This weekend, all of ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a dear friend. Robert E Stroud, CGEIT, CRISC, 2014-2015 ISACA Board Chair, and Board Director 2015-2018, will be deeply missed.
Only 55 years old, Rob passed away Monday, 3 September 2018, after being struck by a vehicle while jogging on Long Island, New York, USA. He is survived by his devoted family: his wife of 35 years, Connie, sons Josh and Kyle, daughter-in-law Allie Elizabeth, and grandchildren Ayden, Haylee and Jeremy.
Rob brought boundless energy and enthusiasm into everything he did for ISACA—and those contributions were many. He was board chair for the 2014-2015 term, and was a driving force in the launch of ISACA’s Cybersecurity Nexus (CSX). Prior to that, he was international vice president of ISACA, member of the Strategic Advisory Council and Governance Committee, and chair of ISACA’s ISO Liaison Subcommittee. He was a COBIT champion and contributed to COBIT 4.0, 4.1 and 5, as well as numerous COBIT mapping documents. Additionally, he was involved in the creation of ISACA’s Basel II, Risk IT and Val IT guidance.
His excitement about emerging technologies and extensive knowledge of assurance, governance, cloud security and DevOps made him a highly sought-after speaker at events around the world—including ISACA’s. Rob’s technical expertise, his excitement to travel and share his knowledge around the world, and his humor and wit in delivering remarks will be greatly missed.
Rob’s dedication to the profession extended beyond ISACA. He previously served on the itSMF International Board, the board of the itSMF USA and multiple itSMF local chapters.
Additionally, he served as a member of the ITIL Update Project Board for ITIL 2011 and in various roles in the development of ITIL v3.
Rob’s high-impact career in assurance, governance and innovation leaves a lasting legacy. Rob was Chief Product Officer at XebiaLabs, where in the last year he primarily focused on DevOps scalability in the enterprise. Prior to that role, he was Principal Analyst for Forrester Research Inc., where he helped large enterprises successfully drive their DevOps transformations and guided them through organizational change.
He spent more than 15 years in multiple roles at CA Technologies, including Vice President of Strategy and Innovation, where he predicted changing trends in the domains of assurance, cybersecurity, governance security and risk. He also advised organizations on strategies to ensure maximum business value from their investments in IT-enabled business governance.
On a personal note, Rob has been my good friend and mentor. It was his inspiration and support that led me to serve on the ISACA board of directors. I have had the privilege of co-presenting with Rob many times, and frequently we have had lively discussions about new technology, cloud, DevOps and how we can help ISACA have even greater impact. The day before his passing, I was working on a DevOps presentation using slides that Rob had put together and just shared with me to use. Having collaborated with him for so many years, enjoying his advice, company, humor and zest for life, I feel like I have lost a part of me. I’m sure many of you feel the same, and we will explore a fitting way to honor his contributions and legacy. I will let you know of those opportunities as they are decided by the board in a timely fashion.
Rob was always looking forward to new trends, new challenges and new opportunities, so he could best serve his clients, his colleagues, and his friends, whether bonds were just formed or existed for decades. His exuberance lit up the room wherever he went, and he was truly a guiding light and progressive proponent for the association and our professional community.
Rob’s enduring spirit of innovation will continue to influence ISACA and our global family for years to come.
Thank you, Rob. You are gone too soon. We miss you.
While artificial intelligence and machine learning deployment are on the rise – and generating plenty of buzz along the way – organizations face difficult decisions about how, where and when to introduce AI.
In a session Tuesday at the 2018 GRC Conference in Nashville, Tennessee, USA, co-presenters Kirsten Lloyd and Josh Elliot laid out many of the ethical considerations that should be part of those deliberations.
The pair detailed several instances of high-profile AI events over the past decade that highlighted the need to give ethical components of AI deployment a high level of focus early in a product or service’s design, as opposed to risking unforeseen fallout. The examples included the development of a controversial algorithm that predicted higher rates of recidivism for black defendants in the judicial system and a Stanford University study exploring how often AI could determine a person’s sexual orientation based on photos of their faces.
Yet, for all of the questionable or even potentially malicious use cases of AI, Lloyd and Elliot highlighted an extensive list of powerfully compelling uses for AI, such as advancing new medical treatments, preventing cyber attacks, improving energy efficiency and increasing crop yields. Elliot, Booz Allen Hamilton’s director of artificial intelligence, noted that AI also may prove transformative in missing person crises, such as being able to swiftly locate missing children in AMBER Alert child abductions.
