Today marks the launch of the CSX Practitioner (CSXP) certification exam. For the first time, cybersecurity professionals can now obtain a vendor-neutral, performance-based cyber certification.
With Cybersecurity Nexus (CSX), ISACA has made a commitment. Through training, guidance, education and credentialing, we will help develop a skilled cybersecurity workforce to reduce the global skills gap, and we will provide resources for cyber professionals at every level of their careers. CSXP is one way we are fulfilling that commitment.
Research shows that the majority of employers—nearly 7 in 10—are requiring cybersecurity job candidates to hold a certification. They are also looking for candidates with hands-on skills. When a prospective employee holds CSXP, it indicates that he or she fulfills both of those criteria and has the skills needed to help protect the organization.
To earn CSXP, candidates must pass an exam in a state-of-the-art, adaptive, performance-based cyber laboratory environment. The exam measures skills and abilities in a virtual setting using real-world cyber security scenarios. Registration is now open for the exam, and a beta test rate is available for those who take the exam and complete a survey by 1 October 2015.
Very soon, ISACA’s CSX will offer cyber training and certifications for all skill levels and specialties:
- Cybersecurity Fundamentals Certificate—Knowledge-based certificate that demonstrates a foundational understanding of cybersecurity (currently available)
- CSX Practitioner—Demonstrates ability to be a first responder to cyber incidents, following established procedures and defined processes. CSXP indicates firewall, patching and anti-virus experience, as well as the ability to implement common security controls and perform vulnerability scans and analysis. (currently available)
- CSX Specialist—Demonstrates effective skills and deep knowledge in one or more of the five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover (coming soon)
- CSX Expert—Demonstrates ability of a master/expert-level cybersecurity professional who can identify, analyze, respond to and mitigate complex cybersecurity incidents (coming soon)
- Certified Information Security Manager—Demonstrates the ability to manage, design, oversee and assess an enterprise’s information security program (currently available)
It is an exciting time of opportunity for cyber professionals. Companies and government organizations need you more than ever. As you grow your career in this area, know that we are here for you—we will help you stand out, grow your career and connect with a global community of cybersecurity experts.
Christos Dimitriadis, Ph.D., CISA, CISM, CRISC
2015-2016 ISACA International President
When it comes to the use of technology decision making, the stakes for the business have never been higher. Investing in the right technology at the right time can very often mean direct competitive advantage to the business. Investing poorly, at the wrong time, or not at all (especially when competitors do so) can instead mean the business operates at a disadvantage relative to peers and competitors.
At the same time, the time window that organizations have to consider the options available to them is shrinking. Digital trends and new technologies arise quickly and seemingly appear out of nowhere, leaving organizations relatively little time to evaluate trends, understand the risks and rewards, and make an informed decision about investment. And, as we know, making an informed decision about value and risk tradeoffs for any technology or digital trend can be complicated. We need to consider the business value added, new risks introduced (and old risks potentially mitigated), the cost of the investment, possible disruption to business teams and numerous other factors.
To help with these challenges, ISACA is making a new resource available: ISACA Insights. The purpose of Insights is to identify the most impactful digital trends that organizations should consider in their strategic decision making:
- Big data analytics
- Mobile technologies
- Cloud computing
- Machine learning
- Internet of Things
- Massive open online courses
- Social networking
- Digital business models
- Digital currency
Insights consists of a top 10 report describing the high level trends in business-accessible language and supplemental individual trend reports highlighting specific trends with an eye to overall organizational risk and value. Because the reports are short and business-accessible rather than technical, they are easily understood by those on either the technology or business side of the organization. They can be used as a discussion aid between business and technical teams—for example, to help business teams understand the risk impact of a particular trend or to help technical teams understand the business value drivers that might be driving interest in a particular trend or technology area.
Over the next few weeks, ISACA will be looking in depth at some of the information outlined in these reports and some of the risk, value and security implications of each of the top trends. Making a holistic decision about the risk vs. reward associated with investing in any particular trend means understanding both sides of the risk equation—the value to the business in adopting, the potential business risks associated with failing to adopt, as well as the technical risks that can be introduced when adopting these trends.
I encourage you to view the report on the top 10 trends, as well as the more in-depth reports on each of the top four trends. All are free at www.isaca.org/isaca-insights.
