Information Security

Information Security Can’t Rely on Pinky Swears

This article was originally published on LinkedIn.

“We hire great people” is something we all hear companies regularly communicate.

How do you feel about a hypothetical company that believes the risk of an information security breach is low largely because they hire good people? In other words, their information security strategy is to hire good people and trust them individually to do the right thing. Maybe they even sign a paper pinky swearing they’ll always do what’s right.

Let’s say this hypothetical company houses some of the most sensitive data about you and your family or company that exists. Your information is passed around via email or attachments inside and outside the company. Information is even passed between teammates via chat tools sometimes. Said information is also accessible, editable and exchangeable between partner/vendor companies in the background. This data is unencrypted when stored (at rest) and when passed around (in transit).

Do you know about companies like this? Is this your company? Is a company like this minding your personal data?

While information security is everyone’s responsibility, it is first the responsibility of the company itself. Hiring great people does not alleviate, or defer, the responsibility an organization has to be compliant with information security policies, legislation and industry best practices. If we can’t trust a company to do the right thing, why would we value their brand?

Interesting Things We’ve Heard Through the Years:

  • “Our people, vendors, and partners do the right thing. That’s why we work with them. I don’t think we have anyone in the company who would abuse our customer data.”
  • “First, we must get product to market and prove the idea is viable. We’ll validate viability of our product by customer adoption velocity and demand for new features. If the numbers suggest customers want to buy and use our product, then we’ll figure out what security we need thereafter.”
  • “We’re going to wait and see if this policy/legislation has any teeth. If we start getting fined for non-compliance, then we’ll begin considering if, how and to what extent we need to invest in information security.”
  • “Our industry is not very interesting to most folks. We don’t believe our company, products or services are really a threat to anyone. And we believe the likelihood of being attacked or otherwise exploited is pretty low to non-existent. We’ll wait until it makes sense before investing in some of the information security measures we hear about. It all sounds so expensive anyway.”
  • “It is actually cheaper for us to pay the fines.”
  • “Our customers don’t know any better.”

“Security first” or “security by design” is a choice. And it must first be the choice of the governing board and company leadership before it will become a reality for employees, partners and vendors. If it is not a top-down, constantly communicated, verifiable expectation, it does not exist.

7 Steps to Become a Security-First Organization

1. Internally declare that your company will become “security-first”

When initiatives start at the bottom of the company, they risk dying out due to lack of energy, resources, and attention. Sometimes they risk actually burning up the people trying to get the changes implemented as hope turns into apathy. It is the proverbial “fight against the man.”

As a Board or Senior Leadership of a company, what is important to you is important to the company. If it isn’t, that is a different problem altogether.

For a company to become a security-first focused organization, the declaration of importance, direction, and expected actions must come from Senior Leadership first.

An example “From the CEO” communication:

“Folks, effective immediately, we will put security, privacy, and compliance first in our daily operations. This means with every product, service, interaction, and communication, internally and externally, we will consider what must be secured, how it must be secured and under what conditions we must secure it – data, systems, teams, company and client interests inclusive. It is not a task to accomplish and be done. This must be our DNA. It must be our daily lifestyle. And it will take time to get to a proper baseline of competency and time to maintain, evolve and increase it.

From this day forward there will exist training expectations that must be pursued and accomplished monthly, quarterly and annually. Look for them in your Learning Management System (LMS) assignments. All roles, titles, and capacities. No exceptions. Me included.

And from this day forward you will see our CISO take a more prominent role in defining our pursuits, our strategies and validation of our compliance readiness. We as a leadership team choose to proactively educate our teams, protect our assets and behave in a manner expected by our Founders and those who have come before us to build this great company.

Thank you for your commitment to being the best.”

Top-down declarations become realities.

2. Determine what industry regulations apply to your company

Information Security / Regulatory Compliance is a career. And there is a shortage of people who do this type of work. Find them. Hire them. Leverage them. Knowing what you must align to will save you money. Knowing what you need not align to will also save you money.

There are quick determinants to flush out directions, follow-up actions, and investment. The road will not be small, nor easy; though this list will help point you in a direction of what matters, when it matters and to what extent.

  • In what industry do you operate?
  • Is your business localized to your state only? Your country only?
  • Do you do business internationally? What countries?
  • Do you exchange money with customers?
  • Do you ask for and store personally identifiable information?
  • Are you working with non-governmental organizations? Charities? Governments? Militaries? Public companies? Private companies?
  • Have you failed any previous compliance audits?
  • Have you been fined by a third-party organization for non-compliance?

3. Determine what industry best practices will help your company

You may discover your information security folks want impenetrable castle walls, which eventually mean your employees are unable to use the bathroom in the name of security. An extreme.

You may also discover your engineers want the freedom to use anything at any time for any reason in the name of innovation, digital transformation or being competitive. Probable.

