Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
Creating CyberCulture

Matt LoebWhen growing up, many of us probably heard warnings from our parents to be careful in certain environments—the local woods, a busy side street, or at the beach.  Our parents cautioned us out of concern for our well-being, and it served a purpose. 

Their warnings were meant to raise our awareness of our surroundings, and ensure we would exercise care when appropriate. They reminded us that the safety of our environment depended upon the decisions we made. Today, we would be well-served to add one more domain to those dangers areas drilled into us: the world of cyber.

Like the woods and the beach where we played when we were young, cyber offers a great amount of reward, tempered with significant risk if we’re not prepared.

How do we evolve to a CyberCulture, though? How do we convince people that, for all the positive potential of technology, there is a dark side as well? How do we especially reach today’s digital natives, who have grown up largely responsible for their own security in cyberspace, and take security somewhat for granted?

It starts with an initial decision: at what level should cyber security be a part of our daily lives? For a CyberCulture, in which security is a top-of-mind concern, the answer is simple—cyber security should be as prevalent in our lives as possible. There is one security measure that comes to mind that’s prevalent anywhere we look, from shopping carts, to cars, to airplanes, regardless if we are in Kenya, Kolkata, or Kentucky.

Seatbelts.

Cyber security needs to become the modern-day equivalent of seatbelts that can keep us protected when we are navigating down new roads at high speeds.   Yes, cyber security is a ‘security’ issue—but it’s a safety issue as well, for all of us. Nations, enterprises and individuals need strong cyber security—and all these entities need it for both safety and security. Most significantly, cyber security needs to become pervasive at all of those levels, and no one level is more important than another. To create a safe, secure CyberCulture, people, enterprises and nations needs to function in as complementary and synergistic a manner as possible.

For nations and governments, cyber security must be a prime concern, across the breadth of government, at all levels, and in all functions of government. Last month’s DefCon 2017 gave us an object lesson in protecting the entirety of governmental operations, when conference attendees hacked various election equipment in a matter of hours. Assessing the capabilities—and vulnerabilities—of that equipment should be as regular an activity in government as ordering office supplies. It should be part of a CyberCulture.

For individuals, the journey towards a CyberCulture should begin as early as possible.  We need to make cyber security and good ‘online hygiene’ part of core curricula at the pre-university level, to imbed the concept of security online at the earliest possible levels, and ensure that tomorrow’s digital (and eventually cognitive) natives don’t make cyber security an afterthought. Much like many universities already include humanities or similar courses as graduation requirements, we need to give similar importance to cyber security courses at the university level.

And, just like we would subject potential candidates for a cyber security post to an evaluation of their abilities, maybe it’s time to start evaluating all potential hires—regardless of where they will work in the enterprise—on their abilities to assist in securing the enterprise through sound personal security habits. Likewise, the enterprise should be evaluated on a regular basis for how cybersecure its operations are, not merely from a technical standpoint, but from a cultural standpoint as well. In today’s digital economy, everything is connected; a hack of the cyber infrastructure of one enterprise imperils all with whom they work.

Creating a CyberCulture in which cyber security is as pervasive and commonplace as seatbelts isn’t a ‘nice goal’—it’s a necessity. We are all part of the digital economy now; our digital footprints span continents, borders and time zones. We’ve all helped to make cyberspace what it is today, contributing to its awe-inspiring power and frightening vulnerabilities.  It’s up to all of us to make cyber security what it can be, tomorrow, and to ensure that future digital natives continue to enjoy the positive potential of technology.

Buckle up… it promises to be a thrilling ride!

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Five Questions With Author and Africa CACS Keynoter Siphiwe Moyo

Siphiwe MoyoEditor’s note: Siphiwe Moyo, author and motivational speaker, will deliver the closing keynote address at Africa CACS 2017, which will take place 11-12 September in Accra, Ghana. Moyo, an expert on developing human capital and strategically managing change, recently visited with ISACA Now about what he terms an ‘entitlement culture’ and how the financial markets produce important life lessons. The following is an edited transcript:

ISACA Now: What is the biggest key to an organization developing a healthy culture that leads to strong morale among its workforce?
Having the correct job and organizational fit, including placing people in jobs that are in line with their strengths.

