Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

What is different about the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, the American Institute of Certified Public Accountants (since 2017 part of the Association of International Certified Professional Accountants, which it formed together with CIMA).

Which raises the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at it at a higher level. Because of their risk management expertise, they can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy. (Security, the “common criteria,” is in scope for every SOC 2 examination; the other four categories are included only if the service organization chooses to include them. And a Type 1 report covers control design at a point in time, while a Type 2 report covers operating effectiveness over a period, which is why the auditor’s view of evidence matters so much.)

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.


This Week’s Acronym is ASOCMM: the MM part should be a giveaway


I just read a post by SentinelOne, but it’s too early to tell if this is just a string of buzzwords or a legitimate endeavor.

The post about a proposed “Autonomous SOC Maturity Model” (ASOCMM?) includes buzzwords such as “autonomous,” “SOC” (here the security operations center, not the AICPA’s System and Organization Controls), “agentic AI,” and of course “maturity model.”

Having done my maturity model time during my days at Motorola Solutions predecessor Motorola (although our group stuck with CMM rather than moving on to CMMI), I’ve certainly seen the benefits and drawbacks of maturity models for organizations large and small. Or at least for large organizations: I shudder at the thought of implementing a maturity model at a startup; the learning curve at the Printrak part of Motorola was bad enough. You need to hit the target between no process and process for process’ sake.

So what of this autonomous SOC maturity model? Perhaps it can be real.

“At SentinelOne, we see the Autonomous SOC through the lens of a maturity model. We welcome debate on where we, as an industry, are on this evolutionary revolution. We hope most will agree that this is a better way to look at Autonomous SOC innovation and adoption – far better than the binary, all-or-nothing debates that have long fueled analyst, vendor, and industry watcher blogs and keynotes.”

If nothing else, a maturity model approach lends (or can lend) itself to continuous improvement, rather than just checking off a box and saying you’re done. A Level 5 (or Level 4 on a 0-4 scale) organization, if it believes what it’s saying, is ALWAYS going to improve.

Something to watch…and not just with SentinelOne.

(Adapted from original posts on LinkedIn and Facebook)

Contraction

While the words “consolidation” and “contraction” have a similar sound and are often linked, they are actually two separate conditions, as you can see in the identity/biometric industry.

  • Consolidation occurs when separate entities become one. Ping Identity and ForgeRock (Ping Identity). Sagem Morpho and Motorola’s Biometric Business Unit (MorphoTrak). Digital Biometrics and Identix and Viisage and Visionics and Iridian and ComnetiX and don’t forget the ID part of Digimarc and many others (L-1 Identity Solutions).
  • Contraction occurs when an existing entity becomes smaller. Hikvision’s reported layoff of 1,000 employees is a recent and relevant example.

“Ah, but Hikvision is a special case,” you may be saying. “They’re linked to human rights abuses and sanctioned by Western governments. Many identity/biometric players are not sanctioned.”

But I’m not hearing loud celebrations from these other firms.

I’ve privately heard three separate stories, one of which I just heard on Monday, involving major identity/biometric companies. All three stories involve firms that are not sanctioned. In all three cases the firms perform major business with Western governments. And all three stories involve contraction which would have been unthinkable a mere five years ago.

Not too long ago I compiled a list of four significant events that positively impacted the identity/biometric industry. That list included 9/11, the Boston Marathon bombings, Apple’s Touch ID, and COVID.

I’m starting to wonder whether that last event was, in the long term, a net positive or a net negative.


In Case You Missed My Incessant “Biometric Product Marketing Expert” Promotion

Biometric product marketing expert.

Modalities: Finger, face, iris, voice, DNA.

Plus other factors: IDs, data.

John E. Bredehoft has worked for Incode, IDEMIA, MorphoTrak, Motorola, Printrak, and a host of Bredemarket clients.


Identification Perfection is Impossible

(Part of the biometric product marketing expert series)

There are many different types of perfection.

Jehan Cauvin (we don’t spell his name like he spelled it). By Titian – Bridgeman Art Library: Object 80411, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6016067

This post concentrates on IDENTIFICATION perfection, or the ability to enjoy zero errors when identifying individuals.

The risk of claiming identification perfection (or any perfection) is that a SINGLE counter-example disproves the claim.

  • If you assert that your biometric solution offers 100% accuracy, a SINGLE false positive (false match) or false negative (false non-match) shatters the assertion.
  • If you claim that your presentation attack detection solution exposes deepfakes (face, voice, or other), then a SINGLE deepfake that gets past your solution disproves your claim.
  • And as for the pre-2009 claim that latent fingerprint examiners never make a mistake in an identification…well, ask Brandon Mayfield about that one.