And your business unit leaders? You’re expecting them to grow the business, delight the industry and client base. They want to do whatever is necessary and appropriate to meet the goals expected of them as well.

Security, innovation and growth are not mutually exclusive. They must be collaborative and it will require constant, purposeful and involved leadership. Otherwise, it is just theater.

Regulated industries communicate best practices and compliance expectations, which makes it easier to know what matters and what doesn’t. Where your time will be spent is determining how tightly to dial up the security requirements on your operation and how they will impact friction, flow, deliverable velocity and value from the organization.

Unregulated industries still have communicated best practices and compliance recommendations. In the absence of all knowledge, ask the following questions of your Chief {Information Officer, Information Security Officer, Product Officer, Technology Officer}:

  • Against what information security / regulatory compliance standards must we be measuring ourselves?
  • How are we training our people to be predictably and repeatably compliant with these expectations in our everyday lives?
  • How can we regularly prove that what we expect is actually being employed?
  • How do we culturally make security and compliance a behavioral assumption versus a Learning Management System (LMS) assigned task?

4. Implement role-based security awareness training

No one is exempt from information security. No person, role or title. Like leadership and teams, security is a “we” endeavor.

Not all roles in the company have the same requirements. Some roles are specialized while others are more general. Below is a simplification of this idea.

Specialized: Information Security folks may say higher-level things like confidentiality, integrity, and availability. They may roll out policies, procedures and learning courses while facilitating internal and third-party audits. They’ll even be discussing Plans of Actions & Milestones (POA&M or POAM) items resultant from audits. They’ll need to know frameworks, behaviors, implementations, monitoring methods, and reaction/response ladders and industry standards like NIST-CSF, PCI-DSS, HIPAA and so many more.

Specialized: Engineers who focus on infrastructure, networks, data, and software technology stacks need to know about the what, but more importantly, they need to understand the why and how as they do their work. For example, data encryption at rest and in transit, authorization, and authentication, securing failover infrastructures, hybrid cloud solutions, bring your own device security, separation of duties, least privilege and need-to-know principles. There is more than one way to implement any one of these concepts and Engineers need to know them.

Generalized Awareness: Everyone else.

Figure 1. The diagram above demonstrates at a high level how role-based security awareness training could be rolled out and that everyone is a part of it. No one ever gets to be “clueless.”

5. Include the information security role in solution delivery teams

Whether your company calls them Scrum, Strike, AgileProduct or Project Teams, the team construct used to deliver an idea from inception to conclusion often contains multiple roles and therefore multiple people.

In order to become a security-by-design or security-first company, your teams must be shaped to enable the desired outcome. Which then suggests that an information security/regulatory compliance expert must be included from project inception through the course of the project.

This conversation is less about the recipe for roles and teams and more about the desired outcome. Context-driven teams influenced by desired outcomes.

Strike Team Delivery Model
Figure 2. Trility’s preferred team pattern is the use of a Strike Team that always includes an Information Security/Regulatory Compliance expert involved throughout the lifecycle of the project or product. While we tend to construct teams based upon the desired project outcomes, we include an Information Security expert on the team by default.

If the information security people are technical, they may be helpful with design, development, and implementation every step of the way, all day every day. If the information security people are non-technical, they may be more aptly leveraged in a principle-based guidance role during iteration planning, stand-ups, demos and reviews to ensure the project continues to move forward between the fences.

Either way, there must be a full-time champion for the company and clients in terms of privacy, compliance and best practices to achieve the desired outcome.

6. Determine how you will proactively test your ongoing compliance

There are any number of methods to test ongoing compliance. Blind trust. Word of mouth. Internal (infrequent) manual inspection. Third-party annual inspections. Or continuously through automation.

Our typical practice is to identify what attributes of compliance must continually exist, automate those attributes into a series of tests that are called, executed, logged and tagged every time new infrastructure and applications are built. When non-compliance happens, alert someone (as shown below). Otherwise, keep moving. We have some examples out there in the ether for you to thoughtfully consider.

Automated Security Tests
Figure 3. The diagram above shows how you can build-in automated security/compliance tests such that every build now has the capability of logging activity, events, alerts and compliance status.

7. Attach quality and compliance tools to the delivery pipeline

Continuous delivery pipeline behaviors are not new. Wide-spread awareness and adoption of new concepts takes time to expand across industries, companies, leaders, and teams. As more companies implement continuous delivery principles, more of the things many companies used to exclude because it took too much time, or did perform, but manually in arrears and infrequently, will be automated providing real-time information radiators.

Look for vendors and tools that are API-driven, have a great online community, openly available developer and administrative documentation, as well as, active tool support. These tools enable you to perform automated analysis-refactor loops now versus waiting until later and hoping for the best. It is worth your money to know your risk exposure now.

Continuous delivery pipeline with security built-in
Figure 4. This diagram illustrates wherein the continuous delivery pipeline predictable, repeatable and auditable security behaviors may be baked into the solution delivery process now versus waiting until later.

Hire great people. Cast a vision, communicate desired outcomes, define clear objectives, give them the resources to be successful, give them rules of engagement and stay involved.

Great people make mistakes. And even great people some times do not know what to do. Security frameworks help mitigate oversights, mistakes and provide guidance when people are in new, different and complex situations.

I drink a lot of caffeinated coffee and tea. And I’m on airplanes a lot. Drinking coffee and tea. I’m making a commitment to write more articles in 2020 – and increase the number of speaking engagements at which I drink coffee and tea. It is material we discuss every day at Trility and with our clients. It is material that you may find helpful as well. If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or we can send you an email

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us.


Leadership In Absentia

This article was originally published on LinkedIn.

Hire new people. Separate them from the rest of the company. Give them a landfall budget. Tell them to innovate using the newest cool words. Maybe all of the words at the same time. Tell them they do not need to care about the existing people, teams or operations that currently and historically generate revenue for the company. Do not give them a time limit to show results. Don’t create it, but allow a “they are special” mentality in the culture. Tell the folks on the existing (legacy) side of the house to “keep the lights on” while the new folks bring fresh ideas, play with all the new technologies and receive the accolades.

If you want people to leave, let them know they aren’t working on the most important things, aren’t valued as much as the others and there is no budget to explore ideas for improving their situation. Just tell them to keep working. For good measure, yell at them.

This recipe sounds horribly negative and absolutely does not value people.

There will be no culture that builds a company using this recipe because there will be no people. Taking a company and splitting it down the middle using, “old stuff” and “new stuff” mentalities breaks the culture, the loyalty, commitment and positive outlook of the people. And it guarantees time and money will be spent. Not guaranteed is whether the company will be better in the end.

A healthy company is “we.” An unhealthy company is “us/them.” Which one you experience is attributable either to active, purposeful leadership or leadership in absentia.

No one does that. Do they? Sadly it happens in the conversations which also use the words “innovation” and “digital transformation”. The goal is quite logically to move a culture and company into the next chapter of life.

We see quotes from Peter Drucker, Lee Iacocca, Bill Gates, Steve Jobs, Richard Branson or Jim Collins floating through social media and other published material regularly. They are leaders with a history of influence and success. And what we often hear they said is, “Hire great people and get out of the way.”

What we do not hear in the same conversations is, “getting out of the way” is predicated by giving people the direction, parameters, latitude and resources to do great things and then get out of the way. “Hire great people and get out of the way” makes it sound like people require blank checks, blue skies and absolutely no friction, pressure, expectations, knotholes, constraints, guiding attributes, parameters or leadership.

Getting out of the way still requires active leadership.

Getting out of the way as a leadership tenet still requires two crucial attributes: (1) there must exist a clear objective, and (2) there must exist rules of engagement.

Before you cast off this material as drivel, ask yourself this: If you needed to liquidate personal assets to grow a company, would you want clear objectives and rules of engagement to exist before your personal money left the bank? As you spend your employer’s money, are you similarly disciplined?

The recipe for growing and transforming people and companies isn’t hard. It is time-consuming. It will require active planning, re-planning, leadership and management. It will require communication and over-communication. As many companies attest, there is no shortcut. Organizational change must be all-in, top-down, on-purpose.

It will absolutely require work.

1. Cast the Vision (What)

A vision tells people at a high level where you want to go compared to where you are.

Examples of vision:

  • Build a shareable smart city platform.
  • Move us completely into the cloud and out of brick and mortar.
  • Practice test-driven development for all product development and evolution.
  • Be EBITDA positive.
  • Implement a document management solution for our enterprise.
  • Implement an automated build, bundle and delivery process.

2. Describe the Outcomes (Why)

Outcomes tell people what it will look like when the desired vision is reached.

Examples of outcomes:

“By building a shareable smart city platform, we will enable approved third-party partners and vendors to work with us to serve our clients through real-time bi-directional sharing of information, more systemic feature and function opportunities, greater influence over the direction of the smart city industry, as well as, increasing the value of our data and brand along the way.”

“We are an insurance company. We irrevocably owe it to our clients to manage data privacy, provide real-time interactions and always be available to their needs at all times. We also owe it to them to be wholly focused, wholly available for their needs. We do not want to be in business of owning and managing physical data center assets in the future. By moving into the cloud we enable a larger percentage of our company team members and assets to focus on serving the real-time, interactive insurance needs of our clients than ever before.”

3. Identify Desired Objectives (Attributes of Done)

Objectives are explicit statements that are tangible, have a clear definition of done and are usable/useful solutions in the end.

Example objectives:

  • Enable a complete digital exhaust picture for all documents that enter, exist within, and exit our corporation including, but not limited to: when create, edit, delete, by whom, from where, sent/shared to whom or to what.
  • Enable a complete digital exhaust picture for all software that enters, exists within and exits our corporation including, but not limited to: create, edit, delete, by whom, from where, to whom or what, how and when tested, how and when statically and dynamically inspected, how and when assessed for vulnerabilities, how and when penetration tested, when deployed, what was in the bundle, sent where.

4. Provide Resources

To enable success for any team, they need access to the resources necessary to achieve desired objectives and outcomes. Sending them off with duct tape, hope and zeal will have results. Whether they are the results you desire remains to be seen.

Great People + Clear Objectives + Required Resources = High Probability Outcomes

This is the step people sometimes mistake as the entire recipe for, “Hire great people and get out of the way.” If we give them time, people, money and latitude, magical things will happen.

If you want dependable outcomes, the “hire great people and get out of the way” mantra also requires clear rules of engagement.

5. Set Rules of Engagement

Rules Of Engagement (ROE), also known as constraints, parameters or attributes, help define the context and conditions of done. They are not designed to limit innovation opportunity or success. Rather, ROE help direct all of the great people, time, energy and resources into a direction that is most beneficial for the context.

Examples of bad/no constraints:

  • Hire a building contractor. Whether they build homes or commercial buildings you don’t know. Write them a check. Tell the contractor, “You have one year. Surprise me.”
  • Schedule an appreciation party for your project team. Hire a chef. Tell the chef to prepare enough food for twenty people. Tell the chef your folks like exotic meat and hot, spicy things and to make it memorable.

Examples of good constraints:

  • Our time to market must be six months
  • Our time to revenue must be nine months
  • Use only open-source software
  • Ensure we are NIST-CSF compliant for Day 01 launch

6. Create Teams that Consider the Whole Company

Oversimplified, there are two types of people in companies:

1) Those who only see what is in front of their face (component thinkers); and

2) Those that know what is in front of their face is only a fraction of what can be seen in the larger landscape (systems thinkers).

Hire people who naturally think about the whole business and client experiences, not just the parts they want to think about. Set clear expectations with teams and projects that they must consider end to end implications of decisions and solutions, not just the parts they know about. Create cross-company teams that consider yesterday, today and tomorrow to ensure you bring along your people, your company, your clients and your future.

If you truly value your people, include them in defining tomorrow so that they take ownership of the journey and the result.

7. Stay Actively Involved

When leaders hire people they trust, it is easy to step back, get out of the way and just believe all will be well. If leadership defines the vision, outcomes, and objectives for the company, leadership must stay involved in the journey until realization as well – that is leadership.

  • Regularly meet with the teams to let them know the project is important, their contribution and effort is important and that you want to hear what they have to say regarding activities, challenges, roadblocks, and progress.
  • Request and expect to see tangible, demonstrable output on a regular basis. Do not take someone’s “word” that progress is happening; nor should you accept status reports, presentations or glossy materials discussing output. See the output or there is no output.
  • Regularly ask people how they are making the business better, how they are making better experiences and solutions for clients and what the time to value, time to market, time to revenue will be as a result of this investment.
  • Eliminate toy boxes. All money must lead to a return on investment in some way that benefits the people, business and/or clients. If there is no evidential relationship between investment and return, the effort is likely a toy project for someone, but not a high-value proposition for the business. Eliminate toy boxes or they will eliminate your money.

8. Know When to Say When

Knowing when to stop investing in an idea is something you must determine before the investment begins. After you’ve been on the journey for a while, it has the propensity to become personal. After all, you’ve labored over this idea, spent time, money, blood, sweat and tears.

Decide before the effort begins and regularly and iteratively ask the same questions:

  • What do we want to see from the team that shows us this is a worthy investment?
  • How much time and money is enough to validate, refactor or trash the idea?
  • How much risk exposure exists now and will exist as a result of the current solution direction? Will this solution increase or decrease our business and technical risk exposure? What is our risk appetite?
  • What are the triggers that make this investment good, at-risk and a candidate for termination?

Active leadership is a great deal more than getting out of the way. It means you hire great people. You don’t leave others behind. And you go on the journey with them once you’ve cast the vision, expressed the desired outcomes, provided the ROE and resources to be successful. 

If you truly value your people, include them in defining tomorrow so they take ownership of the journey and the result.

If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or sign up to receive our emails

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us


Veterans Day: Honoring those who understand “true requirements” of service

The majority of Americans will never experience the true requirements of service. But we are surrounded by those who do in our day-to-day lives. Today, we say thank you.

Our office is closed today for Veterans Day. We’d like to share something one of our team members, Jennifer Davis, shared last week reminding our team about today.

“On November 11th, our company will observe Veterans Day. First and foremost, if you are a Veteran, we here at Trility want to thank you for your service. For those of us who haven’t served, we can never fully understand the sacrifices you’ve made for our country, our safety, and our freedoms.

Thank you.

