For those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.
SciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events.
If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of the challenges we have all had with being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.
The point is, discovering new technology adoption after the fact means added risk. Knowing in advance helps on both fronts: from a governance point of view, it helps mitigate strategic risks like getting suboptimal pricing when vendor contracts are non-standard or not centrally negotiated; from a security standpoint, it helps address "blind spots" in protecting new technology when that technology is early in the adoption curve. So in a very real sense, better forecasting means better risk management. And, in turn, the ability to forecast new technology—including adoption, the approximate timing of when that technology will proliferate, what sectors might be impacted, etc.—is of great potential value to ISACA members.
SciCast represents a unique source of data for ISACA. Knowing what’s on the technology horizon helps us give our members relevant guidance to maximize technology investment returns and minimize risk for their organizations.
“This also enables strategic, rather than tactical, decision-making. SciCast will provide us with a key data source to provide our membership with more rapid, more accurate, and more granular information about upcoming future trends,” Pasfield explains. “Because the SciCast platform is open, it allows us to incorporate information from the platform directly into our forward-looking knowledge products. That openness also allows us to reframe the information coming from the platform to make it most accessible to our membership and best meet their needs. It’s a very exciting platform, and I encourage you to take a look and start predicting.”
Chair, ISACA’s Emerging Business and Technology Committee
Which smart technology will be most vulnerable to cyber-attacks in 2014? Predict now: http://ow.ly/zcVEt
The job of defending the world’s data from cybercriminals is an increasingly complicated one. According to industry experts, however, there is a lack of qualified information security professionals ready to lead the world’s organizations to true cybersecurity. That’s where EC-Council Foundation’s Global CyberLympics initiative comes in. Last year, the competition had more than 3,000 cybersecurity professionals participate, representing 72 countries, including Australia, Africa, Egypt, The Netherlands and Brazil.
Global CyberLympics, the world’s first international ethical hacking cybergame, is a nonprofit online cybersecurity competition that takes place in four rounds: Computer Forensics, Computer Network Defense, Penetration Testing, and Capture the Flag. The goal of the games is not only to educate the world’s cybersecurity professionals, but to test their skills in simulated attack-and-defend scenarios. The teams that advance through these challenging rounds do so by proving their superior skills.
EC-Council Foundation is a charitable and educational organization dedicated to educating and training individuals in cybersecurity. EC-Council Foundation is excited to partner with ISACA and host the finals of this year’s game alongside ISACA’s European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) conference, taking place in Barcelona, Spain in September. Because of ISACA’s impressive global reach, with more than 115,000 constituents in 180 countries, and its mission of supporting information security via globally accepted research, certifications, and community collaboration, it is a natural partner for hosting the Global CyberLympics finals. Added to the synergy between the missions of ISACA and EC-Council Foundation is the impressive backdrop to the event: Barcelona, Spain. This year’s setting adds an additional element of drama to the games, as this is the first year the final round has been held outside of the US.
For the competition schedule or to register a team to play in the games, please visit www.cyberlympics.org. For information about ISACA’s EuroCACS/ISRM conference, please visit www.isaca.org/eucacs-isrm2014.
Senior Director, EC-Council
Hundreds of millions of people around the world, including me, are cheering on the football games that comprise the 2014 FIFA World Cup, which bills itself as the biggest single-event sporting competition in the world. This is truly a global force of an event, with 204 entries across six continents competing for 31 available spots in the finals.
As I watched a recent close football match, it was clear that no matter what a sports organization (or governmental agency or enterprise) does as its core business, its relevance, value and reach depend on the team members driving strategy and activities forward. This is true for ISACA as well, and it is one more reason I am so honored to be elected international president and work with an excellent board of directors. The time and expertise they volunteer for the benefit of ISACA members is truly amazing. We recently installed our 2014-2015 ISACA Board of Directors and I would like to recognize them individually.
Reelected vice presidents are:
- Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, security strategist and evangelist at Dell Software, Spain
- Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, inspector general of the US House of Representatives, USA
- Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, partner of M/s. Kumar & Raj and director at Pristine Consulting Private Limited, India
Newly elected vice presidents are:
- Steven Babb, CGEIT, CRISC, ITIL, technology risk management, compliance and assurance leader at Vodafone, UK
- Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, managing consultant at BAE Systems, Australia
- Rob Clyde, CISM, CEO of Adaptive Computing, USA
- Debbie Lew, CISA, CRISC, executive director within Ernst & Young LLP Advisory practice, USA
- Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC, CEO of Focus Strategic Group Inc., Hong Kong
- Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001, IT consultant in Latin America, Mexico
These ISACA leaders represent a diverse cross-section of geographies, industries and expertise, and I am confident that together we will serve our members and other constituents with drive, dedication and direction throughout the year.
As a team, we will accomplish several key activities this year:
- We will continue to focus on cybersecurity. Through the Cybersecurity Nexus, we will do for the cybersecurity profession what we’ve done (and will continue to do) for assurance and governance.
- We will also focus on providing tools and guidance on privacy, full-spectrum career development, expanded COBIT, and emerging business and technology.
- We will serve our assurance base. Audit and assurance professionals founded ISACA 45 years ago and are still central to our mission to create trust and value through information and technology.
- And, above all, we will provide more value to our members than ever before. We exist for you—to help you drive your careers and serve your enterprises. Be assured that you are at the forefront of every decision we make.
This is an era of incredible change and strategic advancement for ISACA, especially as our new CEO, Matthew Loeb, takes the helm of the ever-growing and evolving association in early September. I look forward to Matt’s business acumen and eye for global service and growth. I also want to give a sincere thank you to Ron Hale, who stepped up and has served as ISACA’s acting CEO after the retirement of former CEO Susan Caldwell in 2013. Ron provided guidance and oversight for ISACA’s momentum over the past year and we deeply appreciate his contributions. I also want to thank our prior board members, who have shared so much of their knowledge, other global leaders, and all members, no matter your level of involvement, because you embody the spirit of ISACA.
I want to hear from you. Please follow me on Twitter at @RobertEStroud and share your comments below. This is going to be an exciting year for all of us. Together, just like the World Cup champion, we can achieve great things.
Robert E Stroud, CGEIT, CRISC
International President, ISACA and the IT Governance Institute
Robert E Stroud, who today becomes ISACA's international president, delivers an opening keynote presentation—“How Emerging Technologies Will Impact You and Your Enterprise and What You Can Do About It”—at The IIA/ISACA Governance, Risk and Control (GRC) conference this August. We chatted with Rob to preview his presentation.
ISACA: How will emerging technologies impact you / your enterprise?
Rob: They are changing business models. There is mobility everywhere, which is changing the interaction between people and services. Think about purchasing an item and doing price comparisons on the spot. You can go back to the sales agent with a better price. Their systems need to be able to adjust to provide that discount.
ISACA: What can you do about emerging technologies?
Rob: We all need to be aware of changing technologies and the impact on our current business models. Changing technologies will disrupt current business processes and buying patterns.
ISACA: How has business culture’s impression of emerging technology changed in recent years?
Rob: Business is leading the charge with emerging technology. This is led by younger professionals who are using—without bounds—new technology to execute business processes.
ISACA: Can you ignore emerging technologies?
Rob: Yes—at your own peril. Every business is powered by some form of technology. Technology is driving everything from buying decisions to tax calculation to, say, the maintenance of licenses. The time required to execute basic administrative tasks will kill a business that ignores technology.
ISACA: Do you differentiate between emerging technologies and disruptive technologies?
Rob: I would have two years ago, but they have started blurring together. The pace of the interconnectivity of things is accelerating beyond our wildest dreams, with everything from micro-chipped cows that give us milk to the milk containers to the fridge in which we store the milk.
ISACA: What is one emerging technology that most excites you?
Rob: The Internet of Things. Or, better yet, The Internet of Everything. Everything is becoming interconnected, enabling good management of information and a deluge of info that you need to process to make proper decisions. There is more information than a human can reasonably process, so we are dependent on technology to guide our decision-making processes. And if the base process is flawed, our decisions are flawed. What we are starting to see is deterministic systems that will learn patterns and develop decision-making criteria. Processes guided by computer data.
At this point, it is not going to completely replace humans. At this point…
Robert E Stroud, CGEIT, CRISC
VP of Innovation and Strategy
Learn more about the Governance, Risk and Control (GRC) conference here.
2014 has already been a year of exciting change, and as ISACA continues to transform and evolve we are very pleased that Matthew S. Loeb has been named chief executive officer (CEO) of ISACA and the IT Governance Institute. Matt brings extensive experience in global business operations, governance and strategy, and is the right person to lead ISACA as we build upon and carry out our strategic growth plans.
Matt is an innovative leader who shares ISACA’s deep commitment to serving our members and other constituents. His depth of expertise in emerging technology and global expansion, along with his keen business insights, will benefit all of us and our industries as a whole.
I have met with Matt and know that when he takes the helm in September, he will be laser-focused on identifying new opportunities for ISACA to serve our diverse constituents—current and future. Together with the Board of Directors and our staff, we have an extraordinary team in place and I am thrilled about our long-term outlook.
I want to thank Ron Hale, Ph.D., CISM, for stepping up and ensuring that ISACA moved forward with its strategic activities upon being named acting CEO of ISACA following the 2013 retirement of Susan M. Caldwell, after 21 years in the corner office. I also want to thank those who served with me on the CEO Search Panel (Ev Johnson, Jon Singleton and Terry Grafenstine) for the many hours they invested in ensuring a successful outcome of our efforts.
This also marks my final post to the ISACA Now blog as international president. I have met many new people from around the world during my term and I am happy to include all of you in my circle of friends and trusted colleagues. The accomplishments of our members and leaders this year have truly been amazing. To name just a few, we experienced continued international growth of COBIT, established the formal corporate social responsibility program and launched the Cybersecurity Nexus. I will remain very active on ISACA’s board and am confident of ISACA’s prospects as Robert E Stroud, CGEIT, CRISC, takes over as international president for 2014-2015.
ISACA is a great organization and I am proud of the passion, experience and energy that we bring to all of our members, enterprises and business partners. Thank you for the honor of serving as your international president.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
Dr. Simon Singh wears many hats—scientist, encryption expert, documentarian, best-selling author. At ISACA’s EuroCACS/ISRM 2014 Conference in September, he will be the opening keynote speaker, delivering a presentation titled “Cracking the Cipher Challenge,” in which he will explore how encryption is increasingly important for cybersecurity and data privacy, while providing a demonstration of an original, World War II-era Enigma machine.
ISACA: What is an Enigma machine?
Simon: The Enigma cipher machine is probably history's most famous encryption device. Invented by Arthur Scherbius, this electro-mechanical machine was used by Germany prior to and throughout the Second World War. The machine looked rather like a typewriter, and each letter on the keyboard was connected to a letter on the lampboard by 26 wires. However, the machine was not hardwired. The wiring passed through rotors, which turned after each key was pressed, so the circuits were continually changing.
A crucial feature of the Enigma cipher is that the machine has billions of possible settings, such as the starting orientations of the rotors. The Germans knew that a machine would eventually fall into the hands of the Allies, but such a machine could not be used to decipher a message unless the key used to encrypt the message was known or could be deduced. The significance of the key is an enduring principle of cryptography, and it was definitively stated in 1883 by the Dutch linguist Auguste Kerckhoffs von Nieuwenhof: “The security of a cryptosystem must not depend on keeping secret the crypto algorithm. The security depends only on keeping secret the key.”
There were different keys for the distinct communication networks (e.g., the North Atlantic arena or North Africa) and they were changed on a daily basis. Nevertheless, Britain’s codebreakers at Bletchley Park discovered shortcuts to finding the Enigma keys and the cipher was cracked routinely throughout long periods of the war, providing vital information for the Allies.
ISACA: What can the modern IT/cybersecurity professional learn from the Enigma machine?
Simon: Although the Enigma was cracked, it was actually a very sophisticated machine, which potentially offered a high level of security. So, why was it cracked? The problem was not so much the machine, but rather in the way that it was used. Errors in the way that messages were sent gave Allied codebreakers the cracks they needed to break open a message. In other words, a cipher may be theoretically strong, but practically weak due to user error, a problem that still exists seven decades after the Second World War.
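As an added illustration that is not part of the interview or of Dr. Singh's own material, the following Python simulation traces the signal path Simon describes above (keyboard, a rotor that steps before every key press, a reflector, lampboard) for a single-rotor simplification of the machine. The wiring tables are the commonly published ones for Enigma I rotor I and reflector B; the one-rotor, no-plugboard machine, the function names (`enigma`, `press_key`, `inverse_wiring`, `never_self_encrypts`) and the sample message are assumptions of this example. It makes Kerckhoffs' principle concrete: the wiring is hardcoded and public, and the only secret is the rotor starting position; the same key undoes the encryption, a different key does not, and, as a side effect of the reflector, no letter ever encrypts to itself, a structural regularity of the design that is independent of the key.

```python
from string import ascii_uppercase as ALPHA

# Wiring tables as commonly published for Enigma I rotor I and reflector B.
# The machine modelled here (one rotor, no plugboard, no ring setting) is a
# constructed teaching simplification, not a complete Enigma.
ROTOR_I = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def inverse_wiring(wiring: str) -> str:
    """Return the table for the signal's return trip through the rotor."""
    inv = [""] * 26
    for i, ch in enumerate(wiring):
        inv[ALPHA.index(ch)] = ALPHA[i]
    return "".join(inv)


ROTOR_I_INV = inverse_wiring(ROTOR_I)


def press_key(letter: str, position: int) -> str:
    """Trace one key press: rotor (forward) -> reflector -> rotor (backward).

    `position` is the rotor's current orientation, 0..25.  Adding the
    position on entry and removing it on exit is what makes the effective
    wiring between keyboard and lampboard differ for every orientation.
    """
    x = ALPHA.index(letter)
    y = (ALPHA.index(ROTOR_I[(x + position) % 26]) - position) % 26
    y = ALPHA.index(REFLECTOR_B[y])  # an involution with no fixed points
    y = (ALPHA.index(ROTOR_I_INV[(y + position) % 26]) - position) % 26
    return ALPHA[y]


def enigma(text: str, key: str) -> str:
    """Encrypt or decrypt `text` (A-Z only) with the rotor started at `key`.

    The rotor steps once *before* every key press, so the circuit changes
    with each letter.  Because the reflector is an involution, encryption
    and decryption are the same operation under the same key.
    """
    if any(ch not in ALPHA for ch in text) or key not in ALPHA:
        raise ValueError("text and key must use uppercase A-Z only")
    position = ALPHA.index(key)
    out = []
    for ch in text:
        position = (position + 1) % 26
        out.append(press_key(ch, position))
    return "".join(out)


def never_self_encrypts(text: str, key: str) -> bool:
    """Check the reflector's side effect: no letter ever maps to itself."""
    return all(p != c for p, c in zip(text, enigma(text, key)))


if __name__ == "__main__":
    msg = "ATTACKATDAWN"  # constructed sample plaintext
    ct = enigma(msg, "K")
    print("ciphertext:    ", ct)
    print("right key (K): ", enigma(ct, "K"))  # recovers the message
    print("wrong key (L): ", enigma(ct, "L"))  # public wiring alone is useless
```

Running the script shows the three facts the interview turns on: the algorithm (wiring) can be printed in a book without helping anyone who lacks the key, the key alone is what decrypts, and the machine has a fixed regularity (no letter maps to itself) that comes from its design rather than from how it was used.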
Want more? Join Simon and the rest of the expert presenters at EuroCACS/ISRM 2014 Conference. Learn more here.
While attending ISACA’s North America CACS 2014 Conference, I was impressed by insightful presentations on cloud security, big data, security GRC, security programs and frameworks, not to mention the opening and closing keynote presenters. Likewise, I appreciated the diverse events at the conference (everything from breakout workshops to a professional photography station), the role of ISACA’s Young Professionals Subcommittee in promoting engagement among attendees, and the interactive communication opportunities for all.
As I look back at North America CACS, key messages stand out:
People—not computers—catch frauds
Harry Markopolos’ keynote presentation explored his exceptional work on Bernard Madoff’s fraud case, which demonstrated the whistleblower’s process of conducting holistic fraud examinations. Markopolos highlighted the red flags of potential frauds and answered the question, “How did one man lose $65 billion?”
As the presentation ended, I considered how we, as IT professionals, should rethink how IT is aligned with business objectives and strategies. Or, at least, how IT controls are designed and implemented for fraud-detection purposes.
Cloud and big data security
A major issue with cloud computing is data privacy, especially the data-residency problem, as most organizations worry about their business/customer data leaving the country or jurisdiction. In some cases, your primary data might be stored within a geographic area as required, but the backups are loosely controlled by the cloud service provider (CSP). Organizations must perform due diligence to ensure their data is properly stored and protected. Government agencies will define which types of data can be put into the cloud, and the FedRAMP certification program can provide an independent view of the CSP’s ability to clearly define and describe system boundaries.
Another key consideration discussed at CACS is having a proper notification process in case the CSP makes changes. Old data + old data = new data.
New cybersecurity programs and roles
Cybersecurity is drawing attention from organizations across sectors. Two cybersecurity initiatives were discussed at North America CACS. One is the US Cybersecurity Framework, developed by NIST as part of the US Presidential order. The Framework is applicable to those sectors designated as part of the US critical infrastructure. While its content supports and potentially overlaps with some existing NIST security risk-management programs, NIST is planning to further develop the relationship between them. This point was clarified by one of the North America CACS presenters, Victoria Yan Pillitteri from NIST.
The other initiative is ISACA’s Cybersecurity Nexus (CSX), which will include cutting edge thought leadership as well as a certification program (Cybersecurity Fundamentals Certificate) and resources such as webinars, mentoring programs, training courses and an online community.
Be situationally aware of risks
The concept of “risk management” is a constant, all while technologies advance and the context in which technology is used is in perpetual flux. According to presenter Hubert Glover, when people think about high-level risk management, such as technology risk, they must consider every aspect of the organization, as every aspect of an organization is enabled, powered by and supported by IT.
Executive teams are considering how to turn risk into results, especially as they encourage participants to do innovative things in innovative ways. During his “Turning Risk into Results” presentation, Dr. Glover illustrated ways to evaluate risks in the context of time, place and mass. He skillfully demonstrated how to turn risk into results by leveraging a business model and risk framework, focusing on addressing organizational, operational and strategic risks.
Another critical aspect around risk management, proposed by keynote presenter/astronaut Mike Mullane, is to be aware of your risks in diverse situations. Using the Challenger disaster as an example, Mullane explained the dangers of accepting—in a changing work environment—a “tolerance” that was previously defined as “intolerable.” The astronaut stressed that it is not uncommon for organizations to fall victim to a “normalization of deviance”—getting away with shortcuts from best practices until the shortcut becomes the norm, leading to problems.
A few more nuggets from North America CACS
- Do not be a passenger. Everyone’s suggestion on how to manage (security) risks and improve processes counts. The executive team and managers should listen to various opinions—one might save the organization some day.
- Information security should be integrated into business processes and systems by design. The add-on approach will cost you more time, money and effort.
- Do periodic resets to best practices standards. The fact that you’ve been successful previously doesn’t mean you will be successful again. To avoid predictable surprise, don’t let a “can do” attitude guide you into a shortcut.
Alan Tang, CGEIT, PMP, TOGAF, CISSP, CISA, CBCI, CIPP/IT, ISO27K, PCIDSS, ISO20K
Senior Consulting Analyst
Info-Tech Research Group
As you are likely aware, information technology is a rapidly growing field and a great career option for those with the right skill set. And, as you are likely aware, demand for these skills is simply not being met. There is a steadily increasing gap between the level of skills needed and the level of skills the people in the workforce actually have.
According to a skills-gap report from the American Society for Training and Development, “…more than 15 million businesses rate the aggregate skill levels of their IT staff as less than optimal, and 93 percent of employers indicate that there is an overall skills gap among employees.”
In short—seven percent of businesses in this study considered themselves exactly where they wanted to be in terms of skilled employees.
Analysts attribute this problem to the dynamic, ever-evolving nature of the IT industry. (That is what attracts many professionals to the field.) So what can be done about it? Information technology is not going to slow down. And the field of IT is not going to curb its growth any time soon.
So we need to catch up.
IT awareness must be elevated and IT education needs to be more accessible. Online educational offerings meet this need nicely. We must give the necessary skills to students at a younger age, and promote continuing education—across business departments—among employees. IT organizations can focus on developing talent in-house, producing professionals with business skills that match their technical acumen.
Ultimately, the IT skills gap will only begin to close if educators, professionals, businesses, and leaders in the IT community tackle these problems by investing more time and money in IT skill training.
Chief content officer, SkilledUp
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.
We have entered the era of constant wireless connectivity, and the ramifications of this development are widespread. For example, it is not merely that Google Glass transforms your field of vision into a computer screen, but that this technology can be used constantly, permanently digitizing your perception of the world (as long as you are wearing the glasses). Likewise, wearable health-monitoring devices benefit many with their ability to analyze a body constantly—or at least over extended periods of time—which delivers useful data about their health and well-being.
And while this is an exciting time, this is also a time to be cautious. “The known vulnerabilities associated with wearable technology are found in the software that users load onto workstations and the devices themselves,” writes Bruce R. Wilkins in the @ISACA newsletter. “These weaknesses allow ill-intentioned actors to see and modify the individual performance reported by the device.”
In short, this constantly connected technology can be hacked in the same manner our other computers can be. The fact that these wireless devices are always connected and in constantly changing locations heightens that vulnerability.
Some of us choose to ignore these new technologies. Some go even further. Hating technological developments is normal human behavior, writes Ron Miller in this interesting TechCrunch post. Others are beginning to casually embrace the wearable technology/constant connectivity trend. Still others jump with both feet into the phenomenon, like “the most connected man in the world,” who at any time has as many as 700 systems collecting real-time data about his life. (Perhaps that is a bit extreme.)
I believe that whether or not we fully embrace constant wireless connectivity in our personal lives, we must educate ourselves and stay ahead of developments. This is our responsibility as guardians of trust in information systems and defenders of cybersecurity, which, as we all know, are roles that require constant diligence.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
As my wife recently watched a Sherlock Holmes program in which a clue was a silent dog, I worked on a presentation for the ISACA Los Angeles Conference titled “Controls–Why They’ve Become Wasteful, A False Sense of Security and Dangerously Distracting (And How to Fix Them).” In that process, two causes for controls churn and confusion came to mind.
First, the dog (control) does not bark if it fails to meet the tight assumptions required for the control to actually work. For example, the “chain of fitness” assumptions for controls require that:
- The control is used as intended
- The control is maintained as implemented
- The control is implemented as designed
- The control is designed from the appropriate template
- The control template is appropriate for the process class and problem
- The control is located properly in the process flow
- The location in the process flow was determined based on the location of useful warning signs
- Useful warning signs were determined based on robust, real-world “What if?” scenario analysis
- Scenario analysis was conducted properly based on a thorough “know the business” understanding of environment and capabilities
Though still challenging, these assumptions are easier to meet when applied to retrospective financial reporting, when those reporting systems are stable and a threshold of materiality (percent of revenue or income) can be applied. These assumptions are more difficult to meet when a prospective view is needed of a dynamic, operational world, where a tiny issue can turn into a huge problem.
The second cause for controls churn and confusion is when the auditor or compliance person fails to bark because all looks well—because he or she does not understand the chain of fitness and other assumptions. There is a false sense of security.
Why do some auditors miss these problems? In speaking at ISACA programs around the world, show-of-hands surveys reveal that it has much to do with the time a person began working in audit. In particular, it matters whether a person’s work experience began before the Sarbanes–Oxley Act of 2002, when IT audit began focusing on a narrow financial reporting notion of “IT General Controls” (ITGC).
The modern, skilled IT pro has a clear operational view of a control as something that senses and responds, whether dumb like a light switch or intelligent like server load balancing.
ISACA’s COBIT 5 offers help in the shift from “controls” (too often understood mostly as ITGC) to business-objective-oriented management practices. More broadly, consider ISACA’s tagline: “Trust in, and value from, information systems.” Value creation in Val IT (now incorporated in COBIT 5) is well beyond controls that struggle just to protect value.
I suggest taking action—host a “Cut Controls Churn and Confusion Day” at your chapter or for your team at work. Invite a panel of people with managerial accounting, operational process improvement and IT process improvement experience to discuss why improved oversight, management practice and core business process are more effective than controls for any operational situation.
Principal Analyst & Advisor, ValueBridge Advisors
ISACA conference presenter and volunteer on Risk IT and COBIT 5 initiatives
Author of “The Operational Risk Handbook”
Continue the conversation in the Controls Monitoring topic within ISACA’s Knowledge Center.