*This is the first in a series of posts intended to help ISACA members get to know the personal side of members of ISACA’s board of directors. To learn more about the board of directors, click here.
International Vice President Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, is information risk manager at Morgan Stanley. He began his career with Deloitte in Cape Town (South Africa) and has more than 30 years of experience in IT audit, risk, security and consultancy roles at companies such as JPMorgan, Goldman Sachs, KPMG, PricewaterhouseCoopers, Marks and Spencer, and the London Stock Exchange. He is a past president of the ISACA London Chapter and has served on the British Computer Society’s Information Risk Management and Audit Committee. He has also served on and chaired ISACA’s CISM Certification Committee and the Leadership Development Committee. He currently chairs ISACA’s Credentialing and Career Management Board and is a member of ISACA’s Strategic Advisory Council. He was a London 2012 Paralympics Games Maker, a school governor (chair of the finance committee), and is a Freeman of the City of London.
ISACA: Tell us about your volunteer work during the London, UK, 2012 Paralympics.
Allan: Out of 70,000 volunteers, I think I had one of the best roles. I was National Paralympic Committee assistant, which meant I was assigned to one of the countries taking part. As luck would have it, I was assigned to the South African Paralympic Team and my job was to support the chef de mission and his team in making sure the athletes and the rest of the delegation had the best possible experience. (I should mention that I am from South Africa and left there in my late 20s.) We performed a variety of duties and no two days were the same. One of the perks was accompanying the team to training sessions, competition venues and other events, such as press conferences and celebrations at the South African Embassy. It was a lot of fun. I met some very interesting people and made some great friends.
ISACA: You are going to Russia this March for the Sochi 2014 Paralympics.
Allan: I am very excited to be going to Sochi as a volunteer at the Paralympic Games. I applied as soon as the call for volunteers opened early last year and consider myself very fortunate to be part of that group. I will be working with the protocol team assigned to the Ice Cube (the curling venue), where I will greet and support VIPs and the athletes’ families. I am really excited about this and very much looking forward to it.
ISACA: Have you been watching the Sochi Olympics?
Allan: Absolutely! It really looks fantastic and I cannot wait to get out there. Although I am assigned to a coastal-region venue, my schedule allows me to visit the mountain region as well, so I hope to see a number of the Paralympic events and also some of Sochi. London 2012 was an amazing, life-changing experience for me. It is something I will never forget. I am sure Sochi will be the same. Looking to the future, I am keeping a close watch out for the call for volunteers at the Brazil 2016 games. Who knows…I may see you there!
IT infrastructure is designed and built for reliability, robustness and redundancy with significant consideration given to long-term viability and sustainability. It is less subject to the rapidly changing evolution seen in endpoint domains such as applications, services and delivery models. Nevertheless, pressure is mounting to focus additional resources on core infrastructure investments and operational capabilities due to both technological advances and increasing user demands.
Contributing to this pressure from the technological side are the growing implementations of IPv6, DNSSEC and 4G networks, which all require new functional capabilities and architectures to handle the new/expanded protocol elements and increased traffic loads. User demands on infrastructure will also continue to increase—particularly in the areas of bandwidth—across modalities and locations, and the expectation of always on/always accessible systems.
With these factors in mind, IT leaders will need to build out resilient networks that are flexible enough to meet rapidly changing business requirements, while being robust enough to provide 24 x 7 x 365 availability. Rather than building everything in-house, results-oriented technologists will look for ways to effectively partner with vendors and service providers (particularly in the areas of infrastructure-as-a-service and platform-as-a-service) to rapidly scale up and scale down capabilities to meet organizational needs with efficient business investments in mind, whether for a short-term transitional bridge or as a long-term solution.
Key technologies that will play a role in the diffusion of responsibility for infrastructure implementation are Software-Defined Networking and Network Functions Virtualization. The abstraction of network functionality from hardware to software enables a more rapid, flexible deployment of services on an as-needed/where-needed basis, without the significant upfront capital expenditures typically associated with infrastructure projects.
Even if used only for evaluation and prototyping, virtualization technologies can reduce development and testing costs while improving delivery times.
Nelson Gibbs, CISA, CISM, CGEIT, CRISC, CIA, CISSP, CRMA
Vice president and senior IT audit manager at Union Bank
ISACA COBIT trainer
Continue the conversation in the Network Security topic within ISACA’s Knowledge Center.
ISACA has just released a new paper on big data that I like and recommend. (Full disclosure: I reviewed and provided feedback on a draft.)
