As you are likely aware, information technology is a rapidly growing field and a great career option for those with the right skill set. And, as you are likely aware, demand for these skills is simply not being met. There is a steadily increasing gap between the level of skills needed and the level of skills the people in the workforce actually have.
According to a skills-gap report from the American Society for Training and Development, “…more than 15 million businesses rate the aggregate skill levels of their IT staff as less than optimal, and 93 percent of employers indicate that there is an overall skills gap among employees.”
In short—seven percent of businesses in this study considered themselves exactly where they wanted to be in terms of skilled employees.
Analysts attribute this problem to the dynamic, ever-evolving nature of the IT industry. (That is what attracts many professionals to the field.) So what can be done about it? Information technology is not going to slow down. And the field of IT is not going to curb its growth any time soon.
So we need to catch up.
IT awareness must be elevated and IT education needs to be more accessible. Online educational offerings meet this need nicely. We must give the necessary skills to students at a younger age, and promote continuing education—across business departments—among employees. IT organizations can focus on developing talent in-house, producing professionals with business skills that match their technical acumen.
Ultimately, the IT skills gap will only begin to close if educators, professionals, businesses, and leaders in the IT community tackle these problems by investing more time and money in IT skill training.
Chief content officer, SkilledUp
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.
We have entered the era of constant wireless connectivity, and the ramifications of this development are widespread. For example, it is not merely that Google Glass transforms your field of vision into a computer screen, but that this technology can be used constantly, permanently digitizing your perception of the world (as long as you are wearing the glasses). Likewise, wearable health-monitoring devices benefit many with their ability to analyze a body constantly—or at least over extended periods of time—which delivers useful data about their health and well-being.
And while this is an exciting time, this is also a time to be cautious. “The known vulnerabilities associated with wearable technology are found in the software that users load onto workstations and the devices themselves,” writes Bruce R. Wilkins in the @ISACA newsletter. “These weaknesses allow ill-intentioned actors to see and modify the individual performance reported by the device.”
In short, this constantly connected technology can be hacked in the same manner our other computers can be. The fact that these wireless devices are always connected and in constantly changing locations heightens that vulnerability.
Some of us choose to ignore these new technologies. Some go even further. Hating technological developments is normal human behavior, writes Ron Miller in this interesting TechCrunch post. Others are beginning to casually embrace the wearable technology/constant connectivity trend. Still others jump with both feet into the phenomenon, like “the most connected man in the world,” who at any time has as many as 700 systems collecting real-time data about his life. (Perhaps that is a bit extreme.)
I believe that whether or not we fully embrace constant wireless connectivity in our personal lives, we must educate ourselves and stay ahead of developments. This is our responsibility as guardians of trust in information systems and defenders of cybersecurity, which, as we all know, are roles that require constant diligence.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
As my wife recently watched a Sherlock Holmes program in which a clue was a silent dog, I worked on a presentation for the ISACA Los Angeles Conference titled “Controls–Why They’ve Become Wasteful, A False Sense of Security and Dangerously Distracting (And How to Fix Them).” In that process, two causes for controls churn and confusion came to mind.
First, the dog (control) does not bark if it fails to meet the tight assumptions required for the control to actually work. For example, the “chain of fitness” assumptions for controls require that:
- The control is used as intended
- The control is maintained as implemented
- The control is implemented as designed
- The control is designed from the appropriate template
- The control template is appropriate for the process class and problem
- The control is located properly in the process flow
- The location in the process flow was determined based on the location of useful warning signs
- Useful warning signs were determined based on robust, real-world “What if?” scenario analysis
- Scenario analysis was conducted properly based on a thorough “know the business” understanding of environment and capabilities
Though still challenging, these assumptions are easier to meet when applied to retrospective financial reporting, when those reporting systems are stable and a threshold of materiality (percent of revenue or income) can be applied. These assumptions are more difficult to meet when a prospective view is needed of a dynamic, operational world, where a tiny issue can turn into a huge problem.
The second cause for controls churn and confusion is when the auditor or compliance person fails to bark because all looks well—because he or she does not understand the chain of fitness and other assumptions. There is a false sense of security.
Why do some auditors miss these problems? In speaking at ISACA programs around the world, show-of-hands surveys reveal that it has much to do with the time a person began working in audit. In particular, it depends on whether a person’s work experience began before the Sarbanes–Oxley Act of 2002, after which IT audit began focusing on a narrow financial reporting notion of “IT General Controls” (ITGC).
The modern, skilled IT pro has a clear operational view of a control as something that senses and responds, whether dumb like a light switch or intelligent like server load balancing.
ISACA’s COBIT 5 offers help in the shift from “controls” (too often understood mostly as ITGC) to business-objective-oriented management practices. More broadly, consider ISACA’s tagline: “Trust in, and value from, information systems.” Value creation in Val IT (now incorporated in COBIT 5) is well beyond controls that struggle just to protect value.
I suggest taking action—host a “Cut Controls Churn and Confusion Day” at your chapter or for your team at work. Invite a panel of people with managerial accounting, operational process improvement and IT process improvement experience to discuss why improved oversight, management practice and core business process are more effective than controls for any operational situation.
Principal Analyst & Advisor, ValueBridge Advisors
ISACA conference presenter and volunteer on Risk IT and COBIT 5 initiatives
Author of “The Operational Risk Handbook”
Continue the conversation in the Controls Monitoring topic within ISACA’s Knowledge Center.
I am intrigued by the ongoing dialogue about identifying key talent among security professionals. More specifically, identifying the skills necessary to protect the business from disaster. Everything from in-depth security best practices to software-development skills to vendor management has been highlighted.
My questions to leaders are these: How have you assessed your talent to ensure they actually have these skills? Have you confirmed your security professionals’ decision-making abilities are based on these skills? How have you assessed that decisions will be made in line with security standards and the vision and mission of your business?
Companies spend a significant amount of investment dollars on recruiting the “right talent” and training them to have the “right skills.” Companies enhance security systems and practices to provide the “right protection.”
But until we assess the effectiveness of those personnel investments, aren’t we leaving ourselves exposed?
Enterprises must be sure that the training provided will positively influence employees’ ability to make the best decision before and during security attacks. Enterprises must know that security professionals will make decisions on security protocol in line with best practices and the enterprise’s values.
At times we can make the mistake of relying on certifications that measure knowledge at a specific point in time. However, in this social-engineering era filled with constantly changing technology, this is not an adequate approach. (This is why associations such as ISACA require members to earn CPEs throughout the year, ensuring their skills stay up to date.)
At my place of employment, Prometric, we take a unique approach. We have a unique technology environment that has unique vulnerabilities and defenses. As one of our core competencies is developing knowledge-based assessments, we have used our methods to create an assessment for our technology and security professionals based on internal content experts’ knowledge of our unique infrastructure.
It is a personalized approach that affords us a baseline to measure our security team’s knowledge and enables us to determine specific weaknesses in our staff, then take educational steps to address gaps.
Additionally, this approach ensures that our decision-making is aligned with the company’s vision, mission and values. And I am able to demonstrate results for our CEO, CFO and CTO, which enables me (and them) to sleep a little easier at night.
Director of compliance, Prometric
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.
Harry Markopolos took just five minutes to realize that Bernard Madoff’s investment strategy was a fraud. But it took him nine years to convince the U.S. Securities and Exchange Commission of the truth. As a chartered financial analyst, certified fraud examiner and author of New York Times bestseller “No One Would Listen,” Harry is dedicated to being the world's most visible and shrewd whistleblower on fraud and conflicts of interest in financial markets. He presents the opening keynote address at ISACA’s North America CACS Conference next month. Today he shares his perspective with us.
ISACA: Why is maintaining a healthy professional skepticism a good thing?
Harry: When you look at audit and risk failures, one common factor always appears—the people looking at the problem lacked professional skepticism and overlooked red flags staring them right in the face. No one questioned the too-good-to-be-true performance from the likes of AIG, Enron, WorldCom, Tyco and Bernie Madoff. I have a saying that I use to remind myself to remain skeptical: “Assume fraud first until genius is proven.” Any auditor without professional skepticism is an embarrassment to the profession.
ISACA: How is technology changing the world of audit?
Harry: In two main ways. First, we can automate testing and identify outliers more quickly at lower costs, which is a positive. Second, auditors can become overly reliant on analytical testing and end up fooled by falsified data entered by a crooked management team. Technology is a double-edged sword and the good auditor needs to know to add substantive tests of the underlying source inputs to make sure the data they are looking at is real. The Madoff case offers a painful example. Regulators, who were auditors at all of the Big Four accounting firms, and due-diligence professionals at big banks all over the world accepted Bernie’s trade-and-performance data without substantively testing it. If that data had been tested just once, the scheme would have been caught. All an auditor would have had to do is ask, “Where are the underlying trade confirmations that substantiate that this stellar performance is real and who are his trading counter-parties?”
ISACA: In this age of interconnectivity, what is a new red flag that auditors should be looking for?
Harry: I have got the perfect example from a case I am currently working on. The company in question submits its financial statements in both XBRL format and in paper format to lenders in order to borrow large sums of money. Credit analysts import that data and assume that the numbers in the columns add up. But what if they do not? That is a big problem and a huge red flag that fraud is likely present. Lesson learned—just because you are importing data, do not assume the data is correct. Test it to make sure! Interconnectivity is great, but you cannot assume the data you are receiving is accurate until you have figured out ways to test it first. For example, even running simple tests such as “Does year-end cash in Year 1 equal beginning-year cash for Year 2” can uncover multi-billion-dollar accounting schemes. Why? Simple…it is nearly impossible to cook a company’s books without leaving behind a long trail of easy-to-find clues in the financial statements. Getting falsified numbers to balance takes a lot of top-line entries that are easy to spot, but only if you are running thoughtful tests that others have failed to conduct. In the Madoff case, no one did any data testing whatsoever. It was 100% trust and 0% verify for everyone who became ensnared in Madoff’s tangled web.
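The two tests Harry describes above (do the columns add up, and does Year 1 ending cash equal Year 2 beginning cash) are simple enough to automate on any imported data set. The script below is an added example, not Harry's or ISACA's code; the statement dictionary is constructed sample data in a shape one might get after importing an XBRL filing, with two deliberate inconsistencies planted in the second year so that both checks fire.

```python
"""Reconciliation checks on imported financial-statement data (added example)."""
from decimal import Decimal

# Constructed sample: two fiscal years as they might look after import.
# Year "2013" deliberately contains two planted red flags:
#   - its beginning cash does not equal 2012's ending cash
#   - its asset line items do not sum to the reported total_assets
SAMPLE_STATEMENTS = {
    "2012": {
        "cash_beginning": Decimal("1000"),
        "cash_ending": Decimal("1500"),
        "assets": {
            "cash": Decimal("1500"),
            "receivables": Decimal("700"),
            "inventory": Decimal("300"),
        },
        "total_assets": Decimal("2500"),
    },
    "2013": {
        "cash_beginning": Decimal("1700"),  # planted: should be 1500
        "cash_ending": Decimal("2000"),
        "assets": {
            "cash": Decimal("2000"),
            "receivables": Decimal("900"),
            "inventory": Decimal("400"),
        },
        "total_assets": Decimal("3500"),  # planted: line items sum to 3300
    },
}


def check_column_totals(statements):
    """Do the columns add up? Flag any year whose reported total_assets
    differs from the sum of its asset line items.
    Returns (year, field, reported, computed) tuples."""
    findings = []
    for year, stmt in statements.items():
        computed = sum(stmt["assets"].values(), Decimal(0))
        if computed != stmt["total_assets"]:
            findings.append((year, "total_assets", stmt["total_assets"], computed))
    return findings


def check_cash_rollforward(statements):
    """Does year-end cash in Year N equal beginning-year cash in Year N+1?
    Flag any pair of consecutive years where it does not.
    Returns (year, field, reported, expected) tuples."""
    findings = []
    years = sorted(statements)
    for prev, cur in zip(years, years[1:]):
        expected = statements[prev]["cash_ending"]
        reported = statements[cur]["cash_beginning"]
        if reported != expected:
            findings.append((cur, "cash_beginning", reported, expected))
    return findings


def red_flags(statements):
    """Run every test and return the combined list of findings.
    An empty list means the data passed these checks, not that it is genuine."""
    return check_column_totals(statements) + check_cash_rollforward(statements)


if __name__ == "__main__":
    for year, field, reported, expected in red_flags(SAMPLE_STATEMENTS):
        print(f"{year}: {field} reported {reported}, expected {expected}")
```

Decimal is used rather than float so that a one-cent discrepancy is never masked by rounding. A clean run proves only that the figures are internally consistent; as Harry notes, the substantive test is still to ask for the underlying source documents.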
Learn more about Harry’s keynote presentation and all of the sessions at North American CACS here: http://oak.ctx.ly/r/tha5.
*This is the first in a series of posts intended to help ISACA members get to know the personal side of members of ISACA’s board of directors. To learn more about the board of directors, click here.
International Vice President Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, is information risk manager at Morgan Stanley. He began his career with Deloitte in Cape Town (South Africa) and has more than 30 years of experience in IT audit, risk, security and consultancy roles at companies such as JPMorgan, Goldman Sachs, KPMG, PricewaterhouseCoopers, Marks and Spencer, and the London Stock Exchange. He is a past president of the ISACA London Chapter and has served on the British Computer Society’s Information Risk Management and Audit Committee. He has also served on and chaired ISACA’s CISM Certification Committee and the Leadership Development Committee. He currently chairs ISACA’s Credentialing and Career Management Board and is a member of ISACA’s Strategic Advisory Council. He was a London 2012 Paralympics Games Maker, a school governor (chair of the finance committee), and is a Freeman of the City of London.
ISACA: Tell us about your volunteer work during the London, UK, 2012 Paralympics.
Allan: Out of 70,000 volunteers, I think I had one of the best roles. I was National Paralympic Committee assistant, which meant I was assigned to one of the countries taking part. As luck would have it, I was assigned to the South African Paralympic Team and my job was to support the chief de mission and his team in making sure the athletes and the rest of the delegation had the best possible experience. (I should mention that I am from South Africa and left there in my late 20s.) We performed a variety of duties and no two days were the same. One of the perks was accompanying the team to training sessions, competition venues and other events, such as press conferences and celebrations at the South African Embassy. It was a lot of fun. I met some very interesting people and made some great friends.
ISACA: You are going to Russia this March for the Sochi 2014 Paralympics.
Allan: I am very excited to be going to Sochi as a volunteer at the Paralympic Games. I applied as soon as the call for volunteers opened early last year and consider myself very fortunate to be part of that group. I will be working with the protocol team assigned to the Ice Cube (the curling venue) where I will greet and support VIPs and the athletes’ families. I am really excited about this and very much looking forward to it.
ISACA: Have you been watching the Sochi Olympics?
Allan: Absolutely! It really looks fantastic and I cannot wait to get out there. Although I am assigned to a coastal-region venue, my schedule allows me to visit the mountain region as well, so I hope to see a number of the Paralympic events and also some of Sochi. London 2012 was an amazing, life-changing experience for me. It is something I will never forget. I am sure Sochi will be the same. Looking to the future, I am keeping a close watch out for the call for volunteers at the Brazil 2016 games. Who knows…I may see you there!
IT infrastructure is designed and built for reliability, robustness and redundancy with significant consideration given to long-term viability and sustainability. It is less subject to the rapidly changing evolution seen in endpoint domains such as applications, services and delivery models. Nevertheless, pressure is mounting to focus additional resources on core infrastructure investments and operational capabilities due to both technological advances and increasing user demands.
Contributing to this pressure from the technological side are the growing implementations of IPv6, DNSSEC and 4G networks, which all require new functional capabilities and architectures to handle the new/expanded protocol elements and increased traffic loads. User demands on infrastructure will also continue to increase—particularly in the areas of bandwidth—across modalities and locations, and the expectation of always on/always accessible systems.
With these factors in mind, IT leaders will need to build out resilient networks that are flexible enough to meet rapidly changing business requirements, while being robust enough to provide 24 x 7 x 365 availability. Rather than building everything in-house, results-oriented technologists will look for ways to effectively partner with vendors and service providers (particularly in the areas of infrastructure-as-a-service and platform-as-a-service) to rapidly scale up and scale down capabilities to meet organizational needs with efficient business investments in mind, whether for a short-term transitional bridge or as a long-term solution.
Key technologies that will play a role in the diffusion of responsibility for infrastructure implementation are Software Defined Networking and Network Functions Virtualization. The abstraction of network functionality from hardware to software enables a more rapid, flexible deployment of services on an as-needed/where-needed basis, without the significant upfront capital expenditures typically associated with infrastructure projects.
Even if used only for evaluation and prototyping, virtualization technologies can reduce development and testing costs while improving delivery times.
Nelson Gibbs, CISA, CISM, CGEIT, CRISC, CIA, CISSP, CRMA
Vice president and senior IT audit manager at Union Bank
ISACA COBIT trainer
Continue the conversation in the Network Security topic within ISACA’s Knowledge Center.
ISACA has just released a new paper on big data that I like and recommend. (Full disclosure: I reviewed and provided feedback on a draft).
What I most like is one of the key messages: it may be riskier to ignore big data than implement it. This captures my belief that the value that can be obtained by the intelligent and creative use of analytics against the massive data sets that are available to every organization far outweighs both the cost of the effort and any associated risk.
Most organizations recognize that there is value in big data, although in practice that value is usually limited by their ability to define the critical business questions that can be answered by the use of this wonderful new tool. Organizations are also limited by their belief that they are constrained by inadequacies in their corporate systems.
My view is that almost any organization, no matter the size or type, not only can but should be taking advantage of the immense possibilities with big data. Not doing so indicates a lack of imagination and resolve. Internal auditors, information security practitioners, risk professionals, and executives should not allow risks to blind them to the great values and possibilities.
Here are a few excerpts from the paper:
“New analytics tools and methods are expanding the possibilities for how enterprises can derive value from existing data within their organizations and from freely available external information sources, such as software as a service (SaaS), social media and commercial data sources. While traditional business intelligence has generally targeted ‘structured data’ that can be easily parsed and analyzed, advances in analytics methods now allow examination of more varied data types.”
“Information security, audit and governance professionals should take a holistic approach and understand the business case of big data analytics and the potential technical risk when evaluating the use and deployment of big data analytics in their organizations.”
“For information security, audit and governance professionals, lack of clarity about the business case may stifle organizational success and lead to role and responsibility confusion.”
“By looking at how these analytics techniques are transforming enterprises in real-world scenarios, the value becomes apparent as enterprises start to realize dramatic gains in the efficiency, efficacy and performance of mission-critical business processes.”
“Understanding this business case can help security, audit and governance practitioners in two ways: it helps them to understand the motivation and rationale driving their business partners who want to apply big data analytics techniques within their enterprises; and it helps balance the risk equation so that technical risk and business risk are addressed. Specifically, while some new areas of technical risk may arise as a result of more voluminous and concentrated data, the business consequences of not adopting big data analytics may outweigh the technology risk.”
My friends and former colleagues at SAP have chimed in with an emphasis on the increased value when more sophisticated tools, especially “predictive analytics,” are used to mine and produce information from big data.
The SAP paper on this topic, “Predicting the future of Predictive Analytics” makes the point well. Here are some wise thoughts, from a personal correspondence with SAP executive James Fisher, that focus on the risk of using analytics and big data without making sure that the information you are using to run the business is reliable:
“The opportunity of big data is huge, and the biggest analytical opportunity I see within that is the use of predictive analytics. The data shows companies favor taking advantage of the opportunities in front of them rather than minimizing risk. Technology is playing a role here and making predictive capabilities even easier to use, embedding them in business processes and automating model creation. SAP is, of course, in a position to deliver all this. The added question to ask (and this is really my view) is this: Does this introduce an inherent risk in that people who don’t know what they are looking at blindly follow what the data says? When you read a weather forecast you immediately sanity check what it says by looking out the window—is everyone doing the same with data?”
Norman Marks, CISA, CISM, CGEIT, CRISC
Member of ISACA’s Emerging Business and Technology Committee
*A version of this post originally appeared in Norman’s blog.
Continue the conversation in the Big Data topic within ISACA’s Knowledge Center.
At ISACA’s North America CACS conference this April, former Space Shuttle Astronaut Mike Mullane delivers the closing keynote titled “Countdown to Teamwork.” We chatted with Mike, a veteran of three Space Shuttle missions who has logged more than 356 hours in space, about his presentation.
ISACA: What is an example of astronauts' reliance on IT during space missions?
Mike: On an early Space Shuttle mission, the center liquid-fueled engine shut down well before the vehicle had reached orbit, resulting in a launch abort (a very serious situation). The vehicle was too far from Florida to turn around and return. The crew could only continue toward a lower—hopefully safe—orbit. The commander selected the “Abort To Orbit” option on the abort-selection switch. That switch had never been touched in flight and would never again be touched in the remainder of the Space Shuttle program. While the software behind an ATO abort selection had been tested over and over in ground-based simulations, this wasn’t a simulation. This was the real world and any mistake in the abort software could have resulted in the loss of the vehicle and crew. But there were no errors and the transition from “normal” ascent-operation software to the ATO launch-abort software package was seamless. The vehicle achieved a lower—but safe—orbit. There were a lot of white knuckles in the cockpit and Mission Control when the commander turned the instrument-panel dial to the ATO abort mode and hit the engage button. The software engineers and testers had saved the day by delivering error-free software.
ISACA: How did technology change over the course of your career as an astronaut?
Mike: There were huge changes in technology over the 30-year span of the shuttle program. For personal entertainment on my missions (in 1984, 1988 and 1990), NASA provided each crew member a Sony Walkman. We were allowed to carry six cassettes loaded with whatever music we might like to listen to in orbit. In those same missions, there were no digital cameras. We used Hasselblad film cameras. There was no Internet or fax to connect the crew with mission control. To send daily updates to our mission plans and checklists, we depended upon a cockpit teletype machine. We had no GPS to determine vehicle position over Earth, instead relying upon an inertial measuring unit and updates from ground-tracking radars. The vehicle computer screens were monochrome and, on some displays, we had to enter and interpret hexadecimal digits. Only on my last mission in 1990 did we have a monochrome, early IBM ThinkPad laptop that had the software to display our ground track over Earth. The ship’s computers didn’t have enough memory for the “luxury” of providing such a display, and contrary to what you might believe, it can be very difficult to locate yourself by just looking out the window. By the end of the shuttle program (and aboard the International Space Station) there was Internet access, email capability, Skype, digital cameras, voice recognition to control some equipment, etc. None of this existed in the early shuttle program.
ISACA: What is your definition of “normalization of deviance"? Why must one guard against it?
Mike: Normalization of deviance is a phenomenon in which individuals or teams repeatedly accept a deviance from best practices until that deviance becomes the norm. Usually, the acceptance of the deviance occurs because the individual/team is under pressure (budget, schedule, etc.) and perceives it will be too difficult to adhere to the best-practice standard while executing the mission. When there are no immediate negative consequences to taking best-practice shortcuts (the usual outcome) a false feedback is signaled as to the “rightness” of that decision. This emboldens the individual/team to take future shortcuts when the same pressure circumstances exist. Eventually, with repeated success in shortcutting best practices, the shortcut (deviance) becomes the norm. Normalization of deviance leads to “predictable surprises” which are invariably disastrous to the team. The Space Shuttle Challenger tragedy was a predictable surprise.
Want more? Join Mike at North America CACS 2014 this March in Las Vegas, Nevada. Learn more here.
The beginning of each new year is special—we pause to reevaluate our lives and make promises for the coming months. As an association, we are also looking forward to building on the benefits we provide to members and embarking on new activities throughout the year. As we enter the first weeks of 2014, we also recognize a significant milestone—the 45th anniversary of ISACA.
Credit for this 45th anniversary belongs to all members, whether they have been part of ISACA since its inception or joined this month.
As business use of technology continually grows and matures, ISACA continues to be an influential global leader in providing research, education, publications, certifications, standards, frameworks and community for information technology professionals in nearly all industries.
ISACA was founded in 1969 as the EDP Auditors Association. After professionals in Los Angeles, California, USA, held their first meetings of our fledgling organization, growth continued around the world with chapters forming in Mexico City, Mexico; Tel Aviv, Israel; Sydney, Australia; and Hong Kong. In 1984, the association’s name was changed to Information Systems Audit and Control Association, and the decision was made to use our acronym exclusively in 2006.
Our membership numbers increased accordingly, and in the early 1990s it was an honor to announce that we had 10,000 members. Heading into 2014, we now serve more than 110,000 constituents in more than 180 countries. This is incredible growth, thanks to the hard work and expertise of many professionals around the world.
We will recognize ISACA’s 45th anniversary in the ISACA Now Blog throughout the year. Keep an eye out for posts that celebrate four-and-a-half decades of commitment to trust in, and value from, information systems. If you have anything to contribute—a photo, a quote, an anecdote or a post about your experience at any point on this journey—please let us know here (email@example.com).
It is my pleasure to wish you a happy New Year, to congratulate you on this anniversary, and to thank you for making this milestone possible.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute