About Our Compliance & Privacy Advisory Team

We honor and remember our dear colleague, Dr. Patrick Sullivan, whose passing on February 12, 2025, was sudden and heartbreaking. For over two decades, Patrick was more than an expert in information security and privacy — he was a mentor, a collaborator, and a friend. His impact will never be forgotten.

Patrick F. Sullivan is a recognized subject matter expert in planning, implementing, evaluating, and helping customers improve information security and privacy governance, risk management, and compliance systems. He has extensive experience as a lead auditor for ISO 27001 and ISO 20000 as well as extensions for ISO 27701, and GDPR.

Certifications

• IRCA-qualified ISO/IEC 27001 auditor
• APM/ITSMF International-qualified ISO/IEC 20000 auditor
• PhD, Philosophy, University of Kentucky, 1988

Career Accomplishments

• Customers include Fortune 500 companies in pharmaceuticals, financial services, travel, industry-specific data management and analytics, and telecommunications
• Worked with government agencies and regulatory oversight bodies in the U.S., Hong Kong and Canada
• Provided project implementation planning consulting for successful ISMS certification projects
• Managed ISO 27001/27701 and ISO 20000 internal audits
• Delivered onsite ISO 27001 implementation and audit training
• Supported the Privacy Act Office of a U.S. federal agency with compliance with the Privacy Act of 1974
• Helped launch the global Privacy Practice as a senior manager at one of the Big Four professional services firms

Skills & Expertise

• Designs and implements business-driven, standards-based Information Security Management Systems (ISMS) and Privacy Information Management Systems (PIMS)
• Develops and implements information security risk management methodologies
• Experience with privacy and security governance, risk management, and compliance program design consistent with U.S. and international law
• Over fifteen years' experience in university-level teaching and academic research

Brock Griffin is an innovative, forward-thinking leader with over 20 years of technical engineering, IT architecture, cybersecurity operations and leadership experience.

Certifications

• Certified Data Privacy Solutions Engineer (CDPSE)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Certified ISO 27001 Lead Auditor

Career Accomplishments

• Strong proficiency in IT architecture and cybersecurity operations as well as significant background in reporting frameworks such as NIST, ISO and PCI
• Uniquely qualified to bridge gaps across technology, automation, process, and people to enable transformational business security solutions

Skills & Expertise

• Skilled at technical architecture and security operations of public and private cloud infrastructure including PaaS, IaaS, and SaaS architectures in Google, Amazon, and Microsoft public clouds
• Exceptional ability to grasp concepts quickly, understand the strategic value of "the big picture," and adapt to complex environments while staying calm and resolute through stressful times
• Significant experience with building and maintaining security compliance programs in three highly regulated industries: Restaurant, Financial, Healthcare
• High level of experience in network security, risk and compliance frameworks including PCI, SOX, HIPAA, NIST, ISO 27001, ISO 27701, CIS, FINRA, SEC, FDA and SOC I & II

Professional Affiliations

• International Association of Privacy Professionals (IAPP)
• Center for Internet Security (CIS)
• Information Systems Audit and Control Association (ISACA)
• International Information Systems Security Certification Consortium (ISC2)
• SANS Institute (SANS)
• InfraGard

John is an IRCA-certified ISO 27001 Information Security Auditor and British Standards Institute-qualified in Implementation with more than thirty years' experience in Internet and Information Security.

Certifications

• Certified as ISO 27001 Lead Auditor
• Certified as ISO 20000 Lead Auditor
• Certified Information System Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Certified Protection Professional (CPP)
• Certified Information Security Manager (CISM)

Career Accomplishments

• Led ISO 27001 Implementation and preparation for dozens of successful third-party certifications
• Conducted over 400 days of ISO 27001 certification audits for multiple registrars as lead assessor
• Provided ISMS implementation consulting from project initiation through registration for an industry-leading company that achieved ISO 27001 certification on the first audit
• Provided Business Continuity Management consulting to companies in energy, manufacturing, software development and other sectors
• Worked with a Fortune 50 international telecommunications client in Japan to successfully develop Information Security Metrics and an ISO-conformant incident response program
• Collaborated on a HIPAA Security Risk Assessment for a large health plan provider
• Consulted on GLBA, SOX and other regulatory compliance issues for multiple clients
• Former Director, Qwest Worldwide and IP Network Security

Skills & Expertise

• Lead ISO 27001 Implementation and preparation for third-party certification
• Assists companies to achieve their business objectives by effectively and efficiently managing risk to their information assets
• Provides Information Security Risk Assessment of critical business processes and security policy supporting corporate governance initiatives
• Designs, develops and deploys business-driven, standards-based Information Security Programs
• Provides Security Assurance expertise in regulated vertical markets: Financial (GLBA), Healthcare (HIPAA), Public companies (SOX), Health-related manufacturing (FDA)
• Disaster Preparedness/Business Continuity Planning and Incident Response subject matter expert
• Over thirty years' experience providing Information Security consulting in North and Central America, Europe and the Far East

Professional Affiliations

• International Information System Security Certification Consortium (ISC)2
• Information System Security Association (ISSA) — past Program Director, Minnesota Chapter
• Information Systems Audit and Control Association (ISACA)
• International Information Systems Forensics Association (IISFA)
• American Society of Industrial Security (ASIS)
• Computer Security Institute (CSI)
• FBI InfraGard — past VP on the Executive Board of Directors, Minnesota Chapter

Cynthia Kriha has a diverse career in technology leadership focusing on operational excellence, information security, business systems efficiency and continuous improvement. She is a trusted partner of customers, ensuring development and delivery of actionable plans that meet business objectives and industry standards.

Certifications

• Master's degree in International Management (MIM), University of Saint Thomas

Career Accomplishments

• Contributed to ISO 27001 compliance implementations as a program manager, ensuring consistent communication and preparation for third-party certification
• Key contributor of the ISO 9001 implementation team at NCR that resulted in the first location certified world-wide
• Received Distinguished Technical Achievement Award for ISO 9000 certification efforts
• Defined and directed work activities for teams from three to 600 employees and 1000 contractors
• Managed technical and marketing programs completed on time and on budget including corporate identity and branding studies
• Managed an expense budget of more than $110 million and a capital budget of over $450 million
• Involved in three company mergers and related integration activities
• Past member of Corporate Security Governance Board of a large public company

Skills & Expertise

• Knowledge of information security and related international standards and trends driving the focus on information governance and privacy
• Leads ISO 27001 implementations in a program manager role
• Assists customers with expanding their information security and privacy postures
• Researches and analyzes industry trends and drives new opportunities to deliver expanded services
• Manages strategic programs by identifying appropriate methodology and articulating tactical actions
• Designs and implements business-driven standards-based quality programs with measurable results
• Understands technology and other complex topics in enough depth to lead experts and view the business holistically
• Manages supplier and partner relationships to ensure maximum productivity from relationships

For over two decades, Robert has been a critical part of the JBW Group family and instrumental in the founding of the company and its success over the years. Robert is an internationally recognized expert in the design, delivery, implementation, and audit of cybersecurity, privacy, and data protection conformance and compliance programs with more than 50 years of experience.

Certifications

• IRCA-Certified Auditor for ISO 9001, ISO 20000, ISO 27001, and ISO 27701
• Certified Cybersecurity Maturity Model Certification Professional (CCP)
• Certified ISO 27001 Trainer — RABQSA International (now Exemplar Global)
• ISC2-Certified Information System Security Professional (CISSP)
• Certified HIPAA Security Professional (CHSP)
• BCS/ISEB Certificate in International IT Law
• ISC2-Certified CISSP Trainer
• Certified Defense Industrial Security Program — Facility Security Officer (FSO)
• Law Enforcement Association of America (LEAA) Expert Witness — Computer Security and Privacy

Career Accomplishments

• Worked with more than 120 Fortune 500 corporations in the United States
• Completed more than 3,000 ISO 27001, ISO 27701, and ISO 20000 registration audits as a principal auditor
• Experience with critical infrastructure clients in financial services, insurance, telecommunications, transportation, manufacturing, gas and oil, chemical, pharmaceutical, government, and education

Skills & Expertise

• Expertise in healthcare, pharmaceutical, IT, CRM, automotive, gas and oil, and financial services under multiple legal and regulatory requirements (GDPR, CMMC, NIST, GLBA, HIPAA, ISO, SOX, PCI, etc.)
• Strong knowledge of International Legal and Regulatory, U.S. Federal, State, and Sectoral security and privacy law and regulation
• SOC General and IT Control Audits and Reviews
• Network Vulnerability and Penetration Testing
• Business Continuity Management and Planning
• Executive Risk Profiling, Protection, Planning, and Management
• Incident Planning, Management, Response, and Reporting

Professional Affiliations

• CMMC AB/CYBER AB
• International Information System Security Certification Consortium (ISC2)
• Information Systems Audit and Control Association (ISACA)
• Computer Security Institute (CSI)
• Institute of Internal Auditors (IIA)
• Institute of Quality Assurance
• RABQSA International
• International Register of Certificated Auditors
• Guest Speaker at numerous Conferences and Professional Meetings

George Bakalov is uniquely adept at aligning security initiatives with organizational goals stemming from his many years of working with distributed, cross-functional teams and a focus on cybersecurity, risk management and regulatory compliance.