ISACA Now: How do you define an ‘entitlement culture?,’ and why is it problematic?
It’s a culture where people feel that someone else owes them something. It’s problematic because without taking responsibility for their own lives and progress, people cannot perform fully.

ISACA Now: One of your books is Bulls & Bears: Life Lessons from The Financial Markets. In what ways do the markets produce important life lessons?
If you study the markets long enough, you see how they really teach us about life. Markets go up and down but if you have your fundamentals correctly, over the long term you will succeed. Success is about doing those small things every day that lead to big results eventually.

ISACA Now: What are some unique opportunities for enterprises in Africa?
Infrastructure – railroads, and regional integration in terms of roads, energy and water.

ISACA Now: Today’s business technology professionals are dealing with a rapidly evolving technology landscape. What is some advice you will give Africa CACS attendees about how to ensure their organizations are embracing these changes constructively?
It’s about mindsets. Although we know in our heads that we need to embrace change, we know that if the external environment changes faster than our organizations, the end is near, as Jack Welch says. People often feel change fatigue, and I will be helping the delegates with how to overcome that.

Cyberpsychologist Mary Aiken: New Threats Demand New Solutions

Mary AikenEditor’s note: Dr. Mary Aiken, a cyberpsychologist, expert in cyber behavioral analysis and author, will deliver the closing keynote address at CSX North America 2017, to take place 2-4 October in Washington, D.C., USA; and CSX Europe 2017, to take place 30 October-1 November in London. Aiken recently visited with ISACA Now about several of her core areas of interest, including digital ethics and how parents can combat some of the cyber threats that could harm their children. The following is an edited transcript:

ISACA Now: What intrigued you about pursuing cyber behavioral analysis?
As a cyberpsychologist, I maintain that human behaviour can fundamentally change in cyberspace. Powerful drivers such as (perceived) anonymity, online disinhibition and psychological immersion, along with minimization of authority online, dictate that people can act very differently in cyber contexts. Therefore, there is a need for new behavioral scientific approaches and analysis in terms of understanding human, and specifically criminal behavior mediated by technology.

ISACA Now: What should organizations be especially mindful about from a digital ethics standpoint?
In 2016, NATO declared that cyberspace was a ‘domain of operations.’ People like me have been talking about cyberspace for over a decade, but this was a paradigm shift in terms of an official acknowledgement that ‘cyber’ is actually a place, an environment. This recognition gives us a great opportunity to draw on the learnings of the environmental movement. What happens in cyberspace impacts the so-called real world, and vice versa. We should therefore be very protective of this new cyber environment.

The “precautionary principle” has been used to great effect in the environmental movement, placing the onus on companies to prove that their products are doing no harm. From an ethical perspective, if we apply the precautionary principle to cyberspace, then the onus will be on organizations to prove that their digital products do no harm. We are all familiar with the benefits of Corporate Social Responsibility (CSR). There is a now an exciting opportunity for organizations to practice Cyber CSR.

ISACA Now: Which aspects of your research on virtual behavioral profiling tend to surprise people the most?
In terms of behavioral profiling, I have been involved in a dozen different research silos – everything from cyberchondria to organized cybercrime – and the one thing that I have observed is that whenever technology interfaces with a base human disposition, the result tends to be amplified and accelerated. I called this ‘the Cyber Effect,’ and wrote a book about it. A lot of people were surprised and fascinated by this insight; I believe it could be the E = mc2   of this century. If we could figure out and factor this escalation, then we could also look at technological solutions to de-escalate.

ISACA Now: What do you see as the most positive potentials of technology across the cyber environment today?
I believe that AI offers incredible potential across the cyber environment. Many of the problems that we experience in cyber contexts are in fact ‘big data’ type problems – for example cyberbullying. If we could develop machine intelligence solutions to technology-facilitated problem behaviors, then I firmly believe we could help to create a better cyber society for all, and most importantly for those who are vulnerable, such as children.

