So, this Scranos is a mutable piece of malware with a great deal of capability and it's still just getting warm.
CIA no more - 2019.01.01
Whoopsie, I seem to have forgotten to renew my Certified Internal Auditor designation.
two day retreat - 2018.10.05
For the past two days, I joined a client's executive team and board on a strategic retreat that started with "What do we do as a company?" (which led to a substantial revelation) and followed that all the way to which executives would own what crucial initiatives this year, and which would follow on through the next two years.
Today I read an excellent post on getting things done, by a City of Toronto executive.
oracle cloud is unavailable - 2018.09.01
I'm jobsearching, and came across this odd warning when following a lead: As my friend and former colleague Adrian put it, "Nice, a dinosaur caught in a tar pit".
CIA for five years - 2018.08.28
It's been five years since I wrapped up a year—and five hundred hours of study—toward the Certified Internal Auditor designation.
a new website - 2018.08.22
I've put together a new website for my consulting business.
fracking the human being - 2018.05.19
Discretionary energy is a term used to describe optional effort that an employee might put into their job.
privacy at Facebook - 2018.04.02
The recent flap about the Cambridge Analytica breach at Facebook has people talking about privacy issues pertaining to that website.
the planning fallacy - 2018.03.04
Today, while pursuing one of my hobbies, I discovered something called the planning fallacy.
Valentine's day vm backup plan - 2018.02.14
I'm working on a project in which the data set is so sensitive that backups to long-term media – or outside the production network segment – aren't permitted.
Facebook is troubling - 2018.02.12
The other day, I realized that my regular use of Facebook as part of my advocating for safe cycling infrastructure in Toronto was having some negative effects.
the unsafe workplace and the body's response - 2017.11.11
Simon Sinek gives some interesting insights into how unsafe environments (such as a workplace with infighting) has a deleterious effect on our health through changing the chemical balance of our bodies.
ISACA article is live - 2017.10.12
I've had permission from ISACA to re-publish my article, which appeared in ISACA's Journal earlier this year (volume 5, 2017).
ISACA's sent me some copies of the issue of their Journal that includes my article.
the Equifax breach - 2017.09.23
I've gotten questions from a variety of people about the Equifax breach, and what it means to them in terms of potential ID theft.
Tracking Vulnerability Fixes to Production - 2017.09.18
As an IT auditor at a software company, I discovered that security vulnerabilities in our bespoke product had not been getting released to clients on a timely basis.
evaluating third party cyber risk - 2017.08.31
The Investment Industry Association of Canada has issued new guidance on evaluating cyber security readiness in third parties.
de-identifying health information - 2017.07.19
I currently have a contract with a firm that "de-identifies" health information prior to it being shared with third parties such as marketers, drug manufacturers, and researchers.
that's a lot of tracking! - 2017.07.07
I have this browser plugin that blocks third-party tracker systems from the websites I visit.
gaming Google news - 2017.06.27
Two of four articles are spam? Kudos to whoever figured out how to game Google's aggregator this badly.
privacy in this day and age - 2017.06.21
Sometimes people get emails that make it clear their personal network is known to various websites or agencies.
another record breach - 2017.06.20
A data analytics company leaked personal information on 200 million voters.
writing an industry standard - 2017.06.14
The Investment Industry Association of Canada is producing a two-document guide on evaluating cyber risk in their third party (vendor) arrangements.
Covey time-management quadrants - 2017.05.30
Where oh where has the four-quadrant Franklin Covey time management system been, all my life? It puts many of my thoughts into a concise guide! Franklin Covey time matrix.
an ISACA article - 2017.05.18
Tomorrow's the deadline for the next issue of ISACA's "Journal".
my guide on managing third party risk - 2017.04.22
I've written a guide on managing third party risk, that is, the risk that comes with sharing your data with third parties such as service organizations.
PMP for five years - 2017.04.19
Today is the five year anniversary of my long slog through the PMP exam.
metrics that matter - 2017.04.15
The article I placed on LinkedIn about losing my job has now been read well over 1,000 times.
720 reads in 48 hours - 2017.04.12
My previous post (which was cross posted to LinkedIn) regenerated over 700 reads in under two days.
I lost my job - 2017.04.10
Last Tuesday, I lost my job during a restructuring at PortfolioAid, a compliance solutions firm.
get cyber safe - 2017.02.09
The government of Canada has produced some guidance for small-medium enterprises which is a) quite good and b) surprisingly readable.
