
fintech and information risk
2016.10.17
An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech.
on failed persons
2016.09.27
The Basel definition of operational risk is this: "Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
how to sabotage innovative projects
2016.07.11
One of my favorite books on internal control; sorry, the only good book I've ever encountered on internal control is "Intelligent Internal Control and Risk Management" by Matthew Leitch.
no fix for cyber security in our lifetime
2016.06.23
An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime.
gane's law on the passage of data and meaning
2016.05.16
Gane's Law: "Any information that must be passed through two levels of management shall be mooted by the voyage, for it shall be diluted and misconstrued.
is risk management a profession
2016.04.25
A risk practitioner vastly senior to me posited the question on LinkedIn whether risk management is even a profession.
the problem of entitlements
2016.04.25
Virtually every organization has the problem of managing IT asset entitlements.
failed your PMP exam?
2016.04.22
That sucks.
evaluating a vendor's SOC-2 report
2016.04.11
Someone asked me how to evaluate a service organization's SOC-2 report.
head of state, athlete, billionaire, or drug lord
2016.04.04
A headhunter once put it as simply as he could: "What's your career trajectory, CEO, COO, or CFO?" I recoiled at the thought at the time, though I now know the answer and I'd have to put "missed" or "failed" in there somewhere.
SOC-2 versus SIG
2016.03.31
My team has been spending some time reviewing the forthcoming SOC-2 control standards.
governance & board positions
2016.03.22
I've joined the board of Cycle Toronto, an advocacy association of city cyclists who are pushing for a safer city in which to ride.
case study on advanced persistent threats
2016.03.02
In the middle of 2015, I produced an analysis of my employer's readiness regarding risk due to "advanced persistent threats" in the cybersecurity space.
management consulting vs internal audit
2016.02.20
I've just completed a three day intensive course on management consulting, which covered the twin streams of a) diagnosis and b) change management.
concentrated volunteerism
2016.02.17
In the past few months, I've dropped three of the professional associations I'd belonged to.
at least five problems with security metrics
2016.02.04
Last year, I participated in a panel on "metrics that matter" at RSA.
the risk of false brand identity
2016.01.31
A colleague from the CMC posted some thoughts on brand based on one of Seth Godin's periodic utterances.
studying contractual and financial risk management
2015.12.14
It's true that you get like the people you live with; I've spent a lot of time in the financial industry, and it seems I've picked up a thing or two.
on paneling
2015.12.08
Tonight I moderated a panel of experts on the role of the board in setting strategy.
Vtech data breach
2015.12.01
I sent a friend a note about the latest data breach that's in the news: Vtech.
the straitjacket
2015.11.13
I'm constantly amazed at how difficult it is to break free of the straitjacket of the immediate.
hiring for many talents
2015.11.06
I've repeatedly been faced with the difficult task of hiring for ambiguous roles where a range of different skills are required.
why ERM versus traditional risk management
2015.10.24
I'm studying for a course on risk financing, and have a quibble with an answer "in the book".
agility and risk
2015.10.16
Dave Thomas, one of the originators of the "Agile Manifesto", gave a talk in January that explains where the Agile movement has gotten off the rails (no pun intended).
using a cache server to secure WordPress
2015.09.25
Securing a website that runs on WordPress can be a challenge.
On the Ashley Madison list? Blame it on Target
2015.07.18
It's occurred to me that if someone's name turns up on the user list at Ashley Madison, they can just blame Target.
OpenDNS
2015.06.27
In an audit of my employer's cybersecurity stance, I found things to be generally quite good.
the common law of business practice
2015.05.20
Someone* once said this of choosing a vendor's solution based on price alone: "There is hardly anything in the world that someone cannot make a little worse and sell a little cheaper, and the people who consider price alone are that person's lawful prey.
risk assessment in a nutshell
2015.05.14
A pithy quote on risk assessment.
hiring on LinkedIn
2015.05.04
I recently posted two job openings to LinkedIn.
my pilgrimage is complete
2015.04.24
Someone at RSA called it a pilgrimage that is mandatory but that you only have to do once.
meetings
2015.04.23
I skipped another afternoon of "keynotes" to meet with a succession of people.
RSA Conference panel
2015.04.20
1,200 people showed up for our panel at RSA.
using malware to persecute whistle-blower
2015.04.14
A colleague passed this along.
on "How to avoid a breach"
2015.04.05
I recently saw a LinkedIn post to an article titled, "Data breaches – how to effectively avoid them and manage them if they happen".
speaking at this year's RSA Conference
2015.04.02
I've been asked to join a panel at this year's RSA Conference in San Francisco.
cutting off your nose
2015.03.23
This article suggests that we should no longer use email, because it's not safe.
beyond risk-listing and the ISO31k diagram
2015.03.02
Matthew Leitch is a risk management researcher in the UK I've leaned on more than once when I needed guidance.
what the SEC thinks about information risk
2015.02.27
As a "knowledge worker", it's important to understand how one's output is used.
It looks like "cybersecurity" is here to stay
2015.02.12
I'm not wild about the word "cybersecurity".
Cybersecurity as a systemic risk in the financial industry
2015.01.15
Outsourcing technology service arrangements carry considerable risk to both parties.
the risk of time sheets incomplete
2015.01.05
I work in an industry where records of time spent on distinct projects are required of knowledge workers.
SIFMA makes the first move
2014.12.05
Over the past couple of years, I've been watching for a "guidance note" from one of the regulators on cyber security.
An experiment in risk culture programming
2014.10.30
A large part of my duty as a risk manager is to guide the organization’s approach to risk.
a risk practitioners' uprising
2014.10.10
I took a couple of vacation days to go to Minneapolis and join the third annual conference of the Society of Information Risk Analysts, an interesting group of risk practitioners that is putting together what seems to be not exactly a people's uprising but a practitioners' uprising in the information risk management field.
Are audit reports all about marketing
2014.04.29
Are audit reports all about marketing? I am writing a dissertation on the impacts of implementing an enterprise risk function at service organizations.
Are risk registers obsolete
2014.02.21
Are risk registers obsolete? I founded the risk management function at PortfolioAid—a provider of technical solutions to the financial industry—just as the firm was entering a period of aggressive growth.
Risk, opportunity, and the service organization
2014.01.12
Specialist information technology services organizations play a substantial role in regulated industries such as finance.
how to avoid being C-3PO
2013.07.07
I recently came across a bullet list of the three principal jobs of the risk manager.
solving the BYOD riddle
2012.07.19
This article presents a policy that allows employees to bring their own mobile devices to work, while at the same time avoiding the security and support issues raised.