Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
Shining a Light on Shadow IT 

Microsoft: More than 80 percent of employees admit to using unapproved SaaS apps for corporate purposes.

Cisco:  15 to 25 times the number of known cloud services are purchased by employees without IT involvement.

These are just two examples of the quiet, but pervasive, existence of shadow IT in enterprises today. Although the name “shadow IT” sounds like something that might appear in an espionage novel, it is very real and very alarming, as we discovered in gathering material to write ISACA’s new white paper, Shadow IT Primer. We interviewed business and technology professionals whose responsibilities include IT operations, audit and security, and who deal with shadow IT on a regular basis. Their insights and real-world examples give the ISACA publication a perspective that is not reflected in other articles on the topic.

Shadow IT can be defined as applications and services that are used within an enterprise without having been reviewed, tested, approved, implemented or secured by the enterprise’s IT and/or information security function. Or, as one of the professionals interviewed put it: If you want to know what specific and timely functionality employees need but your enterprise is not currently providing, take a look at the shadow IT discovered in your business.

Employees are at the heart of shadow IT – well-meaning, innovative employees. They want to do a good job but are hindered by a lack (or lack of awareness) of the tools they need to do so. They are drawn to shadow IT’s usefulness, which they can generally acquire and start using in minutes by skipping the IT department’s vetting process.

This seems fairly innocuous, so why do enterprises care about shadow IT? Because those applications can enable significant data breaches, which may result in substantial financial loss. In addition to the obvious security risk, the threats associated with shadow IT include regulatory noncompliance, inadequate or unenforced policies, and reputational damage.

Many organizations have found that a range of approaches to address the risk is more effective than a single solution. A few of the controls used by the professionals interviewed for ISACA‘s publication include:

  • A shadow IT policy that outlines expected behaviors
  • Transitioning the IT department from detection and punishment to acceptance and protection
  • Using IT budgeting and procurement controls to shut down unapproved purchases
  • Restricting users’ ability to freely install applications
  • Educating users about the potential risk of shadow IT and the existence of an approval process

In ISACA’s white paper, these controls, and others, are fleshed out with implementation criteria and assessment methods.

Control does not necessarily equate to elimination of risk. In fact, many organizations are taking an “embrace” rather than “eliminate” approach to shadow IT. Of course, sometimes it is necessary to pull the plug. No matter how beneficial an application may appear, if it shows potential to harm the enterprise, it must be shut down immediately. The risk is too great to do otherwise.

But, even in an “eliminate” situation, there is room to “embrace” as well. A progressive approach entails realizing that, although a particular application needs to be dismantled, there is benefit in considering the problem the application is attempting to solve and empowering the IT function to find or build a safe and secure replacement – right away.

It is reasonable to assume that every enterprise contains shadow IT, given the ease and relative affordability of acquiring it, coupled with employees’ desire to fill needs or leverage opportunities with minimal delay. Savvy enterprises recognize this and mine the potential benefits, while managing the associated risk.

Turn Off The USB Port

Matt KippLoss of massive amounts of critical data in one sweep. The network can be hacked through a mouse. Easy introduction of malware into the environment. Mechanism for a bad actor to remotely control your environment.

Are these items that could have an adverse effect on your organization?

Cyber security has become an important focus for companies in today’s environment. Large sums of money are spent each day to ensure that a company’s most vulnerable assets are secure. Companies are buying pieces of software/hardware, hiring new employees or procuring the assistance of consultants to accomplish this. The main theme of securing company environments is to protect valuable information from getting into the wrong hands.

Throughout my career, I have performed multiple audits, risk assessments and reviews of IT landscapes. An easy first step to keeping your company safe, and one that I often suggest to my clients, is to turn off the ability to connect mass storage devices via USB drives. This will prevent employees and other violators from removing large amounts of data from the company. In addition to sensitive information intentionally being transferred outside of the company, USB drives are small and are often misplaced or lost, and can easily end up in the wrong hands.

Conversations around this topic usually resemble the following:

Turning it off
There are many items I bring to attention during customer engagements that require large-scale process changes, budget increases, time commitments or the addition of FTEs to accomplish. Turning off the ability to connect a mass storage device via a USB drive is not one of them. Most companies have some sort of shared drive to store files. Instead of saving files to a USB stick or USB mass storage drive, how about using the solution already in place and encouraging employees to share the file path internally? By using the shared drive, data can be secured via roles and log files can track activity.

