michael werneburg




In 2017, my first and only published peer-reviewed journal article appeared in ISACA's "Journal". The Journal article is available by permission here.


Also in 2017, I co-authored a guide for investment firms on the evaluation of cyber security readiness in industry vendors. This is proprietary to the Investment Industry Association of Canada, but I can make this available upon request depending on the circumstances.

Masters dissertation

In 2014, I completed a masters degree in risk management with Birmingham City University by completing a survey of seven technology vendors in regulated industries across North America. I was attempting to understand whether implementing a risk management function at a technology vendor in a regulated industry would help the vendor improve the overall delivery of its service. That turned out to be the case, but the study found that the #1 impact was actually in sales and marketing! If you like to read thousands of words, I've got some here.


Over the years, I've written articles once my own research into a particular matter seemed to bear something worth sharing. Some are now a bit dated–for instance I've come to the view that catalogs of internal controls are potentially counter-productive to IT risk management–but that just gives me an opportunity to write some more articles!

choosing a disaster recovery office


I had some remarks when opening a second IT office for the first time in the company's history.

the economics of IT systems reliability


Making an investment in reliable systems can be difficult if the leadership can't put a price on the value of that reliability. By depicting the economics of recovery accurately, you can help clarify the problem and produce an accurate decision.

the trouble with Tenable


Automated vulnerability and configuration/hardening scanning can be a boon but can also go wrong in many ways. These are my recommendations.

the project graveyard


A catalog of past projects is a document or collection of documents that lists and provides information about the various projects that have been completed - and importantly, those that failed.

a non-profit risk management process manual


Non-profits require processes monitoring the enterprise for loss, including missed opportunity. I have written a manual for doing so that avoids common pitfalls in risk management.

fracking the human being


Don't treat people like they're expendable, treat them like you want to be treated–with respect and dignity.

obtaining SOC-2 reports at a technology vendor


A technology provider can get nowhere in a regulated industry despite having a great product if the clients lack trust. This is where a SOC-2 audit report can help.

tracking vulnerability fixes to production


Application vulnerability fixes should be a no-brainer, right?

20 Questions for Vendor Cyber Security


This is a guide to evaluating a service organization's cyber security capabilities.

third party risk


This guide on third party risk was written towards controlling a range of risks can possibly arise from the outsourcing of core functions

Peter Drucker on risk


Peter Drucker was a prolific and talented business writer who has much to teach us about strategic risk.

on strategic risk management


Strategic risk management is a hard subject to grasp. These matters are so big it's a problem even understanding where to start.

risk, opportunity, and the service organization


How specialist technology services organizations are required to operate with the risk management capabilities of the regulated industries they serve. This is the first in a chain of articles