Whether the potential ethical implications of AI and machine learning outweigh the good that can be accomplished is very much a case-by-case judgment call, Elliot said, requiring a holistic evaluation of the possible outcomes through a risk management lens. Successful, ethical implementation of AI and machine learning also calls for strong governance, with emphasis on benefits realization, risk optimization and resource optimization. Elliot and Lloyd said organizations should identify and engage key stakeholders in AI projects, including the creation of an ethical review board and a chief ethics officer. Some high-impact deployments might also require direct access to the C-Suite for input on risk considerations.
Elliot and Lloyd suggested that organizations consider the following questions when deciding how they might want to deploy AI and machine learning:
- What are our goals?
- How much risk are we willing to tolerate?
- What is the state of our data assets?
- What talent assets do we have?
- What are our values?
From a people talent standpoint, Elliot noted there is a serious shortage of professionals with the expertise to help enterprises effectively and securely implement AI and machine learning, causing many organizations to turn to the ranks of academia and research to fill in the personnel gaps. Lloyd, an AI strategist with Booz Allen Hamilton, acknowledged the workforce worries many harbor regarding the potential for AI and machine learning to displace large numbers of practitioners, but said that there will remain an enduring need for humans’ critical thinking skills, while machines continue to introduce process improvements in computational thinking.
Taking the long view, Elliot and Lloyd said AI and related disciplines have transitioned from their previous state of simple task execution to the current era of pattern recognition, with a future that will be reshaped by added capabilities of contextual reasoning. Elliot said many of today’s common uses, such as robotic process automation (RPA), are a mere “gateway drug” to more sophisticated technologies and applications that are being aggressively researched in Silicon Valley and beyond.
Editor’s note: Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, will give the closing keynote address at the GRC Conference 2018, to take place 13-15 August in Nashville, Tennessee, USA. Williams recently visited with ISACA Now to discuss how enterprises can spark more innovation, the concept of disruptive hypotheses and more. The following is a transcript of the interview, edited for length and clarity:
ISACA Now: How, if at all, is entrepreneurship different from what it was 10 years ago?
In the past 10 years, the public perception of “entrepreneurship” has shifted toward “disruptive entrepreneurship,” which is about trying completely new products and business models that haven't been tried before. Instead of staying small, disruptive entrepreneurship is focused on high-growth businesses.
We often contrast small business entrepreneurs as sort of “incremental” entrepreneurs; they're incrementally improving business models that have already been established. So, someone who wants to open a shoe store might take their own incremental spin on it, but that's pretty much what it is. Disruptive entrepreneurship is a different form of entrepreneurship and it requires a completely different skill set. As a result, it requires a different approach to education.
Ten years ago, this approach was very much focused on the business plan: this long, elaborate document with all these sorts of financial projections. There was emphasis on getting the plan right. There was little emphasis on prototyping and experimenting. That has been a significant shift in the last 10 years. What we’re really educating entrepreneurs on today is far less about writing a business plan and far more about putting that focus, time, and energy into trying out your idea.
ISACA Now: What are some of the most common missteps made by people who are starting their first business?
I think the biggest misstep or mistake is that people are focused on finding problems to solve. We’re obsessed (in America in particular) with problem-solving. We almost use “problem-solving” as a label for thinking. The problem with problems is they’re seductively clear. They’re screaming for your attention, which typically means that problems are all that are getting anyone's attention.
The richest areas for innovation are found in the seemingly unbroken aspects of the situation you're focused on, precisely because nobody else is looking at these things. Because nothing appears to be wrong, or because it’s not broken enough to be really a problem, that doesn't mean that there’s not an opportunity there.
Often, an adequate idea blocks the emergence of a better idea. Because something is adequate, people don’t feel the need really to look at an alternative way of delivering their model. If it’s not broken, they don’t see the need to spend the time and attention to fix it.
ISACA Now: What type of management style most lends itself to fostering innovative thinking among employees?
What I’m going to talk about at the conference is the difference between sustaining leadership and disruptive leadership.
Sustaining leadership means incrementally improving what you’re currently doing. It’s all about maintaining the continuity of the current business.