Almost all of my life, I’ve lived a few minutes from the world’s biggest naval base, Naval Station Norfolk, and close to U.S. Navy master jet base, Naval Air Station Oceana.  I get to see and hear jets fly over regularly. I can watch the Blue Angels and still get excited every year for their powerful display at the Oceana Air Show. From the beach, I’ve watched massive aircraft carriers leaving for or coming home from deployment. With my toes in the sand along the Chesapeake Bay, I’ve seen hovercraft vessels practicing for missions.  

The Blue Angels running laps over my house practicing for this weekend’s air show. – Jennifer Davis

Growing up and into my adult life, these sights and sounds have had a great impact on me. But I’ve only watched from the sidelines. My exposure has been limited to the displays of the awesome power of our Nation’s military. What I haven’t seen are the true requirements of the service itself. As we look forward to Monday, I want to celebrate and honor those who have served. I want to be reminded of what it takes to serve others. I want to be thankful for the freedoms I get to enjoy because of those who have served. And I want to encourage you to do the same.” 

– Jennifer Davis, Director of Operations


Ways To Die While Scuba Diving

Originally published on LinkedIn.

Years ago when I began diving, I had originally viewed diving as blue water with whales, dolphins and gorgeous coral reef. I quickly learned how diverse diving could really be.

I was trained in cold, brown water. Like all forms of diving, cold, brown water diving requires special attention to detail. Gear for staying warm, tools for extricating myself from unplanned situations such as fishing line, vines, branches and roots, multiple lights for seeing in the dark, murky waters and very good compass navigation skills.

As I expanded my learning and experience portfolio, I came to realize the preparation and skills necessary for warm, cold, caving, cavern, blue-water, brown-water, ocean, quarry, lake and river diving may seem the same, but each and every one of them have unique requirements within themselves. What I knew yesterday helped with today, but there was always more to learn. I realized a pattern of behaviors always required: plan, execute to plan, situational awareness and prepare for adversity, always. In all cases, be disciplined before, during, after and between dives.


I enjoyed compass-diving in brown water with 0-12 inches of visibility where many times I couldn’t see my hand when fully outstretched. I loved every minute of it because I never knew for sure what was coming and I needed to be ready for anything, at any time. Blue-water diving in the ocean offered infinite views in all directions. Nothing below, beside or above me other than sunlight coming down through the water – just blue infinity. Night diving meant that sometimes, were it not for my equipment, I could easily be upside down at 100 feet thinking I was right-side-up at 35. Like all forms of diving, all three of these experiences require many of the same skills.


And like all forms of diving, in all three of these experiences, one could become disoriented and make the decision to continue doing what you’re doing, make incremental and adaptive changes, or make poor, reactive and over-corrective decisions, which make things worse immediately. Over and over again diving – and living – came down to education, experience, discipline, planning, situational awareness and the need to make informed, responsive, level-headed decisions.

As I gained more experience, I made more diverse decisions increasing risk, complexity and potential return on decisions. Which then required more experience and more on-going education. To amplify learning diversity, I began to study how divers die and sought to understand how these deaths could have been prevented.

Reasons Divers Die (listed, not rank ordered):

- Failure to plan
- Failure to maintain and improve equipment
- Failure to maintain personal health and fitness
- Failure to keep themselves in check (emotions, ego, risk-taking)
- Failure to practice/improve/increase skills and knowledge

Diving is fun, adventurous, character-building and educational. It does not have to be deadly. The National Center for Biotechnology Information and the Diver’s Alert Network reported 59 diving-related deaths in the United States in 2016. That is a small number. Yet it is 59 too many. I encourage you to explore snorkeling and scuba diving for yourself. Get educated. Be disciplined. Have fun.

Why do you believe leaders and companies fail? It would seem that companies and diving have nothing in common until we compare the lists.

Reasons Leaders and Companies Fail (listed, not rank ordered):

- Failure to plan and adapt
- Failure to maintain and improve themselves, teams and systems
- Failure to maintain and improve personal health and fitness
- Failure to keep themselves and others in check (emotions, ego, risk)
- Failure to improve skills, knowledge and experience

How would you rank this list as it relates to you? Your boss? Your company?

Like diving, leading companies and teams require continuous data and decision-making. And in order to have continuous data that enables decision-making, there needs to exist a plan, situational awareness, a data feed, a pre-meditated, cool-headed ability to make decisions and the willingness to adapt.

Plan Your Dive or Plan For Failure

- Have a plan. Continually evaluate the plan. Be prepared to change.
- Know where you are in relation to the plan. Be prepared to change.
- Continue to purposefully improve yourself, your teams and your company. 
- Practice being thoughtfully responsive versus thoughtlessly reactive.

When you’re the only diver in the water, you are welcome to make any and all bad decisions available to you. You may (or may not) be the only one that will suffer from your mistakes.

However, when you’re in the water with others who rely upon your plan, your ability to see, hear, realize and adapt to incoming data, and they trust that you are capable of making the hard decisions in hard circumstances – your preparation, emotional maturity, adaptability and decisions matter.

