Corporate Governance:  Evaluating and Directing Value Creation

Organizations are contending with increasingly dynamic and demanding external and internal environments by making good corporate governance accessible and fit for application through the adoption of governance practices that sustain value creation. Governance and management systems are being designed to reinforce and govern a holistic, interrelated set of arrangements that can be understood and implemented in an integrated manner using organizational structures, processes, practices and ethical, conscious behavior.

Governance and Management
Corporate governance is the system by which a governing body exercises ethical and effective leadership to establish:

  1. An ethical culture
  2. Sustainable performance and value creation
  3. Adequate and effective control by the governing body
  4. Trust in the organization, its reputation and its legitimacy

Putting corporate governance into practice requires a holistic and integrated set of arrangements that can be evaluated and directed to create the value stakeholders expect.

Organizations often use a wide variety of resources and governance mechanisms to achieve their purpose and strategic goals and to fulfill stakeholder needs. Leveraging resources requires the establishment of accountability, assignment of responsibility, and transparency and fairness in how work gets done.

The implementation of corporate governance starts with an examination of the roles and responsibilities for decision-making processes, specifically those that impact the achievement of strategic goals. This will reveal who is accountable and who is responsible for the practices and governance mechanisms required to achieve governance outcomes. A governance and management system institutionalizes the organizational structures, processes and ethical, conscious behavior.

Technology and Information Governance
While governing bodies are expected to be proactive in ensuring that information assets are leveraged for growth, there are few tools actually available that provide governing bodies with sufficient oversight. A governance and management system provides an integrated solution that brings the governors and the managers together and provides a holistic approach for them to effectively govern and manage the current and future use of technology and information.

Such a system provides the means to institutionalize the enablers of good corporate governance. People, process, technology and information come together in an integrated governance and management system that enables value creation and supports the achievement of strategic goals.

An organization’s capability to govern and manage is developed within a governance and management system and enhanced through the use of a suitable mix of enablers:

  • Principles, policies and frameworks
  • Processes, practices and activities
  • Organizational structures, roles and responsibilities
  • Skills and competencies
  • Culture and behavior
  • Service delivery components
  • Information management

Orchestration and Choreographing the Practices
Corporate governance is not accessible or actionable if the application of the underlying practices cannot be influenced. To achieve the organization’s purpose and strategic goals and deliver value to the stakeholders, the governing body and executive managers must evaluate and direct the regular and ad hoc daily activities of internal and external parties.

Leadership and organizational structures are of little benefit if they cannot influence the organization’s processes and practices, direct the alignment and prioritization of value delivery, govern risk management, optimize resource usage and track performance.

A governance and management system provides the functionality required to orchestrate those responsible and choreograph the implemented practices in line with how the governing body and management want to direct operations, effectively manage risk, consume resources and comply with regulatory obligations.

Being fit for purpose is paramount. Every governance and management system should be crafted in accordance with size, available resources, and complexity of strategic objectives and operations so that it suits the organization and sustains value creation.

Maintaining a Framework for Governance
Regardless of any technical and organizational arrangements deployed by management, these arrangements will be fundamentally undermined if operated outside an effective risk management and governance regime. It is essential that the implemented corporate governance framework ensures that procedures, personnel, physical, technical and organizational arrangements, and controls:

  • Remain effective throughout the lifetime of service delivery and value creation
  • Are responsive to changes in the services and value delivery propositions, and
  • Change in accordance with threat and technology developments

A documented governance and management system ensures that corporate governance is understood and communicates which practices are required to support service delivery, performance standards, value creation, regulatory compliance and internal controls. Records of assigned responsibilities, current status, analysis, evaluation and completion demonstrate compliance with the selected principles, policies, frameworks, standards, and legal and regulatory requirements applicable to the practices assigned.

The governance and management system incorporates the priority, status, sequence and timing of actions; enables the monitoring of capability, progress and outcomes achieved; and coordinates continuous improvement.

Peter Hill will speak on Governance & Management at EuroCACS in Dublin 30 May-June 1 2016.

WIRED Editor David Rowan Predicts Future of Audit, Governance, Risk Management

ISACA Now recently interviewed David Rowan, editor of WIRED magazine and keynote speaker at EuroCACS 2016. He discussed the future of audit, governance and risk management, as well as what can be done to stop cybercriminals once and for all.

