Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Draining the Swamp written by Patrick Foley

Patrick Foley

After a career path that wound through journalism, secondary school administration and coaching, Pat Foley, while managing several customer service groups in Harvard University’s financial administration, became increasingly involved in solving business challenges by linking extended technology with better transparency of business intelligence and enhanced operational processes. Several positions managing and implementing enterprise technology projects followed until he became the Program Manager for Fidelity Investments’ fledgling identity management program in 1999.

Armed with a management mandate to deploy a universal identifier, Pat worked closely with a small, talented technical team and a large number of initially bemused business stakeholders to extend the CorpID program across Fidelity’s global reach, and in three years had provided the “one number that does it all” for the widely distributed and diversified financial services firm.

Once CorpID was fully deployed, Pat became, first, the Principal Information Security Risk Analyst and later, Technical Risk Advisor for FMR Co., Fidelity’s investment arm. In these roles, Pat conceived, designed, documented and oversaw the delivery of an integrated access control tool called ARROW that combined fine-grained authorization for Web and fat client applications, databases and an AS400. ARROW enabled on-line access certifications, collected resource metadata and managed the company’s RBAC program.

After leaving Fidelity in 2006, Pat worked briefly in Symantec Corporation’s consulting group before becoming Senior Manager of Access Control and Risk Assessment at Starwood Hotels and Resorts Worldwide where he was involved in securing SOA deployments, identity management, data protection, and application and vendor risk assessments. He is now Director of Global Technology Compliance for Starwood and Program Manager of the Payment Card Industry (PCI) technology remediation program currently underway there.

Pat, his wife, Judi, and daughter, Micaela, live in Milton, MA, near Boston.

Distributed Security for Fun and Profit…

– Global organizations often have challenges creating a comprehensive security program.  Too much central control and the regions either feel ignored, so chafe at security cost allocations and pay only nominal attention to the program, causing great risk to the overall organization.  Or they fill…

A Virtual Certainty…

– Security professionals might be forgiven for having something of an inferiority complex as we are often the last ones invited to all the cool parties, and then once we show up, everyone thinks we’re buzzkills for spending our time looking for the emergency exits, checking the expiration date on…

Security and Audit – BFFLs? Maybe not, but…

– …we may have lots of reasons to work together more closely. Maybe it is just the luck of the draw that at almost every employer for the last 15 years, I have been the one to manage our audit relationships, but I am certainly suspicious my good fortune is other than divinely inspired. …

Down the PCI Rabbit Hole in Search of Better Risk Measurements

– Decision-making is often a product of risk assessment and prioritization.  Currently, I have several deliverables pending for work, a carpentry project at home and this article to write.  As I decide which to address, I quickly, and in many cases, unconsciously, analyze what I am placing at risk…

How Deep in DLP Are You?

– While every security tool a vendor advertises to or demonstrates for you is purportedly the silver bullet that saves your organization from drowning in a virtual sea of hackers, rogues and spies, data-leakage protection – or prevention (DLP) is one for which many electrons have been slain to…