Turning off the ability to connect a mass storage device does not hinder the ability to use the USB drive as a charging port, or being able to use a wireless mouse. Configurations can be set to allow those activities, but still disallow data to be written to a mass storage device.

When USB is a must
I have heard the rebuttal of “We have applications that require a USB drive.” This is sometimes a true statement, but not common. A solution to this is to implement a process to address exceptions. This process should be similar to obtaining access to an application, requiring approvals from the manager and application owner. Once access is approved, the user would receive an encrypted USB stick that is passphrase-protected, providing the ability to continuously monitor the usage. Instead of 100% of employees having the ability to use mass storage devices on the company’s network, the threat landscape is reduced significantly.

When you allow the use of a USB mass storage device, you are allowing the potential for a virus to be introduced into your environment. Employees often use these devices on their home computers, which do not have the same protection as the company’s computers. To reduce these risks, configure your anti-virus software to require a scan of devices plugged into the USB port before it is usable. However, we recommend not allowing mass storage devices at all.

Managing the change with employees
When implementing this change, employees may be upset. Having been part of an organization that has successfully implemented this change, I can say from experience that the shock will subside quickly. Most people don’t like change, but if the reasons are explained and they know they can still charge their phones and use their favorite USB mouse, they may move on quickly.

I have also heard people say, “When we tell people this is coming, employees will connect a USB drive and take the data with them preemptively.” To that statement, consider the following:

  • Create a policy stating why employees should not perform this function and the ramifications if they are caught.
  • Companies need to start implementing this policy and why not now? At least this will stop people from negative actions in the future.

Push-back on this issue also can come from executives. If management is not able to get this quick win for all employees, try different areas of the company where highly sensitive information is stored, such as:

  • HR data
  • Merger and acquisition data
  • Intellectual property
  • Customer data

The list goes on, and what is important to one company will differ from the next.

It is also argued that one could email sensitive files to a personal email account. However, that is limited to a smaller amount of data at a time versus the scale a mass storage device allows. Programs to monitor for this type of activity should be in place as well.

Mass storage devices have become inexpensive and store more data than ever before. As I write this post, a quick search on Amazon shows an external hard drive with 5 TB of space for $119! That could store quite a bit of data, causing great damage.

So, what are you waiting for? Turn off the ability to connect mass storage devices via USB drives because everybody wins.

Physical and Logical Security: Joining Forces to Manage your Enterprise Security Risk

Rachelle LoyearJust a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches. Five years ago, we might have found ourselves having conversations about the blurring lines between the two types of security discipline, and could have easily pointed to aspects of both physical and logical security that crossed over each other.

Today? In organizations that have embraced even the least cutting-edge aspects of operational and information technological advances (consumer IoT, industrial IoT, cloud hosted services, etc.), we can no longer rationally discuss a strictly “physical” or “logical” approach to managing security risks to the enterprise.

Quite simply, in a world where:

  • Every camera and door lock in a facility has an individual IP address
  • All security investigations must happen in the real and virtual worlds at the same time
  • Even the most visibly "physical" of protective measures – security officers – are networked via trackers and devices to provide instant information and communication
    … there are few, if any, areas left that do not require attention to a holistic and comprehensive view of all security disciplines at once.

What does this mean for the personnel and management teams that are tasked with providing security in this borderless environment? How do we, as practitioners who may have long histories in a single discipline, protect the organization in a security environment where the risks and mitigation tactics have converged, regardless of whether our organizational structures have evolved to match them?

The answer: Enterprise Security Risk Management (ESRM).

ESRM is a risk management model that allows all functional areas tasked with mitigating security risk to operate under a converged philosophy and approach to more efficiently and effectively mitigate security risk across the enterprise, regardless of the physical or logical nature of the asset, or the vector of the potential threat.

Recognizing the Role
ESRM allows security personnel to work together to effectively protect the enterprise from a broad spectrum of security risks by first recognizing that it is the role of the security organization, at root, to manage security risk in conjunction with the business, and to protect assets from harm in line with business tolerance.

