Jennifer L. Bayuk, PhD

25 Redding Place

Towaco, NJ 07082

jennifer@bayuk.com


Profile A cybersecurity risk management thought leader and subject matter expert. Experienced in managing and measuring large-scale cybersecurity programs, system security architecture, cybersecurity tools and techniques, cybersecurity forensics, audit of information systems and networks, and technology control processes. Skilled in cybersecurity risk and performance indicators, technology risk awareness education, risk management training curricula, and system security research. Master's degrees in Philosophy and Computer Science. Ph.D. in Systems Engineering. Certified in Information Systems Audit, Information Systems Security, Information Security Management, and IT Governance. NJ Licensed Private Investigator.

Experience

Independent Technology Risk Management Consultant, New Jersey, 6/08 to present.

Engaged in a wide variety of projects ranging from security policy and metrics for financial institutions to research in systems security engineering for government contractors. Develop systems security architecture. Perform cybersecurity risk and regulatory compliance assessments. Develop and teach courses in various aspects of cybersecurity for academic institutions and industry associations. Lecture at conferences. Participate in public and private security-related committees. Advise entrepreneurs on Zero Trust Architecture, Technology Risk Management, and secure Cloud and Mobile requirements. Provide expert witness and legal consulting services. Exemplar projects:

                Decision Framework Systems, Inc., New Jersey, 1/18 to present.

Designed, developed, and implemented FrameCyber®, a complete cyber risk management life cycle system used in my consulting practice and by SaaS customers. FrameCyber® is a cloud software product designed to be used continuously with full retention of data and actions. It includes functions for cybersecurity risk assessment, event tracking, issue management, organization inventory, control inventory, risk registration, risk analysis, risk reporting, risk measures and metrics, and associated correlation of information and data in those domains required to perform cybersecurity risk management.

Expert Witness, various law firms, 7/09-present.

Professional expert witness case experience includes but is not limited to: opinions on the validity of digital signatures, whistleblowing claims of cybersecurity staff, forensic investigation of alleged cybersecurity attacks, whether patented security software was unique, provenance of allegedly fraudulent email, class action cybersecurity breaches, and compliance with settlement terms that include cybersecurity controls.

                Confidential Financial Services, 3/20-present.

Specify, implement, and maintain a Cybersecurity Metrics program spanning the NIST Cybersecurity Framework and an ISO 27001 Information Security Management System (ISMS). Includes periodic management- and BoD-level metrics for Access, Assessments, Incidents, Issues, Risks, Skills, Vulnerabilities, and Zero Trust.

                Quinnipiac University,  Hamden, CT, 1/19-present.

Created graduate laboratories in Amazon Web Services (AWS) for Cybersecurity Risk Management and Operating Systems Security courses in the School of Engineering. Created architecture requirements to establish a cloud-based cybersecurity laboratory, and implemented ~twenty lab classes in AWS ranging from network security through secure software to cybersecurity risk management. Current adjunct professor.

                TAG Cyber LLC, Byram, NJ, 7/19-4/23.

Advised and contributed to cybersecurity industry research and provided consulting on an as-needed (pro re nata) basis.

                Sandia National Laboratories, Albuquerque, NM, 9/24-present.

Cybersecurity subject matter expert participant in an External Advisory Board (EAB) to support the Digital Assurance for High Consequence Systems (DAHCS) Mission Campaign (MC), a strategic Laboratory Directed Research and Development (LDRD) to solve important national cybersecurity challenges.

                G. A. Baird Partners & Co, Stamford, CT, 6/17-11/17.

Created Cybersecurity and Technology Risk tools, techniques, and programs for a de novo Bank. Specified systems security architecture for Digital Banking Architecture and Third Party Integration, focused on Cloud and Mobile Security Technologies.

                Delta Risk, Chicago, IL, 7/09-1/13.

Provided business requirements, testing, and analysis for Securities Industry and Financial Markets Association (SIFMA) Quantum Dawn Cybersecurity Exercises. Assisted in the development of DECIDE simulation environment for experiencing cyber-attack scenarios, and the scenarios used by SIFMA.


Managing Director, Cybersecurity Governance, Risk & Control, JPMorgan Chase, New York, NY, 10/16 to 6/17.