ISACA Now: Cyberchondria is probably a new concept for a lot of people. How would you characterize that term, and how prevalent is it?
Searching about health and illness are among the most popular search topics. There is lots of constructive and helpful information available online, from quality medical websites, such as the Mayo Clinic. However, it is difficult from an untrained human perspective to be objective in terms of the interpretation of bodily symptoms, and subsequent translation into medical search. There is a word for what can go wrong. Cyberchondria is a form of hypochondria manifested online.

It is described as anxiety induced as a result of escalation to review morbid or serious content while engaging in health-related search. What does that mean? It means that you have a headache (that could be anything from a hangover to a migraine), and you start clicking to read about brain tumors, and experience anxiety as a result. In other words, you may be perfectly well in physical terms, but may end up with a nasty dose of health anxiety.

ISACA Now: How concerned should parents be about cyberbullying, and what should they be doing to help their kids navigate the digital world?
Cyberbullying is a serious issue for parents, and I am very concerned about what society should be doing to tackle it. Let’s think about it like this. Real-world bullying is a problem – why? With a harsh word or punch on the playground, there is little or no evidence. However, cyberbullying is nothing but evidence; in fact, you cannot cyber-bully without leaving a significant digital trail. So, how did we ever get to a point where cyberbullying was a bigger problem that real-world bullying? There are solutions.

We could develop AI technologies for telecommunications and social media platforms that (with parental consent) could monitor digital traffic to children. The point at which the behavior escalates in terms of bullying, the AI could trigger a digital outreach to the child to “go and get help,” and a digital outreach to the parent to “go talk to your child.” Parents should not be the last to know that their child is being cyber-bullied.

ISACA Now: If you had one key inspirational message for the ISACA business technology professional community today, what would that be?
I am absolutely pro-technology. I could not do my job as a cyberpsychologist without spending most of my time online.  I firmly believe that in time we will develop a whole range of technological solutions to technology-facilitated problem behaviors. It is important to remember that technology is not good or bad; it is either used well or poorly by humans.

Faces of ISACA: Cynthia Damian, CISM, CRISC, CCSK, Senior Manager of Enterprise Risk Management, T-Mobile

Cynthia DamianEditor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Cynthia Damian, T-Mobile senior manager of enterprise risk management. Interested in joining ISACA and networking with colleagues like Damian? Learn more here.

ISACA member Cynthia Damian has not had to leave her hometown to work for some of the world’s largest, best-known brands.

Damian, a lifelong resident of the Seattle (Washington, USA) area, has worked for corporate giants such as Starbucks and T-Mobile, including her current role as T-Mobile’s senior manager of enterprise risk management.

While being part of organizations with heavy global footprints has its share of advantages, navigating the sheer size of the organizations, and the corresponding market pressures, requires a skilled balancing act for a risk management professional. T-Mobile, a wireless network operator, has more than 72 million customers.

“One of the challenges is working in a fast-paced, speed-to-market environment,” said Damian “Although it’s important that customers are the focus, it makes things challenging not only to execute on projects and priorities of a given company, but also wrapping around risk management to inform decisions. In my specific area, it’s figuring out the right balance of creating risk management practices and processes that are lean and agile.”

Damian has found ways to strike that balance. At Starbucks, she helped put in place the coffee powerhouse’s first internal governance, risk and compliance function.

“Being part of that was a significant career move for me, knowing that Starbucks is a well-established and global company,” Damian said. “Being part of starting up a brand-new practice internally was critical, and allowed us to drive the way we approached GRC, especially in the security space.”

Damian’s impact at T-Mobile has included ensuring that sound risk management is taken into account as the organization evaluates how to utilize cloud platforms. Her role in managing risk calls for a comprehensive, enterprise view, and requires steady interaction with both executives and those at the operational level to ensure an aligned risk strategy.

Damian, who has ISACA’s CISM and CRISC certifications, has been an ISACA member for nearly 10 years, and serves as a board member and education director of the Puget Sound Chapter. Her ISACA affiliation has proven to be a valuable resource when it comes to connecting with quality consultants and speakers for professional events, as well as networking with industry professionals to share experiences.