The tasks we perform to mitigate risks might be different, but the process of identifying the assets to be protected, recognizing and prioritizing the risks to those assets, and then mitigating the assets to within acceptable levels of business tolerance, are the same. Take a look at the table below, excerpted from the forthcoming book, Enterprise Security Risk Management: Concepts and Applications (Allen & Loyear, 2017). It shows a quick side-by-side of the kinds of tasks that security groups do, and how they are essentially mitigation responses to the same security risks

Physical and Logical Security Risk Responses

Because of This

Physical Security Does This

Logical Security Does This

Intrusion Prevention

Gates and Fences


Access Control

Door Locks


Incident response



Threat Detection

Alarm Monitoring

Network Monitoring

Crisis Management

Business Continuity Teams

Cyber Response Teams


Security Gap Remediation

Patch Management

Incident Response

Incident Reporting

Incident Reporting

Security Culture

Security Awareness

Security Awareness

Security Risk Management 

Business Impact Analysis and Risk Assessments 

Business Impact Analysis and Risk Assessments

The overarching risks cannot be effectively mitigated by only a single tactical function. Working together, under a common risk management framework, all security personnel can more effectively protect the enterprise environment against security risk.

The Benefits of ESRM and Cross-Functional Risk Management Collaboration
Managing all security risks in partnership and under a common ESRM approach can bring the enterprise significant gains in efficiency and effectiveness, even with multiple groups participating in the security partnership. A few to note include:

  • Unified security awareness messaging
    • A partnership approach under an ESRM philosophy allows for the creation of a single, unified, security message that include all facets of security awareness.
  • Single security point-of-contact
    • When all security teams operate under the risk-management approach with the same defined processes, any security incident can be reported to a single point in the company and escalated and directed as needed to the appropriate response team.
  • Operational efficiency
    • Employees with different skill sets can more easily collaborate on incident response processes.
    • Information sharing enables cross-department cooperation during security investigations that require both physical and logical forensics.
    • Streamlined processes save hours and money, allowing diverse security risks to be managed by a single process.
    • Consolidated metrics reporting to business management save time and effort.
  • Optimized risk profile
    • All security risks are identified and managed in an overarching program, making the risk identification and mitigation process more robust and decreasing the potential of overlooked risk.

How Do We Get There?
So, how do we get to the point of converging under a common philosophy, regardless of reporting lines and department structures?

All leaders in the organization with any security responsibilities can align with a risk-management approach by asking themselves:

  • Does my team have clear risk management goals aligned with business risk tolerance?
  • Does my team work with other department stakeholders in the risk decision-making process?
  • Do the members of my team work together with other security teams in situations that cross boundaries of scope?
  • Am I communicating to all areas of the business that my role, and the role of all other security teams, is to manage security risks holistically?

When all the security functions in the enterprise choose to embrace a risk management – ESRM – approach, the outcome is that:

  • All security teams follow a formal and consistent process for security risk decision-making.
  • All security teams follow the same incident response approach, including postmortem investigations and root cause analysis to continually improve the security risk situation of the enterprise.
  • All security teams work in partnership with one another, ensuring open communications and collaboration across department lines.
  • All security teams have the transparency, independence, authority and scope needed to do their work in the right way.
  • All security risks, no matter which team mitigates the risks, are considered part of the holistic security risk management program.
  • All security teams, no matter who they report to, understand that security risk management is everyone’s role.
Will Blockchain Disrupt the Lives of Governance and Assurance Professionals?

Fernando NikitinThe blockchain’s distributed ledger paradigm is serving as the supporting foundation to some forms of digital transformation, including the utilization of cryptographic virtual currencies (VCs) such as Bitcoin. These virtual currencies are actively utilized around the globe, both within and outside the circuits of formal economies of countries, with important financial implications including increased economic disintermediation, financial inclusion and extended digital pseudo-ecosystems that combine people, business entities, and a new generation of smart connected components. 

Not only is the whole fintech industry becoming substantially disrupted by the paradigm due to the ability to move money in a decentralized and secure peer-to-peer model, but virtually all other industries are prone to substitute often bureaucratic procedures for more automated and smarter business practices.

During recent years, global organizations including the United Nations system, Multilateral Development Banks (MDB), International Financial Institutions (IFI), and the World Economic Forum, were actively engaged in their respective roles trying to commensurate the impact of this paradigm in the societies and economies of the world.