Director of Emerging Business and Technology, ISACA
The rate of change in our enterprises is racing faster than at any other time. New technologies are introduced nearly daily—and many of them are making their ways into our workplaces. These new realities mean that information flows instantly around the globe, and we need to be agile and prepared.
ISACA has long been respected for its foresight and innovation, and with the installation of the 2015-2016 board of directors recently in Brussels, this tradition continues. I am honored to serve as ISACA’s international president during this time of incredible innovation.
I would like to thank Immediate Past President Robert Stroud for his many years of dedicated service. During Rob’s tenure, ISACA experienced growth in many areas, including membership, chapters and revenue. ISACA launched the Cybersecurity Nexus (CSX) and the online version of COBIT 5. I look forward to Rob’s continued significant contributions throughout the year.
My sincere appreciation also goes out to the outgoing board members who have given so much of their time and expertise to ISACA over the years—Steven Babb (UK), Ramsés Gallego (Spain), Vittal Raj (India), Debbie Lew (USA), Frank Yam (Hong Kong), and Alexander Zapata Lenis (Colombia). You have helped lead ISACA and contributed to the growth of our global respect and reputation—thank you for your past and future contributions.
As our new and returning board members continue to move ISACA forward and focus on our refreshed strategy and goals, I am eager for you to collaborate closely with all of us:
- International President Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, group director of Information Security for INTRALOT, Greece
- International Vice President Rosemary Amato, CISA, CMA, CPA, director, Deloitte, Amsterdam, The Netherlands, program director for Global Client Intelligence (GCI), The Netherlands
- International Vice President Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, practice lead, Governance Advisory at Vital Interacts, Australia
- International Vice President Robert Clyde, CISM, managing director of Clyde Consulting LLC, USA
- International Vice President Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, inspector general of the U.S. House of Representatives, USA
- International Vice President Leonard Ong, CISA, CISM, CRISC, CGEIT, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, COBIT 5 Implementer and Assessor, Singapore
- International Vice President Andre Pitkowski, CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, COBIT 5 Foundations Trainer, principal consultant APIT Consultoria de Informática Ltd., Brazil
- International Vice President Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, president and COO of WhiteOps, USA
- International Director Zubin Chagpar, CISA, CISM, PMP, focuses on Venture Capital Business Development in EMEA for Amazon Web Services, United Kingdom
- International Director R.V. Raghu, CISA, director of Versatilist Consulting India Pvt. Ltd., India
- International Director Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, director of information security and IT assurance at BRM Holdich, Australia
For more than 45 years, ISACA has been a trusted global resource to help professionals transcend borders and collaborate. We recognize that the people we serve have rapidly evolving needs, and are focused on ensuring that ISACA continues on its path of becoming more flexible, responsive and enabled for a dynamic future.
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC
ISACA International President
Information is powerful. In today’s fast-moving world, timely information is critical to keeping cybersecurity plans and programs current.
But, having the time and diligence to filter massive amounts of information to a digestible, actionable form is nearly impossible. Besides myriad global regulations and other developments, all manner of cybersecurity breaches are frequently in the news. In fact, the growing rate of breaches around the world has organizations preparing for when they will be attacked, rather than wondering if they will be.
To provide a concise source for the industry trends and latest developments that cybersecurity experts most need to know about, ISACA has launched a new free newsletter. The Nexus, which is part of ISACA’s Cybersecurity Nexus (CSX) program, features original CSX thought leadership and knowledge, news and updates related to cybersecurity, and a collection of cybersecurity articles from around the web.
Recent articles in The Nexus include:
- Cybersecurity table stakes for companies: The bare minimum needed to survive by Doug Steelman.
- 5 Costly consequences of SMB cybercrime from CIO Magazine.
- Simple steps go a long way in cybersecurity by Rolf von Roessing, CISA, CISM, CGEIT
Visit The Nexus subscription page of the ISACA web site to subscribe to this valuable monthly e-newsletter.
Robert E Stroud, CGEIT, CRISC
ISACA International President
I remember the first time I saw ISACA International President Robert E Stroud talk. I was really impressed by his knowledge and how he engaged with the audience. I remember thinking, ‘I wish I could do that!’
I am not Robert and I do not have his confidence in front of an audience, but I do have considerable experience in IT and IT audit, and with that comes knowledge. I wanted to participate and give something back to the profession, so I decided to volunteer as a “topic leader” in the ISACA Knowledge Center.