Building options for the organization’s future is about managers introducing prolific discontinuity into the business – not waiting for disruption to happen, but rather being proactive. You've got to disrupt yourselves.
There are a lot of managers running around saying they value innovation. Where I find the disconnect most readily occurs is in the metrics; most managers find they’re rewarding the status quo, basically incentivizing people to keep the existing system of continuity. They have to fix that disconnect and figure out how to actually start rewarding effort rather than result.
ISACA Now: Which themes from Disrupt: Think the Unthinkable to Spark Transformation in Your Business tend to surprise people the most? What kind of feedback have you heard that are kind of new, a-ha moments for people?
There’s a tool called “disruptive hypothesis.” With a regular hypothesis, we make a reasonable prediction of what we can do, and then we test that prediction. An example: if your phone wasn't working, you would predict that the battery was flat, so you'd charge your phone. If your phone starts working, your hypothesis was correct; if it doesn't, you need to formulate another hypothesis.
That’s OK for sustaining leadership. If you want to start growing through innovation, you have to get out of the habit of making reasonable predictions and into the habit of making unreasonable provocations.
So, you might start thinking, “Well, why does a phone even need a battery?” The difference is profound. The point of a “disruptive hypothesis” is to give yourself deliberate permission to be wrong and try to create a new idea.
If you’re in a brainstorm session and everyone’s nodding and going “Yeah! Great idea! We can implement that tomorrow!” it means it’s incremental; one of your competitors is already doing it or will be soon. A disruptive hypothesis is an intentionally unreasonable statement that gets everyone’s thinking flying in a different direction.
Another takeaway from the book, I talk about the “cult of personality” problem with innovation. It forms out of celebrity CEOs – Steve Jobs, Jeff Bezos, and Elon Musk – and reminds us that they’re role models of innovation. It’s all about their personalities, and it’s not productive. It’s not about actually creating new products and services. For all of us as innovators, our most important job is to educate and create more innovators. We need to treat innovation as a skill. This isn’t about asking them to change their personality.
I often use the metaphor of cooking; there’s a cooking show on every channel. Weirdly, we have a problem teaching people to cook, because it’s nothing more than, “We show you how to take the ingredients and arrange them into a meal.” It’s the same with innovation. Those recipes are ideas, and those recipes (your ideas) make the ingredients (your resources) more valuable. The cooking metaphor is powerful for people because this isn’t about inventing anything new; it’s just rearranging things we already have.
Recognition of service and of outstanding achievements has long been an ISACA tradition, and it has been my pleasure to volunteer on the ISACA Awards Working Group, which was charged with enhancing the prestige and increasing global participation in the ISACA Awards Program. We have made great progress over the last couple of years in creating a peer recognition program, soliciting nominations from our membership and inviting distinguished colleagues to fairly peer-review the nominations, identifying the “best of the best” among a rather elite professional community.
Our 2018 class of recipients lived up to that reputation, and we celebrated their accomplishments during the awards presentation at EuroCACS in Edinburgh, Scotland in May. Terry Grafenstine, 2017-18 ISACA board chair, presented each recipient with his or her award after the audience viewed a short video on the importance of recognition activities and how we can inspire future generations.
Recipients celebrate on stage and with their families and colleagues.
Jack Freund, recipient of the ISACA John W. Lainhart IV Common Body of Knowledge Award, brought his wife and 10-year-old daughter (and possible future ISACA member if her lawyer/racecar driver/veterinarian career falls through) to celebrate with him. Jack has been instrumental in developing the CRISC certification and maintaining the quality of the exam content.
Upon learning of his award selection, Mark Thomas, a top-rated speaker at many ISACA meetings and recipient of the ISACA John Kuyers Award for Best Speaker, said, “I am honored to receive this award, and appreciate all that ISACA does for our professional community.” This is a common remark from our humble honorees, who dedicate so much of their time, energy, expertise and passion toward advancing ISACA’s purpose and promise.
2018 ISACA Global Achievement Recipients pose with 2017-18 ISACA Chair Terry Grafenstine.
CISM and CRISC Exam Top Scorers pose with 2017-18 ISACA Board Chair Terry Grafenstine.