What I most like is one of the key messages: it may be riskier to ignore big data than to implement it. This captures my belief that the value that can be obtained by the intelligent and creative use of analytics against the massive data sets that are available to every organization far outweighs both the cost of the effort and any associated risk.
Most organizations recognize that there is value in big data, although in practice that value is usually limited by their ability to define the critical business questions that can be answered by the use of this wonderful new tool. Organizations are also limited by their belief that they are constrained by inadequacies in their corporate systems.
My view is that almost any organization, no matter the size or type, not only can but should be taking advantage of the immense possibilities with big data. Not doing so indicates a lack of imagination and resolve. Internal auditors, information security practitioners, risk professionals, and executives should not allow risks to blind them to the great values and possibilities.
Here are a few excerpts from the paper:
“New analytics tools and methods are expanding the possibilities for how enterprises can derive value from existing data within their organizations and from freely available external information sources, such as software as a service (SaaS), social media and commercial data sources. While traditional business intelligence has generally targeted ‘structured data’ that can be easily parsed and analyzed, advances in analytics methods now allow examination of more varied data types.”
“Information security, audit and governance professionals should take a holistic approach and understand the business case of big data analytics and the potential technical risk when evaluating the use and deployment of big data analytics in their organizations.”
“For information security, audit and governance professionals, lack of clarity about the business case may stifle organizational success and lead to role and responsibility confusion.”
“By looking at how these analytics techniques are transforming enterprises in real-world scenarios, the value becomes apparent as enterprises start to realize dramatic gains in the efficiency, efficacy and performance of mission-critical business processes.”
“Understanding this business case can help security, audit and governance practitioners in two ways: it helps them to understand the motivation and rationale driving their business partners who want to apply big data analytics techniques within their enterprises, and it helps balance the risk equation so that technical risk and business risk are addressed. Specifically, while some new areas of technical risk may arise as a result of more voluminous and concentrated data, the business consequences of not adopting big data analytics may outweigh the technology risk.”
My friends and former colleagues at SAP have chimed in with an emphasis on the increased value when more sophisticated tools, especially “predictive analytics,” are used to mine and produce information from big data.
The SAP paper on this topic, “Predicting the future of Predictive Analytics,” makes the point well. Here are some wise thoughts, from a personal correspondence with SAP executive James Fisher, that focus on the risk of using analytics and big data without making sure that the information you are using to run the business is reliable:
“The opportunity of big data is huge, and the biggest analytical opportunity I see within that is the use of predictive analytics. The data shows companies favor taking advantage of the opportunities in front of them rather than minimizing risk. Technology is playing a role here and making predictive capabilities even easier to use, embedding them in business processes and automating model creation. SAP is, of course, in a position to deliver all this. The added question to ask (and this is really my view) is this: Does this introduce an inherent risk in that people who don’t know what they are looking at blindly follow what the data says? When you read a weather forecast you immediately sanity check what it says by looking out the window—is everyone doing the same with data?”
Norman Marks, CISA, CISM, CGEIT, CRISC
Member of ISACA’s Emerging Business and Technology Committee
*A version of this post originally appeared in Norman’s blog.
Continue the conversation in the Big Data topic within ISACA’s Knowledge Center.
At ISACA’s North America CACS conference this April, former Space Shuttle Astronaut Mike Mullane delivers the closing keynote titled “Countdown to Teamwork.” We chatted with Mike, a veteran of three Space Shuttle missions who has logged more than 356 hours in space, about his presentation.
ISACA: What is an example of astronauts’ reliance on IT during space missions?
Mike: On an early Space Shuttle mission, the center liquid-fueled engine shut down well before the vehicle had reached orbit, resulting in a launch abort (a very serious situation). The vehicle was too far from Florida to turn around and return. The crew could only continue toward a lower—hopefully safe—orbit. The commander selected the “Abort To Orbit” option on the abort-selection switch. That switch had never been touched in flight and would never again be touched in the remainder of the Space Shuttle program. While the software behind an ATO abort selection had been tested over and over in ground-based simulations, this wasn’t a simulation. This was the real world and any mistake in the abort software could have resulted in the loss of the vehicle and crew. But there were no errors and the transition from “normal” ascent-operation software to the ATO launch-abort software package was seamless. The vehicle achieved a lower—but safe—orbit. There were a lot of white knuckles in the cockpit and Mission Control when the commander turned the instrument-panel dial to the ATO abort mode and hit the engage button. The software engineers and testers had saved the day by delivering error-free software.