The World Economic Forum, through its intellectual debate about the Fourth Industrial/Digital Revolution, as well as one of its Global Future Councils focused on the “Future of Blockchain,” has been vocal and active on the topic, stating that “blockchain is more than just moving money. It has the potential to transform our lives, and to make the world a more efficient, frictionless place. The number of people around the world living in either broken systems or entirely corrupt systems is staggering. If done right, blockchain could positively reform entire systems.”

In January 2016, the International Monetary Fund released a first-of-its kind professional paper called “Virtual Currencies and Beyond: Initial Considerations.” This so-called staff discussion note gave a serious consideration to how new technologies are driving transformational changes in the global economy, including the emerging utilization of virtual currencies created as private sector systems that, in many cases, facilitate peer-to-peer exchange, bypassing traditional central clearinghouses. The paper also notes that “VCs offer many potential benefits, including greater speed and efficiency in making payments and transfers—particularly across borders––and ultimately promoting financial inclusion. At the same time, VCs pose considerable risks as potential vehicles for money laundering, terrorist financing, tax evasion and fraud.”

In a separate article, the IMF explores the topic of how “The Internet of Trust” is transforming the financial sector. Per its proponents, Bitcoin’s blockchain technology can be used to transform the financial sector fundamentally, for example by reducing the settlement time for securities transactions. With faster settlement, less money needs to be set aside to cover credit and settlement risks—just as collateral is not needed for a cash transaction.

The Inter-American Development Bank (IADB), the main regional development institution for Latin American and Caribbean countries, in March 2017 released the discussion paper “Digital Finance: New Times, New Challenges, New Opportunities,” explaining the financial implications of distributed ledger technologies applied in the region and around the World. The paper explains that “there is growing consensus in the financial services industry that distributed ledger technology (DLT), also known as blockchain, might just be the answer to the need of more efficient management of collateral [risks], resulting in more firms accessing credit, as well as … freeing up intermediaries’ capital for lending, and potential effects on SMEs’ direct and indirect access to multiple ways of credit.”

Now, coming back to the question of what implications and motivations this new paradigm may have in our professional life, I believe that a new generation of the IT governance, oversight and assurance professionals are called to play an elevated role in future ecosystems, economies and societies.

Similar to other emerging topics such as the advanced application of artificial intelligence (AI), big data, cloud computing, and Internet of Things (IoT), this must occur only by providing an unprecedented new level of verification and trust required by the stakeholders to sustain a paradigm that intends to be intrinsically resilient and secure by keeping distributed copies of the thematic ledger supported worldwide, using cryptographic proofs of data integrity and providing tamper-proof ledger entries.

Extraordinary challenges and opportunities are ahead for the millennials’ generation of assurance professionals, when called to provide both holistic and transactional assurance on increasingly complex digital ecosystems that involve people, processes, systems, as well as connected physical entities.

But the level of disruption to the assurance profession may not stop there. As another report, "Here's Why Robots could be the Future of Finance" from the World Economic Forum pointed, the traditional tasks of human audit work are also highly subject to substitution by artificial intelligence interventions. Meanwhile, some audit tasks may be better assisted by this advanced application of technology. We, the auditors, will face the challenge of providing assurance to our stakeholders that these algorithms are effectively well designed, implemented, deployed and operating as expected.

In our profession, traditional auditing will remain necessary in many parts of the globe and in many traditional businesses environment for a while. However, and not less importantly, a new generation of millennial auditors will need to raise the bar by providing increasingly complex assurance services in more agile business environments and in support of upcoming digital transformations. A different professional audit mindset and additional expertise will be required to satisfy the expectations of stakeholders and business owners in this new world.

Getting Smarter About Making Cities Smart

Matt LoebHaving had the privilege to have visited a number of cities throughout the world, I have learned that Chengdu is not Mexico City, Brussels is not Houston, Abuja is not Melbourne, and Johannesburg is not Dubai. That’s because the heart of every city beats differently. Each has its own character, its own vibe, and its own goals for assuring the best standard of living possible for its citizens and for the visiting public.

Likewise, every city is evolving at its own particular pace, though all are aligned to a common principle of modernizing their infrastructure services – public transportation, utilities, health care – by leveraging technology and law enforcement in “smart” ways to improve quality of life while assuring operational efficiency, stability and security. As noted by Eduardo Paes, the former mayor of Rio de Janeiro, “Smart cities are those who manage their resources efficiently. Traffic, public services and disaster response should be operated intelligently in order to minimize costs, reduce carbon emissions and increase performance.”