Away from work, Damian has developed a passion for portrait photography, and her two sons – a 7-year-old and a 7-month old – provide a pair of charming subjects. The renowned beauty of the Pacific Northwest makes for ideal backdrops, providing all the more incentive to stay put in the Seattle area.

“I love the diversity here – both the diversity in the people, but also in career pathing,” Damian said. “I just feel like we’re a great market to be able to build your career in whatever aspect that you’re looking for, especially in the technology space. It’s a wonderful place for raising a family, as well.”

And while her physical location may not change, major shifts in the technology landscape ensure that Damian has new experiences on a daily basis.

“Technology is moving so quickly, and the risk landscape is also moving and changing very rapidly,” Damian said. “So, whether it’s risk from technology transformation within a company, or risk management of external threats, as technology has grown and evolved, so has the sophistication of threats on the landscape.”

Faces of ISACA: Mike Krajecki, Director, Emerging Technology Risk Services, KPMG

Mike KrajeckiEditor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Mike Krajecki, KPMG director in emerging technology risk services.

Mike Krajecki was studying information technology as a college undergraduate when his career goals crystallized.

“I loved what I was doing, but I wanted to find a way to tie it to business,” Krajecki said. “I didn’t want to be a programmer or a data base administrator or a network engineer. I wanted to do something on a bigger and more strategic level.”

That notion led Krajecki to graduate school, where he studied accounting at DePaul University, and eventually to an internship with professional services firm KPMG. The internship was in 2007, and he has remained at KPMG since, leading to his current role as director in emerging technology risk services. Krajecki, an ISACA member, specializes in helping KPMG clients navigate disruptive technologies, such as Internet of Things devices.

The goal is to “help them manage that risk versus reward equation of adopting something that’s disruptive and new to the market, but doing it in a responsible manner,” Krajecki said. “We’re kind of trailblazing a little bit. It’s really exciting. It’s almost like we have a little bit of an entrepreneur’s mentality inside of a huge global firm.”

Krajecki, a lifelong resident of the Chicago area, made pursuing the CISA certification one of the first major elements of his career strategy – calling CISA “kind of the de facto seal of approval” for IT audit and assurance professionals – and he has continued prioritizing his professional development since.

That’s especially important given his focus on the fast-evolving IoT space. Gartner projects 8.4 billion connected things will be in use this year, and the range of opportunities that staggering growth presents enterprises – along with the related security and compliance considerations – can be overwhelming.

Krajecki said many organizations are beginning to at least recognize potential IoT-related hazards, but often need assistance with developing a more comprehensive risk approach. That tends to include the need to coax stronger collaboration between the products team and other functional groups within the organization.

“Today, companies are getting it, but they’re very tactical,” Krajecki said. “It’s still device by device, and still very focused on the minutiae, and it needs to be more focused on a strategic risk strategy, and how do we build a responsible program that is principles-based, that helps us keep focused on the return this product is going to give the company, why we invested in it, and making sure those profits aren’t diminished by risk exposures. That strategic governance layer is what’s lacking the most right now.”

Krajecki points to the automotive industry as being ahead of the curve, noting successful connectivity for many automobiles and a general realization that there is too much at stake to take security shortcuts.

Still, Krajecki said too many large, global organizations “are still kind of stuck in the past.” Going forward, Krajecki expects he and his colleagues will spend more of their time helping organizations think through their digital strategies on a holistic, enterprise level, as opposed to focusing on the risk elements related to specific technologies or products.

To ensure he’s positioned to help his clients transform, Krajecki is an avid consumer of industry guidance and resources.

“You have to be a lifelong student and keep learning,” Krajecki said. “I learn from my clients every day. I’m very active in the industry in attending ISACA events and other large industry events to keep learning what people are saying, and I just read a lot. There’s a tremendous amount of information available if you seek it out.”