Designed, managed, and measured a Cybersecurity Risk Management framework in support of $600M Firmwide Cybersecurity Program. Managed the evolution of cybersecurity and technology risk policies and standards in coordination with cybersecurity product managers and the broader Technology Control organization. Globally coordinated cybersecurity regulatory, audit, client, and partner engagement in coordination with Technology Control and Cybersecurity Regional leads. Managed governance and control processes applicable to the Cybersecurity organization, including but not limited to self-assessment,  resiliency and recovery, issue management, third party oversight, and inter-affiliate agreements.

Managing Director, Operational Risk Management, Citi, New York, NY, 3/13 to 10/16.

Developed and coordinated technology risk management program to identify, measure, monitor, and manage key operational risks within Citi’s Enterprise Operations and Technology (O&T) division (~60 distinct Global and Regional operational entities). Proactively engaged management to address risk due to business dependency on technology and centralized operations. Participated in forums such as the Information Security Committee and Fraud Oversight Committee. Advised multiple levels of executives on a wide variety of topics related to global risk management program strategy and execution. Escalated and tracked issues. Devised and directed the development of Technology Oversight Procedures and Technology Metrics used firmwide for Management Control Assessment and Operational Risk Analysis.

Associate Professor, Stevens Institute of Technology, Hoboken, NJ, 9/09-present.

Created a new graduate curriculum in cybersecurity architecture and engineering for the School of Systems and Enterprises. Led research in systems security engineering, including a roadmap for the Department of Defense Systems Engineering Directorate. Created a security engineering laboratory. Occasional adjunct.

Senior Managing Director, CISO, Bear Stearns & Co., Inc., Whippany, NJ, 4/98 to 6/08.

Designed and implemented firmwide processes to protect, detect, and recover from harm to information. Established and maintained enterprise-wide security, change control, and business continuity metrics. Chair of the Firmwide Information Protection Committee and member of the Global Outsourcing and Firmwide Emergency Response Committees. Drafted, negotiated, and issued global security policies and processes. Devised tools, techniques, roles, responsibilities, and awareness materials for all security processes, including digital identity, application inventory, and information systems risk management. Provided technical requirements and test programs for new security products and security features of new applications. Directed the activities of development and infrastructure officers globally with respect to security tools and techniques. Directed cybersecurity investigations and remediation activities in coordination with human resources, legal, and compliance. Coordinated emergency response teams for cybersecurity events. Reviewed physical security efforts in support of data center protection. Contracted and managed penetration tests. Guided management through information technology (IT) audits. Performed due diligence in support of merger, acquisition, research analyst, and investment banking activity. Testified on due diligence efforts when required by regulators. Prepared materials on security measures for prospective clients. Coordinated industry efforts in support of firm goals for information security improvements. Chaired the FS-ISAC R&D Committee. Directly managed the department budget (~$3M) and security tollgates over all projects in the IT budget (~$600M). Chief Information Security Officer title achieved in 2002.

Manager, Information Systems Business Controls, AT&T Capital Corporation, Morristown, NJ, 2/97 to 4/98.

Led and executed the company's global internal audit and control assessments with respect to information systems. Conducted security investigations. Provided direction and guidance on systems control issues for the company's strategic leaders, including the Technology Leadership Team and corporate legal counsel. Developed a COSO- and COBIT-compliant systems audit approach for AT&T Capital that includes quantitative communication of systems vulnerabilities. Evaluated and developed tools for operating system, database management system, and network security testing as well as data analysis, incident tracking, and reporting.

Information Systems Risk Manager, Price Waterhouse LLP, Morristown, NJ, 1995 - 1997.

Managed a variety of security consulting and audit projects for the Price Waterhouse Information Systems Risk Management Practice, including penetration tests and physical infrastructure reviews. Performed systems infrastructure analysis directed at improving security architecture, security management processes, and information system operational risk management. Developed a methodology for evaluating the effectiveness of security management processes and trained both consultants and senior managers on its use. Wrote and customized programs for security testing. Evaluated various types of commercial security software.

Information Security Technical Staff, AT&T Bell Laboratories, Holmdel, NJ, 1990 - 1995.