We are inspired by Gail Coury, recipient of the ISACA Chair’s Award for her dedication to advancing women in technology and supporting ISACA’s philanthropic initiatives, and Nikesh Dubey, an active author and reviewer for the ISACA Journal. We appreciate the knowledge shared by Ahmet Efe in his outstanding articles about COBIT, and we value the leadership Christian Palomino has provided in the CGEIT and CISM working groups. Additionally, our Certification Exam Top Scorers outdid themselves with seven honorees this year for our five certifications: CISA (tie), CISM, CRISC, CGEIT and CSX Practitioner (tie).
To meet these outstanding ISACA contributors during the awards presentation was truly my honor, and now I’m eager to help select the 2019 award recipients. But the Awards Working Group and I can’t do it without your help!
The 2019 ISACA Awards call for nominations is now open, and I ask each ISACA member to think about the incredible articles and speakers you have learned from and the volunteer leaders you have met throughout your ISACA journey. ISACA needs you to nominate them so we can publicly recognize their contributions. Our Global Achievement Awards and our Chapter Awards nominations close 15 August and will be presented in 2019.
To learn more about the ISACA Awards Program and to submit a nomination, visit our webpage.
To learn more about the 2018 ISACA Award recipients, download the 2018 Awards Booklet.
There is nothing quite like the birth of a child to redirect our thinking from our daily patterns and prompt us to consider the big-picture view of where our world is heading.
I recently was blessed to become a grandfather for the first time as we joyfully welcomed a beautiful little girl to our family. While the immediate aftermath of her arrival is exciting in its own right, I am especially intrigued by the long-view for my new granddaughter and all of the other children who are being born into what many are terming Generation Alpha.
What will my granddaughter’s life look like in an era when technological advancements will create new opportunities that are impossible for us to fathom? Will her favorite middle school teacher be a human being or an intelligent machine? If she decides to play soccer in high school, will her matches be officiated by referees like me, or by more advanced and precise video refereeing and goal-line technology? On her 21st birthday in 2039, will she be summoning a driver-less vehicle to take her home safely after sipping her first margarita? Will her wedding planner be a robot? As she embarks upon her professional path, which career fields will be available to her, and what modalities will she be using to acquire the necessary education, training and practical experience needed to position her for success?
It is fun to let our imaginations run wild in envisioning the future, and there are many tantalizing possibilities to ponder. The reality, however, is that our likelihood of correctly predicting which technologies will reshape society 10, 25, or 50 years into the future is slim, at best. That said, we do know that the pace of technology-driven change is only going to accelerate. Those with the innovation bug are “standing on the shoulders of giants,” building upon the advancements that we are adopting today. ISACA has always evangelized the importance of good technology and information governance, but the importance of this governance today is not only about effectiveness and efficiency, nor is it only about enhancing organizational business performance and enabling business outcomes. Governance will evolve to consider boundaries for innovation and assurance of social and ethical responsibility. And this means responsible governance for technology and information will become even more pronounced – and perhaps just a given – during the course of my granddaughter’s lifetime.
As future innovations stream to market – presenting new opportunities in both our personal and professional lives – we must apply and assure the appropriate safeguards and controls to guard against the risks of unintended consequences. The disciplined approach to governance will not take stronger root unless we prioritize digital ethics and social responsibility. Today, these concepts are generally not top of mind, as the race to embrace disruptive technologies, and to meet the challenges of digital transformation through business model innovation, takes precedence, resulting in products rushed to market without appropriate consideration given to security and privacy. This is problematic enough today, as evidenced by the increasing number of data breaches and cyberattacks we have experienced. In the years to come, be aware of the dark clouds overhead when malicious uses of artificial intelligence and new developments such as quantum computing become forces with which society will have to reckon. Just as my granddaughter must learn to crawl before she can walk, and walk before she can run, enterprises must train themselves to take responsible, security-minded measures on the path from ideation to launching new products.
Appeasing shareholders with a few strong quarters of growth, or even a few strong years, is nice, but the path to sustainable enterprise success will depend upon treating consumers with genuine concern for their well-being – and for society’s as well. An enterprise failing to take good-faith measures to look out for its customers will ultimately be subject to a profound backlash from the public, as many of the biggest names on the enterprise landscape have already discovered. As the risk-reward continuum for deploying new technologies becomes more pronounced at both ends of the spectrum, enterprises will need expanded training and ingrained protocols that give digital ethics and social responsibility sharpened emphasis in a new era of technological potency.