On occasion, though, Krajecki feels compelled to take a step back, prioritizing quality time with his wife, Megan, and their 2-year-old son, Grayson. At 6-foot-6, Krajecki is a former basketball player and remains a fan of the sport, while also pursuing cooking as a more recent passion. He calls his cast iron pan, used for grilling, “my best friend.”

“It’s a way to escape technology and data and risk, and just put together a fun meal for friends and family,” Krajecki said.

Five Questions with ‘Passionpreneuer’ Moustafa Hamwi

Moustafa HamwiEditor’s note: Self-described ‘passionpreneuer’ and award-winning author Moustafa Hamwi will deliver the closing keynote address at Asia Pacific CACS 2017, to take place 29-30 November in Dubai. Hamwi will address an often overlooked ingredient in business success – passionate leadership, also the subject of his recent visit with ISACA Now. The following is an edited transcript:

ISACA Now: Why is passionate leadership so important?
Passion is the key differentiating factor for true leaders. It is easy to lead when times are good. Truly passionate leaders show when times are tough. I always say, “The longest distance leaders have to walk is between their mouth and their feet.” Passionate leaders care about the purpose they are serving and find the energy and drive to keep them going against all the odds.

ISACA Now: Is passion innate, or are there techniques to become a more passionate leader?
The quality of one’s passion comes from the quality of their purpose. In my opinion, we are all born to serve a bigger purpose, and when leaders are aligned with their purpose, their ability to lead and to achieve increases. This takes a high dose of brutal honesty for the leader to ask, “Do I really care about what I’m leading?” If not, then any technique will be symptomatic rather than bringing any deep change.

ISACA Now: Can someone be too passionate? Is there a risk of burnout?
Great question. The best way to answer this is to quote, “If passion drives you, let reason hold the reins,” from Benjamin Franklin.

There is a huge difference between being guided by passion and being blinded by it! Planning and constant learning to adjust the plan is a crucial element in any successful venture and in avoiding burnout. Passion is using your heart as your guide and your mind as the planning and execution tool. With this mix, there is low risk of burnout and faster recuperation because the journey becomes more fulfilling.

ISACA Now: You once met a swami who was influential in your trajectory. Tell us how that came about.
When the student is ready, the teacher appears! It was a pure coincidence. I bought a one-way ticket to India in 2012 seeking some answers about my life and the bigger meaning, and through a friend of a friend of a friend, I ended up meeting him. The interactions with him were eye-opening; however, it was one of the questions he asked me that changed a lot of things for me.

One day I was asking him about life and he turns to me and asks me, “Do you know what you are thirsty for? Because if you do not know what you are thirsty for, you cannot quench your thirst.” This was the beginning of my search for how to quench my thirst, to have a great impact on the world, and to help people find and fulfill theirs.

ISACA Now: You are from Syria, then moved to Dubai and have visited plenty of other places. Is passion a universally important ingredient you have observed in successful leaders?
I have lived in, traveled to and spoken in around 30 countries, and have worked with thousands of leaders and executives, and one thing is for sure. Passion is the key to success anywhere in the world. The world is becoming so much more competitive, and without passion, you will run out of energy long before you achieve desired results. Also, passion gives you a joyful competitive advantage (when you are passionate about what you do, you perform better than the person that is doing it just for the money), so your quality of work is better, and people enjoy receiving services from you, which means you have higher demand.

Five Questions with Social Business Guru Ryan Hogarth

Ryan HogarthEditor’s note: Social business strategist, author and radio show host Ryan Hogarth will deliver the opening keynote address at Africa CACS 2017, to take place 11-12 September in Accra, Ghana. Hogarth’s keynote is titled “We Are Not Robots.” Hogarth recently spoke with ISACA Now about some of the themes he will address, such as navigating digital disruption and how to strengthen relationships with customers. The following is an edited transcript:

ISACA Now: You use the term a “frictionless economy.” What do you mean by that?
Everything about being a customer has been transformed through our use of customizable technology because friction is constantly eliminated. We can get what we want or what we need with a click, a tap, a swipe or a gesture. The businesses that will succeed are those that understand their customers’ journey enough to use the right technology to remove friction and make interaction, servicing and purchasing seamless and effortless, or frictionless.

