Pratum Blog

Pratum, an Iowa-based information security consulting and managed security services firm, today announced that David A. Cotton, Brigadier General, USAF (Ret), assumed the position of Strategic Security Advisor effective March 19, 2018.

As Strategic Security Advisor of Pratum, David is responsible for helping set the strategic vision for the company’s information security consulting and IT risk management services while simultaneously serving as a Virtual Chief Information Security Officer for multiple clients in various industries.

David A. Cotton, Brigadier General, USAF (Ret)

“David’s vast experience leading cyberspace operations for the US Air Force, along with his deep knowledge and expertise in the areas of strategic planning and crisis management, will provide Pratum’s clients with cybersecurity leadership that is typically only available to the Department of Defense or Fortune 500 companies,” says Dave Nelson, CEO and President of Pratum.

David is a customer-centric cybersecurity, information technology, and change management senior executive with over 20 years of experience leading large, complex, diverse, global operations. He is the former Chief Information Security Officer for Iowa State University; a four-time Chief Information Officer while serving in the US Air Force, retiring as a brigadier general; a corporate cybersecurity VP for TASC Inc., a then-private defense and intelligence contractor focused on cybersecurity, intelligence, surveillance and reconnaissance operations, geospatial intelligence, and data analytics; and a member of the Defense Department’s Senior Executive Service and Deputy CIO for Information Enterprise, with a portfolio that included developing the policies and governance constructs to enable enterprise services, as well as the upgrade and restructure of the global network security architecture for the military services and Defense Agencies.

“The quality and caliber of the Pratum staff has always impressed me, but the hiring of General Cotton shows they will stop at nothing to attract the best talent possible.”

Joey Beech, Executive Director of Ankeny Economic Development Corporation

David will oversee the development of clients’ security programs and work directly with them to improve their security postures. His experience and strategic security vision for the future encapsulate the value Pratum offers clients through its information security services.


Individuals serving as officers or directors of an organization have a responsibility to investors and clients to ensure that the organization is being run well. This includes multiple facets of the organization’s operations such as finance, regulatory compliance, people management, and risk management.

There is so much responsibility placed on these individuals that an entire insurance market is devoted to protecting them through the sale of officer and director liability policies. Evidently, the roles of officers and directors are so important that a mistake in their judgment could create significant losses. Why is it that so many in this role continue to allow information security to be a blind spot in their oversight?

Officers and directors need to take a more active role in assessing how well organizations are handling the threat of a data breach.

Take these steps to provide board level visibility into cybersecurity preparedness.

  • Implement an IT risk management program to identify, classify, track and address technology risks within the organization. This not only helps identify risks but also provides a prioritized action list to ensure time and money are being spent on the largest risks, not just pet projects.
  • Require a quarterly or semi-annual report on cybersecurity including any incidents, performance metrics or other data to ensure progress is being made towards your security goals, and that a positive return on investment is being realized for information security expenditures.
  • Ensure the individual responsible for information security has at least a dotted-line reporting structure outside of the technology group. This is extremely important to ensure that the security voice is heard and not squashed by the very management it is reporting on.
  • Require that a robust incident response plan be generated with predefined team members, third-party experts and general counsel. The time to determine how to respond to a breach is not during the breach. Test the plan annually in order to continually adapt to changes in business practices or regulatory requirements.
  • Use a common information security framework such as NIST, ISO, HITRUST or PCI to guide security activities and expenditures. These frameworks have been fully vetted over the years and ensure a consistent approach to information security.
  • Consider using an external security firm to perform a security assessment to ensure the standards of due care and due diligence have been met.

Officers and directors will be called upon more frequently to defend an organization’s information security practices as legal proceedings increase due to data breaches. By requiring a basic level of protection and receiving regular updates on security activities, board members will be better prepared to answer questions about the maturity of their organization’s cybersecurity posture.

Pratum receives SOC 2 Type II report for 2nd consecutive year.

We are pleased to announce that Pratum has received its SOC 2 Type II report for the second consecutive year.

For those who are not familiar with SOC 2, the report is intended to provide interested parties (i.e., clients, vendors, partners) with independently verified information that the reported organization has appropriate security controls in place to properly handle and secure data.

Performed by a trusted, independent third-party firm utilizing the criteria set forth by the American Institute of Certified Public Accountants (AICPA), the report is based on Pratum’s existing internal controls and verified against the security trust services principle. The completion of this report is a testament to Pratum’s continued focus on ensuring that the company’s internal security practices align with expectations it sets for clients and their security programs.

SOC 2 Type II is the most comprehensive report within the System and Organization Controls protocol. The Type II report assesses both the design of the security controls and their operating effectiveness over a specified time period. Pratum’s most recent SOC 2 Type II report assessed security controls over a 12-month period, from January 1, 2017 to December 31, 2017.

Receiving a SOC 2 Report

We are proud of our SOC 2 Type II report. It provides great value to our clients and an excellent means of auditing the effectiveness of our internal security controls. If your organization needs help with SOC 2, Pratum’s consultants can perform a SOC 2 readiness assessment to determine if your organization is prepared to undergo a SOC 2 engagement.
