@ISACA Volume 23  18 November 2015

Five Value-enhancing Adjustments for Information Risk and Security Programs and Professionals


For information risk and security programs and professionals to continue to stay relevant, provide value and be effective in the organizations they support, they must regularly adjust their approach. Organizations are constantly maturing and evolving, while simultaneously changing their activities, expectations and requirements. The most effective way for risk and security professionals to support programs is to mature, evolve and change with them. Consider these 5 adjustments that risk and security programs and professionals can implement to continue to be valuable and beneficial to their organizations:

  1. Organize under enterprise risk management (ERM) functions—Information risk and security should be considered and organized under an ERM function within an organization instead of a technology function. In many organizations, the information risk and security programs and their associated professionals are organized as part of IT groups led by technology leaders (e.g., chief information officers). This potentially limits the risk and security professional’s scope and can create a conflict of interest and tension between them and the technology leaders they are supposed to support. As a result, the information risk and security professional may not be viewed as a valued asset by the technology leader, which could result in punitive action or lack of trust, as IT leaders may not believe information risk and security professionals are properly supporting their views or initiatives.
  2. Present information that the organization really wants—Instead of assuming what business leaders and stakeholders want to know about information risk and security, ask them. It is often the case that information risk and security professionals either assume they know the insights and information that their constituents and stakeholders are interested in or that these individuals are not knowledgeable enough to ask for the right things. Regardless of the scenario, collaboration will help both groups build stronger relationships and understand how to interact with each other more effectively.
  3. Articulate threat, vulnerability and then risk—Risk and security professionals commonly make the mistake of speaking about risk when they really are representing their insights and analysis concerning threats and vulnerabilities. The determination of a risk to an organization includes threat and vulnerability information, but also incorporates important data points such as business impact analysis if the threat is realized or vulnerability is exploited, business value and strategy, and calibration with the organization’s overall risk appetite. If these information risk and security professionals do not have a current and credible understanding of business considerations and tolerances, they cannot be expected to provide accurate representations of risk to their constituents and stakeholders.
  4. Use a consultative approach—Information risk and security professionals are often perceived as being authoritative and unapproachable in many organizations. This is especially true when they are restricting individuals from pursuing a course of action or activity. An effective approach to removing this stigma is to integrate a consultative element into the information risk and security program or activities. This will assist the risk and security professional in building strong relationships, allowing them to provide useful advice and guidance, and be present and active in business activities on a regular basis instead of only at decision or review points. A consultative element will also provide the organization with an interface into the risk and security program where they can ask questions, develop and collaborate on ideas, and proactively engage to ensure they not only understand information risk and security expectations and requirements, but also the reasons for their existence.
  5. Embrace, but educate—Instead of saying no to new technologies, ideas and capabilities in the name of security, try to find a way to say yes. Individuals within the organization often assume that the position of the risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace technological changes while at the same time educating the individuals who want to use new technologies about the appropriate information risk and security considerations, concerns and requirements that need to be accommodated as part of their use. This will empower individuals to be able to make informed decisions about the use of these resources and, at the same time, ensure they are aware of their risk and security obligations.

Information risk and security programs and professionals need to continue to enhance their value proposition to the organizations and individuals they support so they can continue to be effective and relevant. The fundamental organization, policies, standards, functions and control frameworks to support information risk management and security are typically already in place in most organizations. What may be missing are the adjustments in approach and capability that are required to operate security programs effectively so that they are viewed as a benefit and not as a burden to the organizations and individuals they support.

John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Four Ways to Increase Your Strategic Thinking Ability

By Ann Butera

At times it is possible to be stuck at a certain part of an audit because you are not using the right type of thinking. For example, imagine that you are in the process of collecting information concerning the control structure of an area under review. Mentally, you are in an evaluative, critical-thinking mind-set. But imagine that during a meeting you receive an answer from a constituent or team member that takes you completely by surprise. Since you had not contemplated receiving this information, you are unprepared and unable to think divergently, i.e., think in different directions and ask relevant follow-up questions based on the other person’s response. Mentally, you are caught flat-footed, unsure of how to proceed at that moment.

To prevent this type of mental immobilization, consider taking the following thinking actions when you encounter the unexpected:

  • Consider why you are surprised; perhaps you had an unintentional bias or inadvertently made some invalid assumptions.
  • Use a pull strategy, i.e., ask open-ended questions that are targeted to obtain additional data that can help you think strategically to generate options and alternatives or help you decide on an action to take.
  • Consider the relevancy and significance of the information relative to your objective or goal. If the data are important and relevant, imagine the impact on planned outcomes and options.

Take the following steps to enhance your ability to think strategically:

  1. Become externally oriented by joining and getting actively involved in organizations such as ISACA, the Association of Government Accountants (AGA) and the Institute of Internal Auditors (IIA) and trade groups that relate to your industry. Register for and read industry-specific magazines to learn about current priorities, trends and concerns.
  2. Exaggerate current trends and consider what would happen and the possible implications for you and your organization.
  3. Join a futurist group or association. The Association of Professional Futurists studies trends in what they call the Society, Technology, Economic, Environmental and Political (STEEP) categories. Political or societal upheaval or an environmental disaster could impact your organization in ways that would have been impossible 40 or 50 years ago.
  4. Consider emerging technologies and how they may impact you and your organization. For example, cloud computing has opened up new vulnerabilities related to hacking and intellectual property ownership.

