What Is the Role of a CISO—Friend or Watchdog?
During my first annual appraisal as an information security officer, my boss informed the committee that he was satisfied with my work. “You know,” he further added, “the information security officer is the most hated person and, hence, a successful security officer.” Although it earned me my raise, it left me with an uneasy feeling throughout the day. The question that bothered me was about the role of an information security manager. Should the information security manager be a scary watchdog or a friend?
What was the reason for my scary image in the organization? The root cause analysis indicated the following:
- There were many security incidents during the year that tested the ability of the organization to respond and recover.
- A majority of the time, the security team was engaged in designing and implementing new controls with a focus on preventing the recurrence of security incidences. This prevention deprived users of the freedom they enjoyed earlier.
- There had been many exception requests for these new controls due to legacy systems. Most of the time, these requests ended in tough decisions of outright denial by the security team.
What should be done to change this image? My company devised and implemented a plan to address this issue. The salient aspects of the plan included:
- A redesign of the computer-based training (CBT) module for the security awareness program
- In the meantime, a request to human resources to organize classroom-based training for all users throughout the organization, each lasting about 40-45 minutes
- The overwhelming response to this plan and questions about security were indications that the decision to conduct training was effective. As a result, the team conducted training across the entire organization.
- IT risk assessment workshops were conducted for functional heads.
The interactions helped to close the gaps between the security team and end users. End users now understood the rationale of controls, and the security team realized problems faced by end users. The result was that the controls were redesigned to suit the environment without compromising the objectives. Control compliance levels increased, resulting in a secure environment. And at my next appraisal, the positive feedback was still the same, but my boss commented, “I do not know how, but the information security manager is now the most loved person around here.”
Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.
Cybersecurity and the Role of Audit
An organizational commitment to security is required to address issues such as cybersecurity, data privacy and fraud. Jim DeLoach and David Brand, managing directors at Protiviti, discuss the roles of cybersecurity, audit and board engagement.
Q: Have you seen any best practices that organizations have used to get everyone on board with the idea that cybersecurity is a business issue, not simply an IT issue?
David Brand: The only way to get people to see that this is a business issue is to start at the top. You have to start with a clear understanding of what assets the organization wants to protect. These so-called “crown jewels” have to be defined by the business; IT cannot make this decision. Once the organization has decided what is important, then the capital committee and risk management committee must decide how much they want to spend protecting those crown jewels. IT’s role is to execute the protection scheme.
Q: Our board engagement in and level of understanding of cybersecurity are not aligned. How would you address this?
DB: Board members are always looking for educational opportunities, and internal audit can play an important role in this process. There is nothing to stop internal audit from scheduling an educational briefing session with the board or hiring a third party to come in and facilitate. For additional insight, see Issue 67 of Protiviti’s Board Perspectives series on board risk oversight, which is devoted entirely to briefing the board on IT matters in a manner that directors can understand.
Q: Are you seeing cybersecurity experts being added to the audit committee?
DB: Generally speaking, no. Organizations face a broad and ever-changing spectrum of risk. For that reason, boards and audit committees should be staffed with people from a variety of backgrounds who stay well-informed on the current risk landscape and emerging risk factors and know where to go and whose advice to seek to educate themselves as needed—through the chief information officer (CIO), chief information security officer (CISO) or independent cybersecurity experts. An exception to this, of course, would be technology companies or organizations where technology is the centerpiece of the business strategy and, in such cases, we see some boards setting up a separate technology committee. But from a pure risk oversight perspective, no.
Q: Do you see differences between cybersecurity risk and data privacy risk, and should a risk profile have both? Or do you see in the industry that these types of risk are combined?
DB: Although there tends to be a heavy focus on cybersecurity these days, it is important to remember that information—including personally identifiable information (PII), nonpublic financial information, drug formulas, customer lists and price sheets—often exist in nonelectronic formats, including paper printouts on people’s desks. Cybersecurity deals exclusively with electronic data that are housed in computer systems. Data privacy risk encompasses information in all forms and is, therefore, both distinct from, and inclusive of, cybersecurity risk. It is a misnomer to say that if a company is doing cybersecurity, it has achieved data privacy. Data privacy is related to cybersecurity, but broader than cybersecurity.
Jim DeLoach: Let me add that Protiviti’s 2016 Top Risks Survey report, which was released in March, reports on cybersecurity risk and privacy/identity management risk separately, and both were highly rated in the global survey results.
Q: Do you have a tool kit available for auditing cyberrisk?
