The enterprise IT organization is awash with operational silos that touch IT service management (ITSM). In many ways, one could argue that some of these should actually be part of corporate ITSM activities.
Most commonly pointed to is the App Dev and IT Operations divide, with DevOps a potential solution. But there are other significant opportunities for different parts of the enterprise IT organization to get along better. These include: security; IT asset management; and IT governance, risk and compliance.
The latter, in particular, is interesting as ITSM is actually part of the larger governance picture.
Consider the case study of a project performed by Intreis, a consulting firm specializing in ITGRC and ITSM integrations that partners with my enterprise. Intreis’ customer, a publicly traded global technology firm, is subject to SOX, PCI, European Safe Harbor, and ISO27001. Its controls environment consists of some 100 general computing controls. Prior to adopting an integrated approach to ITGRC and ITSM, their audits took eight months, cost more than $1.5 million, and auditors would identify dozens of deficiencies.
Through automation and integrating the customer’s ITSM and ITGRC processes on a single unifying platform, costs were slashed by 80%, turnaround was improved, IT hours were reduced and zero deficiencies were reached.
What’s the secret? Intreis advises six key steps:
- Define your services—Your services are the basis for effective process design and controls identification.
- Process redesign—Embrace it. You will have to redesign your processes in order to embed and automate your controls. It is worth the effort.
- Consolidation of controls—Get to a consolidated set of controls. The idea is to define one master set of controls that meets all of your business and regulatory requirements.
- Enlist the experts—Not everyone can be experts in controls and compliance or process design. If you don’t have the expertise in-house, engage subject-matter experts. Get it done right the first time and enjoy the results for a lifetime.
- Automate, automate, automate—Any time something is done manually it is open to human error. Automate to the fullest extent possible for maximum predictability and efficiency.
- Allow time for results—Definition and automation do not take very long, about a third of the time of most ITGRC-application implementations. With that said, many IT controls operate quarterly and annually, so your full savings potential may not be realized in year one, but you will certainly see it in year two.
Senior Manager, Product Marketing, ServiceNow
Continue the conversation in the Service Management topic within ISACA’s Knowledge Center.
One of the greatest challenges most professional women face is that of the work/life balance. Most of my colleagues laugh when I mention this, as they believe I have only two speeds—top speed and complete stop! There is, unfortunately, a modicum of truth in that. But it is necessary to have a level of drive and determination if you are going to reach the top of your field, particularly if you are female.
In the technology fields, only 26% of professional-level roles are held by women. I have worked hard to get to the position I am in today—sitting on the International Board of ISACA—but I am also aware that I have had some sensational role models along the way. I have been fortunate enough to participate in a number of international research initiatives in the areas of information security and governance. And I have met some wonderful people in my professional life and through my affiliation with ISACA.
However, too few of these people have been women.
In my role on ISACA’s Board, I am joined by Theresa Grafenstine and Krysten McCabe. We are in a position to encourage aspiring women to make the transition from operational to strategic areas of business. There are always detractors, and I have found in my professional life that there are those (including other women) who will ensure that it is difficult for you to make that transition. But when you do it is well worthwhile.
It can also be challenging. Techopedia recently published an article on women in the workforce, and I shared this mindset with them:
It’s my belief that, even today as a woman in the workforce, you cannot afford to cut corners. You absolutely have to be better qualified and better prepared than your male colleagues because there isn’t a glass ceiling, from my own experience. It’s a granite one, and I was more than prepared to take the jackhammer along with me.
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP
Director of Information Security and IT Assurance, BRM Holdich, Australia
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.
The “tech cleanse” movement is about achieving an equilibrium with technology, rather than taking an all-or-nothing approach. I would never expect anyone to remove technology from their life, and we benefit greatly from technological advancements. The key is looking at the intention behind our usage, and taking into consideration the frequency of and the environments in which we turn to our digital devices.
Mindfulness plays a major role in finding balance. For example, if I am waiting in line at the store, my instinct is to immediately reach for my smartphone. But lately I have been pushing myself to take a moment first, to consider the urgency and intention behind this instinct. For some people it has become almost a nervous twitch, and it is nearly impossible to stand idly without “doing something.” Each time I am waiting in a line or in traffic, I try to remember to give thanks for the rare time that I get to take a break from all of the input.
For people who work in the tech industry, this becomes even more important. An extreme example is my father, who has been a successful programmer and systems analyst his entire life. He works long hours and when he is not at the office he is mostly unplugged. He does not own a personal computer or a tablet, and it has only been a year since he broke down and got a basic cell phone. His most beloved digital device is his GPS that guides him through the wilds of Canada where he hunts each November.
So how do we find that equilibrium? And for those of us working in the technology sector, what are some practical tools we can put into action right away? These questions are at the core of the tech cleanses I lead. Here are a few easy tips:
- When not at work, schedule your tech breaks. Check your texts, social media, or whatever else seems important to you before dinner and then leave your phone muted, face down or tucked away. Remind yourself you can take another look after dinner to put your mind at ease.
- Leave technology out of the bedroom. All of it. Not only will it put your mind at ease to know that checking your phone in the middle of the night is not an option, but studies have shown that having digital devices near your bed at night may interfere with the quality of your sleep. Using technology just before sleep has been shown to lead to poor sleep quality and even a deterioration in verbal-cognitive performance among youth.
- Throughout the day, take at least two 15-minute breaks from all technology, whether it is a short walk outside or catching up with a friend. (If possible, it is ideal to take five-minute breaks every 90 minutes.)
Just like any stimulant, checking your smartphone sends a rush of dopamine to your brain. Find other “pleasure points” that can replace this technology fix. The more replacement activities you turn to, the more you can reestablish equilibrium, and in turn you might appreciate your time with technology even more!
Director, Tech Cleanse
More than 45 years ago, a small group of individuals recognized that business had changed and that there was a need to define a profession around the audit of information systems. These individuals connected with likeminded professionals to create a body of knowledge and a certification that would distinguish them and their skill from others in audit and IT. The hard work and entrepreneurial activities of this evolving group resulted in the birth of ISACA and the creation of a profession that is now recognized globally.
Change continued as new technology capabilities were embraced by enterprises and as executives and management explored opportunities to draw value from information and information systems. A necessary component of value is the ability to also trust the information and the systems that the enterprise relies upon. As enterprises changed, and as their dependence on information and information systems grew, the skill and expertise that were part of IS audit was embraced by the enterprise. ISACA members were drawn to new professional opportunities and joined other professionals who contributed different skills and professional perspectives to take on trust-related responsibilities for information protection, information systems risk management, and regulatory compliance. ISACA has embraced enterprise and technology change and continues to be actively engaged in supporting our members by providing access to leading experts and to other professionals who can be consulted to help resolve difficult issues. We provide the credentials that distinguish members within the workforce. We disseminate the foundational, applied and career knowledge necessary to address changing conditions and needs.
Change is a constant part of our modern lives. Evolving technologies such as cloud computing, mobile devices, and the Internet of Everything have resulted in the exponential growth of information, creating almost unlimited new opportunities to leverage this big data. These enabling technologies are driving change in how and where work is done, how individuals and groups relate, and how enterprises structure work groups and perform their activities. These new and evolving technologies and their use by enterprises are also creating new cyber-threats. They also challenge the right of individuals to control their identity and personal information. Recognizing the accelerated change we experience and its impact on society, the enterprise and our professions, ISACA launched a strategy initiative to ensure we continue to serve the professional interests of those responsible for ensuring that enterprises achieve value and can trust information and information systems. As ISACA has transitioned from a solitary focus on IS audit to address the wider and evolving needs of enterprises and our members, we are expanding our reach into other professional areas as trust responsibilities are more widely distributed within the enterprise and as trust and value responsibilities are shared among a wider group of technology and non-technology specialists.
Recently ISACA experienced another change as I took on the responsibility of Acting CEO upon the retirement of Susan Caldwell, our long-time CEO. As we experience this change, ISACA will remain constant in serving our members by providing the credentials, educational programs, knowledge and community that not only make them credible and capable, but that prepare them to address challenges created by the continued force of technical and enterprise change. As a member of ISACA, a professional holding an ISACA certification, and the chief knowledge officer and acting CEO, I am honored to be able to serve my colleagues in the profession. As ISACA has faced change over the years we have continued to remember our purpose, to serve our members and to point the way for enterprises to gain trust in and gain greater value from their information and information systems.
Ron Hale, Ph.D., CISM
Acting CEO, ISACA
Editor’s Note: Ron Hale was recently selected to the National Association of Corporate Directors Directorship 100 for Governance Professionals and Institutions. This award recognizes directors who lead through innovation, courage, integrity and commitment. ISACA congratulates Ron on this great accolade.
In late August, ISACA welcomed a new chapter—Lusaka—to the association. With about 100 members, the new Zambian chapter is serving the needs of local IT professionals in search of career development, networking, and increased awareness of their skills and certifications. (About 40 members of the Lusaka Chapter already hold ISACA certifications.)
There is great interest in ISACA in Zambia, particularly in the capital, Lusaka. And I was thrilled to be a part of the chapter-launching ceremonies recently. The chapter board members are very enthusiastic and organized a great event at short notice. On a personal note, they made me feel very welcome.
It was a privilege. It was a pleasure. And it was a busy few days.
The first day of ceremonies featured the official launch of the chapter and a chapter meeting. Day two featured a conference with sessions on COBIT, cybersecurity and IT audit. Lusaka Chapter President Moonga Mumba (who is glowingly profiled in this article) oversaw the activities, citing how pleased he and his peers were to have their own chapter.
The Lusaka Chapter’s launch attracted local media, resulting in radio and newspaper coverage (see here).
It also drew dignitaries. Zambia’s Deputy Auditor General Regina Chilupula, speaking on behalf of Auditor General Anna Chifungula, said, “For us auditors, the paradigm shift towards integrated audits also means that the demand for information technology governance professionals is increasing.”
Chifungula, whose office has adopted ISACA's COBIT framework as a guide for its information-system audits, added that she appreciated the role ISACA was playing in promoting the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
Throughout two days of festivities, business connections and friendships were made, photos were snapped, and memories were forged of the origins of what will surely become another great chapter in the ISACA association.
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP
Information Risk Manager at Morgan Stanley
ISACA International Vice President
*See the full photo album from Allan's visit with the Lusaka Chapter here.
I am pleased to announce that Ron Hale, Ph.D., CISM, has been named acting chief executive officer (CEO) and corporate secretary of ISACA and the IT Governance Institute (ITGI) effective today.
Ron’s depth of knowledge and diverse background will serve ISACA’s members very well. After serving with the Cook County Sheriff’s Department for more than a decade as a crime-scene investigator, he entered the security field, serving as manager of security services for Northrop Corporation Defense Systems Division, and then as a research manager for the Bank Administration Institute. He has also provided consulting services as a practice director in the Enterprise Risk Management division within Deloitte & Touche LLP.
Ron has been with ISACA since 2004 and is highly respected among members, associates and others in the field. He currently serves as ISACA’s chief knowledge officer, responsible for leading the association’s research and knowledge-development efforts, and today begins serving in his new roles, upon the retirement of Susan M. Caldwell, CEO and corporate secretary of ISACA and ITGI. Since 1992, Susan has been responsible for directing the organizations' pursuit of helping IT professionals and enterprises around the world achieve trust in, and value from, information systems. For more than 30 years, Caldwell has been a CEO of national and international research, trade and professional organizations, representing a range of industries.
We are pleased to have Ron serve as acting CEO to ensure continuity and continued momentum for association constituents during this transition. Our profound thanks also go to Susan for her strong leadership in guiding ISACA through its past two decades of significant growth.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
It continually amazes me when I consider the foresight exhibited by ISACA’s founders. They are truly pioneers of our profession. Electronic data processing (EDP) auditing was barely a recognized endeavor 40-50 years ago, yet these individuals had enough vision to know that it was vital to good business practice. I am grateful to them for their courage and commitment. Their efforts continue to benefit us, our industry and business around the world to this day.
I have been thinking about this since hearing that Stuart Tyrnauer, ISACA’s first president, who served from 1969 to 1972, has passed away. Stu was instrumental in the formation of the association, then known as the Electronic Data Processing Auditors Association (EDPAA), in California (USA) in 1969.
While they had a strong grasp on the growing importance of our field, I don’t know if Stu and the other founders knew just how significantly this association would grow. But clearly, they are all important facets of what we have become.
Stu personified the idea that each individual can make a difference. All members of ISACA have the capability to positively influence this association and their own professional and personal spheres.
I take pride in knowing that the core of ISACA has been, since its inception, our members, our volunteers and the reputation we all uphold. While we celebrate Stu’s accomplishments today, we also acknowledge our sadness at his passing and send our deep sympathy to his wife, Donna.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
The creature has been with us all along, of course, but it was only this year that a team of Smithsonian scientists confirmed that the little brown mammals living in the tree canopies of Andean forests were a distinct species. You may have read about the olinguito, which recently made headlines as a newly discovered species. (For years, scientists had mistaken olinguitos for their cousins, the olingos.)
“The olinguito, described as a cross between a house cat and a teddy bear, is the first new carnivorous mammal identified in the Western Hemisphere in 35 years…” writes NBC News’ Nidhi Subbaraman. “…and it’s considered among one of the cutest scientific finds in recent memory.”
Researchers first laid eyes on the olinguito back in 2006, following up on a hunch they had developed a few years prior. But only this year were they able to confirm and announce their big news.
So what can the discovery (if I may be excused for using that human-centric term) of the olinguito teach those of us in the information audit, governance, risk, control and security professions? Sometimes, we must look past the familiar—past our preconceived notions—to make meaningful discoveries. Sometimes we must alter our perspectives and shine a new light on old problems to solve them.
I am proud to note that ISACA constantly takes that approach with its ever-growing library of deliverables. White papers, conferences (in-person and virtual), surveys, certifications and webinars provide members with new approaches to overcoming challenges in their professional lives. And with the continued emergence of new challenges—think BYOD, the Internet of things, cloud adoption—new mindsets and new skills are required.
This theme of constant discovery is also often addressed at ISACA events. With three different conferences taking place this month, the options and venues for education are varied. Some highlights include Amar Singh’s cloud keynote and John Meakin’s cybersecurity keynote at EuroCACS/ISRM, which concluded yesterday. At Oceania CACS, I will be among a group of keynote speakers exploring shifting approaches to IT. And at Latin America CACS/ISRM, Samir Estefan and Luis Arturo will present on the democratization of technology and changes with internal audit in the financial sector, respectively.
While it is refreshing to hear reports of the identification of a new species, it also is encouraging to know that ISACA continues to provide inspiration for professionals in cutting-edge fields like ours. By being open to new ways of looking at daily issues and challenges, we may find that we can make some groundbreaking discoveries ourselves.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
In the hype surrounding big data, too many people seem to be forgetting, “What is the question?”
Whether selecting a vendor, a marketing campaign, or your customer-service approach, knowing the “what” and the “why” is the starting point. Consider this—in a survey*, 54 percent of people prefer kickball over dodgeball. But among those who prefer chemistry to physics, 73 percent prefer kickball to dodgeball. And thus…what?
Too many people get distracted by the hype of a big data tool rather than focusing on the hypothesis to test. Is it enough to know a correlation (that says nothing about causality) or does a decision-maker need to know the actual cause? For example, should a sales prediction for snow shovels be based on sales of winter coats or on the weather forecast? Once the question is clear, an appropriate technique can be selected.
In another survey, 78 percent of people say they always tip their servers, even if the service is poor. But among those who prefer their gravy thin and soupy rather than thick and gloopy, 94 percent always give a server a tip, even if the service is poor. (If you have seen Men in Black 3, you know about causality and tipping!)
Using only associations when causality is needed is why marketers get ugly surprises when underlying causes change. (Consider the rapidly changing tastes in social media platforms.) It is a problem, for example, when IT planners run correlations on web-server loads without knowing about new consumer promotions causing traffic increases.
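The snow-shovel argument above, as an added simulation that is not part of the original post: all sales figures and temperatures are constructed, and the "promotion" stands in for the kind of change in an underlying cause the post warns about. A predictor fitted on the association (shovels from coat sales) and one fitted on the cause (shovels from temperature) agree while nothing changes, and diverge as soon as a coat promotion moves coat sales without moving the weather.

```python
"""Association versus cause: a constructed snow-shovel / winter-coat simulation."""
from statistics import mean

# Constructed daily temperatures (degrees C) for a training month; not real data.
TRAIN_TEMPS = [-8, -5, -2, 0, 3, 6, 9, 12, 7, 4, 1, -3, -6, -9, -4,
               0, 2, 5, 8, 11, 6, 3, -1, -4, -7, -2, 1, 4, 7, 10]


def coat_sales(temp_c, promotion_boost=0):
    """Winter-coat sales: driven by cold weather, plus any marketing promotion."""
    return max(0, 50 - 3 * temp_c) + promotion_boost


def shovel_sales(temp_c):
    """Snow-shovel sales: driven only by cold weather, the actual cause."""
    return max(0, 30 - 2 * temp_c)


def fit_line(xs, ys):
    """Ordinary least-squares slope a and intercept b for y ~ a*x + b."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    a = sxy / sxx
    return a, my - a * mx


def mean_abs_error(preds, actual):
    """Average absolute prediction error over a test period."""
    return mean(abs(p - y) for p, y in zip(preds, actual))


def compare_predictors(test_temps, promotion_boost):
    """Return (association error, cause error) for a test period.

    Both models are fitted on the training month, where coats and shovels
    move together because both respond to temperature.  In the test period a
    coat promotion adds promotion_boost to coat sales on every day, which
    changes the association but not the cause of shovel sales.
    """
    coats = [coat_sales(t) for t in TRAIN_TEMPS]
    shovels = [shovel_sales(t) for t in TRAIN_TEMPS]
    a_c, b_c = fit_line(coats, shovels)        # shovels ~ coat sales (association)
    a_w, b_w = fit_line(TRAIN_TEMPS, shovels)  # shovels ~ temperature (cause)

    actual = [shovel_sales(t) for t in test_temps]
    test_coats = [coat_sales(t, promotion_boost) for t in test_temps]
    pred_assoc = [a_c * c + b_c for c in test_coats]
    pred_cause = [a_w * t + b_w for t in test_temps]
    return mean_abs_error(pred_assoc, actual), mean_abs_error(pred_cause, actual)


if __name__ == "__main__":
    test_month = [-6, -1, 2, 5, 9, 0]  # constructed test temperatures
    for boost in (0, 30):
        assoc_err, cause_err = compare_predictors(test_month, boost)
        print(f"promotion boost {boost:>2}: association error {assoc_err:5.1f}, "
              f"cause error {cause_err:5.1f}")
```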
Avoiding problems like this requires employing the right technique to answer the right question. Too often, big lazy data comes from analysts using software tools and/or datasets that are easily available, rather than using the right ones. This is seen when financial-news commentators give poor advice because they don’t dig into the stories behind the numbers.
IT departments also fall into this trap when reporting easily available infrastructure-monitoring data (e.g., processing units) to internal customers, rather than more meaningful measures, such as user-response time.
IT leaders should consider four opportunities to partner with business users to:
- Understand data SOURCE quality. Many errors spring from misunderstanding the data source (e.g., nature of questions asked, respondent characteristics, randomness of sample, strata, response rate, point-in-time). This is Statistics 101 stuff that gets lost in the minds of busy people.
- Improve data SET quality. Not just the basics (truncated data passed from system to system), but also the ability to more easily align time series and transform data points (e.g., math or logic operations).
- Understand the STAGE of research. To determine what to study for causality, a correlation might be a helpful initial filter, but not the more robust answer.
- Understand the cost SAVINGS from using the right tool for the job. For example, rather than spending mountains of time and money on big-number crunching for correlations, focus-group interviews might offer more insight on why a new software product is not selling. Consider this: why would 46 percent of people rather be called a nerd than a geek, but among those who would rather be a portrait photographer than a landscape photographer, 67 percent would rather be called a nerd? The data associations aren’t actionable without knowing why. The “why” is probed with focus groups and similar approaches.
So how do you implement this approach? You can cross-train business and IT pros to serve as expert resources for the organization. Basic tools in the hands of experts are usually better than advanced tools in the hands of the confused. When basic tools are fully utilized, the business case for more—and more advanced—tools gets easier. I think 100% of people would agree with that.
*The crazy correlations included here are courtesy of Correlated.
Principal, ValueBridge Advisors
Continue the conversation in the Big Data topic within ISACA’s Knowledge Center.
Captain Richard Phillips, whose dramatic nautical kidnapping is the basis for next month’s “Captain Phillips” film starring Tom Hanks, will deliver a special keynote—Insights on Protecting Enterprise Assets From Even the Most Unpredictable Threats—at ISACA’s North America Information Security and Risk Management (ISRM) Conference in Las Vegas this November.
While at sea, Captain Phillips answered a few questions to preview his presentation.
ISACA: How is a ship captain a "floating CEO"?
Captain Phillips: Mainly in the way you are responsible for all facets of an operation and activities in an organization, even if it is not your field of knowledge or, lord knows, your expertise. You have to try and solve the problems that occur, no matter the source—no matter the department or area of concern—and solve them in a way that does not adversely affect your whole organization. In business as well as on ships, the organization can run smoothly, but a hiccup or error in one department can potentially take the whole thing down.
We are only as strong as our weakest link. A great idea can fail in a business if all departments are not on the same page and actually working toward the same goal without egos or selfishness. I think that is the most important job for a captain or CEO or anyone running any kind of team—to get everyone to buy into a formula or procedure; to ensure that everyone knows their job and its importance, and the importance of everyone else’s work. This makes any endeavor successful.
ISACA: Does the modern ship captain deal with any information technology / information security / risk issues?
Captain Phillips: Nowadays in any job, we all deal with these issues on varying levels. IT departments in every company seem to be growing, and more demands are being put on them.
On ships with satellite communications and computer programs for payroll, stability, cargo stowage, etc., the technology has grown by leaps and bounds. While the need for computer security is less than in most businesses, there is still the concern for identity theft. This is a problem all over the world, onshore and at sea.
ISACA: What is the greatest challenge in your profession in recent years?
Captain Phillips: I think it is and always will be the same as it was in the beginning: to get the ship, its crew and its cargo safely from point A to point B. The problems change with the times and with locations, but we still deal with hurricanes, typhoons, fog, ice and all that the environment can deal us. And there are problems that every other business deals with—personnel, IT, communications, safety, security, health, fires, mechanical breakdowns, maintaining schedules, economic upheavals, and the changing seas of business and the economy.
Like any profession, this is about maintaining a good business, foreseeing problems as best you can before they become critical, and ensuring you are heading in the right direction.
Want to see the captain in person? Learn more about ISACA’s North America ISRM conference.