Led diverse, cross-organizational teams focused on cybersecurity and data integrity, including the AT&T Network Security Requirements Team, the Security Analysis of the Network Environment Team, and the Security Assessment Team. Envisioned, designed, specified, developed, demonstrated, tested, and documented software for expert systems, graphical user interfaces, databases, and network monitors.

Education

PhD Systems Engineering, Stevens Institute of Technology, 2012, Thesis: Measuring Systems Security, GPA 3.9.

MS Computer Science, Stevens Institute of Technology, 1992, GPA 3.9.

MA Philosophy, The Ohio State University, 1986, GPA 3.5.

BA Computer Science & Philosophy, Rutgers College, Rutgers, the State University of NJ, 1985, GPA 3.59.

Certified Information Systems Auditor (CISA), 1996, current

Certified Information Security Manager (CISM), 2002, current

Certified in the Governance of Enterprise IT (CGEIT), 2008, current

Certified Information Systems Security Professional (CISSP), 2008, current


Books

March 2024                  Stepping Through Cybersecurity Risk Management, Wiley.

December 2018           Financial Cybersecurity Risk Management, coauthor, Springer Apress.

April 2012                   Cyber Security Policy Guidebook, lead of five authors in different areas of cybersecurity policy expertise, Wiley.

September 2010           CyberForensics, Understanding Information Security Investigations, edited this collection of articles by industry experts and provided an introductory framework, Springer.

January 2010               Enterprise Security for the Executive: Setting the Tone at the Top, Praeger.

March 2009                  Enterprise Information Security and Privacy, Artech House, co-edited this collection, and wrote chapter on “Information Classification.”

November 2007           Stepping Through the InfoSec Program, Information Systems Audit and Control Association (ISACA), peer-reviewed book.

January 2005               Stepping Through the IS Audit, A Guide for Information Systems Managers, 2nd Edition, Information Systems Audit and Control Association (ISACA).

January 2000               Stepping Through the IS Audit, A Guide for Information Systems Managers, Information Systems Audit and Control Association (ISACA).

Courses Developed, Listed By Initial Launch

September 2023           Zero Trust, Information Systems Audit and Control Association (ISACA), NJ Chapter

June 2023                      Cybersecurity Risk Management, Professional Risk Managers International Association

September 2019           Cyber Threats, Quinnipiac University

September 2019           Cyber Defense, Quinnipiac University

October 2019              Cyber Policy, Quinnipiac University

February 2019             Operating System Security, Quinnipiac University

September 2018           Risk Management for Financial Cybersecurity, Stevens Institute of Technology

June 2018                     Technology's Role in Enterprise Risk Management, ISACA NJ Chapter

June 2015                      Loss Capture for Technology-Related Events, Citigroup Internal Online Training.

January 2015                Technology Oversight Procedures, Citigroup Internal Online Training.

August 2014                 Manager’s Control Assessment, Citigroup Internal Online Training.

June 2014                      Information Security Architecture, Citigroup Internal Online Training.

November 2013           Information Security Metrics, Citigroup Internal Online Training.

March 2012                  System Security Management, University of Virginia Accelerated MS Systems Engineering.

June 2012                     Information Security Governance at Board Level, seminar for ISACA & IIA NJ Chapters.

April 2012                    Security Documentation, ISACA Philadelphia & New Jersey Chapters Spring Conference.

Spring 2011                  Systems Security Architecture and Design, Stevens Institute of Technology

Spring 2011                  Fundamentals of Security Systems Engineering, Stevens Institute of Technology

Spring 2011                  Secure Systems Laboratory, Stevens Institute of Technology

June 2010                     Metrics That Actually Improve Security, Computer Security Institute.

Spring 2009                  Secure Systems Foundations, Stevens Institute of Technology

March 2009                  Information Security Metrics, ISACA, NY Chapter

March 2009                  Information Security Governance, ISACA, NJ Chapter

January 2009                Information Asset Classification, ISACA, NY Chapter.

April 1998                    CISA Exam Certification Course, Domain 4: Information Systems Integrity, Confidentiality, and Availability, ISACA North Jersey Chapter (Also taught in April 1999 and April 2000).

Current Affiliations

Information Systems Audit and Control Association (ISACA), Member, Author, Instructor, Contributor on a wide variety of technology risk topics.

International Information System Security Certification Consortium (ISC²), Member.