In fact, I go so far as to avoid using the phrase “no two fingerprints are alike.” Many years ago (before 2009) in an International Association for Identification meeting, I heard someone justify the claim by saying, “We haven’t found a counter-example yet.” That doesn’t mean that we’ll NEVER find one.

You’ve probably heard me tell the story before about how I misspelled the word “quality.”

In a process improvement document.

While employed by Motorola (pre-split).

At first glance, it appears that Motorola would be the last place to make a boneheaded mistake like that. After all, Motorola is known for its focus on quality.

But in actuality, Motorola was the perfect place to make such a mistake, since it was one of the champions of the “Six Sigma” philosophy (which targets a maximum of 3.4 defects per million opportunities). Motorola realized that manufacturing perfection is impossible, so manufacturers (and the people in Motorola’s weird Biometric Business Unit) should instead concentrate on reducing the error rate as much as possible.

So one misspelling could be tolerated, but I shudder to think what would have happened if I had misspelled “quality” a second time.

Fill Your Company Gap With A Biometric Content Marketing Expert

Companies often have a lot of things they want to do, but don’t have the people to do them. It takes a long time to hire someone, and it even takes time to find a consultant that knows your industry and can do the work.

This affects identity/biometric companies just like it affects other companies. When an identity/biometric company needs a specific type of expertise and needs it NOW, it’s often hard to find the person they need.

If your company needs a biometric content marketing expert (or an identity content marketing expert) NOW, you’ve come to the right place—Bredemarket. Bredemarket has no identity learning curve, no content learning curve, and offers proven results.

Identity/biometric consulting in the 1990s

I remember when I first started working as an identity/biometric consultant, long before Bredemarket was a thing.

OK, not quite THAT long ago. I started working in biometrics in the 1990s—NOT the 1940s.

In 1994, the proposals department at Printrak International needed additional writers due to the manager’s maternity leave, and she was so valuable that Printrak needed to bring in TWO consultants to take her place.

At least initially, the other consultant and I couldn’t fill the manager’s shoes.

  • Both of us could write.
  • Both of us could spell “AFIS.”
  • Both of us could spell “RAID.” Not the bug spray, but the storage mechanism that stored all those “huge” fingerprint images.
  • But on that first night that I was cranking out proposal letters for something called a “Latent Station 2000,” I didn’t really know WHAT I was writing about.

As time went on, the other consultant and I learned much more—so much that the company brought both of us on as full-time employees.

After we were hired full-time, we spent a combined 45+ years at Printrak and its corporate successors in proposals, marketing, and product management positions, contributing to industry knowledge.

Which shows that learning how to spell “AFIS” can have long-term benefits.

Printrak’s problem

When Printrak needed biometric proposal writing experts quickly, it found two people who filled the bill. Sort of.

But neither of us knew biometrics before we started consulting at Printrak.

And I had never written a proposal before I started consulting at Printrak. (I had written an RFP. Sort of.)

But frankly, there weren’t a lot of identity/biometric consultants out in the field in the 1990s. There were the 20th century equivalents of Applied Forensic Services LLC, but at the time I don’t think there were any 20th century equivalents of Tandem Technical Writing LLC.

The 21st century solution

Unlike the 1990s, identity/biometric firms that need consulting help have many options. In addition to Applied Forensic Services and Tandem Technical Writing you have…me.

Mike and Laurel can tell you what they can do, and I heartily endorse both of them.

Let me share with you why I call myself a biometric content marketing expert who can help your identity/biometric company get marketing content out now:

  • No identity learning curve
  • No content learning curve
  • Proven results

No identity learning curve

I have worked with finger, face, iris, DNA, and other biometrics, as well as government-issued identity documents and geolocation. If you are interested, you can read my Bredemarket blog posts that mention the following topics:

No content learning curve

Because I’ve produced both external and internal content on identity/biometric topics, I offer the experience to produce your content in a number of formats.

  • External content: account-based marketing content, articles, blog posts (I am the identity/biometric blog expert), case studies, data sheets, partner comarketing content, presentations, proposals, sales literature sheets, scientific book chapters, smartphone application content (events), social media posts, web page content, and white papers.
  • Internal content: battlecards, competitive analyses, demonstration scripts (events), email internal newsletters, FAQs, multi-year plans, playbooks, project plans, proposal templates, quality improvement documents, requirements documents, strategic analyses, and website/social media analyses.

Proven results

Read about them here.

So how can you take advantage of my identity/biometric expertise?

If you need day-one help for an identity/biometric content marketing or proposal writing project, consider Bredemarket.

(Bredemarket Premium) The mechanics of acquisitions

During my years in biometrics, my employer was acquired by another firm three times:

  • Printrak was acquired by Motorola in 2000.
  • Part of Motorola was acquired by Safran in 2009.
  • Part of Safran was acquired by Oberthur in 2017. (The combined entity was named IDEMIA.)

