@ISACA Volume 17  21 August 2019

Systems Thinking in Risk Management


Systems thinking is the ability or skill to solve problems in a complex system. Systems thinking focuses on understanding the way subsystems and resources of a system are interrelated and identifying interdependencies of subsystems in the context of the organization. In other words, it provides a big-picture understanding of the organization and its systems.

Many organizations consider IT risk independently from enterprise risk management and try to integrate them as an afterthought. This approach creates obvious gaps in risk assessment results and, when risk materializes, the organization may experience unexpected impacts. Systems thinking may help organizations overcome this issue.

Here are some systems thinking considerations to look at when implementing enterprise risk management:

  • A system is composed of parts, so vulnerabilities that introduce uncertainty can result in risk to either the system as a whole or its parts. Any change in one part may change the system’s risk status and affect the risk to other parts.
  • A system is considered the sum of its parts; however, multiple systems within an enterprise may depend on each other. Therefore, even if all systems are analyzed independently for risk impact and risk likelihood, the analysis of all systems combined (risk aggregation) may indicate a different risk impact and risk likelihood on the organization due to the interdependency of systems.
  • A system has a boundary, and the actors within the system have access to its resources. The risk impact is determined by the change in the status of resources (e.g., data) due to users’ actions within the system.
  • A system can be nested inside another system, and the risk that exists for the nested system could have a nonlinear and unexpected impact on the system in which it is embedded.
  • A system can overlap with another system.
  • A system follows a life cycle. Operations and maintenance are major parts of the life cycle. Initiation and retirement of system activity can be triggered by a risk assessment.
  • A system is bound within an organization’s environment and may not be located at the same location as the business function. This can result in regional and geographic factors impacting risk assessment results.
  • A system receives input from and sends output to the organization and, as a result, risk can propagate through the business environment, causing unexpected and undesired systemic impact. The system consists of processes that transform inputs into outputs and interact with other systems. Risk management can attach risk analysis to specific inputs and outputs, turn that analysis into insight about the system through risk assessment, and keep the assessment current through a continuous feedback loop.
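To make the risk aggregation point concrete, here is an added example (not part of the ISACA article, and not an ISACA method) that models a small constructed enterprise as a dependency graph: each system is first assessed in isolation as likelihood × impact, then re-assessed with upstream failures propagated to the systems that depend on them. The system names, likelihoods and impacts are constructed values, and the propagation assumes independent failure events.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class System:
    """One system in the enterprise, with the risk estimate made for it in isolation."""
    name: str
    likelihood: float   # P(the system's own risk materializes in the period), 0..1
    impact: float       # business loss if it does, in constructed currency units
    depends_on: list[str] = field(default_factory=list)  # upstream systems it relies on

# Constructed enterprise (illustrative values, not real data): payments relies on
# the identity provider and the database; reporting relies on the database only.
SYSTEMS = {
    "idp":       System("idp", 0.10, 50),
    "db":        System("db", 0.05, 80),
    "payments":  System("payments", 0.02, 200, ["idp", "db"]),
    "reporting": System("reporting", 0.03, 30, ["db"]),
}

def independent_exposure(systems):
    """Expected loss per system when each is assessed on its own (likelihood x impact)."""
    return {n: s.likelihood * s.impact for n, s in systems.items()}

def ancestors(systems, name, _path=()):
    """Every system `name` depends on, transitively; rejects dependency cycles."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name!r}")
    found = set()
    for up in systems[name].depends_on:
        found.add(up)
        found |= ancestors(systems, up, _path + (name,))
    return found

def aggregated_exposure(systems):
    """Expected loss per system once upstream failures are propagated to it.

    Assumes independent failure events: P(affected) = 1 - prod(1 - p) over the
    system and its ancestor set, so a shared upstream system is counted once.
    """
    out = {}
    for n, s in systems.items():
        chain = [s] + [systems[a] for a in ancestors(systems, n)]
        out[n] = (1 - prod(1 - x.likelihood for x in chain)) * s.impact
    return out

def total(exposure):
    """Enterprise-level expected loss: the figure that differs between the two views."""
    return sum(exposure.values())
```

With these constructed values the isolated view puts the payments system at 4.0 and the enterprise at 13.9, while the aggregated view puts payments at about 32.4 and the enterprise at about 43.8, because the identity provider and database failures it inherits dominate its own.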

A systems thinking approach helps to consider the entire enterprise while implementing risk management. This approach helps in understanding technology-induced risk from a business perspective through its aim at holistic organizational understanding.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Using EDR to Address Unmanaged Devices



Endpoint detection and response (EDR) systems allow enterprise security managers to detect how and when an endpoint has been compromised. But what happens when the endpoint is an unmanaged device? EDR systems do not traditionally work on unmanaged devices, and this is an issue as unmanaged devices will soon outnumber managed devices by 10 to 1 in the workplace. This detection gap can disrupt business operations and even endanger human safety.

To learn how to introduce an agentless approach to EDR that monitors unmanaged devices, join Joe Lea, vice president of product at Armis, in the “Agentless EDR for Unmanaged and IoT Devices” webinar, presented by ISACA and Armis. This webinar takes place on 27 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Lea leads the product team at Armis and is responsible for turning the Armis vision into a service that provides value to and protects customers. He will use his experience utilizing EDR to monitor unmanaged devices to help you secure your enterprise’s endpoints.

To learn more about this webinar or to register for it, visit the Agentless EDR for Unmanaged and IoT Devices page of the ISACA website.


Earn CPE While Learning About Emerging Trends at EuroCACS/CSX Conference


Further your knowledge of information systems, business and cybersecurity at this year’s EuroCACS/CSX conference, 16-18 October 2019. This year’s event combines computer audit, control and security (CACS) and ISACA’s Cybersecurity Nexus™ (CSX) to offer a greater depth of knowledge about cybersecurity. Attendees can earn up to 35 continuing professional education (CPE) credits by attending EuroCACS/CSX 2019, the SheLeadsTech Seminar and one of the 2-day pre-conference workshops.

Session highlights and topic areas include:

  • The opening keynote is with Anders Sorman-Nilsson, a global futurist and innovation strategist who helps leaders decode trends, decipher what is next and turn provocative questions into proactive strategies.
  • The closing keynote is with Jon Duschinsky, who was voted the world's second most influential communicator on social innovation. He will share his expertise by sparking change—which involves creating the ideas that amplify the connection between what an organization does and the impact it can have in the world.
  • ISACA 50th Anniversary panels with topics such as “From Disruptive to Daily Dependence: 50 Years and Future Tech” and “A Spectrum of Professions: The ISACA Global Community, Past, Present and Future.”
  • Sessions covering IT audit, emerging technologies and techniques, cybersecurity, risk management, IT governance, compliance, and more.
  • Five preconference workshops including a COBIT 2019 Foundation course, Cybersecurity Audit workshop, Accelerated Cybersecurity Practitioner workshop, Forensics for Auditors workshop and 7 Critical Factors for Effective Security workshop.

Register before 5 September and save US$100 using the promo code EURO19CA. To register or learn more, visit the EuroCACS/CSX Conference page of the ISACA website.


Paving the Future of Tech With Cybersecurity Education: Teen Cybersecurity Activist Kyla Guru Shares Her Mission and Insights

New From SheLeadsTech


Security and safety are primary needs for all people. The requirements for both have changed in the digital age and need everyone’s attention now more than ever. Beginning to secure a digital future starts with becoming aware that security is a part of life 24 hours a day, 7 days a week. This is critical at a high level because every single person who utilizes technology is a component in building community resilience in the face of cyberrisk. Some easy ways for individuals to improve everyday security include creating longer, stronger passwords for accounts, implementing 2-factor authentication, knowing how to identify malicious emails, and extending one’s sense of security further than the boundary of one’s home and into the world at large. In today’s digital age, everyone must understand that security must be maintained on all digital devices at all times and know the risk scenarios and benefits that come with using technology.

Since cybersecurity is an ever-changing industry where new threat vectors are discovered and exploited every day, one of the most important ways to protect oneself in today’s threat landscape is by reading news from unbiased security sources such as InformationWeek Dark Reading and CIO to become and remain informed about the latest hacks and attacks. An educated and informed public can become a more security-vigilant population. At the same time, reading security news raises awareness of just how many hacks and attacks affect organizations and consumers every day, and how many attacks are actually caused on the user end by the human risk element.

One way that cybersecurity is changing is with the exponential increase in the use of technology across generations. Looking ahead to the future, new cybersecurity challenges will arise from the increase of data mining and the abuse of social media platforms. For instance, the sharing of personal information across platforms allows for the development of both highly targeted and highly sophisticated social engineering attacks that could aim at high-ranking officials and high-stakes, multinational organizations. Attackers will also likely continue to try to influence public opinion by abusing social media networks. Additionally, 1 key fact to bear in mind is that children are also not immune to these attacks. Data indicates that only 15% of K-12 US schools have implemented cybersecurity plans as of 2018, and many of these systems hold terabytes of personal student data.

In addition to change, humans adapt to current needs and evolve, and technology will be built around those needs. One of the most insightful analogies that speaks to this is that humans did not stop hunting because people were no longer hungry; they learned to harvest. In the same vein, 20 years ago, cybersecurity was not a part of the conversation because attacks were not as prevalent and sophisticated as they are today. Security professionals will say that 20 years ago, people were willing to leave their doors open before going to bed and did not think twice about buying a talking stuffed animal for their children. Now, security, particularly cybersecurity, must be embedded into the way people think about these same situations. If younger generations are taught end-user security so that they are fluent in the conversation from their very first interactions with digital devices, it will become natural for them to value cybersecurity when designing, engineering, building and marketing next-generation technology.

For instance, computers and artificial intelligence (AI) will help identify and detect risk in the future, but even as technologies improve, there will need to be a focus on making the behavioral and cultural changes necessary to build a human firewall for prevention.

To improve cybersecurity for all organizations today, however, a chorus of louder voices championing security, bigger organizational focus and budgeting in cybersecurity, and more security subject matter experts (SMEs) working across industries to improve the framing of the security conversation are needed. However, the sustainability of supplying more security SMEs is highly dependent on the workforce development initiatives undertaken today. It is critical that organizations and people think about the cybersecurity skills gap—3.5 million jobs by 2021—and begin finding creative, inclusive and proactive ways to fill this gap. This can start with creating engaging classroom conversations.

What is really exciting to see is that educators today are taking those proactive steps. Educators are currently demonstrating the most interest in utilizing the open-source curriculum provided by Bits N’ Bytes Cybersecurity Education (BNBCE). BNBCE has received more than 200 requests to use the curriculum from educators in New Zealand, the Philippines, Saudi Arabia, Singapore, and more countries. There is a huge desire on the part of parents and educators to disseminate this information as they discover opportunities to do so. While this is encouraging, today’s teenage population can be hard to reach, so BNBCE is working on capturing the attention of teenagers in the most effective ways possible, on the platforms where they are most present and comfortable. BNBCE is finding and crafting the best ways to leverage school curriculum and social media campaigns to make cybersecurity relevant and interesting to future leaders. BNBCE is developing ways to make cybersecurity spark lunch table conversations, make cyber a part of science, technology, engineering and math (STEM) education, and make privacy a part of civics in the classroom.

BNBCE aims to steer the course of human progress by empowering the safe and secure use of technology for innovation. I imagine a world with educated citizens in developing nations that are able to use cybersecurity as a gateway to vigilance and independence. BNBCE also works directly with practitioners to bring cybersecurity curriculum in front of school boards to ensure that the schools with which BNBCE has partnered and to which curriculum has been delivered are teaching cybersecurity in tandem with STEM classes. BNBCE wants to see media representation of women in cybersecurity, normalize the idea of including both young people and women in boardrooms, and ensure that secure behavior is second nature for all people. By committing to this vision, BNBCE hopes to see financial loss averted, citizens both safer and more secure, and communities built on a foundation of peace.

Kyla Guru is a 17-year-old senior at Deerfield High School in Deerfield, Illinois, USA. In the summer of 2016, before she entered high school, Guru discovered a curiosity around cybersecurity and became fascinated with successfully protecting the technologies of the future. After learning that 90% of cyberattacks on US national infrastructure targets were due to human error, Guru founded Bits N’ Bytes Cybersecurity Education (BNBCE), a nonprofit organization to combat this vulnerability. Three years later, BNBCE now sustains over 20 national partnerships with US school districts, corporations, including Facebook and IBM, and educational platforms such as Discovery Education, all in an effort to increase awareness and fluency in privacy and cybersecurity. Guru has presented at TEDxChicago, the US National Institute of Standards and Technology’s (NIST’s) National Initiative for Cybersecurity Education (NICE) K12 Conference, the RSA Conference 2019 and the RSA Conference Asia Pacific in Singapore, advocating for both cybersecurity education and the critical mobilization of Gen Z youth. Guru is a firm believer in the power of young people, which led to her roles as cofounder and codirector of GirlCon Chicago. This premier high school tech conference takes place in Chicago, Illinois, USA, each year and unites more than 300 industry professionals and students to discuss bridging the gender gap in tech. Follow Kyla’s journey on Twitter @GuruDetective, and keep up with GirlCon on Instagram @girlconchicago.

This article was originally published on the Paving the Future of Cybersecurity Education page of the SheLeadsTech website.

The ISACA SheLeadsTech program and the SheLeadsTech newsletter shed light on the waves women are making in the tech industry today. By subscribing to the monthly newsletter, you will receive the latest event updates, webinar content, podcast content and insight into what women leaders, like Guru, are uncovering in the tech industry. To subscribe to the newsletter, visit the SheLeadsTech website.