Craftsmanship in Music and Compliance

If you’ve been on stage for a speech or performing arts, you know stage fright is real. Businesses can get nervous when they hear the word “audit” in the same way musicians can get nervous before a performance. However, there is one great way to alleviate that fear: preparation. If your business prepares well, you[…]

An Introduction to Active Defense

Global research and advisory firm Gartner forecasts that information security spending will exceed $124 billion in 2019, yet cyber defenses continue to fail. Organizations large and small continue to experience breaches of all varieties resulting from zero-day exploits, failures in vulnerability patching, and phishing. The market has responded with a variety of security governance and[…]

What Are Your Privacy KPIs?

Identifying and maintaining measures of success in privacy programs. The publication of ISO 27701 is an exciting development for all companies looking to enhance and potentially certify their privacy programs. As companies race to digest and implement the new standard, many questions arise around how to address some of its particular requirements. One such area[…]

Five Ways to Make the Board of Directors and Executives Very Happy

Unless you are part of senior management, the closest most of us come to the Board of Directors (BOD) or executives is reading their Ivy League bios on the company website. But a good consultant knows the way to your boss's heart is by making the BOD very happy. The good news is that making the bigwigs[…]

Top 10 IT Risk Frameworks and Resources

I have an entire folder full of risk frameworks that I draw from for inspiration when I'm performing a risk assessment or internal audit project. Here are a few links that I hope you find helpful. If you have something useful not listed below, please share in the comments! NIST Cybersecurity Framework Here NIST Cloud Computing[…]

Managing India’s Growing IT Presence

For the past two weeks I have been in Mumbai (Bombay), India, working on an IT security project. The trend of U.S.-based companies doing business in India is an ever-growing phenomenon, but it comes with its own set of logistical and technology issues that must be carefully balanced against monetary savings. Here are some of[…]

Application Risk Management

Many large and medium-sized businesses have the interesting problem of understanding and inventorying the various applications in use across diverse regions and departments. Without a clear understanding of how these applications are being used, who owns them, what type of data is stored inside them, and how each application is managed, CIOs' and management's ability[…]

How to Design the Perfect Audit Information Request List (and status tracker)

Any consultant or auditor will tell you that the most difficult part of the job is getting the right information from clients. That is why designing an effective information request list (a.k.a. PBC list) is so important. Oddly enough, it is also a skill that is never formally "taught" to new associates. So here's[…]

Creating an IT Risk Dashboard in Excel

One of the most valuable tools in my “IT Audit Arsenal” is the ability to easily identify and communicate risk patterns with a Risk Dashboard. A Risk Dashboard helps drive decisions (like what projects you take on, where company risk resides) and has become an easy way to communicate status and progress reports to the[…]