ISACA Now: What are some of the changes/innovations audit, governance and risk management professionals should expect in the next 5-10 years?
Rowan: We are in a networked world of ever increasing transparency, as well as increasing vulnerability to data breaches. Starting with transparency, the recent breaches of client confidentiality over Panamanian accounts, and the Snowden disclosures before that, are a stark reminder that every professional’s decisions could tomorrow be scrutinized on the front page of the New York Times. If you’re an auditor or a risk management professional, are you comfortable with your advice, your private emails, your entire work life being exposed to the twittersphere? I hope so. At the same time, we’ll find foreign states and criminal gangs investing ever greater efforts in breaching supposedly secure corporate networks to transfer funds or steal proprietary data. How well defended are you against these real and growing risks? Is your CEO taking personal responsibility?

ISACA Now:  Will the technology of cybersecurity ever catch up to or surpass the technology used by cybercriminals?
Rowan: The single biggest worry I have today is our growing reliance on networked connections to keep our economy moving—the satellites empowering communications, the servers running our utilities, the corporate decisions being made on supposedly safe internal networks. The bad guys are terrific innovators; they understand psychology as well as technology, so whether they’re spoofing the GPS signal of a satellite to put it out of orbit or hijacking your home computer with ransomware, they’re delivering nicely rising profits at our expense. I’m not sure we’ve seen the political will or the corporate education to confront these criminals with well-resourced defense systems that can scale and can keep up with the bad guys’ rate of innovation. They, after all, have a great incentive: you used to rob a bank because that was where the money was; today the money is all over the network.

ISACA Now:  You’ve interviewed many global influencers over the years. What key characteristics have allowed them to be so influential? Any examples?
Rowan:  When it comes to entrepreneurs who really build something huge—the Facebooks, the WhatsApps, the Kickstarters—there tend to be a few common characteristics in many cases. Often they are motivated to solve a big problem, something that really makes a difference and not simply make money. That motivation keeps them going through the tough bits. They’re often very resilient personalities who don’t take it personally when things go wrong, so they can get up and push past the problem. They’re often outsiders in some way who don’t see the rules other people rely on:  maybe they had dyslexia at school, or were immigrants who didn’t easily fit in, or were misfits in some other way. They have tremendous self-belief, which lets them motivate their teams as well as attract investors and the media. And often I’ve found they had difficult relationships with their father—I can’t prove this scientifically, but perhaps it’s something that leads them to be driven beyond reason to prove themselves...

ISACA Now:  You will be speaking at the EuroCACS conference 30 May-1 June 2016 in Dublin. Give us a brief preview of what you’ll discuss and what attendees will take away.
Rowan: My life is spent travelling to meet the start-ups transforming industries and the investors betting big on them, as well as the research labs designing the way we will interact in the future with technology. So I’ll translate what I’m seeing in real fast-growth businesses to how it will impact successful existing businesses in the next five years—and how consumer behavior is being transformed by everything from mobile screens to virtual-reality headsets. The bottom line is the world will never move this slowly again, as exponential technologies create massive new opportunities to build businesses that could never have existed a couple of years ago. So there’s a risk that delegates will go back to the office with a rather big to-do list of urgent things they need to do to become as innovative as the start-ups...

Chic Geek Speak:  Vanquish the “Nice Syndrome”

We have often heard these pearls of wisdom during our formative years:  “Play nice. If you don’t play nice, no one will want to play with you.” “You have to be nice.” “Be a nice girl.”

Unfortunately, many of us (myself included) suffer from what I’m calling the “Nice Syndrome.” Merriam-Webster dictionary defines nice as pleasing and agreeable. Nice was rewarded, reinforced and subsequently internalized, leading to:

  • Putting others’ needs before your own
  • Over-apologizing
  • Consistently asking for permission
  • Denying your own power
  • Not asking for what you want or need
  • Tolerating too much negativity
  • Being overly patient

In the workplace, we continue to be nice. We don’t rock the boat. We play nice even when it means denying one’s self. We sacrifice self and wait for our reward. Unfortunately, the rules we learned as girls no longer apply as women in the workplace. We instead work extra hard, do the work of others, deny ourselves lunch or breaks. We put work first, our families second, and ourselves last.

How then can we break this nice cycle without being labeled a witch or worse? How can we vanquish our misplaced guilt when we no longer play nice? We do this through:  1) language; 2) prioritization; and 3) building our brand.

