Information is powerful. In today’s fast-moving world, timely information is critical to keeping cybersecurity plans and programs current.
But, having the time and diligence to filter massive amounts of information to a digestible, actionable form is nearly impossible. Besides myriad global regulations and other developments, all manner of cybersecurity breaches are frequently in the news. In fact, the growing rate of breaches around the world has organizations preparing for when they will be attacked, rather than wondering if they will be.
To provide a concise source for the industry trends and latest developments cybersecurity experts need to know about most, ISACA has launched a new free newsletter. The Nexus, which is part of ISACA’s Cybersecurity Nexus (CSX) program, features original CSX thought leadership and knowledge, news and updates related to cybersecurity, and a collection of cybersecurity articles from around the web.
Recent articles in The Nexus include:
- Cybersecurity table stakes for companies: The bare minimum needed to survive by Doug Steelman.
- 5 Costly consequences of SMB cybercrime from CIO Magazine.
- Simple steps go a long way in cybersecurity by Rolf von Roessing, CISA, CISM, CGEIT.
Visit The Nexus subscription page of the ISACA web site to subscribe to this valuable monthly e-newsletter.
Robert E Stroud, CGEIT, CRISC
ISACA International President
I remember the first time I saw ISACA International President Robert E Stroud talk. I was really impressed by his knowledge and how he engaged with the audience. I remember thinking, ‘I wish I could do that!’
I am not Robert and I do not have his confidence in front of an audience, but I do have considerable experience in IT and IT audit, and with that comes knowledge. I wanted to participate and give something back to the profession, so I decided to volunteer as a “topic leader” in the ISACA Knowledge Center.
The ISACA Knowledge Center is a professional networking and knowledge meeting place for professionals who share common professional interests. It can help participants build a new understanding through exchanging information and experiences on more than 100 IT-related topics.
I downloaded and completed the topic leader application, but I was still concerned that I would not be good enough. What if I was asked questions that I did not know the answer to? I was assured by the staff at ISACA that this would not be an issue. Although knowledge is always helpful, they do not expect you to have all the answers. Instead, a key requirement is a willingness to learn, support, participate and maintain the community.
I took the plunge and formally became a topic leader for Oracle Databases as that was the available topic that I felt I knew the most about. I began by posting links and documents on Oracle. I realized that I was reading these anyway as my organization has Oracle databases and I like to keep up to date. Some of these generated discussion, and some did not. Then it happened—I was asked a question for which I was not 100 percent sure of the answer! What did I do? Well I looked into it, found the answer and learned something new. (This later proved useful to me during the course of my own work.)
As my confidence grew, I also became the topic leader for OS/400 and SQL Server Databases. I did not know an awful lot about SQL Server, but by becoming the topic leader and researching, reading, posting and answering, I have learned a lot!
My role as a topic leader has opened the door to many new opportunities. First, I was asked to become a member of ISACA’s Communities Committee. This committee identifies and supports activities to encourage the development, use and sustainability of ISACA communities.
Additionally, as my knowledge of my topics grew, I decided to write an ISACA Journal article. I submitted “Auditing Oracle Databases Using CAATs” which was accepted and published in volume 2, 2014. The reaction was very positive, so much so that many readers asked me to do something similar for SQL Server. “Auditing SQL Server Database Using CAATs” was accepted and published in volume 1, 2015.*
The Journal articles got the attention of someone in ISACA, as I was asked to help update the CISA Review Manual for 2016! This is a great honor for an IT auditor.
Being the topic leader for Oracle Databases, SQL Server Databases and Audit Tools & Techniques in the Knowledge Center is something that I am passionate about. It is more than social media; it is a forum to engage with your peers, to question, to learn and to share. It is linked to ISACA’s considerable body of knowledge and is where “networking and knowledge intersect.”
I encourage you all to join and participate. What’s more, I encourage you to become a topic leader. There is absolutely no reason you cannot follow in my footsteps and connect with some great people and learn new knowledge along the way.
Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL-F, Six Sigma Green Belt
IT Audit Manager, Dublin, Ireland
*Membership required to view ISACA Journal articles published within the past year.
When I was installed as ISACA’s international president, I made three promises. I said we’d continue to effectively serve our members who work in audit and assurance, we would drive adoption and use of COBIT 5, and we would make cybersecurity a top focus. Cybersecurity has climbed its way to the top of many of our priority lists. And we at ISACA have listened. To best serve our members and the profession, we are committed to doing for cybersecurity what we have done—and continue to do—for assurance and governance.
