@ISACA Volume 10  16 May 2018

Perceptions of Risk Owners and Risk Assessment


Sunil Bakshi

During an IT risk assessment project, my colleagues and I discussed the various risk factors associated with technology in an effort to determine the likelihood of risk occurrence and, therefore, the impact it would have on the organization. During a likelihood assessment of a risk associated with fraudulent use of assets, the risk owner responded, “The earlier estimation of likelihood for this risk is too high. We trust our employees, and the possibility of them misusing assets is very low.”

This response is all too common: trust can affect a risk assessment. Most of the time, IT risk assessment is an educated guess informed by experience. When assessing the likelihood and impact of risk associated with humans, the trust factor affects this judgment. This tendency needs to be eliminated to ensure appropriate risk assessment so that the right response is determined. This can be achieved by evaluating some metrics; for instance, what has your employee turnover been for the past 2-3 years? You may also need to ask tough questions such as, “Will the employees I trust today be with the organization throughout the life of the organization?” Typical risk owners have difficulty answering that question if they are not objective. Risk owners must realize that they need to be practical and objective, rather than subjective, in risk-based decisions and assessments.

In a different discussion about risk associated with ransomware attacks, we experienced a similar response. The difference was that this risk owner placed too much emphasis on the risk based on their awareness of ransomware attacks from media reports, not because of detailed analysis of the threat. The risk owner immediately concluded, “It is a very high risk and we are scared.” Many times, a risk owner needs to be educated on how to differentiate between reality and perceptions. Perceptions of risk owners can impact their judgment and have an adverse impact on risk assessment.

A risk practitioner needs to be aware of these aspects and try to minimize the risk associated with the perceptions of the risk owner. The following tips may help minimize the perception effect:

  • Ask for objective justification from the risk owner about the assessment result. At times, challenging or debating the judgment with the owner may shed light on perceptions that have influenced it.
  • Present a neutral scenario by asking questions that will create doubt about perceptions.
  • Define an organization-level common framework, including benchmark information from typical organizations that operate within parameters similar to your own, that defines the meaning of each likelihood and impact level in quantitative terms wherever possible. Quantified results are better at reducing the effect of perceptions.

Risk assessment is dependent on careful analysis of relevant factors and should not be skewed by human perception that is not supported by data. The more you limit this in your organization, the more you will be able to assess risk effectively.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Print to Digital—Transforming the ISACA Journal



The ISACA Journal has a proud tradition of delivering actionable information, thought leadership, industry insights and research to a diverse audience of business and IT professionals and practitioners. To continue to deliver this publication in the most timely and efficient format possible, the ISACA Journal’s digital presence is expanding, allowing ISACA to reduce environmental impact and quickly deliver important information into the hands of professionals shaping technology’s future.

Effective with volume 4 (the July/August 2018 edition), the ISACA Journal will be available exclusively in an online format unless you opt in to receive a printed copy. For uninterrupted delivery of the printed ISACA Journal, opt in by 26 June. If you do not opt in by that date, the ISACA Journal content will be delivered to you in an exclusively digital format. To opt in, follow these simple steps:

  • Log in to the myISACA section of the ISACA website.
  • Click on the myProfile tab, selecting the Account-Address-Demographic tab.
  • Click Edit and select the My Demographic and Other Information tab.
  • Check the box to opt in under the ISACA Journal Delivery Options—Print and/or Digital section.

Readers who access the Journal online will be able to view content in a more dynamic, interactive format. You will be able to search by subject and author, find related resources, and access archived issues in addition to continuing to access online-exclusive feature articles, Practically Speaking (the ISACA Journal blog) posts and podcasts. Reading the Journal online will allow you and other members of ISACA’s global community of technology-minded professionals to explore the Journal alongside ISACA’s broad range of knowledge resources.

The ISACA Journal has evolved to meet the needs and interests of practitioners for more than 40 years and remains committed to connecting the ISACA professional community with valuable content in the digital era.


Apply Analytics-Driven Automation to Your Attack Surface Management Plan


Security automation includes a wide range of technologies that can drive improvements in firewall and security policy management and vulnerability/threat management, thereby helping to shrink the attack surface. However, whether you are struggling with compliance and network changes, tasked with auditing and reporting, or grappling with vulnerability discovery and prioritization, deciding where to automate is challenging. Automation can be used to merge myriad data sources that contain information about your network and can even be turned into a “queryable” network model that can be used for things such as path analysis, attack simulation and more. Automated analysis can even identify the best vulnerability remediation options instead of just identifying available patches.