ISACA Now: What are some common mistakes that organizations make in navigating digital disruption?
The two most common mistakes are:

  1. Ignoring it and pretending that disruption does not affect your industry or business. Here we see an insistence that the way business has always been done is sufficient to ensure success in the future. These are the companies that will not allow access to social media at the office or who discourage the use of smartphones for work.
  2. Over-investing in technology without a change in thinking and culture. Here we have the affliction of doing old things with new technology. Converting training manuals to PDF and making them available on a tablet does not mean digital transformation. Before investing in technology, a business should first be clear about what technology their customers and teams use, and then shape your technology to fit them.

ISACA Now: What are the best ways for an organization to strengthen its relationship with customers?
First, map your customers’ journey. What is their actual, real-world experience with your brand or business? Knowing this is far harder than we at first think because we make assumptions about what our customers actually do and experience. Once you plot this out, the shortcomings become far clearer and solutions a lot more obvious.

ISACA Now: Do you think most enterprises are utilizing social media effectively?
No. Most enterprises that are on social media still view it as just another tool of sales or marketing rather than a means of communication and relationship. Again, this requires a shift in thinking. Are you thinking about how you can build a relationship with a customer or just how you can push your latest offering?

ISACA Now: What technological innovations do you anticipate having the most impact on the global economy within the next few years?
There are several: Self-driving cars, clean energy, augmented reality, artificial intelligence, blockchain, high-quality online education, food science and medical technology. All of these are important because their impact will affect so many industries beyond the obvious. We see the immediate effect in how global businesses are playing in fields far outside their traditional spaces. Social media wants to get into banking, tech firms are playing in areas of transportation or health, and banks are pushing hard into the tech space.

In Era of Digital Disruption, ISACA is Ready to Rise to the Occasion

Theresa GrafenstineMuch of what I learned about being a professional – and being part of a professional community – came through my association with ISACA.

As the first person in my family to graduate from college, I entered the workforce hungry for the educational resources, networking and professional growth opportunities to make an impact. ISACA provided that and much more, allowing me to envision and embark upon a career trajectory that otherwise would not have been possible.

My professional development was accelerated by pursuing ISACA volunteer opportunities such as helping to coordinate local conferences, which allowed me to make valuable industry contacts and build my project management skills. Eventually I became president of ISACA’s Greater Washington DC Chapter, providing another important opportunity to expand my skill set and learn more about the audit and assurance, governance, risk, and information and cyber security professions. Serving on several ISACA committees and on the board of directors provided further enrichment, both professionally and personally, as I am fortunate to have built treasured relationships with many of ISACA’s 130,000-plus members worldwide.

Now, as the newly installed chair of ISACA’s board of directors, I am grateful for the opportunity to help lead the organization that has provided me so much fulfillment. I’m privileged to work with and on behalf of our global professional community to advance the positive potential of technology in the professions that we serve and society as a whole.

ISACA is nearing its 50-year mark, and with technology-driven challenges and opportunities all around us, there is no doubt we are more relevant than ever. In addition to ongoing activities building toward our 50th anniversary in 2019, there is so much to accomplish in the year ahead. Cultivating a deeper pipeline of leaders in our professions through the Leadership Development Advisory Council, building toward greater societal impact through a revitalized foundation and ensuring ISACA’s Connecting Women Leaders in Technology program becomes even more robust and influential are among many projects for which there is promising momentum.

As we anticipate the progress ahead, I want to express my appreciation for the many contributions of our outgoing board members, as well as our outgoing board chair, Chris Dimitriadis. Chris has led with a calm and good-natured approach, steering ISACA through a period of growth and change while making sure that local chapters and all members of our community are heard and included.