This is a pivotal moment—an exciting time in our industry. The tremendous global impact that cybersecurity issues and threats are having is creating many new challenges and opportunities for all of us. These challenges and opportunities bring with them an urgent need for skilled professionals who can protect and defend enterprises worldwide. Experienced security professionals are key to the success of fighting against cyberadversaries. We learned a lot about that from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)², and ISSA, who met at our North America ISRM conference in November. They discussed what organizations need from cybersecurity professionals and how to develop candidates to effectively fulfill these roles. As panel members pointed out, we are in an era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole society to work together and get things done effectively.
As cybersecurity challenges and opportunities are transforming the way in which we all live and work, ISACA is also expanding to better serve you. We want to help you protect what you have built. We will do that by providing the education, guidance and solutions you are seeking—and by helping you develop your teams with the right people and the right skills.
In April, ISACA launched Cybersecurity Nexus (CSX). Through CSX, we are connecting enterprises and skilled professionals to help close the dramatic skills gap.
Now, as part of that mission, we are announcing CSX 2015 North America—a brand-new conference experience. It will deliver the risk management guidance that so many of you find valuable at ISRM, but it will also dive deeper than ever into the cybersecurity approaches and solutions that are demanded by professionals and organizations around the world.
Cybersecurity is everyone’s responsibility, and ISACA takes this responsibility very seriously. We developed CSX for you, and we will deliver it with you, to best serve you and your industries. We will give you the tools, credentials, community and education you need to meet cybersecurity challenges head on. CSX 2015 is one way we will accomplish that.
This brand-new conference features more than 70 cybersecurity sessions tailored to different levels of expertise. Attendees will explore cybersecurity trends and threats, exchange ideas and innovations, and learn how to excel at protecting and defending against cyber threats and attacks. From start to finish, CSX 2015 will focus on real-world solutions explained step by step by recognized industry leaders.
Be sure to mark your calendars now for CSX North America 2015 in Washington DC. I promise you—this is an event you won’t want to miss! North America is just the first step. We’ll be introducing CSX events throughout the world in 2016 and 2017.
Cybersecurity challenges will continue to advance and grow. Rest assured that ISACA will be there for you every step of the way.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Editor’s Note: If you would like to submit a proposal for a session at CSX North America 2015, please visit www.isaca.org/csxcallforpapers.
ISACA celebrated its 45th anniversary in 2014, and marked this accomplishment with a year of great advancements. One of the most visible and impactful events was the launch of Cybersecurity Nexus (CSX). At a time when cybersecurity breaches and devastating hacks make news daily, CSX offers innovative ways to help provide resources for cybersecurity professionals at all levels and fill the global skills gap. ISACA also successfully introduced the Cybersecurity Fundamentals Certificate and several workshops were sold out, which further supports the need and acceptance of CSX worldwide.
In addition, the online version of COBIT 5 was released, complete with a new Goals and RACI (responsible, accountable, consulted, informed) planner. This tool helps organizations of all sizes and industries improve governance and management of enterprise IT. COBIT 5 is used globally to help create value and address business issues.
We also implemented our digital strategy and are able to provide members with fresher content more frequently and in an easy-to-use format. Most notably, the ISACA Journal—one of the top member benefits—is now publishing online articles every two weeks instead of every two months. COBIT Focus, which provides the latest news and case studies about COBIT, is also publishing articles more frequently.
And in September, ISACA took another step toward its future by welcoming our new chief executive officer, Matt Loeb. Matt brings to ISACA a depth of experience, and he will be an instrumental factor in our future growth.
Driving all of these activities is ISACA’s commitment to what ultimately makes us a successful organization—our valued members around the world. For all of you who have attended chapter meetings, obtained CISA, CISM, CGEIT or CRISC certifications, participated in a Training Week or conference, or read the ISACA Journal or one of our many other excellent research publications, the board of directors and I thank you for your support and expertise. The future of ISACA has never looked brighter.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.
But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.
ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.
Enterprises need to be aggressively proactive here, and start educating staff on the risks and the opportunities of wearable tech. Devices such as smart watches and glasses collect and transmit information that provides great value. But if this information gets into the wrong hands or is mishandled, it can be used to damage a company’s reputation, financial position, compliance activities and even its existence.
