Papers & Publications
NOTICE: There is a publication gap from June 2013 to March 2015 due to my time spent with Gartner.
- Contributing Author, Contributing Editor: Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (2011, ABA Press, ISBN: 978-1-61632-807-8)
- Contributing Author: Data Breach and Encryption Handbook (2011, ABA Press, ISBN: 978-1-60442-989-3)
- Author: "Maddening Methods: Fundamentals of Risk Assessment and Analysis" (The ISSA Journal, July 2010, [PDF])
- Author: "De-Operationalizing InfoSec: Living in an Imperfect World" (The ISSA Journal, June 2010, [PDF])
- Author: "Architecting Adequacy: When Good Enough Really Is" (The ISSA Journal, March 2010, [PDF])
- Author: "Dysfunction Junction: Do Standards Function?" (The ISSA Journal, October 2009, [PDF], and cover of February 2010 "Best of 2009" issue)
- Author: "Elasticity: Will your organization bend or break?" (cover story for The ISSA Journal, September 2009, [PDF])
- Co-Author: "The Biometric Devil's in the Details" (Security Management, December 2008, with Ben Rothke)
- Author: "Key Management: The Key to Encryption" (The EDP Audit, Control, and Security (EDPACS) Newsletter, Volume 38 Issue 4, October 2008, [PDF])
- Co-Author: "Information Security and the Importance of Context" (CSO Online, August 2008, with Ben Rothke)
- Author: "Evolving Risk Resilience" (BT Initiatives Newsletter, May 2008)
Work-Related Articles, Interviews, Quotes, Bylines, Etc.
- Quoted - CSO Online "The CSA is the new VIP of information security" (July 2013)
- Byline (ghosted) - Milton Security Blog "Kübler-Ross and the Path to Security Maturity" (July 2013)
- Byline - Norse Security Blog "It's Time to Kill the General Purpose Browser" (June 2013)
- Quoted - SC Magazine "Deciphering Cloud Strategy" (Apr 2013)
- Quoted - GFI "Tech Talk To Me" Blog "Hear! Hear! Tips from THE IT Security Experts" (Mar 2013)
- Byline (ghosted) - CSO Online "Integrating business continuity management with IT risk management" (Feb 2013)
- Quoted - DarkReading.com "Better Integrate IT Risk Management With Enterprise Risk Activities" (Dec 2012)
- Quoted - Insurance & Technology "What Fuels ERM? More Data" (Dec 2012)
- Byline (ghosted) - CRN "How To Offset Your Customers' BYOD Risks" (Dec 2012)
- Interview (ghosted) - Business Finance "Risk Chat: How to Minimize Security Risks in a BYOD Culture" (Nov 2012)
- Also cited here: FierceComplianceIT "Current State of IT GRC" (Dec 2012)
- Quoted (very briefly) - DarkReading.com "7 Risk Management Priorities For 2013" (Nov 2012)
- Quoted (very briefly) - CIO.com "BYOD Privacy: Are You Being Watched?" (Oct 2012)
- Guest Post - GovTech "Beware the Super-Metric, and Other Analytics Advice" (Oct 2012)
- Byline (ghosted) - IT Business Edge "Human Risk: Are Employees the Weakest Security Link?" (Oct 2012)
- Byline (ghosted) - SC Magazine "Adding second-tier analysis to harness Big Data" (Jul 2012)
- Quoted - DarkReading "The Compliance Officer's Dirty Little Secret" (Jun 2012)
- Interview - CIO.com "BYOD Stirs Up Legal Problems" (May 2012)
- Guest Post - VentureBeat "BYOD and the security fun-sponge" (May 2012)
- Article (ghosted) - Healthcare Technology Online "Healthcare Compliance Secrets" (Apr 2012)
- Interview - SearchHealthIT "Comparing health care data security compliance to other industries" (Apr 2012)
- Byline - SC Magazine "Manage your risk, not somebody else's" (Apr 2012)
- Quoted - DarkReading "2012 Compliance Checklist" (Dec 2011)
- Interview: "Risk Chat: Is Your GRC in the Cloud?" (Big Fat Finance Blog, October 2011)
- Guest Post - CRN "How to Manage Cloud Risk" (Oct 2011)
- LockPath white papers, available from www.lockpath.com/about/downloads:
  - "Building a Better Vulnerability Profile"
  - "Enabling ISO/IEC 31000 Adoption with the LockPath Keylight Platform"
  - "Leveraging GRC for PCI DSS Compliance"
- "PCI: Requirements to Action" (May 2009 for Truth to Power Association, sponsored).
- GWU Master's Thesis: "The Total Enterprise Assurance Management (TEAM) Model: A Unified Approach to Information Assurance Management"
  ABSTRACT: This research thesis addresses the problem of identifying or creating a unified information assurance management model that harmonizes the key competency areas of enterprise risk management, operational security management, and audit management. The research was conducted by performing a literature review of existing information assurance related models, frameworks, and methodologies; creating a new model to unify the three competencies (given the absence of such a model); and validating the research results with subject-matter experts (SMEs). The research concluded with the development of the Total Enterprise Assurance Management (TEAM) model, which was well validated by the SMEs. Survey results indicate that the work was overwhelmingly viewed as favorable and logical, and that a majority of respondents agreed that all four hypotheses of the research had been achieved.
- "Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies"
  ABSTRACT: This paper provides a US-centric overview and analysis of commercially oriented information security models, frameworks, and methodologies. As a necessary component of the analysis, a cursory look is taken at a sampling of applicable US laws, such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Industry standards are also weighed, such as the Payment Card Industry Data Security Standard as adopted by Visa and MasterCard. The paper describes the goals of these models, frameworks, and methodologies, contextualizing them within the current business, regulatory, and legislative environment to help identify the usefulness of each. The analysis demonstrates the value of each model, framework, and methodology and where applying each would benefit an organization.
- DRAFT v2.0: "Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies" (abandoned)
Grad School Papers
Disclaimer: The following papers are original works of research and analysis. Attribution is given whenever appropriate. These works are independent of my current employer. Any similarities that may exist between language or structures represented within a work and language or structures represented within my employer are purely coincidental.
- "The GWU Code of Academic Integrity and U.S. Copyright Law," prepared for EMSE 315 (Professor Dan Ryan) on September 27, 2004. This is the first paper I wrote for my graduate program at GWU. It represented a "best effort" at the time but is not one of my better works.
- "Use of Licensed Software: Policy and Policy Analysis," prepared for EMSE 315 (Professor Dan Ryan) on October 11, 2004. This is the second paper I wrote for my graduate program at GWU. It represents a significantly better effort than my previous paper.
- "Acceptable Use of Computing Resources: Policy and Policy Analysis," prepared for EMSE 315 (Professor Dan Ryan) on November 1, 2004. This is the third paper I wrote for my graduate program at GWU.
- "Research Paper: Information Security Technologies," prepared for EMSE 218 (Professor Dave Carothers) on November 10, 2004. This is the only paper required for the course. The paper provides a basic overview and analysis of thirteen (13) different security technologies.
Other / Miscellaneous