Early on in my journey, an old, crusty diver made a dark comment to me that stuck with me permanently and heavily influenced my preparation, maintenance and overall discipline:

“When you’re down there doing what you do and you’ve failed to plan, failed to maintain your equipment, didn’t pay attention to the information in front of you or just plain didn’t keep a cool head, just remember, at 200 feet below the surface, no one can hear you scream.”

His point? Be disciplined. Plan. Be aware. Be adaptive. Keep your head screwed on correctly. Make context-driven decisions. Live to dive again. Make sure others with you have a good experience, learn and live to dive again.

The teams at Trility regularly help people create, modify and implement plans for successful dives, gain access to data in real-time so they can adapt, as well as, equip people with the solutions they need to keep cool heads at 200 feet.

Authors Note: We’re not really going to help you plan your dives. In fact, we may never dive together. You might be crazy. I just wanted to keep the analogy going. If you want to dive, join the military, attend a commercial diving school or reach out to diver training organizations like PADI.

If you want to learn how to digitally transform your company, influence your leaders, train your teams, plan and deliver some of the dirtiest, nastiest, most complex projects from the bottom of the deepest, darkest ocean that no one else wants to do – then do call or email us.

Data Strategy

7 “Not Easy” Steps for Securely Using Data for Real-Time Decisions

Originally published on LinkedIn on Oct. 22, 2019.

Companies have data in many places. And many companies do not know what data they have, where it is stored, who and what has access to it, the trustworthiness of the data or how to organize it in a timely manner into decision criteria for leadership teams.

The easiest way to know if what I’m saying is truth is to ask someone on your technical staff to provide you an asset and access inventory. Ask them the following:

Tell me:

- All software applications used in the company
- All places data is stored in the company
- All hardware used in the company to host, edit and manage both
- Who/what has access to these things and with what levels of power


- How the data is secured in transit and at rest

Give them one business day. Their reaction will reveal your truth.

Running a company minimally requires two things: knowing where you want to go and having access to timely, trustworthy data that will guide your journey. This article discusses the data aspect only.

And as you may already hope, suspect or know, addressing unsecured, unmanaged, disparate applications, data and permissions is a solvable problem. Accessing one view into your company is also solvable. Let’s look at the plan.

1. Find Your Data

Inventory all software applications and data repositories inside and outside your company, as well as, anything interacting with or exchanging data with your applications and repositories.

2. Determine The State of Your Data

What is the technology collecting, managing, editing your data? Where is it hosted? By whom? Is it good, questionable or corrupt data? Who and what has access to it? What are they doing to the data? Who is managing the security and sanctity of the data? How do you know you can trust the data? Is the data current and with what frequency?

3. Secure your data

Is the data managed via role-based permissions or is it wide-open for too many people and systems to manipulate, extract and exploit? Is it direct-connect? Copy-paste? Batch-uploads? API-accessible? Is it secured while at rest? Is it secured while in transit?

Think your company not likely to be attacked, corrupted, ransomed or otherwise exploited? Consider your brand value, consumers, privacy laws and bad company press. Do people trust your brand today? Will they after a breach?

4. Establish a Common Data Format

When data originates from multiple data sources, the structure of the data is usually non-uniform. The first step is to understand the current structure and state of all data at the origination point.

The second step is to determine to what Common Data Format (CDF) all data will be funneled and/or otherwise re-organized. In other words, if your company’s growth strategy has been through Mergers and Acquisitions, you likely have many data stores with similar types of data, but with different states of sanity. If you want one view across all of these data stores, words must have the same meaning for all instances of all data. Establishing the same meaning for all similar instances is “normalization” or “establishing a Common Data Format.”

Many to one.

Only after there exists a common data format are you able to see, understand and make decisions that confidently and consistently take into consideration all parts of the company.

Establish a Common Data Format

5. Extract, Normalize and Put

When you understand all places from which data originates and have a CDF, your teams are then able to write predictable, repeatable and auditable methods of extracting, normalizing and putting data into your new, single source of truth.

To be clear, the methods of extracting data, normalizing data and putting data must be predictable, repeatable and auditable. And the structure into which all data is put is itself the CDF. Anything less and you will simply be creating a new mess that must be managed on top of your existing ecosystem — whatever the state.

6. Pull Data Predictably

Now that you’ve made the effort to ensure all data, from all locations, is secured and normalized, protect it. This means there must exist a predictable, repeatable and auditable manner by which applications, systems and companies access your data. Notice I didn’t say people.

To access data from the single source of truth, there must exist predictable, repeatable and auditable set of actors, permissions and activities. If there is variability in actors, permissions and activities, it will no longer be a single source of truth.

Require anyone or thing that wants access to your data to follow your rules. Non-negotiable. This includes people in Mensa, people with twenty years of tenure who have been there since the company started, the CEO’s nephew and your mom.