According to the latest IT Risk/Reward Barometer, “increased security threats” and “data privacy issues” are two of the biggest challenges that ISACA members list regarding the Internet of Things.
But along with the inherent risk in the Internet of Things, enterprises are also reaping benefit, such as the 29 percent that have achieved greater accessibility to information and the 26 percent that have used it to improve services. Also 22 percent have gained efficiencies and improved employee productivity. With new technology there is always the need to balance risks and rewards—and there are plenty of both in the case of the Internet of Things.
To keep tabs on evolving perceptions and trends, ISACA has fielded the IT Risk/Reward Barometer for five years. This survey is unique in that it has two components—a consumer survey and an ISACA-member survey. Globally, more than 4,200 consumers and more than 1,600 ISACA members responded this year, giving us an excellent pool of responses.
Wearable tech, connected devices and other cool advancements in the Internet of Things are making their way into every aspect of our lives. The gates are open and the tide is flowing, and we encourage you to take an “embrace and educate” approach. Having an informed and alert customer/employee/stakeholder base is a key aspect of making connected devices work for you and your enterprise.
I invite you to review the full report, infographic and news announcement for the 2014 IT Risk/Reward Barometer. I need to take off now. My smart refrigerator just told my smart watch that I need to pick up some bread on the way home from the airport.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Football fans are enthusiastic around the world—even though rules, fields and equipment vary.
These similarities and differences are a great comparison to ISACA’s flexible frameworks and other guidance—just ask our rugby-playing International President Rob Stroud.
When I teach workshops, participants often ask questions about configuring firewalls, Wi-Fi, or data access tools. These are good questions with good answers. Yet, these product-level questions are not the “sweet spot” of ISACA-land guidance.
Using our football comparison, these questions are about lacing up shoes or inflating the ball. ISACA guidance assumes that players can pick their own shoes (and sign endorsement contracts), lace them up, clean them off and know when to replace them. ISACA assumes members read the intrusion prevention product manual.
ISACA-land guidance is focused more on how to train, recruit players, position players, work as a team, scout competitors, develop plays and even maintain the field and stadium.
Vitally, maturity models help answer the question, “how good are we?” People say “yes, I’m doing that.” But in football terms, is that just enough to play in the league or to be league champion? Players (and IT professionals) who are overconfident get a rude awakening in competition. Improvement is what we accelerate in workshops.
ISACA as sports stories….
ISACA’s COBIT-related guidance comes in layers with the broad framework at the top.
Next layer includes documents such as COBIT 5 for Information Security. Think of these as history and “how to” sports books by respected coaches and sports writers. A subset of these are the league rule books. In ISACA-land these are our audit framework and topic-specific sample audit programs.
More detailed guidance includes papers on specific topics such as cloud or mobile devices.
Next layer brings in personal stories through the ISACA Journal, COBIT Focus and the resources of the ISACA Bookstore. Think of these as post-game interviews with players and coaches.
Next layer contains personal experience and questions through ISACA communities at isaca.org, social networks such as LinkedIn groups and local chapter events. Think of these as super-fan web sites or parties.
The point is that ISACA is a great newsstand when it comes to “trust in and value from IT.”
Opportunities for growing together in ISACA…
ISACA is focused on managing and governing information technology, more than the creation of technology. In sports, technology creation is more like sports business news—growing fans, league management, team ownership, sponsorships, new stadiums and advertising and more. Those of us members who are more focused on business cases or in managerial roles live in this world every day. Chapters reaching out to business leaders (such as Brisbane, Australia) or with many members in the technology industry (Silicon Valley, US) include this in their programming.
- If you are a member in a technology company, help other ISACA members learn how to more easily adopt technology—especially technology that can help grow business revenue, not just automate for cost cutting.
- If you are a member in a managerial role or writing business cases, help other ISACA members learn how to connect their daily work to revenue—not just paperwork or cost cutting. This can help other members advance their careers and grow their organizations.
- Chapters—create an event that invites business leaders of any company, technology company new product leaders, or your more revenue-focused members to share their insight with broader chapter members. The format could be a speaker series, workshop, conference track or panel program. The audience could be existing members, potential members or “bring your boss to ISACA” outreach.