Certifications

• Certified virtual Chief Information Security Officer (CvCISO)
• Certified in Cybersecurity (CC)
• Certified in Cybersecurity from the University of Wisconsin

Career Accomplishments

• Designed and implemented comprehensive information security programs that enhanced the overall security posture and operational resilience
• Identified and mitigated project risks, resolving issues swiftly to avoid delays or cost overruns
• Contributed to strategic initiatives by participating in the development and execution of company strategies related to client delivery and service offerings
• Optimized high-quality delivery by implementing quality control measures to ensure services met or exceeded client expectations
• Gathered and analyzed customer feedback to continually improve service delivery and client satisfaction

Skills & Expertise

• Client Delivery — client relationship management, project management, quality assurance and strategic planning
• Executive Advisory — provides strategic guidance to leadership on information security risk management
• Reporting and Metrics Capabilities — develops reporting capabilities based on risk metrics
• Policy and Procedure Development — authors and enforces security policies and procedures
• NIST Compliance Achievement — directs organizations through NIST compliance as a self-reporting Managed Service Provider
• Risk Management and Remediation — conducts thorough risk assessments and managed remediation roadmaps
• Security Stack Management — oversees selection, implementation, and maintenance of security technology stack
• Cybersecurity Awareness Training — develops and delivers cybersecurity training programs
• Incident Response Preparedness — leads tabletop exercises to enhance incident response readiness
• Ransomware Demonstration — designs and presents live ransomware simulations

Professional Affiliations

• International Information System Security Certification Consortium (ISC2)
• Information Systems Audit and Control Association (ISACA)
• CvCISO CommUnity, Minnesota Chapter

Kathy Braun is an experienced cyber risk management consultant, computer forensic investigator, and incident response senior advisor with more than twenty-five years of practical experience. Her guidance transforms risk management and compliance programs, providing strategic oversight and practical management.

Certifications

• Certified Computer Examiner (CCE)
• Certified Forensic Computer Examiner, Key Computer Systems / Kennesaw State University, Atlanta
• Certificate in Risk Project Management, George Washington University, Washington, DC

Career Accomplishments

• Head of Enterprise Risk Management as business cybersecurity advisor building the program from the ground up
• Provided strategic cyber and risk advisory services in a global organization
• Acted as principal cybersecurity consultant for corporate and academic customers in financial industry, healthcare, universities and Big 4 consulting firms
• Conducted cybersecurity investigations and risk assessments for a large financial services company
• Managed CERT Incident Response teams in handling malware attacks, insider threats, intellectual property, and criminal cases
• Managed a cybersecurity business for more than twenty years in both the public and private sectors

Skills & Expertise

• Develops strategic plans for data protection and privacy programs
• Guides organizations to manage regulatory requirements such as FFIEC, NYDFS, GDPR, ISO 27001, PCI and SOC2 compliance
• Oversees Incident Response and E-discovery functions and acts as a liaison between Legal, Risk Management, and Executive staff
• Develops third-party risk management programs for enterprise-wide solutions
• Frequent conference speaker on both cybersecurity and global cross-functional communication

Professional Affiliations

• Metro InfraGard Members Alliance, Inc.
• International Society of Forensic Computer Examiners (ISFCE)
• High Technology Crime Investigation Association (HTCIA), New York Metro Chapter

Mark Eckel's business continuity and disaster recovery planning expertise was forged in the aftermath of the 9/11 attacks. For more than 25 years, Mark has applied extensive knowledge working with a wide range of customers to optimize and test their plans to protect people, property and operations from risk and disruption.

Certifications

• Certified Business Continuity Lead Auditor (CBCLA), Disaster Recovery Institute International
• Certified Business Continuity Professional (CBCP), Disaster Recovery Institute International
• Industrial Security Professional (ISP), National Classification Management Society
• Project Management Professional (PMP), Project Management Institute
• Master of Business Administration (MBA), Concordia University, 2013
• Master of Arts in Organizational Management (MAOM), Concordia University, 2004

Career Accomplishments

• Led dozens of organizations through risk assessment and business impact analysis processes
• Trained, mentored, and coordinated dozens of disaster recovery/business continuity planning teams supporting multi-billion-dollar business units
• Facilitated annual certification tests and debriefings after actual plan activations
• Managed the construction of several new Federal SOCs, NOCs and SCIFs
• Ensured support facilities were equipped with all federally mandated physical security features
• Planned and managed the design, construction, operation and evolution of complex briefing and product demonstration facilities