At ISACA, we are building up to our 50th anniversary year in 2019, which gives us cause to reflect upon the momentous, technology-driven strides our professional community has helped set in motion since the organization was founded in 1969. It is even more stirring to consider what ISACA’s impact will be over the next 50 years, as the global technology workforce serves as an even more transformative engine to propel society forward.
There is no doubt that technology advancements will enrich the lives of my granddaughter and her generation, providing incredible experiences and accomplishments that will go well beyond what is available to her parents’ generation (we are already way past mine!). As promising as this may be, I want my granddaughter to live in a society that not only prioritizes the positive potential of new technologies, but also takes into account its impact on individuals and society. Imagine this: a generation that maximizes all the gifts technology has to offer by exercising due diligence and regard for the welfare of those around them. Some may think this is a lot to ask, and perhaps a grandfather dreaming; I choose to think otherwise, remaining optimistic that it is simply the way it will be.
Editor’s note: This post originally published on CSO.
Editor’s note: P.W. Singer, strategist and senior fellow at the New America Foundation, will deliver the closing keynote address at ISACA’s 2018 CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA. Singer recently visited with ISACA Now to discuss pressing cybersecurity considerations that governments must grapple with, the multi-faceted impact of artificial intelligence and more. The following is a transcript of the interview, edited for length and clarity:
ISACA Now: What are the primary strategic considerations for governments today when it comes to protecting their people from cyberthreats?
The essential problem is that all the issues we've been dealing with the last 10 years – cybercrime, IP thefts, botnets, etc. – are still with us, but we also now have a series of new challenges to face. Governments, not just national, but state and local governments, have to understand the combination of how the internet is changing, and, in turn, the threat landscape. We are nearing the 50-year mark of internet history, an amazing moment when you consider the change, but it is also shifting. Once it was just an internet of people communicating, but it is also now one of “things” operating.
This, of course, brings enormous gains and efficiencies, but also massively grows the attack surface, as well as raises the consequences of attacks, shifting them to the physical realm. In turn, the internet has become one of web 2.0 via social media, where we all share information but also now spread and fight disinformation (what I call LikeWar). Add in the rise of issues like ransomware, hybrid threats from states and criminals, the blight of mega breaches, and it’s a daunting time. So, the key for governments is to ensure they are keeping pace with these shifts in internet use and threats.
ISACA Now: How do you envision malicious uses of AI reshaping the threat landscape in the coming years?
AI – and by that, I mean everything from machine learning to neural networks – will be used by bad actors in everything from developing malware to scoping out for vulnerabilities. But one area I think we really are not ready for is “deep fakes” created by AI. These hyper realistic videos, that aren’t actually true, will be weaponized against people, companies and governments. We’ve already seen examples tested in labs, where you can create a video of a speech that someone never gave, to how actresses have been put in adult films they never appeared in. This is just the start, where AI will be used to attack our very perceptions and sense of reality, in a malicious manner.
ISACA Now: Which new or emerging technologies can be most useful to governments in bolstering their security capabilities?
AI! Every technology has both good and bad uses, by good and bad people. For instance, AI is the very means to detect emergent cyber threats, scope out new anomalies before they can cause harm, sift through vast amounts of noise. Indeed, the means to detect AI-created deep fakes is other AI that can hunt for their tells. As I explore in an upcoming book, this creates a strange new world where the AIs battle, with us humans in the middle as the target.
ISACA Now: What appealed to you about joining the New America Foundation?
It is an organization that tackles the questions of what happens when technology and policy come crashing together, so people there are always wrestling with fascinating and important questions. At a recent staff meeting, for instance, we had people who were working on topics as varied as how to help the U.S. Army with cybersecurity to aiding the Rhode Island state government on adoption policy reform.
The ISACA Journal has been at the heart of ISACA’s knowledge community for more than 40 years, a tradition we are proud to carry forward into the future.
The ISACA Journal has remained a valued asset to ISACA’s professional community because it has continually evolved to meet the needs and interests of practitioners amid the ever-changing technology landscape. This year, for example, the Journal has highlighted key industry topics such as the future of data protection, innovation governance and smart transformation, with more timely content in the pipeline for the coming months. As much as we focus on the type of content that will be most relevant to Journal readers, we are equally mindful of the way in which the Journal audience is consuming content in the digital era.