Metricon Program Committee Member, and Chair for Metricon 4.0 and MiniMetricon 5.5 (www.securitymetrics.org).

NJ Licensed Private Investigator, since 2012

Past Affiliations

COSO Enterprise Risk Management Advisory Committee, representing ISACA, 2016-2017.

Computers and Security, an Elsevier publication, Editorial Board Member, current occasional reviewer.

Financial Services Information Sharing and Analysis Center (FS-ISAC) and Financial Services Sector Coordinating Council (FSSCC), member 1999-2006, 2013-2017, chair FSSCC R&D Committee 2006-08.

Information Security Forum (securityforum.org), member, participant in Information Security Architecture Project.

International Council on Systems Engineering (INCOSE), co-chair, Security Working Group, 2010-2011.

IEEE Computer Society, member, participant in Smart Grid Vision Project.

Securities Industry and Financial Markets Association (SIFMA), Information Security Committee Chair, 2003-2008.


Select Articles & Speaking Engagements

February 2024              Stepping Through Cybersecurity Risk Management, Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS)

June 2023                     Risk/Control, Audit Management, SECON, ISC2 & ISACA NJ joint annual conference

December 2022           Secure Linux in the Cloud, Cloud Security Alliance, NJ Chapter

October 2022               Cybersecurity Metrics: What Good Looks Like, TAG Cyber Quarterly Q4-2022

June 2022                     Chinese Attacks on US Technology, TAG Cyber Quarterly Q3-2022

April 2022                    Cybersecurity Tool Portfolio: Friend or Foe?, TAG Cyber Quarterly Q2-2022

April 2022                    Cyber Safety in 2022, Solution Driven Wealth

February 2022             Cybersecurity Metrics: What Good Looks Like, ISSA-Chicago

September 2021           History of Cybersecurity Metrics, Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS)

September 2021           History of Cybersecurity, Mind the Sec

June 2020                     Cybersecurity Metrics History, CyberGreen and R Street Institute

October 2019               Cybersecurity Framework Integration. ISSA International, CISO Summit

May 2019                     A Framework for Cybersecurity Risk, SIRACON.

March 2019                  Assigning Probability to Cybersecurity Risk, Metricon X.

August 2018                 Cybersecurity Risk Management: Putting Principles into Practice, Information Security Media Group Security Summit.

March 2018                  Technology’s Role in Enterprise Risk Management, ISACA Journal, 2018 Volume 2

March 2013                  Security as a Theoretical Attribute Construct, Computers and Security, Volume 37.

January 2013               Measuring System Security, Systems Engineering, Vol. 16, Issue 1, Best Paper of the Year

November 2012           Overcoming Challenges for Superior System Security Metrics, ISACA NA ISRM/IT GRC

February 2012             System-Level Security, Canadian Financial Institutions Computer Incident Response Team (CFI-CIRT) Annual Conference.

March 2012                  Security via Related Disciplines, Conference on Systems Engineering Research (CSER).

November 2011           Measuring Cyber Security in Intelligent Urban Infrastructure Systems, International IEEE Conference & Expo on Emerging Technologies for a Smarter World (CEWIT).

Fall 2011                       An Architectural Systems Engineering Methodology for Addressing Cyber Security, Systems Engineering, Volume 14, Issue 3.

July 2011                      Systems-of-Systems Issues in Security Engineering, INCOSE Insight, Volume 14, No 2.

June 2011                     Cloud Security Metrics, IEEE Systems of Systems Engineering Conference (SoSE2011).

April 2011                    A Cyberforensics Framework, The Computer Forensics Show.

March/April 2011       On the Horizon - System Security Engineering, IEEE Security & Privacy Magazine, Volume 9 Issue 2.

August 2010                 Systems Security Engineering, A Research Roadmap, Final Technical Report, principal investigator for DoD-sponsored publication for the Systems Engineering Research Center (www.sercuarc.org).

November 2010           Systems Security Engineering Roadmap, Rethinking Cyber Security: A Systems-Based Approach, Workshop sponsored by the Center for Risk Management of Engineering Systems and the Institute for Information Infrastructure Protection (I3P), University of Virginia.

October 2010              The Utility of Security Standards, IEEE International Carnahan Conference on Security Technology (ICCST).