In all cases, the point is to build on ISACA’s rich history and knowledge base to help members and chapters grow themselves and their organizations.
Drop me a note and let me know what you are doing in your chapter to further the sport of ISACA. Glad to help you share your success with others.
Together, we can make a difference.
Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com
For those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.
SciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events.
If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of the challenges we have all had with being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.
The point is, discovering new technology adoption after the fact means added risk. From a governance point of view, it helps mitigate strategic risks like getting suboptimal pricing when vendor contracts are non-standard or non-centrally negotiated; from a security standpoint, it helps address "blind spots" protecting new technology when that technology is early in the adoption curve. So in a very real sense, better forecasting means better risk management. And, in turn, the ability to forecast new technology—including adoption, the approximate timing of when that technology will proliferate, what sectors might be impacted, etc.—is of great potential value to ISACA members.
SciCast represents a unique source of data for ISACA. Knowing what’s on the technology horizon helps us give our members relevant guidance to maximize technology investment returns and minimize risk for their organizations.
“This also enables strategic, rather than tactical, decision-making. SciCast will provide us with a key data source to provide our membership with more rapid, more accurate, and more granular information about upcoming future trends,” Pasfield explains. “Because the SciCast platform is open, it allows us to incorporate information from the platform directly into our forward-looking knowledge products. That openness also allows us to reframe the information coming from the platform to make it most accessible to our membership and best meet their needs. It’s a very exciting platform, and I encourage you to take a look and start predicting.”
Chair, ISACA’s Emerging Business and Technology Committee
Which smart technology will be most vulnerable to cyber-attacks in 2014? Predict now: http://ow.ly/zcVEt
The job of defending the world’s data from cybercriminals is an increasingly complicated one. According to industry experts, however, there is a lack of qualified information security professionals ready to lead the world’s organizations to true cybersecurity. That’s where EC-Council Foundation’s Global CyberLympics initiative comes in. Last year, the competition had more than 3,000 cybersecurity professionals participate, representing 72 countries, including Australia, Africa, Egypt, The Netherlands and Brazil.
Global CyberLympics, the world’s first international ethical hacking cybergame, is a nonprofit online cybersecurity competition that takes place in four rounds: Computer Forensics, Computer Network Defense, Penetration Testing, and Capture the Flag. The goal of the games is not only to educate the world’s cybersecurity professionals, but to test their skills in simulated attack-and-defend scenarios. The teams that advance through these challenging rounds do so by proving their superior skills.
EC-Council Foundation is a charitable and educational organization dedicated to educating and training individuals in cybersecurity. EC-Council Foundation is excited to partner with ISACA and host the finals of this year’s game alongside ISACA’s European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) conference, taking place in Barcelona, Spain in September. Because of ISACA’s impressive global reach, with more than 115,000 constituents in 180 countries, and its mission of supporting information security via globally accepted research, certifications, and community collaboration, it is a natural partner for hosting the Global CyberLympics finals. Added to the synergy between the missions of ISACA and EC-Council Foundation is the impressive backdrop to the event: Barcelona, Spain. This year’s setting adds an additional element of drama to the games, as this is the first year the final round has been held outside of the US.
For the competition schedule or to register a team to play in the games, please visit www.cyberlympics.org. For information about ISACA’s EuroCACS/ISRM conference, please visit www.isaca.org/eucacs-isrm2014.
Senior Director, EC-Council
Hundreds of millions of people around the world, including me, are cheering on the football games that comprise the 2014 FIFA World Cup, which bills itself as the biggest single-event sporting competition in the world. This is truly a global force of an event, with 204 entries across six continents competing for 31 available spots in the finals.
As I watched a recent close football match, it was clear that no matter what a sports organization (or governmental agency or enterprise) does as its core business, its relevance, value and reach depend on the team members driving strategy and activities forward. This is true for ISACA as well, and it is one more reason I am so honored to be elected international president and work with an excellent board of directors. The time and expertise they volunteer for the benefit of ISACA members is truly amazing. We recently installed our 2014-2015 ISACA Board of Directors and I would like to recognize them individually.
