@ISACA Volume 5  9 March 2016

Cloudy With a Chance of Risk

By Jack Freund, Ph.D., CISA, CISM, CRISC

If you work in risk management, it is undeniable that your job is about predicting the future. Good form suggests that we do not call it “prediction,” per se, as that betrays the very nature of making forward-looking statements about what may or may not come to pass. My preference is to use the term “forecasting” as it better represents what is being done without drifting into the mystical. (Beware risk professionals with crystal balls on their desks—real or metaphorical.)

Risk is about ascertaining how often bad things may happen and, when they do, how bad they are likely to be. This is necessarily about future events; things that are unfolding in the present are incidents, not risk. With that in mind, it is important to emphasize to management that a risk rating is always bounded by caveats. Those caveats are really admissions of the assumptions to which every risk assessment is subject, and it is imperative to the risk decision-making process that these assumptions be made clear. That way, they can be evaluated alongside actual results.

As risk professionals, we are squarely in the business of forecasting. Every high-risk application or server is only so because of its demographics (features such as data types, network location or remote access). Through the actions of others (and sometimes force majeure), we may experience losses associated with these systems (and on a long enough timeline, we almost assuredly will). This is not so different from forecasting rain: Given what we know about weather systems, on a long enough timeline, we will unquestionably need an umbrella. Without consulting the weather forecast, you may not get wet today, but eventually, you will need to protect yourself from inclement weather.

It is not so different in IT risk management. For a time, an unprotected, Internet-facing server with all customers’ information on it may go undetected, but eventually someone will attempt to exploit its weaknesses. Our charge as risk professionals is to help organizations figure out what they need to do now, what can be postponed (and for how long) and what they do not need to worry about. One assumption that I make in saying this is that no organization will have all of the resources it would like to invest in security (or anything else), so as a result, it has to set priorities and make difficult tradeoffs.

To be helpful in that process, we need to assist decision makers in better understanding where cybersecurity concerns fit with their other priorities. This requires that we monitor industry trends, incidents that are occurring and what happens when risk materializes (and how much it costs). A mature risk function will compare these findings with its earlier statements of risk and produce metrics about its forecast accuracy. Such metrics assess how well the risk analysis represented the bad things that could have happened (and sometimes did). Doing this kind of assessment provides a solid foundation upon which to base a discussion about changing risk ratings. It shows that results are not made up in a vacuum; instead, risk professionals are indexing their analysis to what is happening in the real world. Adjusting ratings after such a session is not an admission of failure; it is a mark of maturity reflecting the sophistication necessary to challenge initial assumptions. After all, even the weather report changes sometimes.
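One way to turn the "forecast accuracy" idea above into a measurable is to record each forecast in a scoreable form and compare it to the incident record at year end. The following is an added illustration, not code from the column or from Freund's work; the asset names, forecast values and incident counts are constructed for the example. Each forecast states the probability that an asset suffers at least one loss event in the year and a 90% interval for the number of loss events. A Brier score (mean squared error against the 0/1 outcome) scores the probabilities, a skill score compares them with a naive forecaster who just uses the observed base rate, and interval coverage shows whether the ranges were honest about their uncertainty.

```python
"""Scoring a set of risk forecasts against what actually happened.

Added example; not the column's own code. Asset names, forecast values
and incident counts below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskForecast:
    asset: str
    p_loss_event: float  # forecast P(at least one loss event this year)
    lef_low: int         # 90% interval on loss events per year: lower bound
    lef_high: int        # 90% interval on loss events per year: upper bound


# Constructed forecasts, as they might be recorded at the start of the year.
FORECASTS = [
    RiskForecast("crm-web", 0.70, 0, 2),
    RiskForecast("hr-db", 0.10, 0, 1),
    RiskForecast("legacy-ftp", 0.60, 1, 6),
    RiskForecast("payment-api", 0.40, 0, 1),
    RiskForecast("intranet-wiki", 0.05, 0, 1),
]

# Constructed incident record: loss events actually logged per asset.
OBSERVED_EVENTS = {
    "crm-web": 1,
    "hr-db": 0,
    "legacy-ftp": 0,
    "payment-api": 3,
    "intranet-wiki": 0,
}


def brier_score(forecasts, observed):
    """Mean squared error between P(>=1 event) and the 0/1 outcome.
    0 is perfect; always saying 50% earns 0.25."""
    total = 0.0
    for f in forecasts:
        outcome = 1.0 if observed[f.asset] >= 1 else 0.0
        total += (f.p_loss_event - outcome) ** 2
    return total / len(forecasts)


def brier_skill(forecasts, observed):
    """Skill relative to a naive forecaster who assigns every asset the
    observed base rate. Positive means the forecasts beat the base rate;
    None when every asset had the same outcome and skill is undefined."""
    outcomes = [1.0 if observed[f.asset] >= 1 else 0.0 for f in forecasts]
    base_rate = sum(outcomes) / len(outcomes)
    reference = sum((base_rate - o) ** 2 for o in outcomes) / len(outcomes)
    if reference == 0:
        return None
    return 1.0 - brier_score(forecasts, observed) / reference


def interval_misses(forecasts, observed):
    """Assets whose observed event count fell outside the 90% interval.
    Roughly one miss in ten is expected; many more suggests the intervals
    were too narrow or the ratings need revisiting."""
    return [f.asset for f in forecasts
            if not f.lef_low <= observed[f.asset] <= f.lef_high]


def coverage(forecasts, observed):
    """Fraction of assets whose observation landed inside the interval;
    compare with the nominal 0.90."""
    misses = len(interval_misses(forecasts, observed))
    return 1.0 - misses / len(forecasts)


if __name__ == "__main__":
    print(f"Brier score: {brier_score(FORECASTS, OBSERVED_EVENTS):.4f}")
    print(f"Brier skill vs base rate: {brier_skill(FORECASTS, OBSERVED_EVENTS):.3f}")
    print(f"90% interval coverage: {coverage(FORECASTS, OBSERVED_EVENTS):.0%} (nominal 90%)")
    print("Revisit ratings for:", interval_misses(FORECASTS, OBSERVED_EVENTS))
```

On the constructed data the probabilities have positive skill (they beat the base rate), but only 60% of the observations fall inside intervals that claimed 90% coverage, and two assets fall outside their ranges. That is exactly the kind of result that should open the rating-change discussion the column describes: the probability estimates were reasonable, the stated uncertainty was not.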

Jack Freund, Ph.D., CISA, CISM, CRISC, is senior manager of cyberrisk and controls for TIAA-CREF, member of the CRISC Certification Working Group, and coauthor of Measuring and Managing Information Risk.


ISACA Acquires CMMI Institute


ISACA has acquired CMMI® Institute, the global leader in the advancement of best practices in people, process and technology. By joining forces, the 2 organizations will raise the level of enterprisewide performance for existing and prospective members and customers and reach more diverse markets.

CMMI Institute is the organization behind the Capability Maturity Model Integration (CMMI), the globally adopted capability improvement framework that guides organizations in high-performance operations. CMMI Institute provides the tools and support for organizations to benchmark their capabilities and build maturity by comparing their operations to best practices and identifying performance gaps.

“We are living in a time of dynamic change in our industry, and technology has more power than ever before to transform an organization. For nearly 50 years, ISACA has been committed to equipping the professions we serve with the resources they need to positively impact their enterprises,” says ISACA CEO Matt Loeb, CGEIT, CAE. “Our acquisition of CMMI Institute will help us to broaden our focus on helping professionals and their organizations optimize their use of technology, increase value for stakeholders and improve business performance.”

ISACA and CMMI Institute share a vision of advancing organizational performance that centers on driving excellence in the IT, information systems governance, data management, governance, software and systems-engineering functions across a spectrum of industries.

“CMMI Institute is a natural fit for ISACA, and we are very excited to unite with them to create new offerings for ISACA’s member community,” says Kirk Botula, CEO of CMMI Institute. “Together, we’ll offer a stronger portfolio of business solutions and professional development to both of our global customer bases and accelerate the pace of capability improvement and high maturity operations in their organizations.”

ISACA and CMMI Institute will continue to operate separately, with CMMI Institute operating as a subsidiary of ISACA. For more information, visit the CMMI Institute page of the ISACA web site.


Using Machine Learning to Address Zero-day Threats



While antimalware vendors try to respond to threats quickly, malicious actors continue to bypass antimalware software, and zero-day threats continue to be a challenge. To help enterprises better address zero-day threats, ISACA® and Intel Security have partnered to present the “Understanding How Machine Learning Defends Against Zero-day Threats” webinar. This webinar will take place on 10 March at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Vinoo Thomas, senior product manager for endpoint technologies at Intel Security, will lead this webinar. In it, he will discuss machine learning as a method of detecting zero-day threats. Specifically, he will cover how machine learning can address gaps that traditional approaches do not cover, using cloud-based detection technologies to protect against attacks and how to leverage machine learning in your environment.

To learn more about this webinar or to register for it, visit the Understanding How Machine Learning Defends Against Zero-day Threats page of the ISACA web site.


Certification Renewals and Revocations



The 2016 certification renewal period is coming to a close. Individuals who have not completed their renewal—by paying the annual maintenance fee and reporting the required 2015 continuing professional education (CPE) hours—will be subject to revocation, which will take place on 31 March 2016. If you have not yet renewed, do not delay and put your certification in jeopardy—renew now.

To pay the annual maintenance fee, visit www.isaca.org/renew. To report your 2015 CPE hours, visit www.isaca.org/reportCPE. Log in to your account, click “my certifications” and then click on “manage my CPE.” Scroll down, click on “add CPE,” enter the CPE activity and save the data.

For more information, visit the Maintain Your Certification page of the ISACA web site.


Risk Management in Agile Projects


The iterative nature of Agile practices makes them well-suited to manage risk associated with product development and related projects. To better establish how to incorporate risk management into Agile projects, ISACA Journal volume 2 author Alan Moran, Ph.D., CITP, CRISC, outlines the concerns Agile risk management ought to address:

  • Recognition of threats and opportunities within a project in order to balance the desire for reward against the risk incurred in its pursuit. This requires not only a thorough understanding of risk appetite and tolerance within a project, but also an appreciation of the risk inclinations of individual team members and the impact of social and cultural influences on risk management.
  • Identification and prioritization of appropriate risk response strategies (e.g., accept, mitigate, exploit) based on risk exposure and in a manner that is consistent with Agile practices (e.g., inclusion of risk-related tasks in a product backlog, use of user story maps, or use of a risk-modified Kanban board, a planning tool in which activities are moved between lanes representing the phase of development they are in [e.g., Planned, In Progress, Done]).
  • Ability to judge whether or not risk is being managed in an effective and efficient manner through the monitoring of risk. This also includes awareness of the residual risk at the iteration level and how it impinges on the overall riskiness of the undertaking.

Read Alan Moran’s full article, “Risk Management in Agile Projects,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.