Jennifer L. Bayuk, PhD

25 Redding Place

Towaco, NJ 07082

Profile A cybersecurity risk management thought leader and subject matter expert. Experienced in managing and measuring large-scale cybersecurity programs, system security architecture, cybersecurity tools and techniques, cybersecurity forensics, audit of information systems and networks, and technology control processes. Skilled in cybersecurity risk and performance indicators, technology risk awareness education, risk management training curriculum, and system security research. Masters degrees in Philosophy and Computer Science. Ph.D. in Systems Engineering. Certified in Information Systems Audit, Information Systems Security, Information Security Management, and IT Governance. NJ Licensed Private Investigator.

Experience

Independent Technology Risk Management Consultant, New Jersey, 6/08 to present.

Engaged in a wide variety of projects ranging from security policy and metrics for financial institutions to research in systems security engineering for government contractors. Develop systems security architecture. Perform cybersecurity risk and regulatory compliance assessments. Develop and teach courses in various aspects of cybersecurity for academic institutions and industry associations. Lecture at conferences. Participate in public and private security-related committees. Assist entrepreneurs on Zero Trust Architecture, Technology Risk Management, and secure Cloud and Mobile requirements. Provide expert witness and legal consulting services. Exemplar projects:

Decision Framework Systems, Inc., New Jersey, 1/18 to present.

Designed, developed, and implemented FrameCyber®, a complete cyber risk management life cycle system used in my consulting practice and by SaaS customers. FrameCyber® is a cloud software product designed to be used continuously with full retention of data and actions. It includes functions for cybersecurity risk assessment, event tracking, issue management, organization inventory, control inventory, risk registration, risk analysis, risk reporting, risk measures and metrics, and associated correlation of information and data in those domains required to perform cybersecurity risk management.

Expert Witness, various law firms, 7/09-present.

Professional expert witness case experience includes but is not limited to: opinions on the validity of digital signatures, whistleblowing claims of cybersecurity staff, forensic investigation of alleged cybersecurity attack, whether patented security software was unique, provenance of allegedly fraudulent email, class action cybersecurity breaches, and compliance with settlement terms that include cybersecurity controls.

Confidential Financial Services, 3/20-present.

Specify, implement, and maintain Cybersecurity Metrics program spanning the NIST Cybersecurity Framework and ISO27001 Information Systems Management System. Includes periodic management and BoD level metrics for Access, Assessments, Incidents, Issues, Risks, Skills, Vulnerabilities and Zero Trust.

Quinnipiac University, Hamden, CT, 1/19-present.

Created graduate laboratories in Amazon Web Service for Cybersecurity Risk Management and Operating Systems Security courses in the School of Engineering. Created Architecture Requirements to establish a cloud-based cybersecurity laboratory, and implemented ~twenty lab classes in AWS ranging from network security through secure software to cybersecurity risk management. Current adjunct professor.

TAG Cyber LLC, Byram, NJ, 7/19-4/23.

Advise and contribute to cybersecurity industry research and provide consulting on a pro re nata basis.

Sandia National Laboratories, Albuquerque, NM, 9/24-present

Cybersecurity subject matter expert participant in an External Advisory Board (EAB) to support the Digital Assurance for High Consequence Systems (DAHCS) Mission Campaign (MC), a strategic Laboratory Directed Research and Development (LDRD) to solve important national cybersecurity challenges.

G. A. Baird Partners & Co, Stamford, CT, 6/17-11/17.

Created Cybersecurity and Technology Risk tools, techniques, and programs for a de novo Bank. Specified systems security architecture for Digital Banking Architecture and Third Party Integration, focused on Cloud and Mobile Security Technologies.

Delta Risk, Chicago, IL, 7/09-1/13.

Provided business requirements, testing, and analysis for Securities Industry and Financial Markets Association (SIFMA) Quantum Dawn Cybersecurity Exercises. Assisted in the development of DECIDE simulation environment for experiencing cyber-attack scenarios, and the scenarios used by SIFMA.

Managing Director, Cybersecurity Governance, Risk &Control, JPMorgan Chase, NY, NY, 10/16 to 6/17.