Never Underestimate the Power of Words
Words create our reality and give us and others a blueprint for interacting with us. Women often use touchy-feely language that lacks self-confidence. These phrases include:  “Maybe we could…”; “I was thinking we might…”; “How about…” Instead use more assertive language:  “I believe it would be best to…”; “I propose that we…”; “It is my understanding that …”

Stop Putting Work Ahead of Everything Else 
Many women of my era are referred to as the “sandwich” generation. We juggle careers, families and caring for elderly family members. We put ourselves so far down the list that we do not recognize our own needs. By playing nice, women put their needs on hold or lower their expectations. They deny their own power. Let go of the beliefs that you are powerless and that standing up for yourself is selfish. Rethink what power means. You have more power than you allow yourself to use. To reclaim your power, start by saying “no” to unreasonable requests. Express yourself in more empowered ways by stating, “I choose to…” which ties back to creating your reality. Take small steps for yourself, such as:

  • Taking lunch breaks
  • Taking short walks outside
  • Establishing set start/stop times, and sticking to them
  • Taking time for exercise
  • Taking meditation or yoga classes
  • Getting regular massages or facials

Build Your Brand
We all know brands that are synonymous with a product, such as Coke or Kleenex. What is your name synonymous with? Once you determine that, it will inform you of your brand. It is what sets you apart from others. What is your unique story? It is said that “If you don’t build your image (brand), someone else will.” What are you really good at? Build your unique story.

Appearance is also a big part of your brand. The saying goes, “Never dress for the job you have; dress for the job you want.” Look at successful women. What style of clothes, hair, make-up and jewelry do they favor? I am not advocating a complete makeover, but maybe wear a blazer to important meetings or dress up your blouse and slacks with a scarf.

Also, observe how successful women speak. Do they use a lot of touchy-feely language? What is the pitch of their voice? Your presentation skills communicate your brand. Are you confident in front of a group? Do you talk at an acceptable rate or speak rapidly? Do you use crutch words like “ah,” “um,” and “you know”? Do you over-explain or apologize when presenting? Do you use words to minimize importance or ask for permission? Do you speak too softly or at too high a pitch? Does your voice pitch up at the end of a statement? If you struggle in any one of these areas, I suggest Toastmasters International, which offers a cost-effective communication development course that moves at your own pace.

Do you, like me, suffer from Nice Syndrome? How have you broken through this syndrome? Share your success and struggles in the comments section below.


Today, 28 April, just happens to be International Girls in Information and Communication Technologies (ICTs) Day. The goal of the event is to create a global environment that empowers and encourages girls and young women to consider careers in the growing field of ICTs.

ISACA Now Chats with EuroCACS 2016 Keynote Speaker Mark Stevenson

ISACA Now recently spoke with Mark Stevenson, who will give the closing keynote address at EuroCACS in Dublin 30 May-June 1 2016. Stevenson is the founder of We Do Things Differently, and the author of An Optimist's Tour of the Future and the upcoming We Do Things Differently. He is also an advisor to the Virgin Earth Challenge, Atlas of the Future, Comic Relief and Institution of Mechanical Engineers.

ISACA Now:  In Principle 7 of your 8 Principles for Thinking About the Future, you discuss how pragmatic optimists will experience significant rejection and ridicule when starting new endeavors. What practical advice do you have for getting through all that rejection without becoming defeated and cynical?
Stevenson: By understanding that you will lose more often than you will win until halfway through the game—and that’s OK. Persistence (driven by the optimism that a better future is possible) is the secret sauce of success. Cynicism by contrast is just a recipe for laziness dressed up as wisdom. Every great leader you can think of is an optimist. As the saying goes, “The road to success is littered with corpses, but they’re all suicides.” Also remember that rejection is often a sign you’re on the right track. As the computer scientist Howard Aiken sagely remarked: “Don’t worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people’s throats.”

ISACA Now:  For many, cynicism is deeply embedded. How is it possible for those long-term cynics to kick out their cynicism?
Stevenson:  By looking in the mirror and asking themselves if they want to continue being unhappy. Cynicism is obedience. As the author Richard Bach put it, “Shop for security over happiness and you buy it, at that price.” Cynics reinforce the status quo they complain about by refusing to imagine it can be different. But the antidote is doing something bigger than you for which the dividends emotionally (and often financially) are handsome. It’s a choice. Comfortable miserable cynicism, or uncomfortable happy optimism? It’s your life.