Skills & Expertise

• Expert guidance on all areas of business continuity, disaster recovery, fire/life safety and emergency management
• Assesses business continuity planning effectiveness and physical security requirements as part of ISO 27001 internal audits
• Manages projects related to technology implementation, business continuity, fire/life safety, physical security requirements and process development
• 25+ years of experience as a business continuity manager for a large telecommunications company
• Extensive experience with hiring, building and leading high-performance teams

Professional Affiliations

• Disaster Recovery Institute International (DRII) — Member since 2009
• National Classification Management Society (NCMS) — Member since 2016, Chapter Chair of the Mentoring Committee since 2018
• Project Management Institute (PMI) — Member since 2012
• National Fire Protection Association (NFPA) — Member since 2024

Ainsley A. McKay is an ISO 27001 lead auditor and knowledge and document management expert with significant experience in the design, delivery, implementation, and audit of ISO 27001 security and compliance programs. She has conducted more than 1,400 hours of ISO internal audits.

Certifications

• Certified ISO 27001 Lead Auditor, awarded September 30, 2019
• Exemplar Global Certificate of Attainment — IS Information Security Management Systems, AU Management Systems Auditing, TL Leading Management Systems Audit Teams
• Master of Arts in Teaching (MAT), English Education, Georgia College and State University
• BA in English, Georgia College and State University

Career Accomplishments

• More than 1,400 audit hours as Team or Lead Auditor on customer ISO 27001 internal audits
• Information Security Program Manager for a company providing technology support to U.S. and international law firms
• Security Program Administrator for a regional technology solutions company

Skills & Expertise

• More than a decade of experience in security and technology
• Certified ISO 27001 lead auditor and JBW Group's knowledge management subject matter expert
• Assists with document creation and consulting for ISO 27001, ISO 27701, ISO 27017, ISO 27018, ISO 20000 policies and procedures
• Guides customers on implementation of Information Security Management Systems (ISMS) and Privacy Information Management Systems (PIMS)
• Works with customers in multiple verticals to guide document management efforts and capture critical institutional knowledge

Keith Parkman is an IT professional, information security leader and trainer with proven experience implementing and auditing management systems. He has more than 20 years of IT experience with over 14 years focused on information security.

Certifications

• Certified ISO 27001 Lead Auditor, awarded 2022
• Certified ISO 42001 Lead Auditor, awarded 2025
• Certified ISO 9001 Lead Auditor, awarded 2021
• Certified Information Systems Auditor (CISA)
• Certified Data Privacy Solutions Engineer (CDPSE)
• BS in Workforce Education and Training, Southern Illinois University
• MBA, University of Phoenix

Career Accomplishments

• Led ISO 27001 and ISO 42001 implementation projects and internal audits across diverse industries
• Developed and delivered customized IT audit and compliance training programs for international financial and government entities
• Streamlined third-party vendor risk assessment processes
• Designed and launched ISO 27001 security awareness programs
• Successfully managed complex IT controls testing across multiple frameworks including SOX, NIST, PCI DSS, and HIPAA
• Provided reliable guidance on GDPR, CCPA, and the EU Privacy Shield

Skills & Expertise

• Expert advisor for ISO 27001 and ISO 42001 Security Program Design and Implementations
• Experience with ISO Internal Auditing
• Extensive knowledge of regulatory requirements including PCI/DSS, HIPAA, SOX, and NIST 800-53
• Capability Maturity Model Integration (CMMI)
• Risk and Compliance Management
• Policy and Procedure Development
• Third-Party/Vendor Security Assessments
• Privacy Compliance (GDPR, CCPA)
• Over 14 years of experience providing Information Security expertise in North America, European Union, and United Arab Emirates

Chelsey Pozarnsky has extensive internal auditing experience within corporate finance, operations, information security and field audits. She has worked in many industry segments including retail, manufacturing, restaurants and insurance.

