Like many people, my office tends to be airports and wherever in the world I have traveled. The advent of connected devices, wearable tech and the Internet of Things enables me to be more productive and have more contact with colleagues and friends. This is a good thing.
But at the same time, these amazing advancements are also causing disruption in our lives and workplaces. We don’t always know who has use of or control over our sensitive personal and corporate information. And since new developments are always making their way into the workplace, it is critical that we understand attitudes and actions of consumers as well as the professionals and executives on the front lines of enterprise technology.
ISACA helps build this understanding with its annual IT Risk/Reward Barometer, and the 2014 survey results show some interesting trends with significant implications. For example, 68 percent of US consumers plan to use wearable tech or connected devices at work. But despite the surge in wearable tech at work, only 11 percent of enterprises have a policy that addresses it.
Enterprises need to be aggressively proactive here, and start educating staff on the risks and the opportunities of wearable tech. Devices such as smart watches and glasses collect and transmit information that provides great value. But if this information gets into the wrong hands or is mishandled, it can be used to damage a company’s reputation, financial position, compliance activities and even its existence.
According to the latest IT Risk/Reward Barometer, “increased security threats” and “data privacy issues” are two of the biggest challenges that ISACA members list regarding the Internet of Things.
But along with the inherent risk in the Internet of Things, enterprises are also reaping benefits, such as the 29 percent that have achieved greater accessibility to information and the 26 percent that have used it to improve services. Also, 22 percent have gained efficiencies and improved employee productivity. With new technology there is always the need to balance risks and rewards—and there are plenty of both in the case of the Internet of Things.
To keep tabs on evolving perceptions and trends, ISACA has fielded the IT Risk/Reward Barometer for five years. This survey is unique in that it has two components—a consumer survey and an ISACA-member survey. Globally, more than 4,200 consumers and more than 1,600 ISACA members responded this year, giving us an excellent pool of responses.
Wearable tech, connected devices and other cool advancements in the Internet of Things are making their way into every aspect of our lives. The gates are open and the tide is flowing, and we encourage you to take an “embrace and educate” approach. Having an informed and alert customer/employee/stakeholder base is a key aspect of making connected devices work for you and your enterprise.
I invite you to review the full report, infographic and news announcement for the 2014 IT Risk/Reward Barometer. I need to take off now. My smart refrigerator just told my smart watch that I need to pick up some bread on the way home from the airport.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President
Football fans are enthusiastic around the world—even though rules, fields and equipment vary.
These similarities and differences make a great comparison to ISACA’s flexible frameworks and other guidance—just ask our rugby-playing International President Rob Stroud.
When I teach workshops, participants often ask questions about configuring firewalls, Wi-Fi, or data access tools. These are good questions with good answers. Yet, these product-level questions are not the “sweet spot” of ISACA-land guidance.
Using our football comparison, these questions are about lacing up shoes or inflating the ball. ISACA guidance assumes that players can pick their own shoes (and sign endorsement contracts), lace them up, clean them off and know when to replace them. ISACA assumes members read the intrusion prevention product manual.
ISACA-land guidance is focused more on how to train, recruit players, position players, work as a team, scout competitors, develop plays and even maintain the field and stadium.
Vitally, maturity models help answer the question, “how good are we?” People say “yes, I’m doing that.” But in football terms, is that just enough to play in the league or to be league champion? Players (and IT professionals) who are overconfident get a rude awakening in competition. Improvement is what we accelerate in workshops.
ISACA as sports stories…
ISACA’s COBIT-related guidance comes in layers with the broad framework at the top.
The next layer includes documents such as COBIT 5 for Information Security. Think of these as history and “how to” sports books by respected coaches and sports writers. A subset of these are the league rule books. In ISACA-land these are our audit framework and topic-specific sample audit programs.
More detailed guidance includes papers on specific topics such as cloud or mobile devices.
The next layer brings in personal stories through the ISACA Journal, COBIT Focus and the resources of the ISACA Bookstore. Think of these as post-game interviews with players and coaches.
The next layer contains personal experience and questions through ISACA communities at isaca.org, social networks such as LinkedIn groups and local chapter events. Think of these as super-fan web sites or parties.
The point is that ISACA is a great newsstand when it comes to “trust in and value from IT.”
Opportunities for growing together in ISACA…
ISACA is focused on managing and governing information technology, more than the creation of technology. In sports, technology creation is more like sports business news—growing fans, league management, team ownership, sponsorships, new stadiums and advertising and more. Those of us members who are more focused on business cases or in managerial roles live in this world every day. Chapters reaching out to business leaders (such as Brisbane, Australia) or with many members in the technology industry (Silicon Valley, US) include this in their programming.
- If you are a member in a technology company, help other ISACA members learn how to more easily adopt technology—especially technology that can help grow business revenue, not just automate for cost cutting.
- If you are a member in a managerial role or writing business cases, help other ISACA members learn how to connect their daily work to revenue—not just paperwork or cost cutting. This can help other members advance their careers and grow their organizations.
- Chapters—create an event that invites business leaders of any company, technology company new product leaders, or your more revenue-focused members to share their insight with broader chapter members. The format could be a speaker series, workshop, conference track or panel program. The audience could be existing members, potential members or “bring your boss to ISACA” outreach.
In all cases, the point is to build on ISACA’s rich history and knowledge base to help members and chapters grow themselves and their organizations.
Drop me a note and let me know what you are doing in your chapter to further the sport of ISACA. I would be glad to help you share your success with others.
Together, we can make a difference.
Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com
For those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.
SciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events.
If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of the challenges we have all faced by being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.
The point is, discovering new technology adoption after the fact means added risk. Forecasting adoption ahead of time helps on both fronts: from a governance point of view, it mitigates strategic risks such as suboptimal pricing when vendor contracts are non-standard or not centrally negotiated; from a security standpoint, it helps address the "blind spots" in protecting new technology while that technology is early in the adoption curve. So in a very real sense, better forecasting means better risk management. And, in turn, the ability to forecast new technology, including its adoption, the approximate timing of when it will proliferate and which sectors might be affected, is of great potential value to ISACA members.
SciCast represents a unique source of data for ISACA. Knowing what’s on the technology horizon helps us give our members relevant guidance to maximize technology investment returns and minimize risk for their organizations.
“This also enables strategic, rather than tactical, decision-making. SciCast will provide us with a key data source to provide our membership with more rapid, more accurate, and more granular information about upcoming future trends,” Pasfield explains. “Because the SciCast platform is open, it allows us to incorporate information from the platform directly into our forward-looking knowledge products. That openness also allows us to reframe the information coming from the platform to make it most accessible to our membership and best meet their needs. It’s a very exciting platform, and I encourage you to take a look and start predicting.”
Chair, ISACA’s Emerging Business and Technology Committee
Which smart technology will be most vulnerable to cyber-attacks in 2014? Predict now: http://ow.ly/zcVEt
The job of defending the world’s data from cybercriminals is an increasingly complicated one. According to industry experts, however, there is a lack of qualified information security professionals ready to lead the world’s organizations to true cybersecurity. That’s where EC-Council Foundation’s Global CyberLympics initiative comes in. Last year, the competition had more than 3,000 cybersecurity professionals participate, representing 72 countries, including Australia, Africa, Egypt, The Netherlands and Brazil.
Global CyberLympics, the world’s first international ethical hacking cybergame, is a nonprofit online cybersecurity competition that takes place in four rounds: Computer Forensics, Computer Network Defense, Penetration Testing, and Capture the Flag. The goal of the games is not only to educate the world’s cybersecurity professionals, but to test their skills in simulated attack-and-defend scenarios. The teams that advance through these challenging rounds do so by proving their superior skills.
EC-Council Foundation is a charitable and educational organization dedicated to educating and training individuals in cybersecurity. EC-Council Foundation is excited to partner with ISACA and host the finals of this year’s game alongside ISACA’s European Computer Audit, Control and Security (CACS)/Information Security and Risk Management (ISRM) conference, taking place in Barcelona, Spain in September. Because of ISACA’s impressive global reach, with more than 115,000 constituents in 180 countries, and its mission of supporting information security via globally accepted research, certifications, and community collaboration, it is a natural partner for hosting the Global CyberLympics finals. Added to the synergy between the missions of ISACA and EC-Council Foundation is the impressive backdrop to the event: Barcelona, Spain. This year’s setting adds an additional element of drama to the games, as this is the first year the final round has been held outside of the US.
For the competition schedule or to register a team to play in the games, please visit www.cyberlympics.org. For information about ISACA’s EuroCACS/ISRM conference, please visit www.isaca.org/eucacs-isrm2014.
Senior Director, EC-Council
Hundreds of millions of people around the world, including me, are cheering on the football games that comprise the 2014 FIFA World Cup, which bills itself as the biggest single-event sporting competition in the world. This is truly a global force of an event, with 204 entries across six continents competing for 31 available spots in the finals.
As I watched a recent close football match, it was clear that no matter what a sports organization (or governmental agency or enterprise) does as its core business, its relevance, value and reach depend on the team members driving strategy and activities forward. This is true for ISACA as well, and it is one more reason I am so honored to be elected international president and work with an excellent board of directors. The time and expertise they volunteer for the benefit of ISACA members is truly amazing. We recently installed our 2014-2015 ISACA Board of Directors and I would like to recognize them individually.
Reelected vice presidents are:
- Ramsés Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, security strategist and evangelist at Dell Software, Spain
- Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, inspector general of the US House of Representatives, USA
- Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, partner of M/s. Kumar & Raj and director at Pristine Consulting Private Limited, India
Newly elected vice presidents are:
- Steven Babb, CGEIT, CRISC, ITIL, technology risk management, compliance and assurance leader at Vodafone, UK
- Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, managing consultant at BAE Systems, Australia
- Rob Clyde, CISM, CEO of Adaptive Computing, USA
- Debbie Lew, CISA, CRISC, executive director within Ernst & Young LLP Advisory practice, USA
- Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, FHKITJC, CEO of Focus Strategic Group Inc., Hong Kong
- Alexander Zapata Lenis, CISA, CGEIT, CRISC, COBIT Certified Assessor, COBIT 5 Implementation, PMP, ISO 22301 Lead Implementer, ITIL, ISO 27001, IT consultant in Latin America, Mexico
These ISACA leaders represent a diverse cross-section of geographies, industries and expertise, and I am confident that together we will serve our members and other constituents with drive, dedication and direction throughout the year.
As a team, we will accomplish several key activities this year:
- We will continue to focus on cybersecurity. Through the Cybersecurity Nexus, we will do for the cybersecurity profession what we’ve done (and will continue to do) for assurance and governance.
- We will also focus on providing tools and guidance on privacy, full-spectrum career development, expanded COBIT, and emerging business and technology.
- We will serve our assurance base. Audit and assurance professionals founded ISACA 45 years ago and are still central to our mission to create trust and value through information and technology.
- And, above all, we will provide more value to our members than ever before. We exist for you—to help you drive your careers and serve your enterprises. Be assured that you are at the forefront of every decision we make.
This is an era of incredible change and strategic advancement for ISACA, especially as our new CEO, Matthew Loeb, takes the helm of the ever-growing and evolving association in early September. I look forward to Matt’s business acumen and eye for global service and growth. I also want to give a sincere thank you to Ron Hale, who stepped up and has served as ISACA’s acting CEO after the retirement of former CEO Susan Caldwell in 2013. Ron provided guidance and oversight for ISACA’s momentum over the past year and we deeply appreciate his contributions. I also want to thank our prior board members, who have shared so much of their knowledge, other global leaders, and all members, no matter your level of involvement, because you embody the spirit of ISACA.
I want to hear from you. Please follow me on Twitter at @RobertEStroud and share your comments below. This is going to be an exciting year for all of us. Together, just like the World Cup champion, we can achieve great things.
Robert E Stroud, CGEIT, CRISC
International President, ISACA and the IT Governance Institute
Robert E Stroud, who today becomes ISACA's international president, delivers an opening keynote presentation—“How Emerging Technologies Will Impact You and Your Enterprise and What You Can Do About It”—at The IIA/ISACA Governance, Risk and Control (GRC) conference this August. We chatted with Rob to preview his presentation.
ISACA: How will emerging technologies impact you / your enterprise?
Rob: They are changing business models. There is mobility everywhere, which is changing the interaction between people and services. Think about purchasing an item and doing price comparisons on the spot. You can go back to the sales agent with a better price. Their systems need to be able to adjust to provide that discount.
ISACA: What can you do about emerging technologies?
Rob: We all need to be aware of changing technologies and the impact on our current business models. Changing technologies will disrupt current business processes and buying patterns.
ISACA: How has business culture’s impression of emerging technology changed in recent years?
Rob: Business is leading the charge with emerging technology. This is led by younger professionals who are using—without bounds—new technology to execute business processes.
ISACA: Can you ignore emerging technologies?
Rob: Yes—at your own peril. Every business is powered by some form of technology. Technology is driving everything from buying decisions to tax calculation to, say, the maintenance of licenses. The time required to execute basic administrative tasks will kill a business that ignores technology.
ISACA: Do you differentiate between emerging technologies and disruptive technologies?
Rob: I would have two years ago, but they have started blurring together. The pace of the interconnectivity of things is accelerating beyond our wildest dreams, with everything from micro-chipped cows that give us milk to the milk containers to the fridge in which we store the milk.
ISACA: What is one emerging technology that most excites you?
Rob: The Internet of Things. Or, better yet, The Internet of Everything. Everything is becoming interconnected, enabling good management of information and a deluge of info that you need to process to make proper decisions. There is more information than a human can reasonably process, so we are dependent on technology to guide our decision-making processes. And if the base process is flawed, our decisions are flawed. What we are starting to see is deterministic systems that will learn patterns and develop decision-making criteria. Processes guided by computer data.
At this point, it is not going to completely replace humans. At this point…
Robert E Stroud, CGEIT, CRISC
VP of Innovation and Strategy
Learn more about the Governance, Risk and Control (GRC) conference here.
2014 has already been a year of exciting change, and as ISACA continues to transform and evolve we are very pleased that Matthew S. Loeb has been named chief executive officer (CEO) of ISACA and the IT Governance Institute. Matt brings extensive experience in global business operations, governance and strategy, and is the right person to lead ISACA as we build upon and carry out our strategic growth plans.
Matt is an innovative leader who shares ISACA’s deep commitment to serving our members and other constituents. His depth of expertise in emerging technology and global expansion, along with his keen business insights, will benefit all of us and our industries as a whole.
I have met with Matt and know that when he takes the helm in September, he will be laser-focused on identifying new opportunities for ISACA to serve our diverse constituents—current and future. Together with the Board of Directors and our staff, we have an extraordinary team in place and I am thrilled about our long-term outlook.
I want to thank Ron Hale, Ph.D., CISM, for stepping up and ensuring that ISACA moved forward with its strategic activities upon being named acting CEO of ISACA following the 2013 retirement of Susan M. Caldwell, after 21 years in the corner office. I also want to thank those who served with me on the CEO Search Panel (Ev Johnson, Jon Singleton and Terry Grafenstine) for the many hours they invested in ensuring a successful outcome of our efforts.
This also marks my final post to the ISACA Now blog as international president. I have met many new people from around the world during my term and I am happy to include all of you in my circle of friends and trusted colleagues. The accomplishments of our members and leaders this year have truly been amazing. Naming just a few, we experienced continued international growth of COBIT, established the formal corporate social responsibility program and launched the Cybersecurity Nexus. I will remain very active on ISACA’s board and am confident of ISACA’s prospects as Robert E Stroud, CGEIT, CRISC, takes over as international president for 2014-2015.
ISACA is a great organization and I am proud of the passion, experience and energy that we bring to all of our members, enterprises and business partners. Thank you for the honor of serving as your international president.
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA
International President, ISACA and the IT Governance Institute
Dr. Simon Singh wears many hats—scientist, encryption expert, documentarian, best-selling author. At ISACA’s EuroCACS/ISRM 2014 Conference in September, he will be the opening keynote speaker, delivering a presentation titled “Cracking the Cipher Challenge,” in which he will explore how encryption is increasingly important for cybersecurity and data privacy, while providing a demonstration of an original, World War II-era Enigma machine.
ISACA: What is an Enigma machine?
Simon: The Enigma cipher machine is probably history's most famous encryption device. Invented by Arthur Scherbius, this electro-mechanical machine was used by Germany prior to and throughout the Second World War. The machine looked rather like a typewriter, and each letter on the keyboard was connected to a letter on the lampboard by 26 wires. However, the machine was not hardwired. The wiring passed through rotors, which turned after each key was pressed, so the circuits were continually changing.
A crucial feature of the Enigma cipher is that the machine has billions of possible settings, such as the starting orientations of the rotors. The Germans knew that a machine would eventually fall into the hands of the Allies, but such a machine could not be used to decipher a message unless the key used to encrypt the message was known or could be deduced. The significance of the key is an enduring principle of cryptography, and it was definitively stated in 1883 by the Dutch linguist Auguste Kerckhoffs von Nieuwenhof: “The security of a cryptosystem must not depend on keeping secret the crypto algorithm. The security depends only on keeping secret the key.”
There were different keys for the distinct communication networks (e.g., the North Atlantic arena or North Africa) and they were changed on a daily basis. Nevertheless, Britain’s codebreakers at Bletchley Park discovered shortcuts to finding the Enigma keys and the cipher was cracked routinely throughout long periods of the war, providing vital information for the Allies.
ISACA: What can the modern IT/cybersecurity professional learn from the Enigma machine?
Simon: Although the Enigma was cracked, it was actually a very sophisticated machine, which potentially offered a high level of security. So, why was it cracked? The problem was not so much the machine, but rather in the way that it was used. Errors in the way that messages were sent gave Allied codebreakers the cracks they needed to break open a message. In other words, a cipher may be theoretically strong, but practically weak due to user error, a problem that still exists seven decades after the Second World War.
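A simplified rotor-machine simulation, added here as an illustration of the two points Simon makes above; it is not code from his talk and not a faithful Enigma (the rotor wirings and the reflector are constructed for the example, and stepping is a plain odometer carry rather than Enigma's notch mechanism). It shows that the rotors step after every keypress, so the keyboard-to-lampboard circuit changes with each letter, and that the machine itself can be entirely public while decryption still depends on the key: the rotor order and starting positions.

```python
"""Simplified rotor cipher machine (constructed example, not a faithful Enigma)."""
import random
import string

ALPHABET = string.ascii_uppercase


def make_rotor(seed: int) -> str:
    """Constructed rotor wiring: a fixed, seeded permutation of the alphabet."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


# Three constructed rotors; character i of the string is the output contact for input i.
ROTORS = [make_rotor(seed) for seed in (11, 22, 33)]

# Constructed reflector pairing A<->N, B<->O, ... It is an involution with no fixed
# points, which makes the whole machine self-inverse (encrypt and decrypt are the
# same operation) and means no letter can ever encrypt to itself.
REFLECTOR = ALPHABET[13:] + ALPHABET[:13]


class RotorMachine:
    """Keyboard -> rotors (right to left) -> reflector -> rotors (left to right) -> lamp."""

    def __init__(self, rotor_order, start_positions: str):
        # The key: which rotor sits in which slot, and each rotor's starting orientation.
        self.rotors = [ROTORS[i] for i in rotor_order]
        self.positions = [ALPHABET.index(c) for c in start_positions.upper()]

    def _step(self) -> None:
        # The right-most rotor advances on every keypress; when it completes a full
        # turn it carries into its neighbour, like an odometer (simplified stepping).
        for i in reversed(range(len(self.positions))):
            self.positions[i] = (self.positions[i] + 1) % 26
            if self.positions[i] != 0:
                break

    @staticmethod
    def _through(idx: int, wiring: str, pos: int, forward: bool) -> int:
        # The rotor is turned by `pos`, so fixed contact idx meets rotor contact
        # (idx + pos). Trace the wire (or its inverse) and undo the offset on exit.
        entry = (idx + pos) % 26
        if forward:
            exit_contact = ALPHABET.index(wiring[entry])
        else:
            exit_contact = wiring.index(ALPHABET[entry])
        return (exit_contact - pos) % 26

    def _encipher(self, idx: int) -> int:
        # Trace the circuit for the current rotor state without stepping.
        for wiring, pos in zip(reversed(self.rotors), reversed(self.positions)):
            idx = self._through(idx, wiring, pos, forward=True)
        idx = ALPHABET.index(REFLECTOR[idx])
        for wiring, pos in zip(self.rotors, self.positions):
            idx = self._through(idx, wiring, pos, forward=False)
        return idx

    def press(self, letter: str) -> str:
        """Encrypt (or decrypt) one letter: the rotors step first, then the lamp lights."""
        self._step()
        return ALPHABET[self._encipher(ALPHABET.index(letter))]

    def current_wiring(self) -> str:
        """The effective keyboard->lampboard permutation for the current rotor state."""
        return "".join(ALPHABET[self._encipher(i)] for i in range(26))


def run(text: str, rotor_order, start_positions: str) -> str:
    """Run a message through a fresh machine set to the given key (letters only)."""
    machine = RotorMachine(rotor_order, start_positions)
    return "".join(machine.press(c) for c in text.upper() if c in ALPHABET)


if __name__ == "__main__":
    key = ([0, 1, 2], "AAA")
    plaintext = "ATTACKATDAWN"  # constructed sample message
    ciphertext = run(plaintext, *key)
    print("ciphertext       :", ciphertext)
    print("same key         :", run(ciphertext, *key))              # recovers plaintext
    print("wrong start pos  :", run(ciphertext, [0, 1, 2], "AAB"))  # garbage
    print("wrong rotor order:", run(ciphertext, [2, 1, 0], "AAA"))  # garbage
    m = RotorMachine(*key)
    print("circuit now      :", m.current_wiring())
    m.press("A")
    print("circuit after 1  :", m.current_wiring())  # rotor stepped, circuit changed
```

The machine is self-inverse only because the reflector sends the signal back through the same rotors, which is also why no letter ever encrypts to itself, a property the text's codebreakers could exploit even with the machine's design fully known.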
Want more? Join Simon and the rest of the expert presenters at EuroCACS/ISRM 2014 Conference. Learn more here.
While attending ISACA’s North America CACS 2014 Conference, I was impressed by insightful presentations on cloud security, big data, security GRC, security programs and frameworks, not to mention the opening and closing keynote presenters. Likewise, I appreciated the diverse events at the conference (everything from breakout workshops to a professional photography station), the role of ISACA’s Young Professionals Subcommittee in promoting engagement among attendees, and the interactive communication opportunities for all.
As I look back at North America CACS, key messages stand out:
People—not computers—catch frauds
Harry Markopolos’ keynote presentation explored his exceptional work on Bernard Madoff’s fraud case, which demonstrated the whistleblower’s process of conducting holistic fraud examinations. Markopolos highlighted the red flags of potential frauds and answered the question, “How did one man lose $65 billion?”
As the presentation ended, I considered how we, as IT professionals, should rethink how IT is aligned with business objectives and strategies. Or, at least, how IT controls are designed and implemented for fraud-detection purposes.
Cloud and big data security
A major issue with cloud computing is data privacy, especially the data-residency problem, as most organizations worry about their business/customer data leaving the country or jurisdiction. In some cases, your primary data might be stored within a geographic area as required, but the backups are loosely controlled by the cloud service provider (CSP). Organizations must perform due diligence to ensure their data is properly stored and protected. Government agencies will define which types of data can be put into the cloud, and the FedRAMP certification program can provide an independent view of a CSP’s ability to clearly define and describe its system boundaries.
Another key consideration discussed at CACS is having a proper notification process in case the CSP makes changes. Old data + old data = new data.
New cybersecurity programs and roles
Cybersecurity is drawing attention from organizations across sectors. Two cybersecurity initiatives were discussed at North America CACS. One is the US Cybersecurity Framework, developed by NIST under a US presidential order. The Framework applies to the sectors designated as part of the US critical infrastructure. While its content supports and partly overlaps with some existing NIST security risk-management programs, NIST plans to develop that relationship further. This point was clarified by one of the North America CACS presenters, Victoria Yan Pillitteri from NIST.
The other initiative is ISACA’s Cybersecurity Nexus (CSX), which will include cutting edge thought leadership as well as a certification program (Cybersecurity Fundamentals Certificate) and resources such as webinars, mentoring programs, training courses and an online community.
Be situationally aware of risks
The concept of “risk management” is a constant, all while technologies advance and the context in which technology is used is in perpetual flux. According to presenter Hubert Glover, when people think about high-level risk management, such as technology risk, they must consider every aspect of the organization, as every aspect of an organization is enabled, powered and supported by IT.
Executive teams are considering how to turn risk into results, especially as they encourage participants to do innovative things in innovative ways. During his “Turning Risk into Results” presentation, Dr. Glover illustrated ways to evaluate risks in the context of time, place and mass. He skillfully demonstrated how to turn risk into results by leveraging a business model and risk framework, focusing on addressing organizational, operational and strategic risks.
Another critical aspect around risk management, proposed by keynote presenter/astronaut Mike Mullane, is to be aware of your risks in diverse situations. Using the Challenger disaster as an example, Mullane explained the dangers of accepting—in a changing work environment—a “tolerance” that was previously defined as “intolerable.” The astronaut stressed that it is not uncommon for organizations to fall victim to a “normalization of deviance”—getting away with shortcuts from best practices until the shortcut becomes the norm, leading to problems.
A few more nuggets from North America CACS
- Do not be a passenger. Everyone’s suggestion on how to manage (security) risks and improve processes counts. The executive team and managers should listen to various opinions—one might save the organization some day.
- Information security should be integrated into business processes and systems by design. The add-on approach will cost you more time, money and effort.
- Do periodic resets to best-practice standards. The fact that you’ve been successful previously doesn’t mean you will be successful again. To avoid predictable surprise, don’t let a “can do” attitude guide you into a shortcut.
Alan Tang, CGEIT, PMP, TOGAF, CISSP, CISA, CBCI, CIPP/IT, ISO27K, PCIDSS, ISO20K
Senior Consulting Analyst
Info-Tech Research Group
As you are likely aware, information technology is a rapidly growing field and a great career option for those with the right skill set. And, as you are likely aware, demand for these skills is simply not being met. There is a steadily increasing gap between the level of skills needed and the level of skills the people in the workforce actually have.
According to a skills-gap report from the American Society for Training and Development, “…more than 15 million businesses rate the aggregate skill levels of their IT staff as less than optimal, and 93 percent of employers indicate that there is an overall skills gap among employees.”
In short—seven percent of businesses in this study considered themselves exactly where they wanted to be in terms of skilled employees.
Analysts attribute this problem to the dynamic, ever-evolving nature of the IT industry. (That is what attracts many professionals to the field.) So what can be done about it? Information technology is not going to slow down. And the field of IT is not going to curb its growth any time soon.
So we need to catch up.
IT awareness must be elevated and IT education needs to be more accessible. Online educational offerings meet this need nicely. We must give the necessary skills to students at a younger age, and promote continuing education—across business departments—among employees. IT organizations can focus on developing talent in-house, producing professionals with business skills that match their technical acumen.
Ultimately, the IT skills gap will only begin to close if educators, professionals, businesses, and leaders in the IT community tackle these problems by investing more time and money in IT skill training.
Chief content officer, SkilledUp
Continue the conversation in the Career Management topic within ISACA’s Knowledge Center.