ISACA Now:  Your pragmatic optimist’s view of the future should come in handy for cybersecurity professionals as they work to address the avalanche of cybercrimes and criminals. What is your advice for those who may be growing weary of the world’s seeming inability to overcome cybercrime? What historic parallels can you draw from this?
Stevenson:  The question is what are we protecting? One has to ask what the roots of crime are, and they are based in scarcity and distrust. In a world of abundance and transparency, crime and war are far less likely (indeed history teaches us this time and time again). The cybersecurity profession has to ask itself whether it is on the side of people, or Mossack Fonseca (the Panamanian law firm that recently had 11.5 million confidential documents leaked) and its clients. Who are your paymasters and what are their morals? We overcome violence and addiction by being more connected, not less so. We will overcome cybercrime most effectively by working to reduce inequality. So, the question is, what are you doing about that and whose side are you on?

ISACA Now:  You will be speaking at the EuroCACS conference 30 May-1 June 2016 in Dublin. Give us a brief preview of what you’ll discuss and what attendees will take away.
Stevenson:  I’ll be explaining why all bets are off, how the next 30 years will be some of the most turbulent in history and how to navigate that in the service of making the world better for your children.

ISACA Now Chats with NACACS Keynote Speaker Tim Sanders

ISACA Now recently talked to Tim Sanders, a keynote speaker at the North America CACS 2016 2-4 May in New Orleans. Sanders is the New York Times best-selling author of Love Is The Killer App: How to Win Business & Influence Friends and an Internet pioneer. He advises Fortune 500 executives on leadership, marketing and new media strategies to grow business.

ISACA Now:  Your new book Dealstorming: The Secret Weapon That Can Solve Your Toughest Sales Challenges suggests a team approach to sales. What are the keys to developing a best-in-class team, no matter its function?

Sanders:  Effective problem solving teams are diverse in thinking and united in shared vision. So ask yourself:  Who has a stake in the outcome? Who has expertise about our problem? These are your blockers, tacklers and skill position players for your team. Every team has an overarching goal or purpose, so make sure yours cuts across the lines. In sales, you can’t lead with just the revenue opportunity; you need to elevate the discussion to winning a rivalry, pursuing excellence or building your brand. Same goes for any other problem area at work. A bigger why creates a stronger team, especially when finding a solution takes a lot of meetings and time.

ISACA Now:  You recently tweeted that nurturing team building and team players is more important than hiring rock stars. Why is that?

Sanders:  From business to technology, complexity is rising fast. This puts pressure on organizations to quickly innovate, keeping up with the times. In my research, I’ve found that genius is a team sport…not the work of a lone creative type. There are bodies of research (such as The Myths of Creativity by David Burkus) that debunk the stories of lone-invention. It’s a romantic notion, really. We want to think that the rock star programmer, sales person or marketer will save the day. But really, the effective team builder and player will harness group genius to move things forward more quickly. Additionally, many “rock stars” on paper are the product of their previous working environment. That’s why so often as they move to new opportunities, they can’t replicate their success. And making matters worse, because they were a rock star at their previous job, they’ve likely developed the lone-wolf mentality.

ISACA Now:  Many IT professionals are introverted or work remotely. How can they become lovecats?

Sanders:  A lovecat is a person who is strong and intelligent but at the same time, generous and empathetic to their colleagues. One way we can be generous is knowledge sharing or mentoring. This can be done now online, in a series of very helpful emails. For networking, another way to be generous at work, email introductions or LinkedIn endorsements offer a way to connect others that “should meet.” Finally, introverts are naturally great listeners. Helping others be heard is a valuable offering in organizations where there is constant change.

ISACA Now:  You will be speaking at the NACACS conference 2-4 May 2016 in New Orleans. Give us a brief preview of what you’ll discuss and what attendees will take away.

Sanders:  I’ll be talking about the power of great relationships, team work, collaboration and leading from the heart. Main takeaways will include insights on how to be an effective mentor, a power networker and a great listener. Also, I’ll reveal the collaboration process I’ve developed over my career, and how when fueled by relationships, it can triple your chances at solving your toughest challenges.

