@ISACA Volume 26: 19 December 2012 

@ISACA Relevant, Timely News

CGEIT Celebrates 5 Successful Years

Since its inception in 2007, ISACA’s Certified in Governance of Enterprise IT (CGEIT) certification has grown and its value in the marketplace has increased tremendously in the ever-changing world of technology. The ANSI-accredited certification (under the International Standard ANSI/ISO/IEC 17024) was just named one of the certifications with the biggest value gain in Foote Partners’ IT Skills and Certifications Pay Index™ (ITSCPI), gaining 25 percent in average market value from 1 July to 1 October 2012.

To date, the CGEIT certification has been earned by more than 5,300 professionals. As IT has become more important to achieving goals and delivering benefits, enterprises must extend governance to IT, as with all critical assets. IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the enterprise’s IT sustains and extends its strategies and objectives. CGEIT certification indicates that a professional is capable of bringing IT governance into an organization—grasping the complex subject holistically and enhancing value to an enterprise.

Visit the Certification page of the ISACA web site to learn more about CGEIT and all ISACA certifications.


5 Approaches Information Risk and Security Professionals Can Use to Improve Business Acceptance and Alignment

Information risk management and security professionals are constantly challenged with identifying ways to become more accepted and aligned with their business leaders, stakeholders and customers. Here are five approaches that can assist an information risk management and security professional in becoming more accepted and aligned:

  1. Evaluate threats and vulnerabilities first, and then work with business leaders and stakeholders to identify and assess risk. Information risk and security professionals often abuse and incorrectly use the word “risk” in their analysis and communications. They often assume that they can evaluate the information risk factors to an organization based on their visibility and an understanding of its business activities. To be more business-aligned, information risk and security professionals can change their approach and communication style, focusing their efforts on the accurate identification of threats and vulnerabilities, their likelihood of occurrence, and potential business impacts if realized or exploited.
  2. Develop mentor relationships with business leaders and stakeholders. Mentoring provides an opportunity for learning and for the development of positive working relationships for the mentor and mentee. Seeking out mentors who are leaders or key stakeholders in their organizations allows them to gain intimate knowledge about the organization and its operations while developing relationships with individuals who can support their efforts to gain greater business alignment and influence.
  3. Collaborate with business leaders and stakeholders to develop an information risk profile. An information risk profile provides the road map for and guidance on what information risk factors are acceptable and not acceptable to the organization. It also identifies the degree to which information security controls should be implemented and maintained to effectively reach the organization’s risk management goals and requirements. Collaborating with business leaders and stakeholders to develop the information risk profile ensures that risk and security requirements, controls, and capabilities that are implemented are accepted and supported by business leaders and stakeholders.
  4. Follow an embrace-and-educate approach for new concepts and technologies. Business leaders are often interested in adopting and leveraging the newest capabilities, solutions and technologies as quickly as possible to realize their benefits. By following an embrace-and-educate approach, the goals and interests of the business leader and the information risk and security professional can be met. Information risk and security professionals support the adoption and use of new capabilities, but advise business leaders, stakeholders and users of their concerns. They can then effectively collaborate to develop plans; leverage these new capabilities, solutions and technologies to support the success of the organization; and align information risk management with security goals, expectations and requirements.
  5. Learn how to become an internal consultant and advisor to the organization. Key attributes of this skill include listening, persuasion, effective business communication, negotiation and sales. One of the critical steps to demonstrating these skills is to emphasize a focus on information risk before security. Information risk and security professionals who can master this will begin to be considered more of an asset to the business than an adversary. In this manner, risk and security professionals focus on providing knowledge and advice to their constituency to assist them in developing similar, if not the same, conclusions for information security requirements as the traditional security professional would have previously mandated using an approach based on fear, uncertainty and doubt (FUD). Unlike with the FUD-based approach, the business leaders, stakeholders and constituents have a sense of ownership as well as a deeper understanding of both the reasoning and value of the risk and security requirements. This often results in their support of the controls and capabilities that are implemented instead of an attempt to circumvent them.

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Act Now, Standards Exposure Period Closes Soon
New ISACA Resources Also Available on Biometrics and Mobile Devices

The IS Audit and Assurance Standards exposure draft of revised standards is posted for review and online feedback through 28 December. ISACA encourages all those with expertise in the areas covered to provide feedback. Your feedback is critical to ensuring high-quality standards.

Additionally, ISACA has issued the following new deliverables:

  • Biometrics Audit/Assurance Program focuses on the acquisition, architecture, rollout and security of biometric technologies, both deployed and planned, including, but not restricted to, policies, standards and procedures, as well as resilience to major outages, intrusions or other failures. It is posted for complimentary member download and available in the ISACA Bookstore.
  • Securing Mobile Devices Using COBIT 5 for Information Security is intended for audiences who use mobile devices directly or indirectly including end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. It is available as a complimentary PDF for members and in the ISACA Bookstore.

Information on current research projects is posted on the Current Projects page of the ISACA web site.


Last Month to Recruit Through Member Get A Member

December marks the last month for you to introduce your colleagues to ISACA and win a prize through the ISACA Member Get A Member campaign. Each colleague you recruit earns you one chance at a monthly prize worth US $50 in the ISACA Bookstore. In January, the top recruiter will be awarded his/her choice of an ISACA conference or exam registration, including travel and study materials—worth up to US $1,500.

Act now to be among this year’s winners! Our monthly winners for November are:

  • Ehinonmen Oni, Abuja (Nigeria) Chapter (professional member)
  • Amir Tavasoli, Toronto (Ontario, Canada) Chapter (student member)

Remember to have your colleagues enter your ISACA member ID on their application, so you receive credit for their recruitment and they have their new member processing fee waived.

If you have any questions, please contact the membership services team at mgam@isaca.org.


Learn the Latest About COBIT 5 in the Knowledge Center

Now that COBIT 5 has been released and you have taken the opportunity to download and review it, join ISACA members in the Knowledge Center to discover helpful links and publications that are available to guide you through using COBIT 5 in your business practice. Ask fellow topic members your COBIT 5 questions, and view questions asked by and responses from other members. Former COBIT 5 task force members are active in topic discussions. COBIT 5 Implementation, a member-only community, is among the communities available specifically for COBIT 5 content.

The Knowledge Center offers a unique opportunity to exchange ideas and information, whether you are just curious about COBIT 5 or in the process of implementation. Join now and participate in the COBIT 5 community.


A Global Conversation

In the days before and after ISACA’s recent certification exams, our social media platforms were buzzing. Exam-takers solicited advice from peers. Industry veterans offered guidelines for getting certified. ISACA posted reports about the surging value of the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) certifications, and joined others’ discussions about the certification process. Test-taking tips were traded around the globe, from Rio to London, Karachi to Nairobi.

Be a part of this conversation! Join ISACA on Facebook and Twitter and in our LinkedIn and Knowledge Center groups. And, if you have a story that you would like to share, be sure to let us know at socialmedia@isaca.org.
