Enterprises are exploring opportunities driven by digital transformation, identifying technology-driven paths to deliver more value, more quickly, while also benefiting from new process efficiencies. IT auditors must do the same to ensure they remain valued partners by the organizations for which they work.
As enterprises increasingly harness technologies such as artificial intelligence and data analytics – and deploy methodologies such as Agile and DevOps – the IT audit teams of the future would be well-served to mirror this approach if they wish to thrive amid the business technology landscape of the future.
Traditional auditing methods need to be revisited to more directly align with how businesses are operating, so audit teams are living what they are auditing instead of operating in parallel universes from their business partners. If auditors are going to audit areas like DevOps or Agile, it stands to reason that they should have direct familiarity with those methodologies. Not only would that background allow auditors to deliver deeper, more meaningful audits by better understanding the practitioner view, but auditors also would realize many of the same business benefits that motivated their colleagues to adopt the methodologies in the first place. For example, one of the main benefits the business is realizing is faster development of key capabilities. Auditors could realize that same benefit of quicker development and release in areas that have long been challenges in the audit field, such as faster development of audit programs and reporting, and more comprehensive, automated audit testing procedures.
While IT auditors have a proud, longstanding tradition of making strong contributions to their organizations, auditors are seldom known for being on the leading edge of pursuing new technical capabilities or finding innovative approaches to performing their work. That will need to change, at least to some extent, if IT auditors are going to remain indispensable in a future in which automation, artificial intelligence and other emerging tech trends will dictate changing roles for auditors and, in some cases, potentially put auditors’ roles in jeopardy.
New ISACA research on the future of IT audit highlights several compelling data points that provide perspective on how auditors and their organizations need to prepare for the changing nature of the IT audit profession. Among the notable data points:
- Two-thirds of survey respondents (67 percent) observe difficulty recruiting auditors with the required technical skills
- Nearly half (47 percent) expect that IT auditors will be significantly more involved in major tech projects in the next 3-5 years
- An overwhelming majority (92 percent) express optimism when considering how technology will impact them professionally over the next five years
Organizations might not always be able to find the auditors with the technical skills they’re seeking immediately, which makes it even more important that they prioritize investing in education and skills-building capabilities as part of an ongoing strategy. That strategy needs to not only account for the conceptual, but also focus on the specific technologies and methodologies their audit teams need to understand. Given the rise of cybersecurity as a business imperative across all industries, auditors would be especially wise to pursue additional auditing cyber knowledge for how to better assess data protection and controls around key business processes. There is much work to do on the training front; the ISACA research shows that more respondents consider funding for training and professional development to be inadequate than those who say it is adequate. If organizations fail to remedy that in this evolving technology environment, their audit teams are likely to fall behind.
Traditionally, audit training has focused mostly on learning about emerging technology topics just prior to planning and performing an audit. While still important, this will not address the needs of the future. Similar to the IT business partners that auditors assess, the audit field should also focus on developing skills such as coding and testing, and areas such as AI and data analytics. These are skills and capabilities that audit teams will require in order to effectively perform their charter in the future. If the current auditor is not capable of adapting with these new skills, then the audit team will be required to find the person with those skills. This could be accomplished by seeking these capabilities from other talent pools, such as developers, co-sourcing or even complete outsourcing, which our research also has identified as trends.
Generally, respondents to the survey are right to be enthused about the future of IT audit. The coming years hold great promise for IT auditors, as an ever-expanding array of technology projects will benefit from auditors’ conscientiousness and unique ability to identify the process improvements and capability gaps that can make or break a project’s success. The more progressive audit teams, and the ones that will be best positioned to thrive in the future, are those that will proactively adopt the technologies and methodologies that their business partners are deploying, and those that commit to executing on a vision for continual training and education. Just as the digital transformation era is poised to enable organizations to better serve their customers and business partners, the same can hold true for the audit function.
Blockchain has emerged as one of the most promising technological developments of the past decade. Originating from the digital currency Bitcoin, blockchain employs use of a distributed ledger to provide consensus through its decentralized participants, eliminating the need for a central authority. This advancement has the potential to transform several key industries, much like the rise of the internet did in the 1990s.
Blockchain technology has a multitude of benefits, such as enabling peer-to-peer transactions, transparency, cost reduction, speed, fraud mitigation, and security by design. However, as is the case with any emerging technology, there are several risks with blockchain that should be considered by organizations that plan to use it. There are currently no universally accepted standards in place for blockchain, nor is there clear guidance available from a regulatory perspective. Due to these conditions, caution must be used when deploying blockchain technology at an enterprise level.
ISACA has developed a Blockchain Preparation Audit Program to provide organizations with a framework to manage blockchain. The program covers six key areas: pre-implementation, governance, development, security, transactions and consensus.
These areas touch upon the primary risks that are associated with use of blockchain, and aim to achieve the following objectives:
- Assess an organization’s blockchain solution to determine whether it is adequately designed and operationally effective
- Identify blockchain risks which could result in reputational and/or material impact
- Provide organizations with a holistic perspective on blockchain technology, with consideration for both technical and non-technical factors
When properly deployed, blockchain can provide substantial benefits. However, blockchain is not practical for every organization, and management must ensure that its use supports business objectives accordingly. The following are examples of adverse impacts that can occur when a blockchain solution does not align with business objectives:
- Impractical use cases that are in misalignment with organizational strategy
- Inadequate deployment that results in wasted time and resources
- A blockchain solution that does not function properly
- Potential for noncompliance with industry regulators
- Vulnerabilities that could impact source code, endpoints, and sensitive data
In addition to the risks discussed above, the blockchain audit/assurance preparation program also will allow organizations to consider other relevant questions. Some of these questions include:
- Was there a business case assessment created for the use of blockchain? Was it approved by key stakeholders?
- What were some practical use cases that the organization was looking to use blockchain for?
- What type of blockchain (permissioned vs. permission-less) is the organization using?
- Are blockchain wallet private keys being managed by a clearly identified custody approach?
- How is the organization acquiring the required development expertise to support the blockchain solution?
- How were vendors selected to support the organization’s blockchain solution? What due diligence processes were followed?
- Does management adequately understand blockchain technology, and are they providing effective oversight?
- What is the approach being used to manage applicable regulatory risks?
Editor’s note: The Blockchain Preparation Audit Program is complimentary for ISACA members.
The turn of the calendar to a new year is always a great time to take pause and reflect. Now that 2019 is in full swing, I wanted to take a quick snapshot of hot topics and trends for the IT audit field in 2019. And just to make sure I wasn’t completely winging it, I checked in with a couple valued industry contacts.
1) Security and availability remain atop nearly all IT (and by association IT audit) departments’ list of top priorities. As John Steensen, a senior director of technology audit for Visa noted, “At Visa, Job #1 is security and Job #2 is systems availability.” This is echoed daily in conversations with heads of IT audit from around the country. IT auditors can continue to expect a steady diet of: firewalls and routers; internet, intranet and web services; remote access systems; telecommunications (data and voice); threat intelligence; systems security (penetration testing, vulnerability management, malware protection); activity and event monitoring; cyber defense and incident response; DevOps; and AWS and cloud infrastructure.
2) Heightened focus on data and data governance. Dan DerGarabedian, the head of information technology and data audit (a title that is in itself telling) for BNP Paribas USA, noted that “Data governance, management and quality has been a very hot topic in the banking industry, and the trend is continuing.” As a result, they value candidates with “hands-on experience in enterprise data management.” Ronnie Dinfotan, VP of information technology internal audit for First Republic Bank in San Francisco, echoed that sentiment, noting that “These days, data savvy resonates more in the world of technology as opposed to only having network savvy.”
3) Increased focus on data analytics. In part related to the above, we continue to see increased focus on the use of data analytics for more efficient and effective auditing. As DerGarabedian noted, “Ten years ago, data analytics were a ‘nice to have.’ Today, it is an absolute and necessary (and expected) skill set to have within your audit department.” Among the desired skillsets, DerGarabedian further noted, are Python, SQL, and the use of visualization tools such as Tableau.
4) Return of the technical IT auditor. Over the past several years, in an effort to address more complex IT environments and heightened technology-related risks, we have witnessed an unmistakable trend to add more technical muscle to IT audit departments. Steensen noted that “at Visa, over the past year we have been transitioning to more of a ‘practitioner hiring model,’ where we seek out experienced technology practitioners with audit experience … and the payback has been great – our audits are deeper, more insightful, and address technical issues at a deeper level than ever before.” (For a more detailed examination of this trend and its challenges see my blog post, “Return of the Technical IT Auditor”).
5) New areas of focus. Continued movement to the cloud, big data, and other technology advancements have continued to bring new areas for IT auditors to focus. Steensen noted some of these new areas of focus for technology audit at Visa: Robotic Process Automation (RPA), machine learning and artificial intelligence, textual analysis, and blockchain, while continuous monitoring/auditing continues to evolve.
Ronnie Dinfotan sees value in an IT auditor with a forensic skill set. “I think the cybercriminals have figured out a long time ago that vulnerability tools were going to detect their backdoor services, and that an IT auditor with a forensic skillset and malware detection experience is what is needed to match some of today’s cybersecurity issues.”
Finally, increasing movement to the cloud requires IT audit to take into account the legal and contractual perspective. Thierry Dessange, an SVP and audit director with Wells Fargo, notes that, “Everyone is moving to the cloud. As an IT auditor, what should you consider when your organization is confronted with the complexity, and often inflexibility, of a third-party cloud computing contract? Ensure you’ve got the right skills at the table (i.e., legal, information security, finance, IT, operations, sourcing, etc.). You also should be clear about what types of compensating processes, and associated costs, need to be in place where the contract doesn’t provide you with all of the elements that you would want from the third-party cloud service provider.”
The new white paper, Auditing Artificial Intelligence, provides an overview of what AI is, why auditors need to be aware of AI, and how the COBIT 2019 framework relates to AI auditing.
The guidance addresses the somewhat nebulous definition of AI, as there is no agreed-upon definition even in the research community, since AI encompasses a wide swath of ground, including machine learning, deep learning (a subset of machine learning), and some types of rule-based systems. ISACA wisely takes a neutral stance regarding definitions and capabilities of AI, as fact vs. fiction is still under active investigation.
As AI implementations are still in embryonic stages of deployment for the vast majority of companies outside of Silicon Valley, and there is a lack of regulatory requirements for assuring AI, there is still no definitive and comprehensive set of auditing standards for AI. Research is progressing, however—with ISACA at the forefront, as this whitepaper and its cited papers suggest.
The shortage of specialized tech talent for implementations, the “black box” nature of AI, and the deficiency of research regarding the holistic impact of AI on organizations, are just some of the challenges confronting IT auditors who are tasked with auditing AI. Approaches for addressing the black box nature of algorithms exist, such as sensitivity analysis and the like, but these approaches are often time-consuming and best left to modeling specialists for technical evaluation. The paper makes a recommendation for bifurcating an audit of AI between model specialists and IT auditors, with IT auditors looking at the holistic process and how technology stacks integrate. The authors highlight that in small-to-medium-sized enterprises that implement AI, third-party vendor management may be one of the critical aspects of an audit. The use of vendors allows less technical users to access the AI solution; however, keep in mind that many vendor products cannot be customized.
The paper states that auditors look at the holistic risks and integration of AI into the organization, and approach AI as they have approached cybersecurity and cloud computing, with an iterative, adaptive approach focusing on the implications. Commonly, auditors mistakenly believe that they need to know the low-level details of how algorithms work before conducting an AI audit. This is not the case, and it may actually be more beneficial when auditors do not know the intricate details of how AI works, as they will be able to take a holistic, 40,000-foot view into how AI makes sense in the enterprise instead of getting caught in the weeds.
I believe that this is the area that is currently missing the most in enterprises: a holistic view of AI. Technologies now rule the roost, but no matter how impressive the technical capabilities, an AI system needs to make sense in the grand mission of the company. The technological sophistication takes a backseat, and sometimes a less technical system that is more controllable is better for organizations. Let the technologists take care of the technical details, and empower auditors to think big picture, which is where they can provide tremendous value and shine.
The paper concludes with context of how COBIT 2019 can be used to create an audit plan for AI, along with an enumeration of the nine main challenges to an effective AI audit that ISACA has identified, with similar best practice approaches to tackle these challenges.
Auditing Artificial Intelligence is arguably the most comprehensive analysis of the current state of AI auditing, governance and assurance. It is the ideal stepping-off point for beginning your governance analysis and planning an AI audit for your enterprise.
In October 2018, Bloomberg Businessweek sent shivers through the business and intelligence community when it published an astonishing report that claimed that Chinese spies had exploited vulnerabilities in the US technology supply chain, infiltrating computer networks of almost 30 prominent US companies, including Apple, Amazon.com Inc., a major bank, and government contractors.
These claims were indeed alarming, but not surprising. Since the infamous 2013 Target hack, in which hackers exploited security weaknesses at one of its little-known suppliers and exfiltrated millions of payment card details, cybersecurity experts have been warning that expanding supplier networks would exponentially increase digital touch points, providing several softer avenues for threat actors to exploit and access high-value systems.
There is no dearth of high-profile examples. For instance, back in 2017, cyber threat actors compromised the Ukrainian software firm MeDoc and implanted NotPetya – a highly destructive malware – deeply within its software update. Like the mythical Trojan Horse, NotPetya easily exploited the trusted software package, circumvented layers of security defences and crippled critical operations of high-profile enterprises, such as pharmaceutical giant Merck, shipping firm Maersk, and Ukrainian electric utilities Kyivenergo, to name but a few.
It’s certainly hard to argue with the benefits of business partnering, given the decades of studies demonstrating that well-thought alliances can enable an enterprise to focus on its competitive advantages, as well as measurably boost its bottom line. But at the same time, the raging demand for transfer of utilities, goods and data, combined with the rapid intersection of cyber espionage and geopolitics, also has substantially complicated the cyber risk equation. Cyber threats exploiting weak supply chains are on the rise, like sea levels. The stakes are also invariably higher, threatening global peace and undermining the benefits of globalization and open markets.
While tightening cyber risk assurance within complex supply chains is certainly challenging, it’s not impossible. In the section below, we provide three practical recommendations for business leaders to maximize the value of outsource relationships, while minimizing associated risks.
Have the right security clauses
Underpinning any robust supplier security assurance program is formally documented and legally enforceable security contractual clauses. During the contract negotiation phase, business leaders must have a clear understanding of cyber risks associated with each relationship, and ensure appropriate clauses are agreed upon from the outset and baked into contracts. At a minimum, high-risk suppliers must:
- Provide independent assurance reports to attest the operating effectiveness of key controls, such as the SOC 2 Type 2 report, ISO 27001 certification or Payment Card Industry Data Security Standard (PCI DSS). These should be provided at least annually.
- Provide the enterprise with the right to audit in the event of a systemic control breakdown or legal requirements.
- Demonstrably comply with applicable data protection and privacy laws, not engage subcontractors without express approval from the enterprise and only host data within approved jurisdictions.
- Adhere to applicable data breach notification laws, including notifying the enterprise, without unreasonable delay, of any data or privacy breach, as well as results of subsequent investigations.
- Engage an independent, suitably qualified firm to regularly conduct penetration tests on critical applications and fix material vulnerabilities within agreed SLAs.
The significance of getting this right from the outset is hard to overstate. Requesting security assurance reports later into a relationship is complex, and without legally enforceable clauses, suppliers will likely push back, leaving an enterprise with no recourse in the event of disputes or systemic control breakdowns. This too, however, has its challenges. For instance, large cloud service providers will unlikely agree to a “right to audit clause” with a medium-sized corporate customer. This comes down to leverage. Hence, it’s important to set realistic expectations upfront, as well as ensure that security contractual requirements are reviewed and signed off by the legal team and business owners.
Limit vendor remote access to the network
As we learned from the Target breach, suppliers with remote access to the enterprise network can present soft avenues for threat actors to exploit and gain access to the enterprise network, escalate privileges and cause substantial harm. To manage this risk, the enterprise must adopt the least privilege principle, only giving remote access when there is no other cost-effective way for the vendor to deliver their services. Such access must be restricted to specifically segmented zones, channelled via secure virtual private networks and protected via multi-factor authentication. Furthermore, an up-to-date list of all vendors with access to the network, including their respective access rights, must be maintained and validated frequently, at least quarterly.
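The controls in the paragraph above (least privilege, confinement to a segmented zone, VPN-only access, multi-factor authentication, and a vendor-access inventory validated at least quarterly) are the kind of thing an audit team can check automatically. The following is an added example, not code from the ISACA post or from any of the organizations it cites: a small Python checker that reads a vendor remote-access register and reports every account that violates one of those controls. The register layout, the zone names (`vendor-dmz`, `vendor-mgmt`), the field names and the sample rows are all assumptions constructed for this example.

```python
"""
Added example (not from the ISACA post): validate a vendor remote-access
register against the controls described in the text. The CSV columns, the
approved zone names, the role names and the 90-day cadence are assumptions
made for this example.
"""
import csv
import io
from datetime import date

# Assumed policy values for this example.
APPROVED_VENDOR_ZONES = {"vendor-dmz", "vendor-mgmt"}   # segmented zones only
MAX_DAYS_SINCE_VALIDATION = 90                           # "at least quarterly"
PRIVILEGED_ROLES = {"admin", "root", "domain-admin"}     # least privilege check

# Constructed sample register; these are not real vendors or accounts.
SAMPLE_REGISTER = """\
vendor,account,zone,access_path,mfa,role,last_validated
HVAC Co,hvac-svc,vendor-dmz,vpn,yes,read-only,2019-01-15
Payroll Inc,payroll-ops,vendor-mgmt,vpn,yes,operator,2018-09-01
Print Shop,printsvc,corp-lan,direct,no,admin,2019-02-01
Backup Ltd,bkp-agent,vendor-mgmt,vpn,yes,operator,2019-02-20
"""


def parse_register(text):
    """Parse the CSV register into a list of dicts, one per vendor account."""
    return list(csv.DictReader(io.StringIO(text)))


def check_account(row, today):
    """Return the list of control failures for one row (empty when clean)."""
    findings = []
    if row["zone"] not in APPROVED_VENDOR_ZONES:
        findings.append(f"zone '{row['zone']}' is not a segmented vendor zone")
    if row["access_path"].lower() != "vpn":
        findings.append(f"access path '{row['access_path']}' is not VPN")
    if row["mfa"].lower() != "yes":
        findings.append("MFA not enforced")
    if row["role"].lower() in PRIVILEGED_ROLES:
        findings.append(f"privileged role '{row['role']}' granted to a vendor account")
    age = (today - date.fromisoformat(row["last_validated"])).days
    if age > MAX_DAYS_SINCE_VALIDATION:
        findings.append(f"last validated {age} days ago (limit {MAX_DAYS_SINCE_VALIDATION})")
    return findings


def audit_register(text, today_iso):
    """Map account name -> findings, for accounts with at least one finding.

    today_iso is the review date as an ISO string (e.g. "2019-03-01") so the
    validation-age check is reproducible.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for row in parse_register(text):
        findings = check_account(row, today)
        if findings:
            report[row["account"]] = findings
    return report


if __name__ == "__main__":
    # Review run against the constructed register as of 1 March 2019.
    for account, findings in audit_register(SAMPLE_REGISTER, "2019-03-01").items():
        print(account)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the script flags `printsvc` (non-segmented zone, direct access, no MFA, admin role) and `payroll-ops` (last validated 181 days before the review date), while the two compliant accounts produce no output. The same structure extends naturally to pulling the register from a directory service or VPN concentrator export instead of an embedded CSV.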
Segment suppliers based on risk
The basic risk management principles also apply to managing supplier-related cyber risk: the rigor of the assurance process should be commensurate with the criticality of the business process, and the potential impacts should the outsourced business process be compromised. For instance, suppliers that handle high-value payment processes, handle volumes of customer personally identifiable data, manage critical infrastructure or underpin the most profitable business lines require tighter governance as compared to those that handle ancillary services, such as administrative tasks. Taking a risk-based approach maximizes the value of the security assurance budget, as well as reduces needless audits on suppliers. It also reduces noise, enabling limited security resources to focus on supplier arrangements that present the highest level of risk instead of spreading thin across all supplier arrangements, each of varying levels of significance.
The benefits of outsourcing are vast, but business leaders can no longer afford to enter into these alliances blindly. Cyber resilience is no longer a nice-to-have, but a top business imperative with far-reaching consequences on brand perception, customer retention, margin, regulatory compliance, and more importantly, business survival.
About the authors
Phil Zongo is the author of The Five Anchors of Cyber Resilience, an Amazon best-selling book that strips away the complexity of cyber security and provides practical guidance to business executives. He is also the 2016 – 17 winner of ISACA’s Michael Cangemi Best Book / Article Award. Zongo is the Founder and CEO of CISO Advisory, a consultancy firm that helps enterprises build high-impact and cost-effective cyber resilience strategies.
Rohini Kuttysankaran Nair is an experienced project manager with more than a decade of experience helping large enterprises deliver complex digital transformation programs. She is now leveraging her strong technical background and project governance skills to help enterprises deliver business-aligned cyber resilience uplift programs. She is based in Sydney, Australia.
ISACA successfully organized a SheLeadsTech event focusing on career development of female IT auditors in Shanghai earlier this month. This was a milestone event in China, believed to be the first female-themed event of this scale among IT auditors in China. Executive speakers from ISACA, a leading accounting firm, a bank, and an insurance company conducted speeches and a panel discussion on selected topics.
Tara Wisniewski, ISACA Senior Vice President, Global Affairs, attended the event and introduced the SheLeadsTech strategic program for the audience. More than 50 professionals attended the event, including some senior male professionals in the industry who provided great support. The event was delivered in both English and Chinese.
Some takeaways and observations from the event:
1. Representation of women in the tech workforce is higher in more developed areas than in less developed areas. Female professionals may leverage the advantage of working in Shanghai to expand their horizons and connect with established valuable groups of professionals.
2. Representation of women in technology leadership roles is increasing.
3. Some global organizations have women’s leadership programs to assist women in growing their careers. These programs share common goals to empower women and create platforms for female participants to collaborate across the globe.
4. Women need to realize their unique values to perform work and communicate in and across organizations. For example, women may have an advantage in terms of interpersonal skills, which is important in gathering information and evidence from various people and roles required for IT auditing.
5. The ISACA Shanghai Community works to provide a platform for women in tech, especially in IT auditing, risk management, governance and in supporting female leadership.
Here is what we recommend female professionals in tech do, based upon the above takeaways and observations:
1. Identify existing and nearby women’s leadership groups and programs from either employers or communities, such as ISACA local communities or chapters, or both, and actively participate in the programs. Reach out to people from the programs and build professional relationships. Attending events is a great way to learn from and communicate with the experienced professionals.
2. Intentionally improve soft skills. Attend relevant courses, learn and practice how to persuade people in order to meet specific business goals, how to perform better in presentations, how to communicate with people in more rational ways, etc.
3. Keep learning and improve expertise. Get familiarized with new technologies and trends. For example, learn IoT technologies, and give thought to how IT auditing may be different in IoT environments. Learn big data technologies, and consider what may be unique in terms of data lifecycle and data governance of big data. The ISACA Journal is a valuable resource that provides useful knowledge and experiences covering these areas and can trigger more thoughts.
The Future of Jobs Report 2018, published by the World Economic Forum, presents a well-researched reading with a thorough and comprehensive coverage of global industries and regions. The essence of the report can be captured in the preface by Klaus Schwab, founder and executive chairman, World Economic Forum, which states “Catalysing positive outcomes and a future of good work for all will require bold leadership and an entrepreneurial spirit from businesses and governments, as well as an agile mindset of lifelong learning from employees.”
It was Peter Drucker who said in a 1992 essay for Harvard Business Review that “In a matter of decades, society altogether rearranges itself – its worldview, its basic values, its social and political structures, its arts, its key institutions. Fifty years later a new world exists. And the people born into that world cannot even imagine the world in which their grandparents lived and into which their own parents were born. Our age is such a period of transformation.”
The transformative society, often called a knowledge society, has now gone past the initial technological innovations and is traversing the digital expressway. This no longer requires 50 years for a full cycle of change, but just five years.
The report, which addresses a Fourth Industrial Revolution taking place from 2018-2022, puts forth succinctly that the impending transformations, if managed well, can lead to good work, good jobs and improved quality of life, or otherwise can result in widening skill gaps, greater inequality and broader polarization.
The key points are as follows:
- Four specific technological advances – ubiquitous high-speed mobile internet; artificial intelligence; widespread adoption of big data analytics; and cloud technology – are set to dominate the 2018–2022 period as drivers positively affecting business growth.
- Significant change is at hand in the composition of the value chain and the geographical base of operations.
- Lots of specific human tasks can be automated by 2022.
- The demand for traditional skills will diminish, paving the way for demand for new skills like those of data analysts and scientists, software and application developers, and those with expertise in e-commerce, social media, machine learning, big data, process automation, information security analysis, human-machine interaction, robotics engineering and blockchain. Also included in this list are human-specific skills, such as training, organizational development and innovation managers.
- Companies prefer to hire new permanent staff with relevant skills, so existing employees should develop mindsets focused on a lifelong pursuit of learning, knowledge acquisition and re-skilling.
- Policymakers, regulators and educators will need to play a fundamental role in helping those who are displaced to repurpose their skills or retrain to acquire new skills.
While this report contains a wealth of valuable information, let us analyze how it impacts the fields of specific interest to ISACA’s professional community.
The report identifies an increase in cyber threats as one of many trends set to negatively impact business growth up to 2022, and increasing adoption of new technology such as big data, mobile internet, artificial intelligence and cloud technology as being among the many trends set to positively impact business growth. But all of the factors are only going to positively impact the cybersecurity profession, as advances in technology and its associated increasing cyber threats will only require more and more cybersecurity professionals.
The report also identifies stable roles, new roles and redundant roles, in which information security analysts are in both stable and new roles, which is very heartening and as expected.
Auditors have been mentioned under redundant roles, probably because it is thought that artificial intelligence can take over routine decisions on auditing and assessment. Though it is true to some extent, auditing as a profession will never diminish completely, as newer technologies will always bring in newer threats and loopholes, which need to be plugged by trained auditors. For sure, auditing techniques will evolve tremendously under AI, but the work can never be fully delegated to robots or be completely automated, because while humans can create super-intelligent computers which are completely predictable, humans themselves remain unpredictable. Therefore, human auditors are here to stay.
ISACA and the AICPA should continue to develop and evolve newer standards on auditing to render assurance services for the enterprises advancing technologies as part of the Fourth Industrial Revolution.
Author’s note: The views expressed in this article are the author’s views and do not represent those of the organization or of the professional bodies to which he is associated.
An SVP of Enterprise Risk Management (ERM) at a highly influential financial services company recently told me that succeeding in ERM is all about “breaking down the silos.” It’s a good mantra – one that IT audit and GRC professionals should take to heart and execute on daily.
One increasingly effective way to do that is through expanded understanding of information and cyber security. Information security has become critical to understanding an enterprise, its risk and its processes. To add increased value now, IT audit and GRC professionals have to build solid information security skills. This is the golden ticket to short-term success and long-term career sustainability.
The director of IT SOX compliance for a global medical device company and I were talking about who she hires for her team. She views information security knowledge as part and parcel of the requisite qualifications. She noted that a lot of people coming from public accounting have reviewed change management from an IT controls perspective, but they don’t really understand the technical processes that underlie change management. Without the technical knowledge of how a network works and its security requirements, for instance, the auditor provides a review at a superficial level. Beyond that, without baseline level knowledge of information and cyber security, it is very hard to make the jump to applying what you know to an unknown system and applying critical thinking.
CAEs, IT audit directors and IT risk directors all are crying for talent that can demonstrate critical thinking skills, and a big picture understanding of how to align risk, enterprise strategy and appropriate controls. Critical thinking skills come from a combination of intellectual curiosity and knowledge. Innovation as well as nimble and proactive responses to dynamic business environments require more than rote practice. They require the ability to leverage knowledge and experience to develop pragmatic and, when necessary, creative solutions to risk and controls. Information security is a key domain area that supports critical thinking in IT audit and GRC.
The NA IT audit director at a global financial services company said he views information security skills as a core skill set that is necessary for being hired as a senior IT auditor – and even more so as an IT audit manager – on his team. To add value, he noted, IT auditors need to be able to challenge the configuration and the build of the information security environment (encryption, firewalls and so forth).
His strong statement was: “If an IT auditor doesn’t have information security knowledge and experience, they don’t even know how to ask about how the system was built. A key question they have to ask is ‘Are the in-built controls enough?’ If they have had only general controls experience, they will typically only ask ‘What is the control?’ and ‘Is the control being followed?’”
As an executive search provider to Fortune 500 companies in the IT audit and GRC space, we have seen an incredible uptick in the requirement for information and cyber security knowledge in candidates for IT audit and GRC roles. This year alone, a major FinTech company built out its “Second Line” IT risk, internal controls and compliance functions, doubling its existing resources in these areas due to risk and regulatory requirements. The CISO was clear: He wanted the new resources to have strong knowledge of information security, including cybersecurity, plus cloud, blockchain, operating system security, NIST, and COBIT 5.
The drivers contributing to the growing need for information security knowledge and skills (mounting external threats, emerging tech, outsourcing and third parties, new regulations such as GDPR) are increasing and will continue to do so.
Developing a solid understanding of information security fundamentals is vital as IT Audit and GRC professionals build out and enhance current skills in order to achieve near-term career goals. Information security skills and knowledge are absolutely critical for crafting sustainable, long-term career growth no matter which career path you chose: IT Audit, GRC, or security.
Start with small steps: reading, online coursework, setting up a tech sandbox in your basement, talking with your information security colleagues and sharing their passion. Participate as a guest resource within IT or information security. Volunteer or lobby to be the audit, risk or compliance representative on the corporate information security roundtable. Finally, consider a serious move: a security-focused certification or certificate.
In the words of Stephane Nappo, Global Head of Information Security for Société Générale International Banking & Financial Services: “A holistic vision can help to build the comprehensive approach we need nowadays … the real scope includes five main factors: cyber-threat, technology issues, business evolution, behavior gaps and legal compliance… Security basics (vulnerability management, access rights review, password policy, system hardening, vendor management, awareness, etc.) are often 20% of costs and 80% of risk coverage.”
The mission for IT audit and GRC professionals for 2019: Be part of that holistic vision. Firm up your information and cyber security skills. Break down those silos. Add value.
Editor’s note: Are you an auditor seeking to improve or demonstrate your cybersecurity knowledge? Take a look at ISACA’s brand-new Cybersecurity Audit Certificate here.
Cybersecurity continues to grab spotlight and mindshare as it pertains to computing and social trends.
The topic itself is broad and expansive, and the true impact of this segment of computing will be around for generations to come. For strong perspective on where the industry stands in its current state, ISACA’s State of Cybersecurity 2018 research is a must-read. This report provides a great assessment of what needs to happen in the cybersecurity field to move from reactive to proactive.
Challenges around cybersecurity are not new and have actually been around since the dawn of computing. However, it is now a topic that everyone talks about. It is a board topic, it is a public safety and livelihood topic, and it is a personal topic. Hitting this trifecta of impact has finally created the sense of urgency and the attention that is needed. Now, the key is that as an industry, as a country, and as a world of over 7 billion people, we need to effectively address these industry challenges to preserve the computing environment for the future.
Today, most cybersecurity efforts are focused on what is referred to as the “EMR” model of educate, monitor, and remediate. This approach is effective but is essentially like the game of “whack-a-mole,” where the core underlying risks and issues are never solved and keep popping up.
So, how does the governing of cybersecurity become proactive?
While EMR is essential, the core foundation of a more secure and trustworthy computing experience requires being more proactive. Proactive means ongoing, real-time, continuous self-testing and self-assessment, and a laser focus on education as it pertains to best practices. This, combined with a continued evolution on the new SaaS (security-as-a-service), will help mitigate and ensure more trust in the future. Still, it will be very difficult to solve all cybersecurity challenges due to the technical debt that exists and will exist for the immediate future.
Safe and secure computing can occur with a connected, comprehensive approach to security embedded in each of the leading digital disruption levers, from the Internet of Things, to conversational artificial intelligence, to blockchain and distributed ledger technology, to wearables and mobility. Industry focus, industry standards, close adherence to best practices, and the constant ability to randomize to protect digital identities is on the horizon and needs to continue to gain acceleration.
However, first and foremost, security best practices begin at the code level. As software engineers and as an innovation industry, we must make sure this is well-executed in each and every opportunity we have.
Author’s note: Mike Wons is the former CTO for the state of Illinois and is now serving as Chief Client Officer for Kansas City, Missouri-based PayIt.
The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.
The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.
Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.
While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long-run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:
- Understanding beats memorizing. Compliance professionals who truly understand the intent of a framework are best positioned to adapt it to their organizations.
- Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
- Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
- Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
- Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.
Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:
- Simplify compliance;
- Reduce the likelihood of missing compliance requirements;
- Maximize everyone’s time;
- Allow for clearly understood expectations;
- Are commonly accepted by control stakeholders.
The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.
“We’re here to make sure that crime doesn’t pay,” Villanueva said.