The term “smart cities” has been used recently as a label for those seemingly few cities of the world that are consciously embedding technology into all aspects of city planning. However, with current forecasts estimating close to 50 “megacities” housing over 10 million people and about two-thirds of the world’s population living in urban environments by 2050, the mindset must shift to think of the ‘smartness’ of any urban center as a non-negotiable element.

Many urban centers are claiming to be ahead of the “smart” curve though, in actuality, they are finding themselves handcuffed by custom systems that are not interconnected, interoperable, portable, extensible nor efficient in their operations, maintenance, and overall cost-effectiveness. Overcoming this challenge is burdensome, especially when paired with pressure to make progress that can unintentionally lead to chaos as concurrent initiatives are deployed, leading to uncoordinated solutions that can be misaligned to the intended outcomes. No wonder city planners are not sleeping at night.

The diagnosis is seemingly familiar, and not unlike the challenges many enterprises are facing with what are currently referred to as digital transformation projects. What's different for the urban center, however, is the scale of the complexity. The complexity is not just a question of technology deployment, but also taking into consideration economic, political and social issues that shape a city’s being. It’s an extreme case of a “system of systems of systems and more systems” problem, for which the only “smart” solution is a universal consensus-based governance framework.

Technology companies like Cisco and AT&T have developed their own frameworks, driven by their product strategies, especially for IoT. Standards-developing organizations such as ISO, IEC, ITU, IEEE and a number of others are facilitating the development of new standards related to specific pieces of the overall urban development challenges. Recognizing the fragmented (yet well-intended) and disparate approaches, NIST has launched a working group intended to converge these groups and their respective knowledge assets under the guise of a Smart City Framework.

The key to the success of any framework is its acceptance by universal consensus. This means the framework is created, maintained and endorsed by the professional community for the benefit of the community itself. The framework provides guidance on how to carry out the work aligned to desired outcomes in conjunction with tools that enable stakeholders to self-assess, benchmark, and measure capability maturity and progress toward the goals. This is indicative of the 20-plus year success experienced by ISACA's globally recognized COBIT framework for the governance and management of enterprise technology, which itself has the potential to be foundational for smart urban initiatives.

For now, city planners find themselves challenged across a wide spectrum of issues, ranging from technology to compliance. As members of the technology community, we need to help them by leveraging our knowledge of technology governance frameworks and their development and deployment, our holistic systems thinking and problem-solving capabilities, and our innate ability to assess and mitigate risk to inspire the confidence necessary to enable innovations that can evolve the urban environment by leveraging the best technology has to offer.

Our work has never been more important. And because we recognize the pervasive nature of technology and understand how to leverage its positive potential, I am confident that we can contribute enough to the evolution of so-called “smart cities” that the term “smart” will eventually be dropped from the lexicon. That in itself would be a great accomplishment.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Talking Team-Building, Business Continuity and Risk Management with Vicki Gavin

Vicki GavinEditor’s note: Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape. The following is an edited transcript.

ISACA Now: At InfoSec Europe last month, you were part of a panel that discussed building an agile team for the future. What were the major takeaways for you?
For me, the most significant takeaway was the need to do things differently. Current hiring processes are designed to exclude candidates. We need to get smarter about including candidates from a variety of backgrounds by systematically removing bias from role profiles, job descriptions and advertisements, screening and interviewing.

ISACA Now: How critical is it for organizations to have tech-savvy boards in terms of fostering strong governance?
I do not think the board needs to be tech-savvy. Tech awareness is sufficient. Security professionals need to become more business aware to communicate effectively with the board.

ISACA Now: What are some shortcuts that organizations tend to take in their governance that often come back to haunt them?
I think one of the biggest IT governance mistakes made by technology professionals is the assumption that risk is to be eliminated. Risk is to be managed; the key is to determine what level of risk your organization is willing to accept.

ISACA Now: What are the biggest keys to successful business continuity planning?
The value in planning is the process, not the plan. As Mike Tyson said, “Everybody has a plan until they get punched in the face.” The same is true for BCPs. The process, on the other hand, done properly, ensures a common risk appetite and approach to recovery when the time comes.

ISACA Now: Which emerging technologies present the greatest challenges from a compliance standpoint?
All of them. All change is disruptive. The challenge is to balance the risks and benefits of compliance.