Newbies/Mid-Careerists: Jumpstart Your IT Audit Careers

In the two decades that I have been an IT Audit recruiter, the field has come a long way, and there is now much more recognition for the IT Audit profession. Going back to 1995, whenever I speak at an ISACA gathering I’ve always asked how many knew in college that they wanted to be an IT auditor. Just 10 years ago, no one ever raised their hand. About five years ago, hands started to go up. That IT Audit is now considered a viable career choice has been helped considerably by the steady increase in college curriculum focused on IT risks and controls.

As an IT Audit recruiter I am often asked by individuals at various stages of their IT Audit journey—from college to mid-career—what they can do to jump-start their IT audit careers and stand out from the pack. Here are some suggestions.

IT Audit Internships for Newbies
Let us start with those still in college. I strongly recommend you get into a good internship program to gain experience and “try before you buy” to help you decide if IT audit is something you are truly interested in. A good place to look for these programs is with the Big 4 accounting firms, but also with Fortune 500 companies, more and more of which are developing audit internship opportunities.

ISACA Membership/CISA Highly Recommended
For those starting out or at mid-career looking to get into the IT audit field, my first suggestion: You need to become a member of ISACA. To get a foothold in the IT Audit world, ISACA can be invaluable, particularly for the networking opportunities an ISACA membership affords. Robust ISACA chapters can be found in most major cities.

You should approach every chapter meeting as a networking opportunity. Yes, those events are great for learning more about the profession through training and presentations, but networking is key for those looking to break into the IT audit field. Sit with people you do not know. Move around the room. Introduce yourself to the chapter president or vice president. Ask for 30 seconds to a minute to introduce yourself to the entire group and present your stump speech/elevator pitch to make everyone aware of who you are and that you are looking to get into the IT audit field. How many times will you need to introduce yourself and network your way to an opportunity? Maybe once, maybe one hundred times…but if you put in that level of effort to go beyond the comfort zone and market yourself, you will eventually win somebody over.

Next: It is critical that you sit for the CISA certification. It sends a clear message to prospective employers that you have mastered the IT Audit body of knowledge, but even more important, it shows you have taken initiative in your professional development. It demonstrates that you have bought into IT audit, which is something potential employers need to know, especially if they are going to take the risk of hiring someone who needs additional time and training to get up to speed. The CISA has gone from a “nice to have,” to a “Why in the world do you not have your CISA?” CISA is a door opener if you have it and a door shutter if you do not… so dig into your wallet and pay for the exam. If you are serious about the IT Audit field, this is an investment that will definitely pay off.

As for other ISACA certifications, both the CISM and CRISC are continuing to gain recognition. Non-ISACA certifications I recommend include the CISSP from the International Information Systems Security Certification Consortium and the CIA from the Institute of Internal Auditors (IIA).

To sum up, with IT audit candidate scarcity as significant as it has been since the initial years of Sarbanes-Oxley compliance, demand for qualified IT audit professionals will likely continue to exceed supply for the foreseeable future. This creates opportunities for those looking to break into the field, and an ISACA membership and certification are the keys to doing just that.

Derek Duval is the owner of Duval Search Associations, which is devoted exclusively to enhancing careers of IT audit, risk management, compliance, and advisory professionals.

Has David Chaum Saved The Internet?

As the Internet of Things continues its promising evolution, the world is becoming more engaged in the discussion of privacy issues versus issues of national security. At the center of this exchange is the burning question of whether we, as nations and communities, should sacrifice privacy for security.

Some governments think so, and have gone to great lengths to gather information from sources both inside and outside their borders, quite often acquiring the information of millions of persons in a quest to identify the specific actions of only a few individuals.

On the other side of the argument are those who believe that an individual’s right to privacy is sacrosanct; nothing can, nor should, supersede it, including a government’s desire to act in what it deems the interests of national security.

The actions of Edward Snowden put a spotlight on these conflicting perspectives, pointing out the various ‘back door’ entry points that enabled a government to examine the information of private citizens at any moment it deemed such an examination necessary. Today, we find governments and citizens across the world having conversations about the appropriate balance of privacy and security. Those discussions, as yet, have yielded little agreement, and few signs of potential resolution.

And now, the voice of someone new has joined that conversation: David Chaum.