Designed, managed, and measured a Cybersecurity Risk Management framework in support of $600M Firmwide Cybersecurity Program. Managed the evolution of cybersecurity and technology risk policies and standards in coordination with cybersecurity product managers and the broader Technology Control organization. Globally coordinated cybersecurity regulatory, audit, client, and partner engagement in coordination with Technology Control and Cybersecurity Regional leads. Managed governance and control processes applicable to the Cybersecurity organization, including but not limited to self-assessment, resiliency and recovery, issue management, third party oversight, and inter-affiliate agreements.

Managing Director, Operational Risk Management, Citi, New York, NY, 3/13 to 10/16.

Developed and coordinated technology risk management program to identify, measure, monitor, and manage key operational risks within Citi’s Enterprise Operations and Technology (O&T) division (~60 distinct Global and Regional operational entities). Proactively engaged management to address risk due to business dependency on technology and centralized operations. Participated in forums such as the Information Security Committee and Fraud Oversight Committee. Advised multiple levels of executives on a wide variety of topics related to global risk management program strategy and execution. Escalated and tracked issues. Devised and directed the development of Technology Oversight Procedures and Technology Metrics used firmwide for Management Control Assessment and Operational Risk Analysis.

Associate Professor, Stevens Institute of Technology, Hoboken, NJ, 9/09-present.

Created a new graduate curriculum in cybersecurity architecture and engineering for the School of Systems and Enterprises. Led research in systems security engineering, including a roadmap for the Department of Defense Systems Engineering Directorate. Created a security engineering laboratory. Occasional adjunct.

Senior Managing Director, CISO, Bear Stearns & Co., Inc., Whippany, NJ, 4/98 to 6/08.

Designed and implemented firmwide processes to protect, detect, and recover from harm to information. Established and maintained enterprise-wide security, change control, and business continuity metrics. Chair of the Firmwide Information Protection Committee and member of the Global Outsourcing and Firmwide Emergency Response Committees. Drafted, negotiated, and issued global security policies and processes. Devised tools, techniques, roles, responsibilities, and awareness materials for all security processes including digital identity, application inventory and information systems risk management. Provided technical requirements and test programs for new security products and security features of new applications. Directed the activities of development and infrastructure officers globally with respect to security tools and techniques. Directed cybersecurity investigations and remediation activities in coordination with human resources, legal and compliance. Coordinated emergency response teams for cybersecurity events. Reviewed physical security efforts in support of data center protection. Contracted and managed penetration tests. Guided management through information technology (IT) audits. Performed due diligence in support of merger, acquisition, research analyst, and investment banking activity. Testified on due diligence efforts when required by regulators. Prepared materials on security measures for prospective clients. Coordinated industry efforts in support of firm goals for information security improvements. Chaired the FS-ISAC R&D Committee. Directly managed department budget (~3M) and security tollgates over all projects in IT budget (~600M). Chief Information Security Officer title achieved in 2002.

Manager, Information Systems Business Controls, AT&T Capital Corporation, Morristown, NJ, 2/97 to 4/98.

Led and executed the company’s global internal audit and control assessments with respect to information systems. Conducted security investigations. Provided direction and guidance on systems control issues for the company’s strategic leaders, including the Technology Leadership Team and corporate legal counsel. Developed COSO & COBIT compliant systems audit approach for AT&T Capital that includes quantitative communication of systems vulnerabilities. Evaluated and developed tools for operating system, database management system, and network security testing as well as data analysis, incident tracking, and reporting.

Information Systems Risk Manager, Price Waterhouse LLP, Morristown, NJ, 1995 - 1997.

Managed a variety of security consulting and audit projects for the Price Waterhouse Information Systems Risk Management Practice, including pentests and physical infrastructure reviews. Performed systems infrastructure analysis directed at improving security architecture, security management processes, and information system operational risk management. Developed methodology for evaluating the effectiveness of security management processes and trained both consultants and senior managers on its use. Wrote and customized programs for security testing. Evaluated various types of commercial security software.

Information Security Technical Staff, AT&T Bell Laboratories, Holmdel, NJ, 1990 - 1995.

Led diverse, cross-organizational teams focused on cybersecurity and data integrity, including the AT&T Network Security Requirements Team, the Security Analysis of the Network Environment Team, and the Security Assessment Team. Envisioned, designed, specified, developed, demonstrated, tested, and documented software for expert systems, graphical user interfaces, databases, and network monitors.