Reelected vice presidents are:
- Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, security strategist and evangelist at Dell Software, Spain
- Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, inspector general of the US House of Representatives, USA
- Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, partner of M/s. Kumar & Raj and director at Pristine Consulting Private Limited, India
Newly elected vice presidents are:
- Steven Babb, CGEIT, CRISC, ITIL, technology risk management, compliance and assurance leader at Vodafone, UK
- Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, managing consultant at BAE Systems, Australia
- Rob Clyde, CISM, CEO of Adaptive Computing, USA
- Debbie Lew, CISA, CRISC, executive director within Ernst & Young LLP Advisory practice, USA
- Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC, CEO of Focus Strategic Group Inc., Hong Kong
- Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001, IT consultant in Latin America, Mexico
These ISACA leaders represent a diverse cross-section of geographies, industries and expertise, and I am confident that together we will serve our members and other constituents with drive, dedication and direction throughout the year.
As a team, we will accomplish several key activities this year:
- We will continue to focus on cybersecurity. Through the Cybersecurity Nexus, we will do for the cybersecurity profession what we’ve done (and will continue to do) for assurance and governance.
- We will also focus on providing tools and guidance on privacy, full-spectrum career development, expanded COBIT, and emerging business and technology.
- We will serve our assurance base. Audit and assurance professionals founded ISACA 45 years ago and are still central to our mission to create trust and value through information and technology.
- And, above all, we will provide more value to our members than ever before. We exist for you—to help you drive your careers and serve your enterprises. Be assured that you are at the forefront of every decision we make.
This is an era of incredible change and strategic advancement for ISACA, especially as our new CEO, Matthew Loeb, takes the helm of the ever-growing and evolving association in early September. I look forward to Matt’s business acumen and eye for global service and growth. I also want to give a sincere thank you to Ron Hale, who stepped up and has served as ISACA’s acting CEO after the retirement of former CEO Susan Caldwell in 2013. Ron provided guidance and oversight for ISACA’s momentum over the past year and we deeply appreciate his contributions. I also want to thank our prior board members, who have shared so much of their knowledge, other global leaders, and all members, no matter your level of involvement, because you embody the spirit of ISACA.
I want to hear from you. Please follow me on Twitter at @RobertEStroud and share your comments below. This is going to be an exciting year for all of us. Together, just like the World Cup champion, we can achieve great things.
Robert E Stroud, CGEIT, CRISC
International President, ISACA and the IT Governance Institute
Robert E Stroud, who today becomes ISACA's international president, delivers an opening keynote presentation—“How Emerging Technologies Will Impact You and Your Enterprise and What You Can Do About It”—at The IIA/ISACA Governance, Risk and Control (GRC) conference this August. We chatted with Rob to preview his presentation.
ISACA: How will emerging technologies impact you / your enterprise?
Rob: They are changing business models. There is mobility everywhere, which is changing the interaction between people and services. Think about purchasing an item and doing price comparisons on the spot. You can go back to the sales agent with a better price. Their systems need to be able to adjust to provide that discount.
ISACA: What can you do about emerging technologies?
Rob: We all need to be aware of changing technologies and the impact on our current business models. Changing technologies will disrupt current business processes and buying patterns.
ISACA: How has business culture’s impression of emerging technology changed in recent years?
Rob: Business is leading the charge with emerging technology. This is led by younger professionals who are using—without bounds—new technology to execute business processes.
ISACA: Can you ignore emerging technologies?
Rob: Yes—at your own peril. Every business is powered by some form of technology. Technology is driving everything from buying decisions to tax calculation to, say, the maintenance of licenses. The time required to execute basic administrative tasks will kill a business that ignores technology.
ISACA: Do you differentiate between emerging technologies and disruptive technologies?
Rob: I would have two years ago, but they have started blurring together. The pace of the interconnectivity of things is accelerating beyond our wildest dreams, with everything from micro-chipped cows that give us milk to the milk containers to the fridge in which we store the milk.
ISACA: What is one emerging technology that most excites you?
Rob: The Internet of Things. Or, better yet, The Internet of Everything. Everything is becoming interconnected, enabling good management of information and a deluge of info that you need to process to make proper decisions. There is more information than a human can reasonably process, so we are dependent on technology to guide our decision-making processes. And if the base process is flawed, our decisions are flawed. What we are starting to see is deterministic systems that will learn patterns and develop decision-making criteria. Processes guided by computer data.
At this point, it is not going to completely replace humans. At this point…
Robert E Stroud, CGEIT, CRISC
VP of Innovation and Strategy
Learn more about the Governance, Risk and Control (GRC) conference here.