ISACA: How did technology change over the course of your career as an astronaut?
Mike: There were huge changes in technology over the 30-year span of the shuttle program. For personal entertainment on my missions (in 1984, 1988 and 1990), NASA provided each crew member a Sony Walkman. We were allowed to carry six cassettes loaded with whatever music we might like to listen to in orbit. In those same missions, there were no digital cameras. We used Hasselblad film cameras. There was no Internet or fax to connect the crew with mission control. To send daily updates to our mission plans and checklists, we depended upon a cockpit teletype machine. We had no GPS to determine vehicle position over Earth, instead relying upon an inertial measuring unit and updates from ground-tracking radars. The vehicle computer screens were monochrome and, on some displays, we had to enter and interpret hexadecimal digits. Only on my last mission in 1990 did we have a monochrome, early IBM ThinkPad laptop that had the software to display our ground track over Earth. The ship’s computers didn’t have enough memory for the “luxury” of providing such a display, and contrary to what you might believe, it can be very difficult to locate yourself by just looking out the window. By the end of the shuttle program (and aboard the International Space Station) there was Internet access, email capability, Skype, digital cameras, voice recognition to control some equipment, etc. None of this existed in the early shuttle program.
ISACA: What is your definition of “normalization of deviance”? Why must one guard against it?
Mike: Normalization of deviance is a phenomenon in which individuals or teams repeatedly accept a deviance from best practices until that deviance becomes the norm. Usually, the acceptance of the deviance occurs because the individual/team is under pressure (budget, schedule, etc.) and perceives it will be too difficult to adhere to the best-practice standard while executing the mission. When there are no immediate negative consequences to taking best-practice shortcuts (the usual outcome) a false feedback is signaled as to the “rightness” of that decision. This emboldens the individual/team to take future shortcuts when the same pressure circumstances exist. Eventually, with repeated success in shortcutting best practices, the shortcut (deviance) becomes the norm. Normalization of deviance leads to “predictable surprises” which are invariably disastrous to the team. The Space Shuttle Challenger tragedy was a predictable surprise.
Want more? Join Mike at North America CACS 2014 this March in Las Vegas, Nevada. Learn more here.
The beginning of each new year is special—we pause to reevaluate our lives and make promises for the coming months. As an association, we are also looking forward to building on the benefits we provide to members and embarking on new activities throughout the year. As we enter the first weeks of 2014, we also recognize a significant milestone—the 45th anniversary of ISACA.
Credit for this 45th anniversary belongs to all members, whether they have been part of ISACA since its inception or joined this month.
As business use of technology continually grows and matures, ISACA continues to be an influential global leader in providing research, education, publications, certifications, standards, frameworks and community for information technology professionals in nearly all industries.
ISACA was founded in 1969 as the EDP Auditors Association. After professionals in Los Angeles, California, USA, held their first meetings of our fledgling organization, growth continued around the world with chapters forming in Mexico City, Mexico; Tel Aviv, Israel; Sydney, Australia; and Hong Kong. In 1984, the association’s name was changed to Information Systems Audit and Control Association, and the decision was made to use our acronym exclusively in 2006.
Our membership numbers increased accordingly, and in the early 1990s it was an honor to announce that we had 10,000 members. Heading into 2014, we now serve more than 110,000 constituents in more than 180 countries. This is incredible growth, thanks to the hard work and expertise of many professionals around the world.
We will recognize ISACA’s 45th anniversary in the ISACA Now Blog throughout the year. Keep an eye out for posts that celebrate four-and-a-half decades of commitment to trust in, and value from, information systems. If you have anything to contribute—a photo, a quote, an anecdote or a post about your experience at any point on this journey—please let us know here (firstname.lastname@example.org).
It is my pleasure to wish you a happy New Year, to congratulate you on this anniversary, and to thank you for making this milestone possible.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
Everything in this world, it seems, is becoming connected, from household appliances that “speak” to one another to drones that deliver groceries. These are part of the emerging world of disruptive technologies. Since businesses’ survival is more dependent on technology than ever before, today’s CIOs must act as technology leaders in addition to critical business partners who understand the nature and direction of their businesses.
A problem that continues to nag many CIOs, however, is that they are seen as technologists. This is exacerbated by the shrinking useful life cycles of technology and by the increased awareness and empowerment of business units to procure IT-enabled business solutions directly. The result is investment in capital equipment that holds little value for the organization, causing some to question the CIO’s business acumen.