The ISACA Knowledge Center is a professional networking and knowledge meeting place for professionals who share common professional interests. It can help participants build a new understanding through exchanging information and experiences on more than 100 IT-related topics.
I downloaded and completed the topic leader application, but I was still concerned that I would not be good enough. What if I was asked questions that I did not know the answer to? I was assured by the staff at ISACA that this would not be an issue. Although knowledge is always helpful, they do not expect you to have all the answers. Instead, a key requirement is a willingness to learn, support, participate and maintain the community.
I took the plunge and formally became a topic leader for Oracle Databases, as that was the available topic that I felt I knew the most about. I began by posting links and documents on Oracle. I realized that I was reading these anyway, as my organization has Oracle databases and I like to keep up to date. Some of these generated discussion, and some did not. Then it happened—I was asked a question for which I was not 100 percent sure of the answer! What did I do? Well, I looked into it, found the answer and learned something new. (This later proved useful to me during the course of my own work.)
As my confidence grew, I also became the topic leader for OS/400 and SQL Server Databases. I did not know an awful lot about SQL Server, but by becoming the topic leader and researching, reading, posting and answering, I have learned a lot!
My role as a topic leader has opened the door to many new opportunities. First, I was asked to become a member of ISACA’s Communities Committee. This committee identifies and supports activities to encourage the development, use and sustainability of ISACA communities.
Additionally, as my knowledge of my topics grew, I decided to write an ISACA Journal article. I submitted “Auditing Oracle Databases Using CAATs” which was accepted and published in volume 2, 2014. The reaction was very positive, so much so that many readers asked me to do something similar for SQL Server. “Auditing SQL Server Database Using CAATs” was accepted and published in volume 1, 2015.*
The Journal articles got the attention of someone in ISACA, as I was asked to help update the CISA Review Manual for 2016! This is a great honor for an IT auditor.
Being the topic leader for Oracle Databases, SQL Server Databases and Audit Tools & Techniques in the Knowledge Center is something that I am passionate about. It is more than social media; it is a forum to engage with your peers, to question, to learn and to share. It is linked to ISACA’s considerable body of knowledge and is where “networking and knowledge intersect.”
I encourage you all to join and participate. What’s more, I encourage you to become a topic leader. There is absolutely no reason you cannot follow in my footsteps and connect with some great people and learn new knowledge along the way.
Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL-F, Six Sigma Green Belt
IT Audit Manager, Dublin, Ireland
*Membership required to view ISACA Journal articles published within the past year.
When I was installed as ISACA’s international president, I made three promises. I said we’d continue to effectively serve our members who work in audit and assurance, we would drive adoption and use of COBIT 5, and we would make cybersecurity a top focus. Cybersecurity has climbed its way to the top of many of our priority lists. And we at ISACA have listened. To best serve our members and the profession, we are committed to doing for cybersecurity what we have done—and continue to do—for assurance and governance.
This is a pivotal moment—an exciting time in our industry. The tremendous global impact that cybersecurity issues and threats are having is creating many new challenges and opportunities for all of us. These challenges and opportunities bring with them an urgent need for skilled professionals who can protect and defend enterprises worldwide. Experienced security professionals are key to success in the fight against cyberadversaries. We learned a lot about that from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)² and ISSA, who met at our North America ISRM conference in November. They discussed what organizations need from cybersecurity professionals and how to develop candidates to effectively fulfill these roles. As panel members pointed out, we are in an era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole of society to work together and get things done effectively.
As cybersecurity challenges and opportunities are transforming the way in which we all live and work, ISACA is also expanding to better serve you. We want to help you protect what you have built. We will do that by providing the education, guidance and solutions you are seeking—and by helping you develop your teams with the right people and the right skills.
In April, ISACA launched Cybersecurity Nexus (CSX). Through CSX, we are connecting enterprises and skilled professionals to help close the dramatic skills gap.
Now, as part of that mission, we are announcing CSX 2015 North America—a brand-new conference experience. It will deliver the risk management guidance that so many of you find valuable at ISRM, but it will also dive deeper than ever into the cybersecurity approaches and solutions that are demanded by professionals and organizations around the world.
Cybersecurity is everyone’s responsibility, and ISACA takes this responsibility very seriously. We developed CSX for you, and we will deliver it with you, to best serve you and your industries. We will give you the tools, credentials, community and education you need to meet cybersecurity challenges head on. CSX 2015 is one way we will accomplish that.