Education

PhD Systems Engineering, Stevens Institute of Technology, 2012, Thesis: Measuring Systems Security, GPA 3.9.

MS Computer Science, Stevens Institute of Technology, 1992, GPA 3.9.

MA Philosophy, The Ohio State University, 1986, GPA 3.5.

BA Computer Science & Philosophy, Rutgers College, Rutgers, the State University of NJ, 1985, GPA 3.59.

Certified Information Systems Auditor (CISA), 1996, current

Certified Information Security Manager (CISM), 2002, current

Certified in the Governance of Enterprise IT (CGEIT), 2008, current

Certified Information Systems Security Professional (CISSP), 2008, current

Books

March 2024 Stepping Through Cybersecurity Risk Management, Wiley.

December 2018 Financial Cybersecurity Risk Management, coauthor, Springer Apress.

April 2012 Cyber Security Policy Guidebook, lead of five authors in different areas of cybersecurity Policy Expertise, Wiley.

September 2010 CyberForensics, Understanding Information Security Investigations, edited this collection of articles by industry experts and provided an introductory framework, Springer.

January 2010 Enterprise Security for the Executive: Setting the Tone at the Top, Praeger.

March 2009 Enterprise Information Security and Privacy, Artech House, co-edited this collection, and wrote chapter on “Information Classification.”

November 2007 Stepping Through the InfoSec Program, Information Systems Audit and Control Association (ISACA), peer-reviewed book.

January 2005 Stepping Through the IS Audit, A Guide for Information Systems Managers, 2^nd Edition.

Book published by the Information Systems Audit and Control Association.

January 2000 Stepping Through the IS Audit, A Guide for Information Systems Managers.

Book published by the Information Systems Audit and Control Association (ISACA).

Courses Developed, Listed By Initial Launch

September 2023 Zero Trust, Information Systems Audit and Control Association (ISACA), NJ Chapter

June 2023 Cybersecurity Risk Management, Professional Risk Managers International Association

September 2019 Cyber Threats, Quinnipiac University

September 2019 Cyber Defense, Quinnipiac University

October 2019 Cyber Policy, Quinnipiac University

February 2019 Operating System Security, Quinnipiac University

September 2018 Risk Management for Financial Cybersecurity, Stevens Institute of Technology

June 2018 Technology’s Role in Enterprise Risk Management, ISACA NJ Chapter

June 2015 Loss Capture for Technology-Related Events, Citigroup Internal Online Training.

January 2015 Technology Oversight Procedures, Citigroup Internal Online Training.

August 2014 Manager’s Control Assessment, Citigroup Internal Online Training.

June 2014 Information Security Architecture, Citigroup Internal Online Training.

November 2013 Information Security Metrics, Citigroup Internal Online Training.

March 2012 System Security Management, University of Virginia Accelerated MS Systems Engineering.

June 2012 Information Security Governance at Board Level, seminar for ISACA & IIA NJ Chapters.

April 2012 Security Documentation, ISACA Philadelphia & New Jersey Chapters Spring Conference.

Spring 2011 Systems Security Architecture and Design, Stevens Institute of Technology

Spring 2011 Fundamentals of Security Systems Engineering, Stevens Institute of Technology

Spring 2011 Secure Systems Laboratory, Stevens Institute of Technology

June 2010 Metrics That Actually Improve Security, Computer Security Institute.

Spring 2009 Secure Systems Foundations, Stevens Institute of Technology

March 2009 Information Security Metrics, ISACA, NY Chapter

March 2009 Information Security Governance, ISACA, NJ Chapter

January 2009 Information Asset Classification, ISACA, NY Chapter.

April 1998 CISA Exam Certification Course, Domain 4: Information Systems Integrity, Confidentiality, and Availability, ISACA North Jersey Chapter (Also taught in April 1999 and April 2000).

Current Affiliations

Information Systems Audit and Control Association (ISACA), Member, Author, Instructor, Contributor on a wide variety of technology risk topics.

Information System Security Certification Consortium, (ISC²), Member.

Metricon Program Committee Member, and Chair for Metricon 4.0, MiniMetricon 5.5 (www.securitymetrics.org).