In response, many CIOs are transitioning to a new, agile environment where speed is critical. To deliver, they need to integrate at the rate and pace of business (based on the risk appetite, of course). This is not always easy, as too many IT organizations still do not classify their information properly, often implementing a single security approach rather than an information approach, which spurs business frustration as there are too many controls guarding the critical information.
The CIOs that make this transition will be best equipped to deal with upcoming trends such as the Internet of Things and Big Data. Information related to these developments, when correctly leveraged, will provide a critical competitive advantage, but many CIOs are still coming to grips with the resources required to drive value.
As such, the role of data scientists is emerging. This role will require sound business knowledge paired with the skills to read these new types of information and make speedy decisions about them.
Robert E. Stroud, CGEIT, CRISC
Vice president of strategy and innovation at CA Technologies
Chair of ISACA’s ISO Liaison Subcommittee
Continue the conversation in the Big Data topic within ISACA’s Knowledge Center.
2014 is now upon us: the ball has dropped, the fireworks are over, and now it is time to see what the year brings.
Nobody can know the future, but if there is one thing that is clear, it is that 2014 is shaping up to be a year of exciting developments and rapid change. Things like delivery via automated drone and wearable computing devices, once the domain of only the most speculative sci-fi writers, are now not only possible but seemingly on the brink of becoming “serious business.”
For professionals in the ISACA community, periods of disruptive technology change can sometimes seem daunting; there are a lot of hard questions to answer. How does one secure an automated drone? How does one govern a technology ecosystem that—literally—extends to what corporate citizens wear to work? And how do we ensure users’ privacy rights as we do so?
Answering these questions fully will take time, research, diligence and industry consensus. But as we face these questions, it is useful to consider a few things. First, being in a position to ask these hard questions in the first place is a good thing. Questions that “push the envelope” mean the business is evolving: these questions are a byproduct of the business taking advantage of new markets, exploring more efficient ways of operating, or opening up new pathways to deliver value to the customer.
As such, it is important that we frame risk discussions with the business accordingly: those discussions should cover both the technical risks of adoption and the business risks of non-adoption.
Obviously, it is important that we address the new technology risks that can arise (since many of them can and will introduce new security and governance challenges that we ignore at our own peril). However, it is also imperative that we counterbalance those with due consideration of the business risks associated with the “status quo,” since businesses that do not adapt alongside their competitors will incur market risk.
The faster the pace of change, the riskier running in place becomes. In the words of Starbucks CEO Howard Schultz, “Any business today that embraces the status quo as an operating principle is…on a death march.”
Additionally, it is important to remember that business leaders asking questions like these of security professionals, risk managers, governance professionals, or other practitioners is a good sign. It indicates trust in the practitioners’ ability to understand the issue and confidence that guidance received will be useful and actionable.
That kind of relationship takes time to build and requires the foundation of a successful and fruitful partnership. If that history is not there, effort is required on the part of the practitioner to build it. (And the faster the pace of change, the more effort required.)
The point is, there will be plenty of tough questions to answer in the weeks and months ahead, and while that is challenging, it is also an optimistic sign for 2014.
Director, Emerging Business and Technology Trends, ISACA/ITGI
As 2013 draws to a close, I would like to take a moment to reflect on a year of exciting developments.
ISACA conferences continued to offer a broad range of presentation topics delivered by highly skilled experts. New approaches included focused sessions on important components of COBIT 5, and some presenters were even pulled from the headlines, such as Captain Richard Phillips, who wowed the audience at the North America Information Security and Risk Management Conference with tales of his experience being kidnapped at sea. He showed how preparation and a never-give-up attitude can solve most any business problem.
Beyond the valuable information delivered at conferences, 2013 was a busy year in other respects as well.
The association celebrated the 35th anniversary of the Certified Information Systems Auditor (CISA) certification, and surpassed 100,000 CISA-certified individuals since inception. The Certified in Risk and Information Systems Control (CRISC) certification was named Best Professional Certification Program by SC Magazine in February. And all four ISACA certifications are now accredited by the American National Standards Institute. Kudos to all who have earned these certifications—your professionalism is globally recognized.
In recent months, ISACA introduced the COBIT 5 Certified Assessor program and recognized the individuals who earned this distinction.
Throughout the year, ISACA published a number of deliverables on topics ranging from the cloud to targeted cyberattacks to Big Data. The association released new IS Audit and Assurance Standards and published the revised IS Audit and Assurance Guidelines for public comment. COBIT 5 was translated and is now available in seven languages, in addition to English.