David Chaum was the creator of the mix networks of the late 1970s.  He has spent much of his career in encryption, ensuring that information stays the property of the individual, and no one else’s.  In January at the Real World Crypto conference at Stanford University, he proposed a new way to ensure an individual’s online privacy, a model he calls PrivaTegrity.

His solution is somewhat counterintuitive. He proposes more ‘back doors’—nine of them, in fact. Simply put, Chaum’s PrivaTegrity model places nine servers in nine different nations. No single server can provide access to the information being transmitted, nor can any combination of the nine servers access the information—save all of them acting in unison. His rationale is simple: if nine governments or other entities can agree that something is undesirable—terrorist plots, human or drug trafficking, or similar endeavors—then that information should be accessed and acted upon.

A critic of Chaum’s pointed out the central flaw in this, though.  Why would criminals and terrorists use a construct that you have already publicly stated has the ability to be accessed through a back door, albeit a door with nine locks?

While Tor encrypts and bounces communications through a network of relay servers, preventing traffic analysis, Tor cannot—and does not—protect against traffic confirmation. Because of imperfections such as this, Tor and similar constructs are vulnerable to decryption efforts—but are they vulnerable enough, in the mind of a bad actor, to merit switching from that to Chaum’s PrivaTegrity model?  PrivaTegrity may make privacy more difficult to pierce—but it can still be pierced.

To be blunt, the only reason for criminal or terrorist elements to use PrivaTegrity would be if they controlled all nine servers.  It is difficult to imagine a scenario in which any one of nine criminal or terroristic enterprises would act against their own self-interests, so it would be extremely difficult to get all nine actors’ approvals, and lift the veil of privacy.  This could prove appealing to such groups—and be a nightmare beyond imagination for law enforcement, cybersecurity and national security professionals.

So, I believe it is safe to say—no, David Chaum has not saved the Internet.

But perhaps he has pointed to a way forward. Plurilateral agreements require the approval of all entities involved before an action can be undertaken, and may be the nontechnological solution to the privacy versus security debate. This is not a new approach to issues that are borderless, global in scope, and with implications for nations and individuals the world over; a plurilateral agreement regarding the future development and usage of Antarctica was entered into by a dozen nations and came into force in 1961. In the half-century since, the member nations have worked together to increase the number of nations in the Antarctic Treaty, as well as to set parameters for scientific research on that continent.

In this age of the Internet, privacy is disappearing—or perhaps we might soothe our souls by acknowledging that privacy is being redefined. Individuals are continuing to reveal more about themselves online. Governments are actively pursuing what they believe to be the best security interests of their respective nations. While many security-focused agencies around the world would be loath to have another similar agency in an outside nation sign off on their actions, the fact remains that it just might be the best way to ensure the privacy of the individual while still engaging in the pursuit and apprehension of criminals, terrorists and similar bad actors.

The Internet does not belong to an individual or a nation; it is among the few constructs in our world that can make that claim.  Instead, it is a construct that deserves the responsible stewardship of both state actors and individuals.  It is time that privacy be given the same status that other issues of global import have been given. It is time we work together to ensure that innocent, ordinary individuals the world over can communicate with one another—and only one another.

5 Ways to Hack Your Leadership Communication

“The art of communication is the language of leadership.” James Humes

Good interpersonal skills are the hallmark of all great leaders. There is no leadership without effective communication. And those who possess the art of delivering thoughts and ideas in meaningful and befitting ways are those who are most successful.

No academic discourse or any business degree can teach you how to become a skillful communicator. It is self-taught and learned by exposing oneself to situations where interpersonal skills are tested the most. Regardless of which leadership style CEOs and managers adopt or have, delivering the right communication is a different matter altogether.

The best communicators are not only those who show the intent to listen to others, but also those who have incredible situational awareness and observation and problem-solving skills. Without being able to critically analyze, process the finer details and evaluate them holistically, leaders will not be able to communicate the “big picture” to their staff, and the business as a result will not grow as it should.

The following are a few ways leaders can uphold effective leadership communication:

Get personal—The positive value of any relationship intensifies the more emotions are involved. While it is important to have disciplined and professional relationships with your staff, it is also essential that leaders communicate with their staff using personalized tones and messages. Cultivating meaningful relationships is thus critical for leaders to communicate effectively.