This brand-new conference features more than 70 cybersecurity sessions tailored to different levels of expertise. Attendees will explore cybersecurity trends and threats, exchange ideas and innovations, and learn how to excel at protecting and defending against cyber threats and attacks. From start to finish, CSX 2015 will focus on real-world solutions explained step by step by recognized industry leaders.
Be sure to mark your calendars now for CSX North America 2015 in Washington DC. I promise you—this is an event you won’t want to miss! North America is just the first step. We’ll be introducing CSX events throughout the world in 2016 and 2017.
Cybersecurity challenges will continue to advance and grow. Rest assured that ISACA will be there for you every step of the way.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Editor’s Note: If you would like to submit a proposal for a session at CSX North America 2015, please visit www.isaca.org/csxcallforpapers.
ISACA celebrated its 45th anniversary in 2014, and marked this accomplishment with a year of great advancements. One of the most visible and impactful events was the launch of Cybersecurity Nexus (CSX). At a time when cybersecurity breaches and devastating hacks make news daily, CSX offers innovative ways to help provide resources for cybersecurity professionals at all levels and fill the global skills gap. ISACA also successfully introduced the Cybersecurity Fundamentals Certificate and several workshops were sold out, which further supports the need and acceptance of CSX worldwide.
In addition, the online version of COBIT 5 was released, complete with a new Goals and RACI (responsible, accountable, consulted, informed) planner. This tool helps organizations of all sizes and industries improve governance and management of enterprise IT. COBIT 5 is used globally to help create value and address business issues.
We also implemented our digital strategy and are able to provide members with fresher content more frequently and in an easy-to-use format. Most notably, the ISACA Journal—one of the top member benefits—is now publishing online articles every two weeks instead of every two months. COBIT Focus, which provides the latest news and case studies about COBIT, is also publishing articles more frequently.
And in September, ISACA took another step toward its future by welcoming our new chief executive officer, Matt Loeb. Matt brings to ISACA a depth of experience, and he will be an instrumental factor in our future growth.
Driving all of these activities is ISACA’s commitment to what ultimately makes us a successful organization—our valued members around the world. For all of you who have attended chapter meetings, obtained CISA, CISM, CGEIT or CRISC certifications, participated in a Training Week or conference, or read the ISACA Journal or one of our many other excellent research publications, the board of directors and I thank you for your support and expertise. The future of ISACA has never looked brighter.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Like many people, I find that my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.
But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.
ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.
Enterprises need to be aggressively proactive here, and start educating staff on the risks and the opportunities of wearable tech. Devices such as smart watches and glasses collect and transmit information that provides great value. But if this information gets into the wrong hands or is mishandled, it can be used to damage a company’s reputation, financial position, compliance activities and even its existence.
According to the latest IT Risk/Reward Barometer, “increased security threats” and “data privacy issues” are two of the biggest challenges that ISACA members list regarding the Internet of Things.
But along with the inherent risk in the Internet of Things, enterprises are also reaping benefits, such as the 29 percent that have achieved greater accessibility to information and the 26 percent that have used it to improve services. Also, 22 percent have gained efficiencies and improved employee productivity. With new technology there is always the need to balance risks and rewards—and there are plenty of both in the case of the Internet of Things.
To keep tabs on evolving perceptions and trends, ISACA has fielded the IT Risk/Reward Barometer for five years. This survey is unique in that it has two components—a consumer survey and an ISACA-member survey. Globally, more than 4,200 consumers and more than 1,600 ISACA members responded this year, giving us an excellent pool of responses.
Wearable tech, connected devices and other cool advancements in the Internet of Things are making their way into every aspect of our lives. The gates are open and the tide is flowing, and we encourage you to take an “embrace and educate” approach. Having an informed and alert customer/employee/stakeholder base is a key aspect of making connected devices work for you and your enterprise.
I invite you to review the full report, infographic and news announcement for the 2014 IT Risk/Reward Barometer. I need to take off now. My smart refrigerator just told my smart watch that I need to pick up some bread on the way home from the airport.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Football fans are enthusiastic around the world—even though rules, fields and equipment vary.
These similarities and differences are a great comparison to ISACA’s flexible frameworks and other guidance—just ask our rugby-playing International President Rob Stroud.