NJ Licensed Private Investigator, since 2012

Past Affiliations

COSO Enterprise Risk Management Advisory Committee, representing ISACA, 2016-2017.

Computers and Security, an Elsevier publication, Editorial Board Member, current occasional reviewer.

Financial Services Information Sharing and Analysis Committee (FS-ISAC) and Financial Services Sector Coordinating Council (FSSCC), member 1999-2006, 2013-2017, chair FSSCC R&D Committee 2006-08.

Information Security Forum (securityforum.org), member, participant in Information Security Architecture Project.

International Council on Systems Engineering (INCOSE), co-chair, Security Working Group, 2010-2011.

IEEE Computer Society, member, participant in Smart Grid Vision Project.

Securities Industry and Financial Markets Association (SIFMA), Information Security Committee Chair, 2003-2008.

Select Articles & Speaking Engagements

February 2024 Stepping Through Cybersecurity Risk Management, Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS)

June 2023 Risk/Control, Audit Management, SECON, ISC² & ISACA NJ joint annual conference

December 2022 Secure Linux in the Cloud, Cloud Security Alliance, NJ Chapter

October 2022 Cybersecurity Metrics: What Good Looks Like, TAG Cyber Quarterly Q4-2022

June 2022 Chinese Attacks on US Technology, TAG Cyber Quarterly Q3-2022

April 2022 Cybersecurity Tool Portfolio Friend or Foe?, TAG Cyber Quarterly Q2-2022

April 2022 Cyber Safety in 2022, Solution Driven Wealth

February 2022 Cybersecurity Metrics: What Good Looks Like, ISSA-Chicago

September 2021 History of Cybersecurity Metrics, Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS)

September 2021 History of Cybersecurity, Mind the Sec

June 2020 Cybersecurity Metrics History, CyberGreen and R Street Institute

October 2019 Cybersecurity Framework Integration. ISSA International, CISO Summit

May 2019 A Framework for Cybersecurity Risk, SIRACON.

March 2019 Assigning Probability to Cybersecurity Risk, Metricon X.

August 2018 Cybersecurity Risk Management: Putting Principles into Practice, Information Security Media Group Security Summit.

March 2018 Technology’s Role in Enterprise Risk Management, ISACA Journal, 2018 Volume 2

March 2013 Security as a Theoretical Attribute Construct, Computers and Security, Volume 37.

January 2013 Measuring System Security, Systems Engineering, V16, Iss.1, Best Paper of the Year

November 2012 Overcoming Challenges for Superior System Security Metrics, ISACA NA ISRM/IT GRC

February 2012 System-Level Security, Canadian Financial Institutions Computer Incident Response Team (CFI-CIRT) Annual Conference.

March 2012 Security via Related Disciplines, Conference on Systems Engineering Research (CSER).

November 2011 Measuring Cyber Security in Intelligent Urban Infrastructure Systems, International IEEE Conference & Expo on Emerging Technologies for a Smarter World (CEWIT).

Fall 2011 An Architectural Systems Engineering Methodology for Addressing Cyber Security, Systems Engineering, Volume 14, Issue 3.

July 2011 Systems-of-Systems Issues in Security Engineering, INCOSE Insight, Volume 14, No 2.

June 2011 Cloud Security Metrics, IEEE Systems of Systems Engineering Conference (SoSE2011).

April 2011 A Cyberforensics Framework, The Computer Forensics Show.

March/April 2011 On the Horizon - System Security Engineering, IEEE Security & Privacy Magazine, Volume 9 Issue 2.

August 2010 Systems Security Engineering, A Research Roadmap, Final Technical Report, principal investigator for DoD-sponsored publication for the Systems Engineering Research Center (www.sercuarc.org).

November 2010 Systems Security Engineering Roadmap, Rethinking Cyber Security: A Systems-Based Approach, Workshop sponsored by the Center for Risk Management of Engineering Systems and the Institute for Information Infrastructure Protection (I3P), University of Virginia.

October 2010 The Utility of Security Standards, IEEE International Carnahan Conference on Security Technology (ICCST).

August 2010 Systems Security Engineering, A Research Roadmap, Final Technical Report, primary author for DoD-sponsored publication for the Systems Engineering Research Center (www.sercuarc.org).