Acquisitions always cause a lot of changes, but one of these three acquisitions caused more changes than any of the others.


Four of my identity information sources that I have created over the years, including one that you can access in the next ten seconds

How many of us keep on doing the same thing, but just use different tools to do it?

For example, I am going to provide four examples of ways…I mean, for example, I am going to list four ways in which I have disseminated identity information to various internal and external audiences over the last fifteen years. Three of these methods had restricted access and some are no longer available, but the last one, Bredemarket Identity Firm Services, is publicly available to you TODAY.

You can get to this information source in ten seconds if you like. If you’re a TL;DR kind of person, click here.

For the rest of you, read on to see how I used COMPASS (most of you haven’t heard of COMPASS), SharePoint (you’ve heard of that), email (you’ve definitely heard of that), and LinkedIn (ditto) to share information.

Take One: Using Motorola Tools

For the first identity information source, let’s go back about fifteen years, when I was a product manager at Motorola (before The Bifurcation). Motorola had its own intranet, called COMPASS, which all of us Motorolans would use to store information except when we didn’t.

Using this intranet, I created a page entitled “Biometric Industry Information,” in which I pasted links and short descriptions of publicly-available news items. I’m not sure how useful this information source was to others, but I referred to it frequently.

Eventually Motorola sold our business unit to Safran, and “Biometric Industry Information” was lost in the transition. For all I know it may be available on some Motorola Solutions intranet page somewhere, though I doubt it.

Take Two: An Industry-Standard Tool and an Expanded Focus

The second identity information source was created a few years later, when I was an employee of MorphoTrak. Two things had changed since the Motorola days:

  • MorphoTrak’s parent company Safran didn’t use the Motorola intranet solution. Instead, it used an industry-standard intranet solution, SharePoint. This was tweaked at each of the individual Safran companies and regions, but it was pretty much a standard solution.
  • The second change was in the breadth of my interests, as I realized that biometrics was only part of an identity solution. Yes, an identity solution could use biometrics, but it could also use the driver’s licenses that MorphoTrak was slated to produce (but didn’t), and other security methods besides.

So when I recreated my Motorola information source, the new one at MorphoTrak was a Microsoft SharePoint list entitled “Identity Industry Information.”

Again, I’m not sure whether others benefited from this, but I certainly did.

Take Three: Taking Over an Email List

The third iteration of my information source wasn’t created by me, but was created about a decade ago at a company known as L-1 Identity Solutions. For those who know the company, L-1 was a conglomeration of multiple small acquisitions that provided multiple biometric solutions, secure document solutions, and other products and services. Someone back then decided that a daily newsletter covering all of L-1’s markets would be beneficial to the company. This newsletter began, and continued after Safran acquired L-1 Identity Solutions and renamed it MorphoTrust.

MorphoTrust and my company MorphoTrak remained separate entities (for security reasons) until Oberthur acquired some of Safran’s businesses and formed IDEMIA. In North America, this resulted in the de facto acquisition of MorphoTrak by MorphoTrust, and some significant shifting in organizational charts and responsibilities.

As a result of these changes, I ended up taking over the daily newsletter, tweaking its coverage to better meet the needs of today, and (in pursuit of a personal annual goal) expanding its readership. (This email was NOT automatically sent to everyone in the company; you had to opt in.)

Now some may believe that email is dead and that everyone should be on Volley or Clubhouse, but email does serve a valid purpose. As a push technology, emails are provided to you every day.

OK, every five seconds.

But modern email systems (including those from Microsoft and Google) provide helpful tools to help you manage your email. This allowed people to prioritize their reading of my daily newsletter, or perhaps de-prioritize it.

Two years later IDEMIA underwent another organizational change, and I was no longer responsible for the daily newsletter. Last I heard, the daily newsletter still continues.

Take Four: Market Me, Benefit You

Eventually I left IDEMIA and started Bredemarket, and the identity industry became one of the industries that I targeted for providing Bredemarket’s services. To build myself as an identity industry authority, and to provide benefits to identity industry firms, I needed to market specifically to that segment. While my online marketing outlets were primarily focused on my website, I was also marketing via LinkedIn and Facebook. My LinkedIn marketing was primarily through the Bredemarket LinkedIn company page.

In late November, I decided to create a LinkedIn Showcase page entitled Bredemarket Identity Firm Services. While the page was initially created for other reasons, I eventually settled into a routine of sharing identity industry information via the page.

Like I’ve done one thousand times before.

I’m trying to add new content to Bredemarket Identity Firm Services on a daily basis. It’s primarily content from other sources, but sometimes my own content (such as this post) will find its way in there also. And, as in the example above, I’ll occasionally include editorial comments on others’ posts.

So if you’re on LinkedIn and would find such content useful to you, go to the showcase page and click the “Follow” button.

P.S. I have a technology showcase page also.