ISACA Now: As we move closer to GDPR taking effect next year, are you sensing a greater sense of calm or of anxiety from your peers?
From my peers, anxiety. From my business, calm. We started on our GDPR journey about a year ago and will be ready by November 2017, giving us plenty of time to bed in new processes.

Use Multiple Guidance Systems for Effective Governance

Mark ThomasIn today’s competitive environment, enterprises are under enormous pressure to focus valuable resources on initiatives that provide value. The inherent issue with most approaches is that the methods used to determine organizational priorities are often flawed by focusing on compliance as a primary navigation aid. A “compliance only” focused program can have a huge effect on performance. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation.

A solution to this narrow approach is to prioritize efforts using multiple perspectives to offer a balanced approach to determining priorities, allocating resources and, ultimately, providing value. As in travel, you need to have a good fix on your coordinates – location, altitude, heading and speed – before determining future moves. Where most companies go wrong is in choosing only one of these perspectives. Just like using a GPS to help you navigate, you should use more than one guidance system to help you focus efforts.

Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial – hence, the GPS analogy. GPS satellites help locate a position on the ground based on their time and position. The GPS receiver communicates with multiple satellites, and therefore determines a precise location on the ground. Decisions around funding, assurance, improvements and compliance are all areas in an enterprise that require resources, and should not be determined with only one signal.  The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.

Using these multiple guidance systems will drastically improve your chances of success. These four GPS signals can include: 1) Goals cascading, 2) risk scenarios, 3) pain points, and 4) regulatory and compliance (see figure 1).

Figure 1—Using Multiple Perspectives to Prioritize Efforts
Figure 1

Guidance System 1: Cascading goals
I believe that one of the best-kept secrets in our industry today is the goals cascade. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals and enabler goals. The enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can map that goal through the cascade and determine which processes are critical to its success. The model is already done for you in COBIT, where there is a set of tables that map each of these levels.

Guidance System 2: Risk scenarios
An IT risk scenario describes IT-related events that could lead to a business impact. COBIT 5 for Risk contains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities and their effects on overall business objectives. This process results in the risk register and provides valuable information for informed decision-making. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points or guide mitigation responses.

Guidance System 3: Pain points
Pain points are those areas that need little effort to identify. Use pain points as perspectives from which efforts toward the governance of enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and create a sense of urgency and support. The COBIT 5 Implementation Guide identifies some common pain points associated with enterprise IT and maps these pain points to specific processes in COBIT.

Guidance System 4: Legal/regulatory/compliance requirements
No organization can be 100 percent compliant with everything. Synchronize this with your risk management process to determine the right response to each requirement. Some requirements are legally required and must be adhered to, but what level of adherence is the most appropriate?

Aligning your satellites
Each of these guidance systems should result in a very clear list of high-interest areas. Devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified.  These results can assist in scoping assurance activities, allocating and prioritizing resources, and ensuring business/IT alignment.

The enterprise exists to create value for its stakeholders. Realizing benefits while optimizing risks and resources requires more than one perspective, or ‘guidance system,’ to fully understand what is required. This post has identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.

Editor’s note: Mark Thomas will deliver a keynote session on using multiple guidance systems for the governance of enterprise IT at the GRC Conference 16-18 August in Dallas, Texas, USA.

Business Model Transformation from Blockchain 

Kris SeeburnOur traditional business model as we known is at a crossroads considering the emergence of the Internet of Things (IoT), artificial intelligence and blockchain. We live in an era of disruption, and we need to redefine our business models.

We need to accept that almost every sector — from banking and utilities to entertainment and agriculture — can expect to experience major business model disruption as blockchain technologies take hold.

Because blockchain technology originated as the core mechanism of the bitcoin digital currency, there is a widespread belief that its potential is greatest in – or even limited to — the financial sector, but a different reality is unfolding.

Blockchain extends to the core of commercial activity, of wealth creation, and goes to the heart of innovation and what makes an economy work. It raises the prospect of changing the fundamental structure of the corporation, of how we orchestrate capability in society, innovate to create goods and services, and engage with the rest of the world. There are far-reaching business models already emerging that are creating ripples on our traditional models, far from the known Internet we use today.

Musicians will be able to reclaim much of the value they cede to record companies by offering their music directly to fans, movie-makers and broadcasters; individual investors will be able to deal directly with companies they hold shares in rather than go through stock markets; and the exclusive use of cars will start to dwindle as such assets are shared over peer-to-peer networks, just to name a few potential applications.