In recognition of how more and more professionals prefer to read publications—the Journal included—we are refocusing the way we deliver the Journal with added emphasis on our digital presence, allowing this valuable knowledge resource to better serve our professional community and help us move more quickly toward the goal of realizing the positive potential of technology.
Effective with volume 4, 2018, of the ISACA Journal (July/August edition), you will receive Journal content exclusively in a digital format unless you choose to opt in to receive the print edition. If you wish to continue receiving the print edition, you must opt in by 26 June 2018 to ensure uninterrupted delivery. To do so, follow these simple steps:
- Log in to www.isaca.org and navigate to myISACA>MyProfile
- Click on Account-Address-Demographic Info tab
- Click the Edit button at the bottom of the page
- Toward the top of the page, select the My Demographic and Other Information tab
- Scroll down to ISACA Journal Delivery Options—Print and/or Digital and check the box to opt in
- Click Save at the bottom of the page
Accessing the Journal online allows members of ISACA’s professional community to explore the Journal alongside ISACA’s extensive collection of online content, including white papers, audit and assurance programs, blog posts, podcasts, and insights from our network of affiliates, such as the Massachusetts Institute of Technology Center for Information Systems Research and Wapack Labs. As technology transforms the way people consume information, we will continue to identify opportunities that will enhance the robust digital experience for the Journal audience and make the Journal an even more esteemed resource for ISACA’s professional community.
This is an exciting time as ISACA approaches its 50th anniversary celebration in 2019. As we look toward the organization’s future, whether accessing content digitally, in print, or whatever comes next, members of ISACA’s professional community can count on the Journal providing the knowledge resources needed to navigate digital disruption and advance their careers. Opt in today to continue uninterrupted print delivery!
Serving as board chair at any time in ISACA’s history would be incredible. To be able to serve in that capacity right now – as ISACA nears its 50th anniversary and with so much riding on the work of ISACA’s professional community – makes the opportunity ahead even more of an honor.
In an era when technology is driving digital transformation in just about every imaginable way – impacting all geographic regions, both the public and private sectors and industries of all types – ISACA’s professional community is facing challenges like never before. Heightened focus on data security and privacy, a shifting regulatory environment and an expanding threat landscape mean more is expected of practitioners in audit/assurance, governance, risk, information and cyber security, and related technology disciplines.
ISACA is here to be a trusted partner in your professional journey. Together, we will navigate the changes that artificial intelligence, the Internet of Things (IoT), blockchain, quantum computing and whatever comes next will bring to the enterprise landscape – and to society at large. We are laser-focused on providing the industry-leading practices, knowledge resources, training, credentials and networking opportunities needed to advance your career and help your enterprise deliver on the positive potential of technology.
For nearly 50 years, we have helped practitioners make sense of the latest forces impacting the technology workforce. As we approach the half-century mark as an organization, it is important to recognize what brought us to this point – the combination of an exceptional community of volunteers, members and staff professionals who have worked in concert across decades to ensure that ISACA continually progresses to meet the needs of our ever-changing technological landscape.
If ISACA wishes to remain relevant for the next 50 years, we must commit – as a global community – to continuing to adapt and evolve, to showing the world, today, the technology that will be arriving and impacting their lives tomorrow.
Ultimately, though, ISACA isn’t only about technology – it’s about people.
Even more important than preparing for the advancement of technology, we need to ensure ISACA retains the right culture as a community of volunteers, members, and professional staff, all working together toward common goals. ISACA’s community culture needs to be rooted in adaptability and agility, while retaining its half-century of demonstrated commitment to excellence in everything it undertakes.
We are well-positioned to do exactly that, with recent initiatives such as the CMMI Cybermaturity Platform, a rich compilation of resources that helped our professional community prepare for and implement GDPR, the advancement of ISACA’s SheLeadsTech program and the opening of a new office in Beijing serving as promising examples of the organization’s growing reach and impact. There are exciting opportunities to build additional momentum in the year ahead, including developing and executing on a plan for an ISACA charitable foundation and continuing to innovate with our training, certifications and CSX platform.