To learn more about examining where automation makes the most sense and why it is essential to effectively controlling and managing your attack surface, ISACA and Skybox present the “Analytics-Driven Automation for Better Attack Surface Management” webinar. This webinar will show how automated solutions can help you build a holistic, proactive attack surface management program for your enterprise. This webinar takes place on 31 May at 11AM CST (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Cliff Chase, CISSP, North American technical director at Skybox Security, will lead the webinar. He will use his experience as a systems engineer and technical director to help show why automation is needed to analyze vulnerabilities in the complete context of your organization’s attack surface.

To learn more about this webinar or to register for it, visit the Analytics-Driven Automation for Better Attack Surface Management page of the ISACA website.


Gain Insight Into RSA 2018


The RSA Conference 2018 (RSAC) was held 16-20 April with more than 42,000 attendees and more than 600 vendor exhibitors. The conference theme, “Now Matters,” recognized the fact that cyberthreats are ever-present and must be dealt with as soon as they appear. Past ISACA Board Director Allan Boardman, CISA, CRISC, CISM, CGEIT, ACA, CA (SA), CISSP, attended and shares takeaways in Highlights From RSA 2018.

In the report, Boardman summarizes the key messages, announcements, research and techniques introduced at the conference so that you can better protect your enterprise. Some notable highlights include:

  • Reshma Saujani, founder and chief executive officer of Girls Who Code, gave an inspiring presentation on “How to Fail First, Fail Hard and Fail Fast,” which introduced a new model of female leadership focused on risk-taking, competition and mentorship.
  • A panel discussion on hacking healthcare revealed that 85% of hospitals in the United States do not have a single IT security professional.
  • The conference had extensive General Data Protection Regulation (GDPR) coverage.

To read the report Highlights From RSA 2018 and to further understand why “Now Matters,” visit the Highlights from RSA page of the ISACA website.


Learn How IT Governance Affects Your Board


IT governance has been a key point on organizational agendas for years. Since IT only continues to grow, governance of enterprise IT (GEIT) has become a crucial factor for efficient and effective service/product delivery and compliance.

To help you learn more about Information Technology Governance (ITG) Principles and GEIT preparedness of the board, ISACA presents the “IT Governance Principles and Know Your Board’s GEIT Score” webinar. This webinar will help you prepare for the upcoming ISACA exams and to identify the GEIT score of your board. This webinar takes place on 17 May at 11AM CST (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT, CDMA, is a trainer and arbitrator and will lead the webinar. She will use her more than 35 years of diverse information systems experience to educate you on how best to approach GEIT for your enterprise.

To learn more about this webinar or to register for it, visit the IT Governance Principles and Know Your Board’s GEIT Score page of the ISACA website.


Building Bridges With the Board—Innovation in Information Governance


Information governance (IG) is crucial to managing organizational data and requires cross-department collaboration. When different departments have different goals, it can be hard to ensure this cross-functional success. In his ISACA Journal volume 3 article, “Building Bridges With the Board—Innovation in Information Governance,” author T. Sean Kelly discusses the ways enterprises must create bridges across departments to ensure successful IG.

IT professionals and enterprise board members live in 2 very different worlds. Boards worry about strategic concerns such as revenue, share price and brand reputation, whereas IT staff are paid to deal with operational challenges such as those stemming from big data, cyberthreat actors and cloud usage. Bridging the gap between these strategic priorities and day-to-day concerns to initiate an organization’s technological transformation can seem insurmountable.

In any enterprise transformational program, people, processes and technology are key ingredients to long-term success. IG, which is an operational approach to managing the valuation, creation, storage, use, archival and deletion of data within an organization, is no exception. Proactive IG requires collaboration among legal, compliance, security and IT teams to take an incremental, measurable approach to deal with today’s enterprise data challenges. Such cross-functional collaboration almost invariably requires an executive or board-level mandate. Often, however, absent fines, litigation and/or regulatory scrutiny, IG is not sponsored at the board or executive level. What can stakeholders in an IG program do to obtain the level of executive or board sponsorship necessary to ensure success?

In one recent client engagement, consultants helped legal counsel get a seat at the table and engage top enterprise leadership in establishing IG to mitigate risk around impending litigation. Conversely, consultants have also worked to help clients restart projects that have stalled due to competing demands within a cross-department project team.

Read T. Sean Kelly’s full ISACA Journal article, “Building Bridges With the Board—Innovation in Information Governance.”