June 2010 Pairing Organizational Strategy with Security Solutions, CSO Executive Seminar.

June 2010 Information Security Metrics, in Readings and Cases in Information Security Management – Legal and Ethical Issues, Course Technology, edited by Mattord and Whitman.

May 2010 Systems Security Engineering, Tenth Annual High Confidence Software and Systems Conference, sponsored by the National Security Agency.

December 2009 Critical Infrastructure Protection Issues in the Financial Industry, Global Conference on Systems and Enterprises, Stevens Institute of Technology.

September 2009 Prevention Is Better Than Cure, Business Trends Quarterly.

June 2009 How to Write an Information Security Policy, CSOonline.com.

May 2009 Information Systems Audit: The Basics, CSOonline.com.

May 2009 Third Party Data Handling, ISACA Control Journal.

March 2009 Data-Centric Security, Computer Fraud and Security.

November 2008 Security Through a Time of Crisis, Computer Security Institute Annual Conference.

October 2008 Key Data Points for IT Governance Metrics, ISACA IT GRC Conference.

July 2008 Metrics for Risk Management versus Security Attribution, Metricon Conference.

June 2008 Third Party Due Diligence, Securities Industry and Financial Markets Association (SIFMA) Technology Management Conference.

October 2007 Utilising information security to improve resiliency, Journal of Business Continuity & Emergency Planning.

October 2007 Data Classification, Security and Privacy, Securities Industry and Financial Markets Association, Internal Audit Division, Annual Conference.

Sept/Oct 2007 IT Attestation Services: What You Need to Know, Journal of Corporate Accounting and Finance.

June 2007 CISM Review Manual, Chapter 5: Information Security Program Management, Information Systems Audit and Control Association.

October 2006 The Homeland Security Front, Securities Industry Association, Internal Audit Division, Annual Conference.

November 2005 Security Review Alternatives. The Computer Security Journal, Fall 2005, a Computer Security Institute publication.

October 2005 Best Practices for Securing and Controlling Offshore Vendors, Securities Industry Association, Internal Audit Division, Annual Conference.

September 2005 Internal Security Reviews, Fourth Annual FDIC Technology Seminar.

June 2004 Sarbanes-Oxley for the IS Professional, Securities Industry Association, Technology Management Conference.

October 2003 Metrics for Due Diligence, Best In Class Security and Operations Roundtable Conference, Carnegie Mellon Software Engineering Institute.

May 2003 Security Forum 2003, The Secure Enterprise, Wireless LAN Panel, Technology Managers Forum.

April 2003 Introducing Security at the Cradle, SANS (System Admin, Audit, Network, Security Institute) Security and Audit Controls that Work Conference.

Summer/Fall 2002 Productive Intrusion Detection, The Computer Security Journal Vol XVIII, No 3-4, a Computer Security Institute publication.

May 2001 Security Forum 2001, Information Risk Management, Risk Management and Security Metrics Panel, Technology Managers Forum.

May 2001 Measuring Security, Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA)Workshop.

January 2001 Security Metrics, The Computer Security Journal, Vol XVII, No 1, a CSI publication.

August 2000 Assurance and Monitoring of E-business: Technical Control Points, Seminar sponsored by Information Systems Audit and Control Association (ISACA) and the Association of Government Accountants (AGA).

June 2000 Security Metrics: An Audit-based Approach, Computer Systems Security and Privacy Advisory Board (CSSPAB) Security Metrics Workshop (Sponsored by NIST, the National Institute of Standards and Technology).

October 1999 Infrastructure Monitoring Challenges, 22nd Annual National Information Systems Security Conference.

May 1999 Successful Audits in New Situations, ISACA Control Journal, (v.III).

November 1998 How to Survive an IS Audit, Computer Security Institute Conference, Chicago, IL.

June 1997 Oracle Database Control Issues, Vanguard Information Security Expo, Orlando, FL.

January 1997 Audit & Control of Sybase and Oracle, ISACA NY Metropolitan Chapter.

January 1996 Security Controls for a Client-Server Environment, ISACA North Jersey Chapter.

October 1996 Security Through Process Management, 19th Annual National Information Systems Security Conference, Baltimore, MD.

Many of these publications are available for download at http://www.bayuk.com