I am delighted that Chris will be part of the smart, dedicated and diverse group of board members for 2017-2018 that will help shape ISACA’s vibrant future:

  • Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CISSP, CIA, CGMA, CGAP, chair
  • Rob Clyde, CISM, vice-chair
  • Brennan Baybeck, CISM, CISSP, CISA, CRISC, director
  • Zubin Chagpar, CISA, CISM, PMP, director
  • Peter Christiaans, CISA, CISM, CRISC, PMP, director
  • Hironori Goto, CISA, CISM, CGEIT, CRISC, ABCP, director
  • Mike Hughes, CISA, CRISC, CGEIT, director
  • Leonard Ong, CISA, CISM, CGEIT, CRISC, CFE, CIS, CISSP, CPP, CSSCP, ISSAP, ISSMP, PMP, director
  • R.V. Raghu, CISA, CRISC, director
  • Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, director
  • Ted Wolff, CISA, director
  • Tichaona Zororo, CISA, CISM, CRISC, CGEIT, CIA, CRMA, director
  • Chris Dimitriadis, CISA, CISM, CRISC, ISO 20000 LA, director and past board chair
  • Robert E Stroud, CGEIT, CRISC, director and past board chair
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, director and past board chair
  • Matt Loeb, CGEIT, director and CEO

While the board will work diligently on ISACA’s behalf, it will take a team effort – all of us collaborating as ONE – to achieve all that we can. We live in a world that is grappling with widespread digital disruption. ISACA can and must be a leading voice in providing a sense of assurance and security as professionals and enterprises navigate a challenging technology landscape.

I know how influential ISACA can be, as evidenced by my own journey. I am proud of what ISACA has meant for myself and so many others, but more than anything, I am energized about the future that we can build together. 

Faces of ISACA: Gerard A. Joseph, CISA, CISSP, CSAM, Ph.D., Independent Consultant

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Australia-based consultant Gerard A. Joseph.

Australia resident and ISACA member Gerard Joseph has traveled extensively throughout the United States, as his visits to all 50 US states would attest.

One of Joseph’s can’t-miss US destinations is wherever ISACA’s North America CACS conference is taking place.

Joseph has amassed some serious frequent flyer miles – and drawn his share of quizzical banter from fellow conference attendees – for what has become an annual tradition of trekking to North America CACS all the way from his home just outside Canberra, Australia.

“It does kick off the conversation quite nicely, and you can go from there,” Joseph said. “At the conferences, you’re not just talking commercially, but you can mix it with the personal side of things. I guess coming from Australia, it does attract attention to some extent because of the distance. It just helps to cement a nice, easygoing relationship, even if it’s just for a couple of minutes, to talk about where you’ve been and how much of the country you’ve seen.”


Australia resident Gerard Joseph, pictured attending the Alchemy & Ale social event at North America CACS last month in Las Vegas, is a regular North America CACS attendee.

Joseph became an ISACA member in 2006 when he pursued the CISA certification, and, as he learned more about the depth of offerings at North America CACS, he decided it was well worth the time and financial investment to attend. Joseph has attended North America CACS each of the past four years, including the most recent gathering last month in Las Vegas.

Joseph has many friends, business associates and even a daughter in the United States, so he tends to combine his CACS trips with other visits and sightseeing. Besides, journeying thousands of miles is a fact of life for Australians with a taste for travel.

“For Australians and for New Zealanders, really to travel anywhere you’ve got to travel a long way,” said Joseph, who has visited around 35 countries in total. “If we travel, we’re used to traveling a long distance.”

Joseph, a consultant, is a registered security assessor under a program managed by an agency of the Australian Department of Defence. As his career unfolds, he has become intrigued to learn more about trends and best practices in audit and security. That, along with what he called “absolutely enthralling” speakers, quality networking opportunities and an array of exhibitors that “just help you to keep tabs on where the industry is going” has made him a North America CACS loyalist.

Despite Joseph residing in Australia, the conference’s US location might be more of a bonus than deterrent. He has been fond of the United States since he was young – an affinity he and his wife seemingly passed on to their children, one of whom attended Massachusetts Institute of Technology and another who currently resides in Honolulu, Hawaii. Those family visits helped Joseph expand the list of US states he’d visited, and, by 2012, he realized he’d been to 41 states.

