@ISACA Volume 9  3 May 2017

Tips for Leveraging Video Processing for Security


What does processing video mean to you? Traditionally, it meant someone monitoring closed-circuit television (CCTV) feeds and managing some type of tape or file system. Today, video is much more than just the mechanics of capturing video. Video is being processed in a manner similar to pictures or images. A video is no more than a series of frames, and these frames can be treated as images. One can either process every frame or sample the frames. The sampling rate could be an arbitrary number or be driven by an algorithm, such as one that measures the percentage of pixels that change across the image.
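The two sampling approaches described above can be sketched as follows. This is an added example, not code from the original article; the function names, the 4x4 greyscale frames and the threshold values are assumptions constructed for illustration.

```python
def changed_fraction(prev, curr, pixel_delta=16):
    """Fraction of pixels whose grey level moved by more than pixel_delta.

    The per-pixel tolerance keeps sensor noise and compression artefacts
    from being counted as a change in the scene.
    """
    if len(prev) != len(curr) or any(len(a) != len(b) for a, b in zip(prev, curr)):
        raise ValueError("frames must have identical dimensions")
    total = sum(len(row) for row in curr)
    if total == 0:
        raise ValueError("empty frame")
    changed = sum(
        1
        for row_p, row_c in zip(prev, curr)
        for p, c in zip(row_p, row_c)
        if abs(p - c) > pixel_delta
    )
    return changed / total


def sample_frames(frames, threshold=0.05, pixel_delta=16, max_gap=None):
    """Return the indices of frames worth passing to heavier analysis.

    A frame is kept when more than `threshold` of its pixels differ from
    the last *kept* frame (not the previous frame, so slow drift still
    accumulates into a trigger). `max_gap` is the fixed-interval fallback:
    keep a frame anyway once that many frames have passed since the last keep.
    """
    kept, ref = [], None
    for i, frame in enumerate(frames):
        if ref is None or changed_fraction(ref, frame, pixel_delta) > threshold:
            keep = True
        else:
            keep = max_gap is not None and i - kept[-1] >= max_gap
        if keep:
            kept.append(i)
            ref = frame
    return kept


# Constructed sample clip: a static scene, sensor noise, then an object
# that appears for two frames and leaves again.
EMPTY = [[10] * 4 for _ in range(4)]
NOISY = [[12] * 4 for _ in range(4)]              # small uniform jitter
OBJECT = [[10, 10, 200, 200]] + [[10] * 4] * 3    # 2 of 16 pixels change
CLIP = [EMPTY, NOISY, EMPTY, OBJECT, OBJECT, EMPTY, NOISY, EMPTY]
```

Comparing against the last kept frame rather than the immediately preceding one means the object's departure is sampled as well as its arrival, which matters when the question is how long something was present.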

Video is being processed to automatically detect changes in scene as well as place identification, optical character recognition (OCR) and human recognition. These capabilities are being targeted at publicly available information (PAI) and CCTVs monitoring various facilities. (PAI is being used in this article to describe social media and open source as well as other information that is publicly available.) The boom in this market is being driven by a domain in machine learning called deep learning. Deep learning algorithms are based on neural networks. Technically, they are called convolutional deep neural networks. These algorithms are trained using control data. Once the algorithm is trained, it will be able to provide situation awareness without a person having to monitor or review every video recorded. Unfortunately, an integrated product that can perform all the possible functions is yet to be developed. In addition, algorithms that do certain functions are not as developed or reliable as one would hope.

The following are some of the more popular security-related video processing capabilities:

  • Access control using biometrics is quite common. Presenting the biometric to a reader (iris, fingerprint, face) is a popular application. The user enters a personal identification number (PIN), the system retrieves the biometric template, the comparisons occur, and authorization is either granted or denied. This has advanced to touchless access control. Today, one can be authorized by walking through an access portal. As individuals walk, they pass their hand over a reader that captures their noncontact fingerprint, and they continue walking toward a camera that reads their face and iris. This allows for a continuous flow of individuals into the facility.
  • In the future, it will be possible to authenticate an entire group of people at once. As individuals approach a perimeter from the parking lot or bus stop, their faces will be positively identified. Depending on the camera capabilities, it might be possible to detect individual irises. Finally, based on their gait, it might be possible to capture their fingerprints. By the time they get to the gate, the security function is reacting only to those people who do not have authorization to enter. This problem is complicated for high-assurance facilities, where 2-factor authentication (i.e., more than 1 biometric) for everyone would be required. This would allow passive authentication and would not slow the movement of people in and out of the facility. Unfortunately, performing this activity in real time is beyond the capability of central processing unit (CPU)- and graphics processing unit (GPU)-based solutions.
  • Turning the unknown into the known is where video processing and deep learning are especially promising. Scene recognition can determine the place a video was recorded without location metadata. This capability is seeing real success in unlikely places, including all videos that are being uploaded into PAI sites with metadata and location information. Object identification is being refined to the point where video processing can determine the type of object, the manufacturer of the object and the year it was manufactured. In addition, in CCTV monitoring, object identification can detect how long an object is present in a location and whether the object was previously at the location by using past videos. OCR capture from video is useful to read signs at protests, billboard messages and graffiti on walls. There are all kinds of uses for this information in security, law enforcement and military applications.
  • The identification of unknown people is an easier problem set if you start with a list of people of interest. Comparing unknown people to everyone on Earth is a bit out of the realm of possibility. But comparing people on a video to a list of people who may not like you or your organization is very achievable. When complemented with monitoring a perimeter and seeing how often that person comes to your organization, this information may be invaluable to the security of the facility.

The science of video processing is constantly changing, and so is the realm of possibilities. Its use in security applications is growing. New technologies that move use away from traditional CPU- and GPU-based solutions are making what was previously considered impossible, possible.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


ISACA’s New CSX Training Platform Helps Build and Assess Hands-on Skills



ISACA is changing how cyber security training is delivered with the latest additions to its Cybersecurity Nexus (CSX) portfolio of resources—the CSX Training Platform and Assessment Tool.

The CSX Training Platform offers learners an easily accessible, constantly updated education environment that will help them keep their security knowledge and skills up to date. The enterprise will benefit as well, by monitoring employees’ learning activities relative to company expectations to ensure a well-informed, highly skilled workforce. The on-demand, performance-based training and assessment tool, conducted in live environments using real-world threat scenarios, is the first of its kind.

Historically, organizations have had to rely on training mechanisms that are costly, inaccessible and quickly out of date due to the ever-changing threat environment. According to a recent ISACA survey, 52% of respondents said they believe traditional cyber security training options leave staff only moderately to not at all prepared to respond to an attack. With the growing skills gap, cyber security team leaders are looking to formally diagnose specific areas where they need to bolster skills, according to 62% of respondents. The CSX Training Platform will make it possible for cyber security leaders to track what courses are or are not being consumed by employees and where skills gaps may result.

The CSX Training Platform currently includes up to 100 hours of performance-based learning, divided among beginner, intermediate and advanced levels. It also includes virtual versions of ISACA’s 3 CSX Practitioner courses, the CSX Practitioner Bootcamp and the Cybersecurity Fundamentals course. The CSX Labs and courses will be updated continuously, and new courses will be added in response to evolving needs of cyber security teams and the threat landscape.

“With its hands-on approach to cyberdefense, the CSX Training Platform is an important learning solution for enterprises that want their frontline IT teams to be cyberhardened, cyberprepared and cybertested,” said Christos Dimitriadis, ISACA board chair and group director of information security at INTRALOT. “The ability to test and build skills will help enterprises address the significant skills gap problem they are facing.”


The Business Benefits of Sustainable IT



Sustainability is becoming a growing concern for enterprises, and a growing number of customers expect businesses to be green. Incorporating sustainable practices can be challenging, and it is necessary to balance profitability and sustainability. To help enterprises learn how to incorporate sustainable business practices and understand why sustainability is so important, ISACA has produced a podcast called “Sustainability.” In this podcast, we are joined by Ramses Gallego, CISM, CGEIT, CISSP, SCPM, Six Sigma Black Belt, strategist and evangelist at Symantec and contributor to ISACA’s 2011 Sustainability white paper.

In this podcast, Gallego discusses the impact of green computing on IT operations, the role of the board in a sustainable enterprise, and how audit and assurance professionals are affected by a sustainable enterprise. In addition, Gallego illustrates how sustainable IT can lead to considerable business benefits and reputational benefits.

This podcast is available on the Podcast page of the ISACA website. To ensure you never miss an episode, subscribe to the ISACA Podcast on iTunes, Google Play and SoundCloud.


2016 Annual Report Highlights ISACA Moving Forward With Purpose


ISACA achieved numerous milestones in 2016, while also positioning itself for sustained progress through programs, presence and new opportunities for its global professional community.

The 2016 Annual Report recaps numerous highlights, such as:

  • The acquisition of CMMI Institute, which adds a portfolio designed to raise enterprisewide performance for existing and prospective members and customers. CMMI Institute is the home of the Capability Maturity Model Integration (CMMI).
  • The gathering of more than 400 chapter leaders in Lisbon, Portugal, for ISACA’s first Global Leadership Summit. The summit put the focus on key initiatives and drew on the collective energies of ISACA’s professional community on a local level.
  • The launch of ISACA’s Connecting Women Leaders in Technology program, which provides opportunities for ISACA to create awareness of and address the current gender disparities in the technology workforce.
  • Expanded global reach of ISACA’s conferences, including the first Africa CACS conference and the debuts of the Cybersecurity Nexus (CSX) conference in London, UK, and Singapore.
  • A heightened focus on global engagement with enterprises and governments throughout the world, leading to promising strategic partnerships and laying valuable groundwork for many others.
  • The celebration of the 20th anniversary of the COBIT framework, marked by a campaign that included posters spotlighting elements of COBIT most useful to practitioners, a video series and a global media campaign.

PDF, digital and video versions of ISACA’s 2016 Annual Report can be found on the Annual Report page of the ISACA website.


10 Tips for Leading a Multigenerational Workforce

By Ann M. Butera

At the moment, there are 5 generations in the workplace: veterans, baby boomers, Generation X, millennials and Generation Z. However, veterans are retiring, semi-retiring or joining boards. Generation Z is graduating college, wrapping up internships and getting a foot in the door. Many are exploring ways to work independently and juggle multiple jobs. Their values and perspectives are progressive and unique, and we curiously await their impact on the workforce.

Each of these demographic groups brings a distinct set of aspirations and needs to a job. In addition to these demographic differences, each person is an individual with unique goals and needs. Therefore, today’s leader has to be an orchestra conductor, able to bring out the best performance from each musical section so that the orchestra’s results are harmonic and well-timed.

A satisfied team is a motivated team. Based on my experience in working with internal audit departments of various sizes and across industries, the following 10 methods can help create motivated multigenerational teams:

  1. When practical, accommodate flexible and nontraditional work schedules and remote working arrangements. Once a requirement associated mostly with Gen Xers and Gen Yers, the ability to accommodate employees’ lives makes for happier customers, increased employee loyalty and lower turnover. More employees in all generations are finding it necessary to achieve work-life balance. However, working from home is a privilege, not a right. Get nontraditional work arrangements (e.g., flexible hours, work from home) defined in writing before these arrangements begin. Keep the ground rules simple and fair (e.g., all employees must start their shift between 7:00 AM and 8:30 AM, and the shift length is 7 1/2 hours).
  2. Be sure to answer team members’ “why” questions before they even ask them. Auditing attracts analytical people, i.e., those who closely examine facts to reach conclusions and enjoy doing so. Some analytical individuals may need to make a greater effort to communicate in an empathic manner when responding to others’ questions. To project an empathic persona, ask the other party if what you said makes sense and adjust where necessary. Think about the information you would need to know if you were in the questioner’s shoes. If you are a staff auditor, manage up. Try to anticipate information your manager needs to provide to his or her boss and incorporate these facts.
  3. Optimize millennials’ technological savvy to leverage technology in your audit methodology.
  4. Use technology to stay in constant communication on each project and gain visibility to everyone’s workload.
  5. Where you can, give authority. It will pay off in loyalty and make your team members better decision makers and future managers in the end.
  6. If you are a department lead, provide the right individual coaching and training to each of your team members. Create a mentoring program for the most promising and talented people as a means of bolstering your institution’s succession plan. Make career counseling available to employees.
  7. Invest in your team members so that they will, in turn, invest in their roles and the organization. The most critical training need is to develop people management competency as soon as an individual becomes a lead auditor. All too frequently, the newly promoted auditor-in-charge has excellent technical skills and displays tireless attention to detail (e.g., test work papers are clearly organized and cross-referenced). Often, these abilities and proficiencies are the reason the auditor was promoted. Department leaders should help the newly promoted manager acquire an appreciation and a desire to delegate, build bench strength and get work accomplished through others.
  8. Communicate to each team member specifically how their role adds value to the overall goals of the department and the organization. Ascribing to the adage of “what gets measured gets done,” make sure that the performance appraisal system aligns with the whole organization’s behavior and core values. Additionally, make sure that the “game” rules, i.e., desired performance results, are clearly explained.
  9. Inevitably, you and your team may end up having to deliver bad news to members of an area you are auditing. Develop a reputation for reaching agreements without bloodshed while sticking up for and supporting your team members.
  10. Create an ongoing and meaningful exchange with each team member that communicates the value they add to the process. Connect with them personally. This is a strong recommendation for department leads, but staff auditors can do much to engage other team members, especially those of older generations.

Read more on the KnowledgeLeader website.

Editor’s Note: © 2017 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.