June 2010                    Pairing Organizational Strategy with Security Solutions, CSO Executive Seminar.

June 2010                    Information Security Metrics, in Readings and Cases in Information Security Management: Legal and Ethical Issues, Course Technology, edited by Mattord and Whitman.

May 2010                      Systems Security Engineering, Tenth Annual High Confidence Software and Systems Conference, sponsored by the National Security Agency.

December 2009            Critical Infrastructure Protection Issues in the Financial Industry, Global Conference on Systems and Enterprises, Stevens Institute of Technology.

September 2009            Prevention Is Better Than Cure, Business Trends Quarterly.

June 2009                     How to Write an Information Security Policy, CSOonline.com.

May 2009                     Information Systems Audit: The Basics, CSOonline.com.

May 2009                     Third Party Data Handling, ISACA Control Journal.

March 2009                  Data-Centric Security, Computer Fraud and Security.

November 2008           Security Through a Time of Crisis, Computer Security Institute Annual Conference.

October 2008               Key Data Points for IT Governance Metrics, ISACA IT GRC Conference.

July 2008                      Metrics for Risk Management versus Security Attribution, Metricon Conference.

June 2008                     Third Party Due Diligence, Securities Industry and Financial Markets Association (SIFMA) Technology Management Conference.

October 2007               Utilising information security to improve resiliency, Journal of Business Continuity & Emergency Planning.

October 2007               Data Classification, Security and Privacy, Securities Industry and Financial Markets Association, Internal Audit Division, Annual Conference.

Sept/Oct 2007              IT Attestation Services: What You Need to Know, Journal of Corporate Accounting and Finance.

June 2007                     CISM Review Manual, Chapter 5: Information Security Program Management, Information Systems Audit and Control Association.

October 2006               The Homeland Security Front, Securities Industry Association, Internal Audit Division, Annual Conference.

November 2005           Security Review Alternatives, The Computer Security Journal, Fall 2005, a Computer Security Institute publication.

October 2005               Best Practices for Securing and Controlling Offshore Vendors, Securities Industry Association, Internal Audit Division, Annual Conference.

September 2005           Internal Security Reviews, Fourth Annual FDIC Technology Seminar.

June 2004                     Sarbanes-Oxley for the IS Professional, Securities Industry Association, Technology Management Conference.

October 2003               Metrics for Due Diligence, Best In Class Security and Operations Roundtable Conference, Carnegie Mellon Software Engineering Institute.

May 2003                     Security Forum 2003, The Secure Enterprise, Wireless LAN Panel, Technology Managers Forum.

April 2003                    Introducing Security at the Cradle, SANS (System Admin, Audit, Network, Security Institute) Security and Audit Controls that Work Conference.

Summer/Fall 2002      Productive Intrusion Detection, The Computer Security Journal Vol XVIII, No 3-4, a Computer Security Institute publication.

May 2001                     Security Forum 2001, Information Risk Management, Risk Management and Security Metrics Panel, Technology Managers Forum.

May 2001                     Measuring Security, Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop.

January 2001               Security Metrics, The Computer Security Journal, Vol XVII, No 1, a CSI publication.

August 2000                 Assurance and Monitoring of E-business: Technical Control Points, Seminar sponsored by Information Systems Audit and Control Association (ISACA) and the Association of Government Accountants (AGA).

June 2000                     Security Metrics: An Audit-based Approach, Computer Systems Security and Privacy Advisory Board (CSSPAB) Security Metrics Workshop (sponsored by NIST, the National Institute of Standards and Technology).

October 1999               Infrastructure Monitoring Challenges, 22nd Annual National Information Systems Security Conference.

May 1999                     Successful Audits in New Situations, ISACA Control Journal, (v.III).

November 1998           How to Survive an IS Audit, Computer Security Institute Conference, Chicago, IL.

June 1997                      Oracle Database Control Issues, Vanguard Information Security Expo, Orlando, FL.

January 1997                Audit & Control of Sybase and Oracle, ISACA NY Metropolitan Chapter.

January 1996                Security Controls for a Client-Server Environment, ISACA North Jersey Chapter.

October 1996                Security Through Process Management, 19th Annual National Information Systems Security Conference, Baltimore, MD.

Many of these publications are available for download at http://www.bayuk.com