Throughout October, ISACA recognized Cybersecurity Month, partnering with ENISA in its educational efforts. Capping off the month, ISACA hosted a tweet chat with ISACA International Vice President Ramsés Gallego, enabling a global audience to access expertise on the subject.
More recently, ISACA released its annual IT Risk/Reward Barometer survey, which includes perspective from thousands of global IT professionals and consumers. Media around the world took notice of the timely findings on attitudes and actions related to security, privacy and risk.
Naturally, as we look back, we also look ahead. The new year is almost upon us, presenting new opportunities (BYOD), new challenges (evolving cyberthreats), new ideas (The Internet of Everything) and new tools (COBIT 5 Online).
There is also a new concept that seems to grow more important each month—the idea that every enterprise is in the business of IT. This was true in 2013, will become more evident in 2014, and is certainly a good thing for our members and constituents.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
The enterprise IT organization is awash with operational silos that touch IT service management (ITSM). In many ways, one could argue that some of these should actually be part of corporate ITSM activities.
Most commonly pointed to is the App Dev and IT Operations divide, with DevOps a potential solution. But there are other significant opportunities for different parts of the enterprise IT organization to get along better. These include: security; IT asset management; and IT governance, risk and compliance.
The latter, in particular, is interesting as ITSM is actually part of the larger governance picture.
Consider the case study of a project performed by Intreis, a consulting firm specializing in ITGRC and ITSM integrations that partners with my enterprise. Intreis’ customer, a publicly traded global technology firm, is subject to SOX, PCI, European Safe Harbor, and ISO27001. Its controls environment consists of some 100 general computing controls. Prior to adopting an integrated approach to ITGRC and ITSM, their audits took eight months, cost more than $1.5 million, and auditors would identify dozens of deficiencies.
Through automation and integrating the customer’s ITSM and ITGRC processes on a single unifying platform, costs were slashed by 80%, turnaround was improved, IT hours were reduced and audits found zero deficiencies.
What’s the secret? Intreis advises six key steps:
- Define your services—Your services are the basis for effective process design and controls identification.
- Process redesign—Embrace it. You will have to redesign your processes in order to embed and automate your controls. It is worth the effort.
- Consolidation of controls—Get to a consolidated set of controls. The idea is to define one master set of controls that meets all of your business and regulatory requirements.
- Enlist the experts—Not everyone can be experts in controls and compliance or process design. If you don’t have the expertise in-house, engage subject-matter experts. Get it done right the first time and enjoy the results for a lifetime.
- Automate, automate, automate—Any time something is done manually it is open to human error. Automate to the fullest extent possible for maximum predictability and efficiency.
- Allow time for results—Definition and automation do not take very long, about a third of the time of most ITGRC-application implementations. With that said, many IT controls operate quarterly and annually, so your full savings potential may not be realized in year one, but you will certainly see it in year two.
Senior Manager, Product Marketing, ServiceNow
Continue the conversation in the Service Management topic within ISACA’s Knowledge Center.
One of the greatest challenges most professional women face is that of the work/life balance. Most of my colleagues laugh when I mention this, as they believe I have only two speeds—top speed and complete stop! There is, unfortunately, a modicum of truth in that. But it is necessary to have a level of drive and determination if you are going to reach the top of your field, particularly if you are female.
In the technology fields, only 26% of professional-level roles are held by women. I have worked hard to get to the position I am in today—sitting on the International Board of ISACA—but I am also aware that I have had some sensational role models along the way. I have been fortunate enough to participate in a number of international research initiatives in the areas of information security and governance. And I have met some wonderful people in my professional life and through my affiliation with ISACA.
However, too few of these people have been women.
In my role on ISACA’s Board, I am joined by Theresa Grafenstine and Krysten McCabe. We are in a position to encourage aspiring women to make the transition from operational to strategic areas of business. There are always detractors, and I have found in my professional life that there are those (including other women) who will ensure that it is difficult for you to make that transition. But when you do, it is well worthwhile.
It can also be challenging. Techopedia recently published an article on women in the workforce, and I shared this mindset with them:
It’s my belief that, even today as a woman in the workforce, you cannot afford to cut corners. You absolutely have to be better qualified and better prepared than your male colleagues because there isn’t a glass ceiling, from my own experience. It’s a granite one, and I was more than prepared to take the jackhammer along with me.
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP
Director of Information Security and IT Assurance, BRM Holdich, Australia
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.