@ISACA Volume 17: 13 August 2014 

@ISACA Relevant, Timely News

Cybersecurity Attacks Spur Demand for CISO Talent

With the latest spate of major data breaches, the days of the chief information security officer (CISO) are anything but numbered, according to recruiting experts at Heidrick & Struggles, a global executive search and leadership advisory firm. Their research shows information and data security are now in the top 2 concerns of corporate boards today, having not even been in the top 5 just 5 years ago.

But when searching for CISO talent, experts say companies are looking for 1 major criterion: leadership. Heidrick & Struggles Partner Paul Gibson says companies are seeking risk and security officers with executive presence, influential behavior and more. This global skills crisis is compounding, with very few cybersecurity programs emphasizing expertise in business strategy and communication, in addition to technology.

“Lately, we have been seeing huge demands from clients in information security,” Gibson said. “It is one of the hottest areas in the market in terms of demand for talent.”

“When we look at the leaders of tomorrow in this space, they are technology savvy. They have relationships with agencies. They understand the cyberworld. They understand legal. They understand privacy. They have the nuances and understand technology in a regulated world and regulation within technology,” explained Regional Managing Partner David Boehmer.

More information about the top qualities of a CISO leader can be found on Heidrick & Struggles’ new LeadershipTV™ series. The executive search firm’s first video on the rising demand for CISO talent explains who enterprises are searching for to handle their cybersecurity needs. Additional resources that address these increasing needs can be found on the Cybersecurity Nexus (CSX) page of the ISACA web site.


Earn CPE at Privileged User Management Webinar

Many organizations’ data breaches can be linked back to privileged users, including employees, contractors or partners. ISACA and Oracle are offering a webinar on privileged user auditing. Led by Lee Howarth, senior principal product manager at Oracle Identity Management, the “Manage, Monitor & Audit Privileged Users” webinar will be held on 28 August at 12:00 PM EDT (UTC-4). This free webinar is open to everyone, and ISACA members can earn 1 continuing professional education (CPE) hour by attending.

This webinar will look at how to best manage, monitor and audit privileged accounts. Howarth will discuss how to make managing, monitoring and auditing part of an organization’s larger identity management strategy.

To learn more about and register for this webinar, visit the Manage, Monitor & Audit Privileged Users page of the ISACA web site.


4 More Big Data Security Controls
By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the advent of big data analytics, auditors and security professionals need to be aware of the methods to secure big data systems. The following are 4 areas for additional controls, beyond the normal network and server security, to enhance big data security:

  1. Access controls:
    • Internal and external authentication—Detailed user authentication is needed for both kinds of system users (internal users and external users).
    • Object permission management in structured databases—Permissions on actual data objects and the normal privileges of users need to be monitored.
    • Extra controls for access control in data feeds—Additional access control monitoring is needed for actual data lines to ensure integrity and confidentiality of the data inputs.
    • Multifactor authentication—The advent of additional methodologies of authentication allows for further authentication based on attributes and location.
  2. Encryption controls:
    • Transparent data encryption for all objects and data—All actions need to be encrypted.
    • File-level and block-level encryption—Options include symmetric block-cipher encryption for data on the storage side.
    • Enterprise tape encryption for all “moving” data—Stream-based symmetric encryption would be utilized for all data in transit.
    • Robust key management (the proverbial “the key is the key” part of encryption)—Key management must be well understood, because it is the primary focal point of attacks on encryption.
  3. Audit controls:
    • Auditing of all user activity and changes—All access actions must be logged and checked for compliance and accuracy.
    • Alterations—Inputs must be watched for malicious or inadvertent alterations, especially in critical data components.
    • Log management criteria—Who can change what, under what circumstances and when must be known.
  4. Governance controls:
    • Data security laws in location—Policies should be made with local regulations in mind.
    • Watching the watchers—A monitoring activity must be in place and used.
    • Reporting to senior executives and the board of directors, especially for risk—They are ultimately responsible for all risk-based decisions within the organization.
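The access and audit controls above can be combined in a single policy-enforcement point in front of a big data store. The following is an added example, not code from the article or from any product it mentions: it checks object-level permissions, requires multifactor authentication for sensitive objects, checks the caller’s source network as an attribute-based condition, and writes every decision to a hash-chained audit log so that later alteration or deletion of a log entry is detectable (the “watching the watchers” control). All users, object paths, networks and permissions are constructed sample data.

```python
"""Added example: policy-enforcement point with a tamper-evident audit trail.
Not part of the @ISACA article; users, objects and policy values are constructed."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed object permission table: object -> {user: allowed actions}
PERMISSIONS = {
    "hdfs:/warehouse/claims": {"analyst": {"read"}, "etl": {"read", "write"}},
    "hdfs:/warehouse/pii": {"dpo": {"read"}},
}
# Constructed policy: objects that require MFA in addition to a password login.
MFA_REQUIRED = {"hdfs:/warehouse/pii"}
# Constructed attribute/location condition: only these network prefixes may access data.
ALLOWED_NETWORK_PREFIXES = ("10.",)


@dataclass
class Session:
    user: str
    mfa_verified: bool   # set by the authentication layer after a second factor
    source_ip: str


class AuditLog:
    """Append-only, hash-chained audit log.

    Each entry commits to the SHA-256 hash of the previous entry, so changing,
    removing or reordering any record breaks the chain and verify() reports it.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> str:
        entry = dict(event, prev=self._prev)
        entry["hash"] = self._digest(entry)   # hash covers the event and the link to prev
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != entry.get("hash"):
                return False
            prev = entry["hash"]
        return True


def authorize(session: Session, obj: str, action: str, log: AuditLog) -> bool:
    """Evaluate the three controls and log the decision with its reasons."""
    reasons = []
    if not session.source_ip.startswith(ALLOWED_NETWORK_PREFIXES):
        reasons.append("source network not permitted")
    if obj in MFA_REQUIRED and not session.mfa_verified:
        reasons.append("multifactor authentication required")
    if action not in PERMISSIONS.get(obj, {}).get(session.user, set()):
        reasons.append("no object permission")
    decision = "allow" if not reasons else "deny"
    log.record({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "source_ip": session.source_ip,
        "object": obj,
        "action": action,
        "decision": decision,
        "reasons": reasons,
    })
    return decision == "allow"


if __name__ == "__main__":
    log = AuditLog()
    authorize(Session("etl", False, "10.1.2.3"), "hdfs:/warehouse/claims", "write", log)
    authorize(Session("dpo", False, "10.1.2.3"), "hdfs:/warehouse/pii", "read", log)
    authorize(Session("dpo", True, "10.1.2.3"), "hdfs:/warehouse/pii", "read", log)
    for e in log.entries:
        print(e["user"], e["object"], e["action"], e["decision"], e["reasons"])
    print("audit chain intact:", log.verify())
```

Every deny carries its reasons, which is what an auditor checking “who can change what, under what circumstances and when” needs; the chain hash only protects integrity of the log itself, so the head hash should still be copied periodically to a store the logged administrators cannot write.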

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


New CRISC Job Practice Effective June 2015

ISACA conducts an international job practice analysis for each of its certification programs at least every 5 years to keep pace with industry demands. ISACA and the CRISC Practice Analysis Task Force recently completed a 9-month assessment resulting in a revised job practice for ISACA’s Certified in Risk and Information Systems Control (CRISC) certification.

“The continuous advancement in information technology and its application in information systems, along with the risk associated with the adoption of these technologies in every business, requires IT risk professionals to stay current with the profession,” said Eduardo Ritegno, CISA, CRISC, chair of the CRISC Certification Committee. “As part of this evolution, ISACA conducted a job practice analysis to ensure that the CRISC certification requirements and exam content stay current and remain relevant to the practice of IT risk and IS controls.”

The recently revised CRISC job practice incorporates the collective opinions of the 9 CRISC Practice Analysis Task Force members, 25 independent subject matter experts and more than 1,400 IT risk professionals from around the world. The major change to the CRISC job practice is the combining of risk and control tasks within the domains, resulting in a decrease from the current 5 domains to 4 domains. The 4 new domains of the 2015 CRISC job practice include:

  • Domain 1—IT Risk Identification (27 percent of test questions)
  • Domain 2—IT Risk Assessment (28 percent of test questions)
  • Domain 3—Risk Response and Mitigation (23 percent of test questions)
  • Domain 4—Risk and Control Monitoring and Reporting (22 percent of test questions)

Effective with the June 2015 exam administration, the CRISC exam will contain 150 questions testing the new job practice.

The requirements to obtain a CRISC certification will also change. Candidates who pass the CRISC exam will still need to submit evidence of 3 years of cumulative work experience performing the tasks of a CRISC professional; however, this experience will need to be across at least 2 of the 4 new domains instead of 3. At least 1 of these 2 required domains must be either domain 1 or 2.

Candidates who have been studying from the current CRISC job practice are encouraged to register for the upcoming December exam, as the June 2015 exam will be based on the new CRISC job practice.

Since 2010, more than 17,000 individuals have earned the CRISC certification. For more information about the current or 2015 CRISC job practice, visit the CRISC Job Practice Areas page of the ISACA web site.


EuroCACS/ISRM Focuses on Reducing Cybersecurity Skills Gap

Because of the growing need for cybersecurity professionals, the 2014 European Computer Audit, Control and Security and Information Security and Risk Management Conference (EuroCACS/ISRM) focuses on cybersecurity resources, with 2 of the 5 tracks focused on keeping organizations and their information more secure.

The conference has sessions on a variety of cybersecurity topics, including open-source cyberintelligence, industrial cybersecurity and responding to cyberattacks, and is hosting the first-ever Cybersecurity Fundamentals Workshop. Because of all of the valuable cybersecurity resources offered at this conference, ISACA’s London (United Kingdom) and Barcelona (Spain) chapters are sponsoring student members to attend EuroCACS/ISRM.

“The ISACA Barcelona Chapter believes cybersecurity is the missing element in the quest for the Internet to become a trusted business platform,” said Barcelona Chapter Membership Director Gonzalo Cuatrecasas, CISA, CISM, CGEIT.

Among the cybersecurity activities offered at this conference is the CyberLympics competition. CyberLympics is a cybersecurity competition in which teams from around the world compete in an ethical hacking cybergame. The CyberLympics final round and awards ceremony will take place at EuroCACS/ISRM.

To learn more about the cybersecurity sessions at the conference, visit the 2014 EuroCACS/ISRM Presentations and Descriptions page of the ISACA web site. Registration for EuroCACS/ISRM can be completed on the EuroCACS/ISRM page of the ISACA web site.


Highlights From ISACA Board of Directors Meeting

The 2014-15 ISACA Board of Directors held its first meeting of the new term in June 2014 in Chicago, Illinois, USA. Items discussed included:

  • ISACA’s investments—ISACA’s board has a fiduciary responsibility to guard and grow ISACA’s financial assets on behalf of its members. In that capacity, the board is always eager to ensure that investment funds are properly handled so as to enable growth while not incurring undue risk. As a result of a presentation by ISACA’s investment advisor, the board decided (via formal motion and vote) to increase the target allocation for the ISACA long-term investment portfolio to up to 65 percent of the total investment portfolios (short-term and long-term). The Finance Committee will report to the board any further recommendations or results in November 2014.
  • ISACA marketing—To achieve the Strategy 2022 initiative calling for enhancement of ISACA’s marketing efforts, a presentation was made showing the various data-driven tools currently used to measure the outcomes of various marketing activities. These tools will enable faster response and more focused expenditures.
  • Emerging business and technology—The committee charged with identifying and reporting on emerging trends presented the latest update on the status of its work and was supported by the board. The launch of the trend reports will occur by early 2015.

The next meeting of the board will take place in November 2014 in the San Jose, California, USA, area.


2014 Member Get a Member Program Begins

Participate in the 2014 Member Get a Member program! Beginning 1 August, you can once again earn rewards for recruiting professional members to ISACA. In 2013, more than 700 members and 172 chapters participated, more than 20 prizes were awarded, and almost 1,100 new members joined ISACA. You can be part of the success of the 2014 Member Get a Member program.

When ISACA grows, members benefit. More members mean more networking, more connections, more resources and more chances to win valuable prizes. You will receive credit that can be used toward prizes, such as a laptop case, a high-quality portable wireless speaker, headphones and other electronic gadgets, when you recruit professional members to ISACA.

Who should you recruit?

  • A coworker who could benefit from COBIT
  • Colleagues interested in professional growth
  • Members of other professional associations
  • Someone who might be interested in taking an ISACA certification exam
  • New college graduates eager for career advancement

For you to earn recruitment credit through the Member Get a Member program, your colleagues must enter your ISACA Member ID number when joining. As an added bonus, your colleague’s online new member fee (US $10) will be waived when your member ID is entered during the application process.

Start recruiting new members today—the more members you recruit, the more you will be rewarded. More information is available on the Member Get a Member page of the ISACA web site. Questions? Contact mgam@isaca.org or +1.847.660.5600.


Book Review: Executive’s Guide to IT Governance
Reviewed by Joyce Chua, CISA, CISM, CITPM, ITIL, PMP

Executive’s Guide to IT Governance: Improving Systems Processes With Service Management, COBIT, and ITIL provides high-level background information on a variety of IT governance issues important to today’s business enterprise and executive manager.

As a how-to guide, this comprehensive book has an extensive amount of documentation and allows the reader to have a greater understanding of important IT governance issues in order to be better equipped to make effective decisions regarding essential IT governance matters.

In the current business climate, where a tremendous amount of importance is being given to governance, risk and compliance (GRC) issues, the concept of IT governance has become increasingly significant for corporate management.

With a focus on risk, IT governance, security and assurance, and extensive references to COBIT, this book complements other books on GRC issues. It defines IT governance and why it is important to both IT management and overall business operations. This book helps readers to understand the current strengths and weaknesses of their enterprise IT governance processes and how they can be better implemented, monitored and strengthened with other enterprise GRC initiatives.

Despite the book’s lack of diagrams and figures, the content is straightforward and practical, covering what IT governance is, its importance and the relevant frameworks to support its effectiveness. It also provides approaches to build effective IT governance processes and high-level information on the various IT governance issues (e.g., importance of social network computing) for upper management. From fundamental governance concepts to the audit committee’s IT role, this book is an extremely comprehensive resource on IT governance, risk and compliance.

Executive’s Guide to IT Governance: Improving Systems Processes With Service Management, COBIT, and ITIL is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest print edition of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Joyce Chua, CISA, CISM, CITPM, ITIL, PMP, is a global IT compliance manager for GLOBALFOUNDRIES, one of the world’s top dedicated semiconductor foundries. Chua is a member of the ISACA Publications Subcommittee.