Be specific—Leaders also need to practice ways of keeping their messages concise and to the point. There is nothing remarkable about making long speeches, if your staff cannot understand and remember half of the things you say. Business leaders are more pressed for time, and it can be very damaging if they do not deliver messages in a summarized and concise manner. The more summarized your messages are, the more clarity your staff will have.

Show empathy—“Leadership today is based on relationships built with trust, hope, love and encouragement,” Billy Cox. It is only natural that those vested with authority will exploit their position to show ego. That, however, is not the mark of a strong leader. A strong leader is one who can show empathy for his or her staff. Empathy contains the human element of compassion and care that can patch up emotional or psychological issues faced by employees in their work routines. Showing empathy means that you value human emotions, and doing it enough can be a precursor for influencing great motivation levels in your staff.

Demonstrate analytical reasoning—How well you analyze information and events is an important quality for a leader to have. What is more important is getting your employees to think like you and perceive things from your point of view. This does not necessarily mean that they have to agree with you; rather, it is about exercising one’s rational faculties to become better, data-driven staff that can achieve extraordinary results.

Leaders should ask employees to do their research and present their own analysis and solutions to a problem along with a case study, company/department objectives and conclusion. You can then ask a series of questions regarding how the business should quantify the solutions and how it can translate into long-term business growth.

This is an important exercise to train your staff to think on their feet, appreciate their rational thinking and arrive at conclusions that can relate to worthwhile business strategies.

Listen and be silent—Listening with an open mind and out of genuine interest is one of the easiest ways to gain the trust of your employees. By listening with a sincere heart, your employees feel valued and become encouraged to participate more closely with the activities of the organization. It sparks interest in your staff and allows them to be more at ease with their company culture.

Simon T. Bailey
Author, speaker and Brilliance Enabler
Bailey will be speaking at ISACA’s 2016 North America CACS conference 2-4 May 2016 in Las Vegas, Nevada, USA.

Cybersecurity Snapshot: Cyberthreats, Regulations, Workforce Issues in 2016

The dynamic world of cybersecurity continued its rapid pace of change in 2015, creating new challenges and opportunities for ISACA and our 140,000 global constituents. Of course, 2016 will be no different. ISACA professionals across the globe expect to see an evolving mix of cyberthreats, regulatory issues, and an ongoing shortage of qualified cybersecurity workers needed to address these issues, according to the January 2016 Cybersecurity Snapshot survey.

Nearly 3,000 IT professionals from 121 countries voiced their opinions in the Cybersecurity Snapshot, and the results say much about where cybersecurity is headed in 2016. Respondents said their top cyberthreat concerns for 2016 were social engineering, insider threats and advanced persistent threats (APTs). Fully 84 percent believe there is a medium to high likelihood of a cybersecurity attack disrupting critical infrastructure (e.g., electrical grid, water supply systems) this year. Nearly a third said there will be some increased risk of insider threats (privileged users) vs. last year.

ISACA’s well-trained, knowledgeable professionals do not lack for recommendations on how to best tackle these cyberthreats. Adding two-factor authentication was considered the best response for improving security in the virtualized data center, followed by adding dual-person approvals for certain actions. Other suggested solutions included using a password manager for checking in/out password access to systems, and adding air gaps for different types of workloads (e.g., sensitive or non-sensitive).

Another area where ISACA constituents had consistent opinions involved government regulations and privacy issues. We saw significant activity in these areas in 2015, and I believe we can expect to see more of the same in 2016. A majority (63 percent) of respondents believe governments should not have backdoor access to encrypted information systems. A similar majority think privacy is being compromised by stronger cybersecurity regulations.

From an organizational standpoint, 84 percent favor regulation requiring companies notify customers within 30 days of a data breach discovery. Interestingly, only a third of respondents believe their organization would voluntarily share cyberthreat information if it experienced a breach.

These issues make a strong case for organizations to have certified, well-trained cybersecurity personnel. Finding well-qualified cybersecurity professionals, however, is an ongoing, global issue. Nearly half of global organizations are planning to hire more cybersecurity personnel in 2016, and 94% say they will expect to have a difficult time finding skilled candidates.

Not surprisingly, 81 percent say they would be more likely to hire a cybersecurity job candidate who holds a performance-based certification. That’s where ISACA and Cybersecurity Nexus (CSX) come in.

