J.R. Cunningham

VP, Product Management

J.R. Cunningham is an accomplished innovator and premier thinker in cyber security and risk management. As vice president of product management, Cunningham is responsible for maintaining Optiv’s industry-leading advisory services offerings and developing innovative and practical solutions that solve real-world security challenges.


Caught Between a ROC and a Hard Place

· By J.R. Cunningham ·

It’s important to understand the perspective of both the business and the security leader. Merchants invest heavily in PCI compliance and it’s money well spent. However, they continue to struggle with prioritizing, implementing and supporting vital payment security programs. The business perspective is that PCI compliance is a necessary evil, both because non-compliance risks increased credit card transaction fees from the acquirer, and because it’s perceived to be one of those “have to” regulatory requirements such as the Sarbanes-Oxley Act (SOX), the Health Information Technology for Economic and Clinical Health Act (HITECH), or the Federal Information Security Management Act (FISMA) (even though, frankly, it’s not).


Inside and Outside the Cardholder Data Environment

· By J.R. Cunningham ·

Businesses have spent an enormous amount of money on PCI compliance. It is time to leverage these existing investments and expand them to include payment security. Therefore, it’s important to find the common ground where PCI compliance and payment security can benefit one another. The quickest way for cyber security professionals to get thrown out of the board room is to say, “Remember that PCI thing? Well, scratch that, we need funding for a whole new security approach.”


Data is the New Currency

· By J.R. Cunningham ·

In today’s digital world, data is currency. Nowhere does this phenomenon show itself more clearly than in the world of payment transactions. Payment forms have taken a variety of identities: mobile pay, cryptocurrency, stored transactions, in-app transactions, money transfer apps, and more. And, yes, credit cards are still used, albeit with a few new features such as chip and PIN.


Part 2: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

· By J.R. Cunningham ·

In part 1 of this series, we provided insights responding to the frequent question regarding control frameworks and their place in the security strategy. During hundreds of strategy, risk and compliance engagements, we have seen that security programs (of different levels of maturity) are most successful when they participate in regular tune-ups to keep up with the business. In this installment, we will discuss the “how”—understanding the business, the role of the threat, current steps and the best way to approach the gaps, which doesn’t necessarily mean filling them.


Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

· By J.R. Cunningham ·

During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about control frameworks and standards by our clients. Such topics often center on which of these frameworks and standards are most appropriate for a particular organization, which specific controls are most important, and in what order and to what depth an organization should pursue maturity with a particular set of controls. In this two-part blog series, I’d like to share some field observations on this topic gathered by Optiv’s strategy, risk and compliance teams.


The GDPR 90-Day Countdown is On! (No Need to Freak Out)

· By J.R. Cunningham ·

May 25, 2018 is a day that many organizations have (or should have) marked on their calendars as a game-changing moment for their business. That’s the “go-live” date for the European Union’s General Data Protection Regulation (GDPR). As I previously wrote, this truly is a groundbreaking piece of legislation that should be taken very seriously. And if you read the countless GDPR-related research reports and surveys, it’s clear that few (if any) US companies impacted by the regulation will be fully compliant in the next 90 days.


Want to be a Great Security Leader? You Need a Great Lawyer

· By J.R. Cunningham ·

Information security continues to evolve as a profession, and this is certainly evident in the role that legislation, privacy, third-party risk and incident management play in the daily life of the information security leader. More and more often, as I meet with clients to discuss security strategy and risk, security leaders are struggling with the myriad compliance requirements, the various state and national privacy laws, and their relationship with the information security program.


GDPR Part 3: GDPR and the Information Security Program

· By J.R. Cunningham ·

In this third and final part of the series, we’ll spend some time bringing GDPR and its various requirements back into the information security program in an effort to identify areas where GDPR compliance may become a side-effect of a business-aligned, risk-based, data-centric and threat-aware information security program.


GDPR Part 2: The Six Information Security Pillars

· By J.R. Cunningham ·

In this second part of the series, we will discuss Optiv’s Six Information Security Pillars for GDPR compliance. For the information security professional, these six pillars will look familiar as standard components of an effective information security program. For this discussion, however, we will be relating these components of the information security program to the various applicable components of the GDPR.


GDPR Part 1: A Legal, IT, or Information Security Issue?

· By J.R. Cunningham ·

The General Data Protection Regulation (GDPR) is a new regulation affecting organizations that reside in the European Union (EU) or that merely process or transmit EU citizens’ data. The regulation is designed to strengthen the protection of this personal information, and non-compliance comes with hefty penalties. Fines for the most serious infringements of GDPR are 20 million EUR or four percent of global revenue, whichever is greater.