Strategic thinking is a core competency for auditors. Its use enhances the results of audit planning and increases your ability to anticipate and deal with outcomes of the decisions you and others make. It increases your value as an employee and auditor, and it ultimately has a meaningful impact on your organization’s processes and ensuing success.

Read more on the KnowledgeLeader web site.

Editor’s Note: © 2015 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Internet of Things—The Fate We Make for Ourselves


The fantasy once associated with science fiction films is becoming increasingly similar to modern life. It has never been more important for organizations across the globe to work together to ensure that future advancements in technology are carried out safely and securely. Internet of Things (IoT) data security/safety must be put at the forefront in business environments. To help enterprises better secure their IoT devices, ISACA Journal volume 6 author Jim Seaman, CISM, CRISC, provides some recommended measures that organizations should take:

  • Businesses recognizing the importance of securing data devices, baselining themselves against suitable industry standards—These standards may include COBIT 5, ISO/IEC 27001:2013, the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework or NIST SP 800-53, to name a few. Businesses should also connect with reputable security services providers (e.g., consultancy, penetration testing, web application testing).
  • Vendors developing secure systems—Because of the sense of urgency from vendors to develop and sell these new and emerging technologies, there has been little or no effort applied to ensuring that the systems are built securely. As the technology has advanced, the potential danger associated with these advanced data processing technologies has significantly increased. For example, take the latest smart phones. These phones have the capability of acting in the capacity of a temporary mobile portable desktop, accessing sensitive emails or downloading copies of sensitive documents. Yet how many of these devices have the capability to install a personal firewall, antimalware programs or operating system updates?
  • End users receiving security awareness training about the safe and secure use of the devices—The significant threats to data resources come from the end-user perspective, in which users carry out actions that undermine or bypass the security measures employed to protect both the device and the data within it. Ensuring that all end users are fully aware of the correct usage of devices becomes increasingly important when such devices are interconnecting, as in the world of IoT.
  • Security professionals maintaining their professional knowledge and awareness of emerging technologies and threats—This can include membership in professional bodies, formalized professional development programs or other similar efforts. The appointment of suitably trained and experienced professionals within an organization is critical to helping reduce the risk associated with the introduction of new technologies. They act as the linchpin between decision makers and end users, ensuring effective mentoring, risk identification and communication. To make this an effective service, it is essential that these specialist appointments maintain their professional knowledge so they can efficiently respond to the challenges associated with the dynamic world of new technologies.
  • Global governments recognizing the need to ensure data and device security by introducing appropriate legislation and awareness campaigns—Unfortunately, today’s world appears to be one of reaction and, as a result, the majority of organizations only react to technology-related issues in response to data breaches. There are limited legal requirements for businesses to ensure that technologies, usage and data are secure. With the introduction of more IoT technologies, it has never been more important for global governments to recognize the need to enforce the sensible use of such technologies, through the introduction of appropriate legislation. Without such legislation, there is nothing to incentivize businesses to operate their technologies responsibly.

Read Jim Seaman’s full article, “Internet of Things—The Fate We Make for Ourselves,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.


Book Review: Enterprise Applications Administration

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Enterprise Applications Administration by Jeremy Faircloth lays a solid foundation for anyone interested in learning more about the primary technologies that enterprise application administrators work with daily. The high degree of IT specialization has led to a silo view of the big picture of the enterprise applications landscape, which can be problematic when organizations move from small-scale environments to the use of large, complex enterprise applications. The enterprise application administrator who has cross-technical knowledge will bridge the gap between the various technical specialists and provide the knowledge and expertise essential to facilitate solutions for applications across corporate institutions.

This book creates a body of knowledge that provides information on the skill set that highly specialized IT professionals need to support multiple technology disciplines with the same level of expertise. Its chapters contain deep dives into specific areas, which include explanations of specific standard terminology and definitions, and are outlined in an easy-to-read format that is relatable. The book contains numerous illustrations, diagrams, memory aids and tables that bring the theory to life.

The book effectively provides a general understanding of key knowledge areas needed by enterprise application administrators. It also bridges the gap between technology-specific literature and practical work while defining and standardizing processes and documentation to make enterprise administration easier. The book provides essential information on topics such as operating systems, network architecture and hardware, system architecture, database architecture, teamwork, application defense against security risk factors, and application upkeep and maintenance.

Enterprise Applications Administration has 9 chapters and begins by focusing on defining enterprise applications administration and how this role differs from any other technical role. It further delves into training on the technologies used by enterprise applications administrators: networks, servers, databases, information security and architecture. Each of these components has its own dedicated chapter that discusses the technology and its linkage to enterprise applications.

The book then introduces softer skills and reviews enterprise applications administration teams. This is followed by the review of the full enterprise applications environment and the impact of automation and monitoring in the administration role. The final chapter explains the concept of documentation.

This book would benefit from having more information on access controls and security, logging script security, and vulnerabilities that are considered threats in enterprise applications. But an end-to-end coverage of all the elements of enterprise applications administration is almost impossible to address in a single book. That said, this book is particularly comprehensive in its review of enterprise applications administration.

Enterprise Applications Administration is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).