In addition to CEO fraud emails, now there's virtual kidnapping.
financial industry vendor management - 2017.01.11
Today I attended a wealth management industry committee meeting in which we're looking at an industry-wide approach to managing third party risk.
securing your life - 2016.11.22
The New York Times recently ran a piece with practical information about protecting your online life.
yet another reason to patch - 2016.11.18
Today I had an illuminating call with our insurance broker and carrier about an exclusion in our errors & omissions insurance pertaining to unlicensed data and software.
fintech and information risk - 2016.10.17
An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech.
on failed persons - 2016.09.27
The Basel definition of operational risk is this: "Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
how to sabotage innovative projects - 2016.07.11
One of my favorite books on internal control; sorry, the only good book I've ever encountered on internal control is "Intelligent Internal Control and Risk Management" by Matthew Leitch.
no fix for cyber security in our lifetime - 2016.06.23
An article landed in my inbox today in which an expert from Marsh was quoted as saying, "Cyber as a pervasive risk will likely not be solved in our lifetime.
is risk management a profession - 2016.04.25
A risk practitioner vastly senior to me posited the question on LinkedIn whether risk management is even a profession.
head of state, athlete, billionaire, or drug lord - 2016.04.04
A headhunter once put it simply as he could: "What's your career trajectory, CEO, COO, or CFO?" I recoiled at the thought at the time, though I now know the answer and I'd have to put "missed" or "failed" in there somewhere.
SOC-2 versus SIG - 2016.03.31
My team has been spending some time reviewing the forthcoming SOC-2 control standards.
governance and board positions - 2016.03.22
I've joined the board of Cycle Toronto, an advocacy association of city cyclists who are pushing for a safer city in which to ride.
management consulting vs internal audit - 2016.02.20
I've just completed a three day intensive course on management consulting, which covered the twin streams of a) diagnosis and b) change management.
In the past few months, I've dropped three of the professional associations I'd belonged to.
Tonight I moderated a panel of experts on the role of the board in setting strategy.
Vtech data breach - 2015.12.01
I sent a friend a note about the latest data breach that's in the news: Vtech.
I'm constantly amazed at how difficult it is to break free of the straightjacket of the immediate.
hiring for many talents - 2015.11.06
I've repeatedly been faced with the difficult task of hiring for ambiguous roles where a range of different skills are required.
agility and risk - 2015.10.16
Dave Thomas, one of the originators of the "Agile Manifesto", gave a talk in January that explains where the Agile movement has gotten off the rails (no pun intended).
In an audit of my employer's cybersecurity stance, I found things to be generally quite good.
the common law of business practice - 2015.05.20
Someone* once said this of choosing a vendor's solution based on price alone: "There is hardly anything in the world that someone cannot make a little worse and sell a little cheaper, and the people who consider price alone are that person's lawful prey.
my pilgrimage is complete - 2015.04.24
Someone at RSA called it a pilgrimage that is mandatory but that you only have to do once.
I skipped another afternoon of "keynotes" to meet with a succession of people.
on "How to avoid a breach" - 2015.04.05
I recently saw a LinkedIn post to an article titled, "Data breaches – how to effectively avoid them and manage them if they happen".
cutting off your nose - 2015.03.23
This article suggests that we should no longer use email, because it's not safe.
SIFMA makes the first move - 2014.12.05
Over the past couple of years, I've been watching for a "guidance note" from one of the regulators on cyber security.
a risk practitioners' uprising - 2014.10.10
I took a couple of vacation days to go to Minneapolis and join the third annual conference of the Society of Information Risk Analysts, an interesting group of risk practitioners that is putting together what seems to be not exactly a people's uprising but a practitioners' uprising in the information risk management field.
Are audit reports all about marketing - 2014.04.29
Are audit reports all about marketing? I am writing a dissertation on the impacts of implementing an enterprise risk function at service organizations.
Are risk registers obsolete - 2014.02.21
Are risk registers obsolete? I founded the risk management function at PortfolioAid—a provider of technical solutions to the financial industry—just as the firm was entering a period of aggressive growth.
solving the BYOD riddle - 2012.07.19
This article presents a policy that allows employees to bring their own mobile devices to work, while at the same time avoiding the security and support issues raised.