JD: The US National Institute of Standards and Technology (NIST) has developed and publicized a cybersecurity framework that has become the de facto standard for control areas that need to be addressed. That is the best place to start in the public domain.
Q: How come more organizations do not use data analytics to support internal audit?
JD: Good question. It is hard to pin down the why. Improved data analytics has been one of the top-rated capabilities and needs in our annual survey of chief audit executives for the past 10 years. If you are asking whether your organization should be investing in analytics to keep pace with an increasingly complex environment, the answer is yes.
Q: Relative to other rising concerns (such as cybersecurity), is fraud less important than in previous years?
JD: Fraud is, and always will be, a huge area for concern, particularly for public companies and not-for-profits dependent on continued funding because of its impact on reputation and brand image. As fast-paced and globally connected as everything is today, and as many alternatives as there are for investors, money can move from one organization to another in a heartbeat. The reality is that capital flight from a company besieged by significant fraud can be brutal.
There are certain things investors take as a given about a company. They are going to inherently assume that its products are safe, that it complies with all applicable laws and regulations and that people are not stealing from it. This understanding is often taken for granted and, therefore, may not come up in conversation. But once the veil of that inherent presumption is pierced when a problem arises, then it is going to be all that people talk about. Given that investors/donors can easily move their money elsewhere, a significant reputation hit from material fraud can mean game over.
Read more on the KnowledgeLeader web site.
Editor’s Note: © 2016 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.
Help Support and Strengthen the COBIT Community
One of the best ways to support and strengthen the COBIT community is through knowledge sharing. COBIT users worldwide add to the COBIT body of knowledge by sharing case studies, practical use articles and tips from COBIT trainers in ISACA’s weekly, peer-reviewed e-magazine COBIT Focus.
If you have experience working with COBIT, consider contributing an article about your work to COBIT Focus. Writing for COBIT Focus is a flexible process that is intended to accommodate, to the greatest degree possible, the needs and preferences of you and your enterprise. Connect with the global community of COBIT users in a new way that benefits everyone.
For more information, visit the COBIT Focus Submit an Article page of the ISACA web site. To submit an article, please contact email@example.com.
Certification Revocation Appeals
The certification revocation process took place 4 April 2016. Certified individuals who did not complete the 2016 renewal, either by not paying the certification maintenance fee or reporting the appropriate 2015 continuing professional education (CPE) hours, had their certification revoked. Email and hard copy letters were sent to individuals who fell into this category. If revoked, certified individuals have 60 days from the revocation date of 4 April 2016 to address the revocation of their certification. If there is a balance due, payment can be made online at www.isaca.org/renew. If 2015 CPE hours need to be reported, visit www.isaca.org/reportCPE. If these actions required to satisfy the 2016 renewal are taken within the first 60 days of revocation, certified individuals will have their certification renewed. All appeal requests received after 60 days must include a detailed explanation for the appeal along with CPE documentation. Appeals accepted after 60 days will incur a US $50 reinstatement fee. Questions? Contact +1.847.660.5660 or firstname.lastname@example.org.
Succeeding Professionally and Personally With a CISA Certification
Within a week of sharing on social media that he earned his Certified Information Systems Auditor (CISA) certification, Anglade Perrier was invited to 3 job interviews. And while the CISA certification has made Perrier more competitive in the job market, he has also learned valuable skills from both the certification and his career that he applies to his personal life. “There are three different skills I have developed or improved inside my profession that are useful in my everyday life: communication, time management and collaboration,” he says. “All of these skills help me keep harmony with my family and maintain a balance between the different roles in my life.”
Perrier’s professional success has been achieved through a lot of hard work. Perrier moved from Haiti to Canada and finding a job in Canada was challenging at first. “After many efforts to get a job related to my knowledge and my experiences without success, I decided to obtain an internationally recognized certification to improve my professional profile,” he says. “I opted for CISA because during my research, all of the jobs I was interested included the CISA certification as a must.”
Perrier says one of the most challenging aspects of his job is how rapidly the risk profile can change. “As an IT auditor, I have to provide assurance over some components of IS applications and infrastructure,” he explains. “ISACA support for CISA holders is invaluable. We have access to great information, networks and activities to help us learn from each other.”
Perrier believes that the CISA certification can provide value for a variety of professionals. “Pursuing the CISA certification is an investment of time and money, but the return on this investment is an absolute and generally goes beyond expectations,” he says. “Regardless of where you are in your career, the CISA certification is an asset.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.