Certifications

• Certified Internal Auditor (CIA)
• Certified ISO 27001 Lead Auditor
• BS in Accounting with a minor in Fraud Accounting, North Dakota State University

Career Accomplishments

• Implemented Auditboard and Workiva software to streamline processes and add value in audit operations
• Identified risks, created controls, and implemented test plans for a transition from SAP ERP to SAP S4 platform
• Evaluated existing controls environment and developed risk and control matrices
• Coordinated testing efforts, walkthroughs, and control questions with External Auditors
• Designed restaurant audit programs and action plans for complex labor laws, operations, and compliance
• Created audit programs for insurance companies and risk programs related to franchise royalty collections and contract compliance
• Analyzed effectiveness of SOX controls and led testing efforts

Skills & Expertise

• Sarbanes-Oxley Act (SOX) compliance including IT and financial controls
• Conducts ISO 27001:2022 internal audits
• In-depth knowledge of Generally Accepted Accounting Principles (GAAP)
• Risk and Control Matrix (RCM) facilitation
• Financial/Operational Auditing
• Compliance activities and Risk Assessments
• Auditing of Software Implementations
• Training and Coaching

Professional Affiliations

• The Institute of Internal Auditors (IIA)

Milinda Rambel Stone is an executive security leader with proven experience building and leading security programs and teams, with more than 20 years in technology, healthcare, and financial services.

Certifications

• Certified ISO 27001 Lead Auditor, awarded 2024
• Certified ISO 42001 Lead Auditor, awarded 2025
• Certified Information Security Manager (CISM)
• Certified Information Security Auditor (CISA)
• Certified Risk Information Security Control (CRISC)
• MBA in Computer Information Security, North Central University
• Master of Science in Software Engineering, University of Minnesota
• PhD doctoral student in Cyber Defense, Dakota State University — Research focus in Digital Forensics and Artificial Intelligence

Career Accomplishments

• Developed strategy and led oversight for AWS Environment (NIST 800-53, RS & CIS AWS)
• COVID-19 Task Force member charged with business continuity and employee safety
• Developed healthcare cloud security program, achieving ISO 27001 Certification, SOC 2 Type II & HIPAA Attestation
• Created and implemented security program for supply chain SaaS organization, ensuring HIPAA & SOX compliance resulting in ISO & SOC 2 certifications
• Built three separate Security Internship Programs that created pipeline for hiring security talent
• Delivered over 1,000 hours of corporate software engineering and security training

Skills & Expertise

• Expert advisor for ISO 27001 Security Program Design and Implementations
• Leads multiple ISO 27001 Implementations and successful preparations for third-party certification
• Extensive knowledge of regulatory requirements including GLBA, HIPAA, SOX, NIST CSF, and NIST 800-53
• Leads successful AWS and Azure Cloud Security Control Implementations
• Development and implementation of Information Security operations programs
• Builds and leads Security Incident Response Programs
• Cloud Security and DevSecOps product management
• Risk Management Program strategic development and oversight of enterprise information assets
• Over twenty years' experience providing Information Security expertise in North America, Canada, and Ukraine

Professional Affiliations

• Adjunct Faculty, Dakota State University — Cyber Defense Program
• Cyber Security Summit Think Tank Member
• Advisory Council Member, SecureWorld Expo
• PCs for People Board Member
• Information Systems Audit and Control Association (ISACA) — Platinum Member
• CISO Executive Network Member
• Member of the CybHER Institute, Dakota State University

We honor and remember our dear colleague, Dr. Patrick Sullivan, whose passing on February 12, 2025, was sudden and heartbreaking. For over two decades, Patrick was more than an expert in information security and privacy — he was a mentor, a collaborator, and a friend. His impact will never be forgotten.

Patrick F. Sullivan is a recognized subject matter expert in planning, implementing, evaluating, and helping customers improve information security and privacy governance, risk management, and compliance systems. He has extensive experience as a lead auditor for ISO 27001 and ISO 20000 as well as extensions for ISO 27701, and GDPR.

Certifications

• IRCA-qualified ISO/IEC 27001 auditor
• APM/ITSMF International-qualified ISO/IEC 20000 auditor
• PhD, Philosophy, University of Kentucky, 1988

Career Accomplishments

• Customers include Fortune 500 companies in pharmaceuticals, financial services, travel, industry-specific data management and analytics, and telecommunications
• Worked with government agencies and regulatory oversight bodies in the U.S., Hong Kong and Canada
• Provided project implementation planning consulting for successful ISMS certification projects
• Managed ISO 27001/27701 and ISO 20000 internal audits
• Delivered onsite ISO 27001 implementation and audit training
• Supported the Privacy Act Office of a U.S. federal agency with compliance with the Privacy Act of 1974
• Helped launch the global Privacy Practice as a senior manager at one of the Big Four professional services firms

Skills & Expertise

• Designs and implements business-driven, standards-based Information Security Management Systems (ISMS) and Privacy Information Management Systems (PIMS)
• Develops and implements information security risk management methodologies
• Experience with privacy and security governance, risk management, and compliance program design consistent with U.S. and international law
• Over fifteen years' experience in university-level teaching and academic research