Changing the Mindset: Creating a Risk-Conscious Culture

John Pironti

Tue, 30th July 2013


Speaker Bio 1:
John P. Pironti is the President of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions, information security and risk management strategy and programs, enterprise resiliency capabilities, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, insurance, energy, government, hospitality, aerospace, healthcare, pharmaceuticals, media and entertainment, and information technology on a global scale for over 20 years. Mr. Pironti has a number of industry certifications including Certified in the Governance of Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information System Control (CRISC), Information Systems Security Architecture Professional (ISSAP) and Information Systems Security Management Professional (ISSMP).

Mr. Pironti frequently provides briefings and acts as a trusted advisor to senior leaders of numerous organizations on information security, risk management and compliance topics, and is also a member of a number of technical advisory boards for technology and services firms. He is also a published author and writer, highly quoted and often interviewed by global media, and an award-winning frequent speaker on electronic business and information security and risk management topics at domestic and international industry conferences.

Learning Objectives:

John will explain:

  • Key considerations when creating a risk-aware and security-conscious culture
  • How to use risk management as a concept and tool to remove the fear of security in organizations
  • The value and benefits of developing an information risk profile
  • Understanding of the current behaviors of organizations and why they exist in regard to information security
  • Effective approaches to change behaviors and culture within organizations
  • How to leverage users effectively as a beneficial asset in supporting risk management and security activities
  • How to use threat and vulnerability analysis to identify and educate organizations on the highly probable and business-impacting threats that can affect them
  • Using control objectives as an approach to effectively manage information risk in a way that will be embraced by organizations

Resources and materials:


Max, Concise Courses:
What have you found to be the most effective emotional trigger with regards to actually getting a client to purchase your services? There were a number you mentioned, including empowerment, but is there a hot button? Can you zero in on that?

John Pironti:
It is not about business development or marketing, it’s about doing this well. I am a geek at heart; I can go bits and bytes with the best of them. I attack systems, but I have learned as I have gotten through my processes, and I have learned where my success criteria have come from, that it is ‘how do I touch the hearts?’ That personal benefits approach, as much as it sounds like it’s not so interesting, sexy or some ‘technological widget’, is my number one thing that I use right now. It is the number one thing that I can put in place immediately. Helping people understand how to help themselves in their personal lives, and we see this behavior automatically switching into their professional lives without having to grind them down with oversight and technologies, because they recognize this as a good idea because they see it helping their own personal lives.


Max, Concise Courses:
What have you found to be the most effective way to get your message out? How are you getting your expertise out there?

John Pironti:
My team and I, we are well recognized and well known for what we do. I have helped to build information security management security programs all over the world for over 20 years. I am well published and well spoken in this space. I have been lucky enough to find people actually coming to me, more so at the business leader level [whilst] not so much the technologist level for these types of services and these types of conversations. It is more of a natural recognition of how do we move forward, so I have been lucky in being able to say that I am not going out and cold-calling and having to do that.

I have more of a word-of-mouth plus a professional recognition working in my favor, and my team is mostly ex-CISOs or Chief Risk Officers as well as well-known technologists that I work with, but our message is clear in that this is only one component of how you go after this. I am not saying that you can get rid of technology, I’m not saying to get rid of all the things that we should be doing; what I am saying is “What do we do and when?” and that risk profile has been a winner for many audiences because it is something that both business groups and technology groups can align to.


Max, Concise Courses:
Would you agree that mobile security, and having mobiles on a corporate network, is a key vulnerability in the future?

John Pironti:
I love how we always fear new technologies as they come out. If you remember back in 2001, the first WiFi coming online, everybody was saying “Oh My Gosh! The wireless is the worst possible thing; Jump Drives, the worst possible thing! etc.,” and we go to the default zero. We start turning things off immediately and we start saying no, and then over time we realize that that is not the right way, so I look at mobile technology and BYOD as a natural move forward. If we take a data-focused approach and we take a data-business process alignment, then whatever technology and whatever conversation we account for is going to be something that we have to deal with. It’s the data that I care about rather than the vessel. Mobile devices do bring a lot of new capability, like [the fact that it has] a carrier network that can be leveraged and that is not filtered or aligned, and I don’t necessarily know what is going out the door, and I’m not going to be able to filter and put in administrative controls necessarily on a personally-owned device.

Maybe I shouldn’t be allowing data on those devices; maybe it should be an asset classification conversation that says, let’s just use basic messaging, basic operations etc. If you want to access anything of a secure nature or sensitive nature, then you need to go through a controlled environment with which we are comfortable, and that’s honestly how we do it in classified environments. We are not going to stop progress and be left behind. Mobile to me has been around for a long time; I look at my mobile like my laptop. I’m a consultant and I bring my laptop into organizations all the time. Mobile just brings a smaller version which comes with a carrier network, which is a better exit point for the data, but I don’t think it is the biggest risk.

The biggest risk that I run into these days is the view that somehow buying more widgets and technology is going to solve our problems better, instead of looking at more process orientation and saying, ‘hey, how are we going to secure BYOD, how are we going to do data classification models and how are we going to do controls that we are comfortable with.’ I hope that answers the question!


Max, Concise Courses:
Do you guys offer any training?

John Pironti:
I do. I offer one- and two-day workshops and teach at conferences, I have chaired InterOP information security management for over the last ten years, and I do a lot of stuff through ISACA, so yes, I do pure-play training on a regular basis and so do my team members as well.