I want to thank my predecessor, Theresa Grafenstine, for the excellent work she did as board chair during the 2017-18 term. Fortunately, Terry will remain part of the 2018-19 board, which features a tremendous range of talent and expertise from around the globe:
- Robert Clyde, CISM, NACD Board Leadership Fellow, chair
- Brennan Baybeck, CISA, CRISC, CISM, CISSP, vice-chair
- Tracey Dedrick, director
- Leonard Ong, CISA, CRISC, CISM, CGEIT, CFE, CIS, CISSP, CPP, CSSCP, ISSAP, ISSMP, PMP, director
- R. V. Raghu, CISA, CRISC, director
- Gabriela Reynaga, CISA, CRISC, director
- Gregory Touhill, CISM, CISSP, Brigadier General USAF (ret), director
- Theodore Wolff, CISA, director
- Tichaona Zororo, CISA, CRISC, CISM, CGEIT, CIA, CRMA, director
- Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA, director, board chair (2017-18)
- Chris Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director, board chair (2015-2017)
- Robert E Stroud, CRISC, CGEIT, director, board chair (2014-2015)
- Matt Loeb, CGEIT, CAE, FASAE, CEO and director
I am proud that we are all part of an organization that devotes itself to aiding the world in recognizing the positive potential of technology. Together, with our members, certification-holders and incredible network of volunteers, we will celebrate ISACA’s proud, 50-year history, while simultaneously helping to position our professional community for its most important contributions yet. I can’t think of a better, or more exciting, time to propel ISACA forward.
Sometimes, in a professional conference, especially one that begins early afternoon, mid-work-week, it can take a while for things to get going. For introductions to begin, animated conversation to spark. For the standard taupe convention meeting room to warm up and for the buzz, well, to buzz. Sometimes, some of this, or all of it, never happens; even though you are there, you’re not "there, there."
That was not the case Wednesday, 30 May, in Edinburgh, Scotland. That day, ISACA’s 2018 EuroCACS wrapped up noonish and the SheLeadsTech™ seminar followed for the balance of the day. The women and men in the room activated SheLeadsTech program elements—raising awareness, preparing to lead and building global alliances, engaging over three hours. I have no doubt many in the room have been actively in touch in the hours and days since and will continue those connections. In doing so, they take up the challenges and embrace the wisdom that three women, long-tenured leaders in technology, delivered that day.
First up to the podium, but in no way planted there, was Melinda Matthews Clarkson, CEO of CodeClan and the driving force behind Scotland’s first Digital Skills Academy. Her “Get Gritty” theme came through, woven through a quick review of what propelled her into tech (improving efficiencies of networked printers while an admin in the hospitality industry) to her current focus, leading a business “where you have a match of culture where you work, and work with your heart.”
Crediting leaders who’ve inspired her, including Angela Duckworth’s research and book entitled Grit, Clarkson listed grit characteristics: courage, conscientiousness, endurance, resilience and excellence. She underlined their meaning and application in her own life, both professional and personal, and emphasized the importance of mentors, coaches and cheerleaders in her career, and shared how she feels she is valued in those roles serving others.
She remarked on how difficult it is to get women into tech jobs, yet the greater challenge is keeping them there. Yet, “if we get just 10% more women working, our GDP in the UK will go up,” noted Clarkson.
Stats were definitely the storyline of Anne Moises, Scottish government CIO and leader of “Safe, Secure & Prosperous,” Scotland’s cyber resilience strategy launched in 2015 and designed to achieve world leadership and recognition in cyber resilience by 2020.
Moises shared government job data from 2017, noting that while the overall workforce shows a makeup of 52% women, in the government’s digital directorate, only 38% of employees are women. She echoed Clarkson’s call for help to get women to apply for these jobs and stay part of the tech workforce, especially in Scottish civil service where compensation and benefits are strong.
Building and leading the many vectors of Scotland’s cyber resilience program across public private enterprise, the educational system, STEM efforts and extensive up-skilling activities have reinforced long-held lessons for Moises: collaboration is essential; always build awareness; continue to build skills; and share experiences—the good and the bad. Moises noted that these are also strengths she’s seen more often in women than men, a theme affirmed in the murmurs of those present—women and men.
