@ISACA Volume 26, 30 December 2015

Risk and Politics

By Jack Freund, Ph.D., CISA, CISM, CRISC

If you have worked in the IT risk profession for any period of time, you have undoubtedly felt pressured into adjusting risk ratings to satisfy a constituency. Perhaps it was to support the status quo or to postpone risk response until action could be conveniently taken. A common reason for this pressure may be the not-so-subtle reaction of those to whom you were presenting the analysis. Sometimes all it takes is a stakeholder saying “This does not feel high risk to me” to send risk analysts back to the drawing board to come up with a more palatable response.

Working in IT risk means a commitment to communicating the truth about the state of technology to established authorities. As Voltaire observed, it is dangerous to be right in matters on which established authorities are wrong. It takes an uncanny amount of integrity to stand your ground against pressure like this, but it is exactly this kind of integrity that is needed in the IT risk profession. It does no good to simply wish to work in an organization that is absent of politics; to be human is to be political. Put another way, that organization simply does not exist.

Note that the call to action for more integrity in IT risk analysis work is not an excuse to be obstinate. No one is perfect in their work, and mistakes are always possible. Integrity includes the need to own up to mistakes and clarify assumptions that were made during analysis. When those assumptions are shown to be inaccurate, integrity necessitates correcting the work to present the most accurate picture of reality to decision makers.

An integral part of this drive for integrity is the need to do the legwork necessary to support the decision makers; integrity is not an excuse for improper risk analysis work. Conclusions should be supported with as much quantifiable data as possible. Do not accept that things cannot be measured. How many attacks happened? How often is the system down? How many hours were dedicated to the response? How much money was spent? How many customers would the organization lose? There are more data, both within and without the organization, available to support conclusions than many may think.

The ISACA Code of Professional Ethics compels members and credential holders to have high personal integrity in risk work and commit to performing this work with due care, due diligence and objectivity. We also have to serve in the interests of our organization’s stakeholders, i.e., objectively representing risk to them and filtering out personal biases (what is high risk to a risk professional may be nothing more than a rounding error to organizations). Finally, IT risk professionals are compelled to disclose material information that, if withheld, would distort the results of findings.

It is especially this last commitment that is difficult to do in the face of political opposition. But IT risk does not exist to validate the subjective impressions of reality as viewed by the first line of defense. Risk professionals sit squarely in the second line and, as such, have an ethical obligation to challenge misperceptions and set the bar high to maintain the integrity of the organization and ourselves.

Jack Freund, Ph.D., CISA, CISM, CRISC, is senior manager of cyberrisk and controls for TIAA-CREF, member of the CRISC Certification Working Group and coauthor of Measuring and Managing Information Risk.


Reflecting on Your Career

Take time out of your busy schedule to reflect on your career throughout 2015. As you remember the highs and lows of the past year, remember to be compassionate with yourself. Although a few accomplishments were easy to obtain, others may have been a little more challenging.

Prioritize reflections around the challenges so that you can better direct your efforts in 2016. What was your role during the challenges? Was there another option that could have stabilized the process? As you reflect on these questions, connect with an ISACA chapter member to uncover an alternative approach.

When you reflect on your accomplishments, pinpoint the circumstances that created the platform for success. How did you facilitate the operations of a well-functioning team? What qualities did you demonstrate that motivated project completion? Check in with other ISACA members through the Knowledge Center or ISACA’s LinkedIn group to discuss how those same qualities impacted their performance.

Utilize your chapter network and your virtual connections to discuss the preparations for a successful 2016. As you move through your 2015 career history, share your insights and reflections with us. We may be able to create a blog post based on your experience or feature your words of wisdom on ISACA’s Facebook page or LinkedIn group.


Book Review: System Forensics, Investigation, and Response

Reviewed by Dauda Sule, CISA

With the rise of cybercrime, it has become imperative for investigators to be informed about system forensics to trace and solve cyberincidents. System Forensics, Investigation, and Response provides an introduction to system forensics processes and techniques to ensure proper investigation. The book also covers how to respond to incidents that affect system security. Forensics on Windows, Linux and Mac operating systems is discussed, as are mobile and network forensics. This book also discusses emerging technologies and the future of the field. These issues are of great benefit to information security managers and systems auditors as they aid in not just investigating to get to the root of a breach, but also in strengthening the security of a system based on the flaws that may have led to the breach.

The book is written in simple, easy-to-understand language, with step-by-step examples that facilitate understanding. It works as a guide for anyone who wants to understand computer forensics by providing advice on what one needs to know before getting into the field. The book discusses the fundamentals of system forensics, such as how to collect and analyze digital evidence. The first part of the book provides an introduction to the topic; the second part addresses the tools, techniques and methods of performing system forensics and investigation; and the final part covers incident response, emerging technologies and predictions for the future of system forensics.

The book will be of immense benefit to those in the academic field, and it can serve as a reference guide for those in law enforcement, investigators and legal practitioners. Information security managers and system auditors can also refer to this book when handling an incident.

System Forensics, Investigation, and Response is available from the ISACA Bookstore. For more information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Dauda Sule, CISA, is marketing executive of GGL Risk and Strategic Consulting, a consultancy firm that specializes in designing and organizing training programs pertaining to auditing, fraud detection and prevention, information security and assurance, and anti-money laundering. He has more than 5 years of experience in the Nigerian banking industry and worked at Gtech Computers (a computer and allied services company) as a systems security and assurance supervisor.