Your single source of truth is special. No one who wants access to the data is special. Despite what their mom told them when they were young.

7. Use Your Data to Inform Your Decisions Dynamically

Attach reporting solutions. Attach streaming solutions. Attach elastic search. Attach dashboards. Follow the rules. Enjoy peace.

Now you can trust that your data has integrity. You can trust it is secure. You can trust your data is predictable, repeatable and auditable. You can trust your company has one message.

And you can trust that you know all applications, repositories, data management and security behaviors, actors, hosting solutions and reports are something upon which you can bank your company’s reputation.

If you would like to take control of your data, secure it and make it dynamically meaningful to everyone in your company, the teams at Trility help companies solve these challenges with a focus on predictable, repeatable and auditable behaviors. Email us at

Information Security

Simplify Compliance Management with New Features in Cybersecurity Solution

July 12, 2019, DES MOINES, IA – Trility Consulting® has launched two new features to the IronBench Compliance Navigator™ product built to enable centralized management and reporting of your organization’s alignment to standards. The Trility team originally set out to simplify how their own teams understand, implement, manage and audit today’s information security/regulatory compliance requirements while building solutions for their clients. The result of this effort rendered a number of new software products including IronBench Compliance Navigator. 

IronBench Compliance Navigator

“Our IronBench Compliance Navigator product targets organizations that want a simple, light-weight and centralized method of managing their organization’s compliance efforts without the complexity and cost many folks experience today. People want the flexibility to handle multiple standards, audits, projects and teams at the same time, understand at a glance where risk exposures exist and to know that as people come and go, data and history will not be lost because a spreadsheet left with the last exiting team member,” says Matthew Edwards, CEO of Trility.

…data and history will not be lost because a spreadsheet left with the last exiting team member.

“We’ve seen the plight of the information security folks who get left behind learning about projects, risks and issues in arrears. We’ve seen amazing people doing amazing things to keep up and ensure their organization is prepared for the next audit or attack. We think it should be easier. That’s why we built IronBench Compliance Navigator.” 

What’s does IronBench Compliance Navigator offer?

  • The California Consumer Privacy Act (CCPA) module shows companies what is required of them to meet California’s new consumer protection law and provides an intuitive, centralized method of managing and reporting your company’s status against this law today and into the future. Take a 1-minute, free assessment to determine if this law impacts your company. If it does, the CCPA module within IronBench Compliance Navigator helps you manage your ongoing compliance requirements in a simple, easy-to-understand manner today and into the future.
  • The Payment Card Industry Data Security Standard (PCI DSS) module shows companies what is required of them to meet today’s payment card industry requirements in an intuitive, centralized method of management and reporting. If your company accepts credit cards as a form of payment, you are expected to evidence compliance regularly. This module helps companies understand what is required, as well as helps manage your organization’s on-going compliance status in a low-friction, easy-to-use experience year after year.
  • The NIST Cybersecurity Framework (NIST CSF) module shows, in everyday language and concepts, private sector companies what is recommended in order to prevent, detect and respond to cyber incidents in today’s critical technology infrastructure. If you are looking for a centralized, easy-to-understand and use method of aligning your organization to the NIST-CSF, this module will guide you through the material and enables you to manage your organization’s alignment as your company, your industry and as the standard itself changes through the years.

    To get started, you can also take a free Maturity Assessment to understand where your organization is along the path to alignment with the NIST CSF. 

IronBench Compliance Navigator guides you through the process of identifying which standards apply to you, where your organization is strong and where it needs work, as well as helps you identify possible solutions to increase your preparedness along the way. Customer benefits include:

  • Track all compliance requirements, risks and responses in one secure location that’s accessible to all of your teams anytime, anywhere
  • Track your organization against multiple standards at the same time, in the same tool, year after year – change history included
  • Stay on top of new regulatory compliance standards in the marketplace, as well as changes to existing standards against which you currently manage your organization
    Delegate responsibility to others to acquire answers instead of having to personally perform each and every step manually

Create a free account to view the available tools in the IronBench Cybersecurity Suite and purchase only the ones relevant to your organization. If you’re interested in a white-label solution or an enterprise version of this tool that meets your specific needs, contact us

The IronBench Cybersecurity Suite of tools, as well as all associated patents and trademarks, are wholly-owned by IronBench LLC. IronBench and Trility Consulting, as well as all associated patents and trademarks, are wholly-owned subsidiaries of Trility Group Holdings, Inc. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward-thinking global businesses.


Welcome Rhonda to the Team!

Trility Consulting, a Trility Group Holdings company, is proud to announce Rhonda O’Connor has joined the Trility Consulting team as Director of Marketing. In this role, Rhonda is responsible for leading and executing marketing strategies to align and meet Trility Group Holdings’ core business objectives. But if you ask her, her role is to keep everyone busy with new opportunities that will become repeat customers.