ISACA launched CSX in 2014 and expanded its certification offerings in 2015 with the introduction of the CSX Practitioner (CSXP) certification. CSXP is a vendor-neutral, performance-based cyber certification—the first of its kind—that focuses on key cybersecurity skills and requires demonstration of skills in a virtual lab environment in the Identify and Protect domains.

CSX has big plans for 2016, kicking off today with the introduction of the Cybersecurity Career Roadmap, which will help cybersecurity professionals identify new opportunities for career advancement. It provides the resources to continuously hone your skills, expand your knowledge, and start (and keep) your career on a trajectory toward achieving your goals.

ISACA is committed to all four of its core focus areas—audit/assurance, governance, risk and cybersecurity—and we will be delivering new resources in all of these areas over the course of the year. There has never been a more challenging or rewarding time to be in our field than right now.

I wish you a happy and successful 2016. It’s going to be an exciting year.

Christos Dimitriadis, Ph.D., CISA, CISM
2015-2016 ISACA International President

Moving from Managers to Mentors in 2016

Managers are obsolete. Mentors are a thing – or should be!

Fortune magazine suggests that companies retire the term “manager.” It is there in black and white on page 52 of a recent issue, in the Growth Guru article titled, “5 Key Trends to Master in 2016.”

According to Fortune, Zappos CEO Tony Hsieh eliminated all of his company’s managers. The author of the article notes that most people are better supervised by their phones than by bosses (something to ponder) and goes on to say that by morphing managers into coaches and having them spend an hour of individual quality time each week with up to 40 employees, companies will get better overall performance than they will from teams with a manager and eight to 10 employees.

Cool idea. The sticking point: Converting managers into mentors and coaches. That is potentially a tough sell to professionals who have fought hard to become a “manager” and for younger professionals who are striving for that first manager title.

Rewarding Achievement
Management gurus and innovative companies suggest that growth and innovation come from developing leadership at all levels and flattening hierarchies. You reward achievement, in contrast to the traditional career trajectory that rewards advancement. With the advancement model, companies overtly or indirectly push people to aim for roles that may not suit their passion or skills because that is the only way to earn more and be recognized. When you flatten organizations and reward achievement, achievers thrive, as does innovation.

Mentors and coaches are critical in achievement-driven companies because they assist employees in developing the skill sets that allow them to achieve, inspire and lead others. The essential knowledge being transmitted by the mentor is the understanding of the enterprise, culture, protocol, perspective of senior management, strategy vs. tactics, and the synthesis of all those elements, which can take years of work and experience with a company to digest, assimilate and fully understand. Not that mentors are spoon-feeding mentees, but the best of them offer the boiled-down essence of what one needs to know to progress. The information empowers mentees to be more creative, think outside the box and take more (and appropriate) risks. These actions benefit the enterprise and accelerate careers in a positive direction.

Everyone Benefits from Mentoring Process
The exciting thing about mentoring is that it works well in both directions: experienced people mentoring more junior staff and more junior staff offering their expertise (particularly with IT) to senior professionals. The concept of “reverse mentoring,” pioneered at GE, has been driving knowledge transfer and improved collaboration across companies large and small.

As we start thinking about career and life goals for 2016, put mentoring on your personal development agenda. Have two goals:

  • Find a mentor who will help you further develop your institutional and business savvy.
  • Look for someone junior who you can mentor.

Research has shown that those who receive mentoring build their careers faster and are more satisfied with the direction their career is going. Research also shows that those who mentor others are recognized as leaders and are more positively perceived within their organizations. This is a win-win no matter what kind of company you work for, and you will find yourself ahead of the curve as the mentor/coach leader paradigm (gradually) becomes a dominant business model—which it will.

Resolve to Get Involved in 2016
Finally, you have to know the power of mentoring. Social scientists at Harvard, UC Berkeley, Stanford and other major research universities are finding important links between happiness and gratitude. Mentoring is a dynamic process that engages us in receiving a gift of wisdom from another, for which we feel grateful and happy. When we mentor, we pay it forward and help someone who will benefit from our knowledge. This is a powerful cycle that generates happiness, effectiveness and job satisfaction. If you make only one career resolution in 2016, make it this one: get involved in mentoring.

For more about mentoring—the process, how to find a mentor, how to be a good mentee, how to mentor effectively, and more—join us for ISACA’s webinar on mentoring, 12PM (EST) / 17:00 (UTC), Wednesday, 20 January 2016.
