MIS Research Center Seminar Series
Date: October 10, 2008
Speaker: Steve Crutchley, CEO, Consult2Comply, LLC
Topic: "IT Governance Helping Business Survival"
Abstract
Information security continues to attract the attention of upper and middle management. Information security is no longer considered just a technology-focused problem; it has become the basis for business survival, and therefore risk and controls are paramount in IT Governance for supporting and understanding business activities and requirements. Regulation, standards and best practices have a significant impact on IT organizations today! How do we effectively understand and manage these to support the overall business needs? What do we need to do, and what skills are required to achieve success?
We will look at the influencing standards and guidelines affecting IT Governance, specifically the new ISO/IEC 38500 standard for IT Governance and associated Compliance Principles. We will also determine a typical Governance program for IT and understand its relationship to the rest of the business.
Biography
CEO – Consult2Comply, LLC
scrutchley@consult2comply.com
Qualifications
Educated in the UK. Academic equivalent in the United States: Bachelor of Science in Management Information Systems (B.Sc. Management Information Systems) with a concentration in Information Security.
Certified in the Governance of Enterprise IT (CGEIT)
Certified Information Security Manager (CISM)
Certified and endorsed ISC² Security Subject Matter Expert-II (SSME-II)
Qualified Lead Auditor for BS 7799/ISO 17799/ISO 27001
Instructor for the IRCA 802 Certified Lead Auditor for ISO 27001 and ISO 27001 Implementation Courses
Instructor for ISO 20000 IT Service Management Internal Audit and Implementation courses
Qualified Auditor for ISO 20000
ISACA Accredited Trainer for CobIT
Approved trainer and implementer for BS 25999 BCM standard
Steve has in excess of 39 years' experience in IT, much of this spent working internationally in
the USA, Europe, South Africa and the Middle East. Steve is also a content expert related to
regulations, standards and best practices. Steve recently completed the transition of
4FrontSecurity’s technology purchase to Symantec. He was previously the President and CTO and
co-owner of 4FrontSecurity Inc., a US-based global information security infrastructure consultancy
and services firm. Steve is currently the founder and CEO of Consult2Comply, a specialist Risk,
Governance and Compliance firm with its HQ in Herndon, Virginia and offices in the UK.
With more than 20 years' experience in Business Protection, combined with an extensive
knowledge of the industrial, commercial, government and financial areas, Steve has dedicated his
skills over this time to be highly focused on risk, governance, compliance, information security
and information assurance. Steve’s intuitive skill is to provide management with tools and
techniques that enable them to understand the intricacies in an area where competence and expertise are in short supply worldwide. There is a clear need for executives to understand
compliance and risk as it relates to, and serves their organization. As the threats and
vulnerabilities increase, and the laws and regulations become more complex, risk increases
dramatically. Steve is a specialist in information compliance and security solutions ranging from
strategies, policies, and architectures with specific emphasis on content and international
standards, which encompass the multiple disciplines within the industry. Steve also has a solid
understanding of e-commerce and the Law as it stands today. With extensive experience in
Business and Security Management Steve was involved in Government infrastructures providing
security and privacy advice. Steve has worked closely with all the major security solutions
providers and has created skilled teams of security professionals that can support e-commerce business structures. He was also instrumental in the first major PKI roll out in South Africa.
Steve has held senior positions in government, corporate and private businesses for many years
and has a solid track record of prior achievements. Although his experience was developed from
being technology related, his roles have been various, from operational support, service
management, through to sales and marketing, business development and executive
management. This has provided him with the breadth and depth of knowledge required to drive
Information Assurance and IT initiatives in today’s challenging times. In a sector where the noise
is mixed and confusing, Steve is able to help organizations navigate through the business
protection (security) and compliance maze and assist them to select and deliver the processes
and solutions that will mitigate risk and support corporate governance. Steve has significant skill
in various standards and control structures including, but not limited to: ISO 27001, ISO 20000,
BS 25999, COBIT, ISF, COSO, GLBA, HIPAA, NERC, PCI. Steve has deep International expertise,
which is a key differentiator in business protection and security today.
SME Experience
Member of the South African Digital Signature Law Advisory Committee representing the interests
of Information Security Businesses in relation to government policy.
Produced Green Paper for the South African Government on Security and Privacy in e-Commerce
environments
Managing Director for a publicly listed IT Service Bureau in South Africa
Certified in numerous security technologies
TV appearances for CNBC related to hacking and security issues
TV appearance for FOX 5 – Virus Protection recommendations
Contributed to Network Middle East publication – regular monthly column related to security issues
Contributor to Secure Computing magazine in the USA and UK for security articles
Presented at NetSec 2002, San Francisco – IDS –v- Forensics
Sector 5 Presenter – Washington DC – August 2002
Conducted Webinar for TechTarget on “How to measure Security” September 2002
Conducted Webinar for TechTarget on “IDS –v- Forensics” October 2002
Conducted Webinar for TechTarget on “Vulnerabilities- Lets Look Internally” June 2003
Appointed to Prince George’s Community College as Lead Advisor for Faculty Education for Cyber
security Colloquium
Computerworld article – The Value of Security - Peer to Peers
SME for ITsecurity.com Security Clinic
Book and Product Reviewer for ITsecurity.com
Speaker for ITAA SPEAKERS BUREAU
Seminar Speaker for Purdue University, Center for Education and Research in Information Assurance
and Security - CERIAS – December 2002 and April 2003
FEAC – Member of the adjunct Faculty, developing course material for Enterprise Architecture
certification, specializing in Information Security
Developed an Enterprise Security Architecture model for integration into existing Enterprise Architectures
RSA 2003 Conference Speaker – Taking Security to the Boardroom
IQPC Workshop Presenter and Conference Speaker September 2003
Member of the Council of Advisors for the Gerson Lehrman Group – a membership association of
thought leaders to help industry professionals exchange data and knowledge with each other, as well
as financial analysts
Keynote speaker for “Enterprise Wide Integrity Strategies” http://www.cimcor.com/integrityseries/
September 2003
Book and Product Reviewer for ITSecurity.com
Conference speaker – Middle East Business Continuity Conference May 2004 – Dubai, UAE
Keynote speaker – IT Security Summit 2004 – Knowledge Village, Dubai Internet City, UAE
Conference Speaker – Gitex 2004 – Dubai UAE
Conference Speaker – IT Security Summit, Dubai, UAE – February 2005
Conference Speaker and trainer for FutureIT Conference, Bahrain – May 2005
Product Architect for 4FrontSecurity Inc. Assessment Manager
Product Architect for 4FrontSecurity Inc. Asset Risk Calculator
Developed Assessment Manager Modules for assessments, audit and risk alignment to various
regulations, standards, and processes.
Developed various mapping for standards and regulatory requirements for International Businesses
Conducted various Webinars on behalf of BSI Americas and BSI Mexico
Speaker and trainer at the Symantec annual sales conference in Las Vegas
Speaker at Rendez-vous de la Sécurité de l'information 2006 (RSI) – Montreal Canada