While Moises described a career path solely in civil service, the career course of Gail Coury, Oracle Cloud global CISO, ISACA Women’s Leadership Council member and SheLeadsTech volunteer leader, has traversed roles within Oracle as well as previous information security leadership for PeopleSoft and JD Edwards. Coury balanced her seminar remarks between candid stories of courage and her “pearls of wisdom” list inspired by Oracle’s co-CEO, something of a call to action for the crowd:
- Things need to make sense. Ask questions for explanation and understanding;
- You can recover from a bad decision, but not indecision;
- If you don’t ask, you won’t get—a lesson she illustrated with her experience in building and winning her case to attend the Stanford executive MBA program, supported by Oracle;
- Just because everything can be put online does not mean it should be (also illustrated by the previous day’s firing of American actress Roseanne Barr from her TV show, based on an outrageous tweet);
- Integrity matters; be honest and straightforward;
- Don’t stand still, make it happen. Have a sense of urgency.
While their paths—past, present, future—differed, this SheLeadsTech trio of speakers converged and captivated. They didn’t just speak, they engaged attendees with stirring stories and authentic anecdotes, telling of the bad, and the good behavior; of policies they shaped; and of people who shaped, inspired, motivated them. They talked of overcoming barriers and bias, challenging conventions and, yes, achieving success. And while they were the day's designated speakers, no doubt much the same was exchanged at every SheLeadsTech event roundtable that followed that day.
Despite the many nuances about the new General Data Protection Regulation (GDPR) and questions about how it will be enforced, panelists at Tuesday’s GDPR panel during ISACA’s EuroCACS conference provided some straightforward guidance to organizations – if you don’t need the data, don’t collect it.
Operating within that basic framework can prevent many of the GDPR-related headaches organizations are facing, panelists in Edinburgh, Scotland, said. The panel, moderated by ISACA board chair Theresa Grafenstine, included ISACA board directors Mike Hughes, RV Raghu and Jo Stewart-Rattray, along with Andrew Neal, president, Forensic Technology & Consulting, TransPerfect Legal Solutions, and Ken Macdonald, head of ICO Regions, Information Commissioner’s Office.
Several of the panelists noted that the more stringent data privacy regulation brought on by GDPR must cause enterprises to re-evaluate what data is truly essential to gather and protect.
“It’s just amazing how organizations, just sort of by habit, ask for things that are highly risky to ask for that have nothing to do with the business process for which they’re asking, but they just got in the habit of doing that,” Grafenstine said.
Macdonald brought a regulator’s perspective to the discussion, saying the immediate aftermath of the 25 May compliance deadline has been relatively quiet, although a holiday weekend surely factored in.
“But we will soon be seeing a surge, probably from organizations needing a bit of clarity on the implications of the new act, but also individuals who are starting to enforce their new [privacy] rights,” said Macdonald, who noted that regulators will be more apt to look favorably upon organizations that are making a clear effort to comply, even if they have not yet achieved full compliance.
While there is widespread curiosity about how GDPR penalties might be enforced, Neal said organizations should not expect to get by with lax compliance efforts.
“Governments have a significant amount of coercive power they can bring to bear, and we don’t know what that’s going to look like. … I would recommend against saying ‘I dare you’ to a government,” Neal said.
While the EU has been the epicenter of the wave of GDPR publicity over the past couple years, organizations in other parts of the world that do business in the EU also need to comply. Stewart-Rattray, from Australia, said more awareness about the regulation still needs to be created outside Europe, and called on boards of directors to set a leadership tone at their organizations for more responsible data privacy policies.
Neal said organizations with strong governance programs will be best equipped to thrive in the GDPR era.
“Make no mistake – most of what’s going on with GDPR is a governance problem,” Neal said. “It’s managing your data to be in line with the company’s or organization’s best interests. The ability and the incentive to reduce your data footprint while increasing your data relevancy, and the importance and the utility of that data, I think is a very positive direction.”
Citing recent ISACA data on the challenges of cross-departmental collaboration, Raghu said all stakeholders within organizations need to have more dialogue about the risks and rewards of collecting data, and potentially make changes to their business processes based on those insights.
As the panel concluded, an audience member questioned Grafenstine on whether, given the potential pitfalls of GDPR, the emphasis on big data is becoming a double-edged sword. Grafenstine said she does not view valuing data and valuing privacy to be an either-or scenario.
“I still believe that data is going to be perceived as the air that we breathe because it is absolutely what is going to fuel innovation and move society to the next level,” Grafenstine said. “We just need to make sure that we’re mindful and deliberate in how we do that.”
Editor’s note: For more of ISACA’s resources on GDPR, visit www.isaca.org/GDPR.