 “I thought, well, this is ridiculous, I really have to see the other nine,” said Joseph, who did just that, completing his 50-state milestone with a trip to Juneau, Alaska that capped a two-week, eight-state odyssey.

Despite having seen much more of the country than most US residents ever will – for the record, he counts New York as his favorite locale due to its cultural gravitas – Joseph’s wanderlust remains intact. Visiting the remaining 10 state capitals he has yet to see remains a goal.

“Regardless of how much of any country I've seen, I always feel I've merely scratched the surface and that there is a vast amount left that I'd like to explore, and that is certainly true of the U.S.,” Joseph said.

Along with work and travel, Joseph is passionate about history, classical movies and music, ballet and genealogy. His interests and travel experience supply him plenty of potential ice-breakers with fellow conference attendees, though he might have slightly less time on his hands at North America CACS 2018, set for 30 April-2 May in Chicago, Illinois.

As if making another overseas expedition to attend North America CACS doesn’t convey enough dedication, Joseph has an eye on potentially making his debut as a conference presenter.

“Chicago will be my fifth NA CACS conference so I thought it was time to elevate my participation – and my overall profile in audit and security – by being part of the program,” Joseph said. “Of course, it depends on whether my proposal is accepted, but even if it isn't, I'll still enjoy the conference and the networking opportunities it presents.”

Faces of ISACA: Michael Thiessmeier, Senior Manager, Technology & Security Risk Management, Oportun

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight risk management professional and ISO delegate Michael Thiessmeier.

Perhaps owed to his military background, Michael Thiessmeier believes that knowing how to perform the duties of both his supervisors and subordinates is the best way to ensure success. He has put in the time to make sure that’s the case.

Thiessmeier has more than 20 certificates and certifications, including ISACA’s COBIT Foundation certificate.

“Think about it this way,” Thiessmeier said. “One person might go watch soccer on Sundays. I might sit on that same couch preparing for a certification exam and feel the same kind of joy and excitement if I pass that the other person feels when their home team scores a goal.”

Thiessmeier joined ISACA in 2012 when professors in Germany – where he was born and spent seven years performing military service – encouraged him to seek out professional organizations.

“I spent years looking for options and evaluating my career path,” Thiessmeier said. “Finally, I determined that ISACA was best aligned with the direction that my career was taking.”

His current role is Senior Manager, Technology & Security Risk Management, with Oportun in Redwood City, California, USA. He is especially interested in how trends like machine learning necessitate automating controls testing.

“Being situated at the intersect of fin-tech and financial services allows me to work on things that have not been done before,” Thiessmeier said. “There truly is no cookie-cutter approach to our industry, and that’s where the research I am doing with ISACA and other organizations turns out to be very helpful.”

Thiessmeier also is heavily involved with ISO as a delegate expert for ISACA, a relationship that came about when he saw an opening on the ISO liaison committee posted on ISACA’s website. He is active in the Security Controls and Services, and Identity Management and Privacy Technologies working groups, and recently was elected as project co-editor for the ISO standard pertaining to application security validation and verification.

Some of Thiessmeier’s career highlights include working on the largest gaming console launch in history – he was manager of consumer services technology with Sony PlayStation during the PS4 launch – while at the same time participating in a major customer relationship management (CRM) implementation that automated consumer service processes.

“During that time I was not only allowed to lead several teams of incredibly smart and caring individuals, but also designed and ran the 'war room' used to manage that console launch,” he said. “Thanks to everyone involved, the launch was a great success and beat our expectations.”

Going forward, Thiessmeier intends to learn more about penetration testing. Fitting his overarching approach, that objective isn’t for personal gain as much as to continue deepening his broad-based reservoir of knowledge.

“I do not plan on being a penetration tester at this point in my career, but I want to make sure that I am in the best position to empower them in their day-to-day duties,” he said.

Aside from his traditional career interests, Thiessmeier volunteers for Team Rubicon, an organization that provides disaster response and veteran integration services.

“The moment you see a community that went through a horrible disaster pull together and come out of it closer than ever – no words can describe that,” Thiessmeier said.

1 - 10 Next