When I teach workshops, participants often ask questions about configuring firewalls, Wi-Fi, or data access tools. These are good questions with good answers. Yet, these product-level questions are not the “sweet spot” of ISACA-land guidance.
Using our football comparison, these questions are about lacing up shoes or inflating the ball. ISACA guidance assumes that players can pick their own shoes (and sign endorsement contracts), lace them up, clean them off and know when to replace them. ISACA assumes members read the intrusion prevention product manual.
ISACA-land guidance is focused more on how to train, recruit players, position players, work as a team, scout competitors, develop plays and even maintain the field and stadium.
Vitally, maturity models help answer the question, “how good are we?” People say “yes, I’m doing that.” But in football terms, is that just enough to play in the league or to be league champion? Players (and IT professionals) who are overconfident get a rude awakening in competition. Improvement is what we accelerate in workshops.
ISACA as sports stories…
ISACA’s COBIT-related guidance comes in layers with the broad framework at the top.
The next layer includes documents such as COBIT 5 for Information Security. Think of these as history and “how to” sports books by respected coaches and sports writers. A subset of these are the league rule books. In ISACA-land these are our audit framework and topic-specific sample audit programs.
More detailed guidance includes papers on specific topics such as cloud or mobile devices.
The next layer brings in personal stories through the ISACA Journal, COBIT Focus and the resources of the ISACA Bookstore. Think of these as post-game interviews with players and coaches.
The next layer contains personal experience and questions through ISACA communities at isaca.org, social networks such as LinkedIn groups and local chapter events. Think of these as super-fan web sites or parties.
The point is that ISACA is a great newsstand when it comes to “trust in and value from IT.”
Opportunities for growing together in ISACA…
ISACA is focused on managing and governing information technology, more than on the creation of technology. In sports, technology creation is more like sports business news—growing fans, league management, team ownership, sponsorships, new stadiums, advertising and more. Those of us who are more focused on business cases or in managerial roles live in this world every day. Chapters reaching out to business leaders (such as Brisbane, Australia) or with many members in the technology industry (Silicon Valley, US) include this in their programming.
- If you are a member in a technology company, help other ISACA members learn how to more easily adopt technology—especially technology that can help grow business revenue, not just automate for cost cutting.
- If you are a member in a managerial role or writing business cases, help other ISACA members learn how to connect their daily work to revenue—not just paperwork or cost cutting. This can help other members advance their careers and grow their organizations.
- Chapters—create an event that invites business leaders of any company, technology company new product leaders, or your more revenue-focused members to share their insight with broader chapter members. The format could be a speaker series, workshop, conference track or panel program. The audience could be existing members, potential members or “bring your boss to ISACA” outreach.
In all cases, the point is to build on ISACA’s rich history and knowledge base to help members and chapters grow themselves and their organizations.
Drop me a note and let me know what you are doing in your chapter to further the sport of ISACA. Glad to help you share your success with others.
Together, we can make a difference.
Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com
For those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.
SciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events.
If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of the challenges we have all had with being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.
The point is, discovering new technology adoption after the fact means added risk. Forecasting that adoption in advance reduces it. From a governance point of view, forecasting helps mitigate strategic risks like getting suboptimal pricing when vendor contracts are non-standard or not centrally negotiated; from a security standpoint, it helps address the "blind spots" in protecting new technology while that technology is early in the adoption curve. So in a very real sense, better forecasting means better risk management. And, in turn, the ability to forecast new technology—including adoption, the approximate timing of when that technology will proliferate, what sectors might be impacted, etc.—is of great potential value to ISACA members.
SciCast represents a unique source of data for ISACA. Knowing what’s on the technology horizon helps us give our members relevant guidance to maximize technology investment returns and minimize risk for their organizations.
“This also enables strategic, rather than tactical, decision-making. SciCast will provide us with a key data source to provide our membership with more rapid, more accurate, and more granular information about upcoming future trends,” Pasfield explains. “Because the SciCast platform is open, it allows us to incorporate information from the platform directly into our forward-looking knowledge products. That openness also allows us to reframe the information coming from the platform to make it most accessible to our membership and best meet their needs. It’s a very exciting platform, and I encourage you to take a look and start predicting.”
Chair, ISACA’s Emerging Business and Technology Committee
Which smart technology will be most vulnerable to cyber-attacks in 2014? Predict now: http://ow.ly/zcVEt