My name is Bill Frank. I’ve been an information security specialist since 1999. I am Vice President of Security Services at INNO4 LLC, a national IT solutions and services provider headquartered in Boston. For more background about me, see my LinkedIn profile.

Why “RiskPundit”? I chose the “risk” part because I believe all information security administrative and technical controls should be chosen primarily for their ability to reduce information security risk. The “pundit” part was chosen facetiously, but also as an homage to the early bloggers who used “pundit” in the titles of their blogs.

While the value and even the definition of risk are still hotly debated, for me the key question is: are you managing risk implicitly or explicitly? The human brain is “wired” to do risk management (at least the threat part) without conscious thought; Daniel Kahneman calls this “System One” in his book, Thinking, Fast and Slow. It seems to me you’ll do a better job of it if you take a more thoughtful, “System Two” approach.

I have three goals when helping my clients:

1. Mitigate security risks created by changes in business needs, technology, threats, and compliance requirements. The key word is “changes.” As Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”
2. Improve the infosec team’s responsiveness to new business initiatives. Too often, line-of-business managers and even CIOs see infosec as an impediment to progress.
3. Improve the quality of Security Operations. Typically, the staff of Security Operations Centers are (a) overwhelmed with alerts, most of which are false positives, which reduces effectiveness, and (b) encumbered by slow, unresponsive tools, which reduces efficiency.

Finally, successful IT projects are always about people, process, and technology. Most consultants place process ahead of technology: they look to improve a process, and then select technology to fit the new process. I see this as backwards. New information security technology, i.e., technical controls, actually enables more effective and efficient processes. What I am really doing is leveraging tens of millions of dollars of R&D to accomplish my goals.

If you disagree or would simply like a more detailed explanation, please contact me through LinkedIn.