Rhonda is a strategic marketer with decades of experience formulating and executing strategies. Her most recent experiences in the tech space will assist in scaling Trility’s existing success.

“Rhonda brings a history of solving problems with strategies that deliver optimal results. Her experience in the technology space brings a deep understanding of the marketing and sales process and will help create measurable results and efficiencies in those areas,” said Peder Malchow, Chief Revenue Officer for Trility Group Holdings. “Her ability to clearly communicate the value and benefits of services and products will help our team continue to deliver positive outcomes.”

Trility Consulting is a leading provider of measurable outcomes for C-Suite executives. Trility provides strategic management consulting, digital transformation expertise, and advanced technical solutions for forward thinking global businesses.

For more information, contact Rhonda at or 515-321-4829.


Welcome Alex to New Role!

Trility Consulting, a Trility Group Holdings company, is proud to announce Alex T. Hart has joined the Trility Consulting team in a new role as Vice President of Risk and Compliance. In this role, Alex will be responsible for growing the risk, compliance and information security division of the company. Alex will build, sell and service clients in these facets of the business, as well as, work with the Trility leadership team to grow strategic customer accounts and leverage partner relationships that align with Trility Group Holdings’ core business objectives.

Alex takes on this new role at Trility Consulting after serving as an Information Security Advisor to the firm for the past two years. Alex brings a wide variety of regulatory compliance and privacy experience with him in the health care, insurance, financial services (fintech) and government industries. He also previously served as a staff member to the United States Senate Committee on Finance focused on health policy, finance and information technology.

“Alex brings a great deal of regulatory compliance, threat detection and privacy experience with him which greatly applies to the digital transformation needs of today’s companies,” said Matthew D Edwards, Chief Executive Officer for Trility Group Holdings. “I have worked with Alex in multiple past chapters. I know he thoroughly enjoys working with clients to determine what compliance standards apply to their organizations and to help put operational frameworks in place guiding their compliance behaviors thereafter. It is no small task and Alex enjoys the journey. We’re excited to have him on the team!”

Trility Consulting is a leading provider of measurable outcomes for C-Suite executives. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward thinking global businesses.

For more information, contact Alex directly via or 312-574-0939.


Welcome Kori to the Team!

Trility Consulting, a Trility Group Holdings company, is proud to announce Kori Long has joined the Trility Consulting team as Talent Delivery Lead based in Des Moines. In this role, Kori will be responsible for developing talent acquisition strategies and hiring plans to ensure our team grows methodically to serve the needs of our family of companies and our clients. Kori will be an integral part of our team identifying new talent, locally and nationally, as Trility Consulting expands.

Kori brings a broad range of experience from Client Service Management, Project Management and Recruiting, as well as, being an active member in many community organizations in the technology and quality spaces. Kori will apply her former experiences to her new role at Trility Consulting focusing on engaging with great people in the Business Management and Technology Consulting spaces. Kori’s work will additionally help ensure our company growth, client and employment outcomes are consistently met because of great people, great teams.

“We are very excited to have Kori on the team,” said Brenton Rothchild, Chief Operations Officer at Trility Group Holdings. “Kori has a reputation of finding great people and working with great clients. She is also an active member of the greater Des Moines community working to make Iowa one of the best places to live and work. We’re happy she chose to work with us and look forward to our team and company growth as a result of her work!”

Trility Consulting is a leading provider of measurable outcomes for C-Suite executives. Trility provides strategic management consulting, digital transformation expertise, and advanced technical solutions for forward thinking global businesses.

For more information about the Trility Consulting team or open opportunities, please contact Kori Long at or 641-431-1779.


Welcome Cari to the Team!

Trility Consulting, a Trility Group Holdings company, is proud to announce Cari Thompson has joined the Trility Consulting team as Director of Business Development for the greater Des Moines and Iowa market. In this role, Cari will be responsible for direct sales and client engagements in Des Moines and throughout the state of Iowa. Cari has also been entrusted to grow strategic customer accounts and referral partner relationships that tactically meld with Trility Group Holdings’ core business objectives.

Cari Thompson

Cari brings a broad range of experience to her new position at Trility Consulting, including selling enterprise software and leading client implementations, to leading new business efforts and managing the Des Moines market for a national technology resource and solutions company, to launching a new sales channel to support Fortune 1000 clients with the Top 10 national recruitment advertising agencies in the US.

“We are very excited about Cari’s plans for our direct sales efforts,” said Peder Malchow, Chief Revenue Officer at Trility Group Holdings. “Cari has a stellar track record of successful engagements and is a true trusted advisor for many clients in and around the Des Moines market. She is a driven professional capable of delivering creative solutions to achieve our client’s desired outcomes.”

Trility Consulting is a leading provider of measurable outcomes for C-Suite executives. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward thinking global businesses.

For more information or to connect with Cari Thompson, she can be reached at or 515-707-3967.