Further, in five to 10 years, the financial services industry will be unrecognizable.

Banks have a simple business model: they move value, they store value, they lend value, they exchange value, they account for value, they attest to value. Every one of those could be disrupted profoundly by this technology.

Blockchain has made the whole financial services industry sit up and pay attention. But it’s not just the threat – there’s a bigger opportunity if you look closely enough.

Japan’s Mizuho Bank together with technology company Fujitsu have conducted an operational trial focused on cross-border securities transaction settlements, which would ensure it is practically impossible for anyone to tamper with transaction histories, as well as shortening the processing time for cross-border securities transactions from the current three days to same-day settlement.

Such distributed disruption moves will have a liberating effect on consumers and small businesses. A customer tapping his or her card in a small retail store would find a blockchain-based settlement would be instant rather than taking several days to occur, as the process simply invokes a change in the blockchain distributed ledger.

One-third of the revenue of accounting companies is derived from audits. But with blockchains, you not only have double-entry accounting — credit and debit — but automatically make a third entry in the blockchain, a time-stamped record of every transaction that has occurred. So rather than an expensive annual audit, it could be instant and real-time. That would in turn free up the resources of forward-thinking accounting companies to invest in more high-end, value-added activities.

As we take stock of the global landscape, we can see every industry, in every major economy, is starting to see big disruptions occur.

The concept of hyper ledger, as we sometimes call blockchain, can provide answers to issues of transparency and so much more. Nevertheless, as with all technology, we need to be wary of how we design the solutions. We will have unequivocal risks, as with the introduction of virtually any technology, but the implementation of blockchain can revolutionize business activities for enterprises across many industries. Designing a blockchain solution with the right controls in place can easily transform many of the models we have come to accept.

Editor’s note: For more ISACA resources regarding blockchain – including a new research report, tech brief and e-learning course – visit www.isaca.org/blockchain.

Shedding the Human Bias in Risk Identification and Analysis

During the risk analysis process, information is availed through internal reports, external reports, surveys and face-to-face meetings during risk workshops. The amount of information to be analyzed depends on the risk maturity of an organization, as some risk managers continuously collect information that they deem relevant to improving the risk process. The question is, to what level is the information used objectively? How much reliance is placed on what we remember or what we deem as being important?

Behavioral physiologists believe the amount of information we remember has an impact on how we analyze and rate risks. Prior to analyzing risks, we identify events or threats that can exploit vulnerabilities identified in organizations’ processes and systems. It is during the “What can go wrong?” stage that we need to be careful. In his book “Thinking, Fast and Slow,” Daniel Kahneman notes three factors that can manipulate our minds:

A salient event. Get a team of executives and ask them what is an important asset to their organization. I bet you will get different responses. The level of importance on organizational assets differs, and this bears the most influence on the agenda each executive is pushing. As part of environmental reviews, I have come across some organizations (especially small enterprises) that do not carry out fire drills or train employees on any natural disasters. When reviewing risk registers of such organizations, it is normally not surprising to note that there are no risks pertaining to employees in those organizations.

How were employees’ lives not regarded as critical? At the time of the assessment, memory on what is important shifted to assets management. Risk managers should be mindful that what is deemed important influences which assets are identified as vulnerable, subsequently shaping the risk profile of the organization.

A dramatic event. The majority of risk managers come to the table with a list of serious events for a period, audit reports and market intelligence information. Some events tend to come to mind more quickly than others, especially political events over which the organization does not have control. Deciding which event might translate to one asset being more vulnerable than another can be influenced heavily by recent media or internal incident reports if these reports are not scrutinized carefully.

Personal experiences. We can never divorce our personal experiences from the analysis process. It is indeed every risk manager’s dream that some of the employees can divorce themselves from such during risk workshops, but risk managers also are guilty of bringing along databases of risks they have been compiling for years from different organizations, particularly so for consulting risk managers, who tend to influence their organizations to focus on the risks they identified in similar organizations. However, strategies, policies, processes, organizational structure and culture all change the risk landscape of every organization.

Kahneman further contends that effort is required to reconsider impressions and intuitions by asking questions. Simply because a risk has been identified in an audit report does not mean the risk manager needs to include it in his risk register. Simply because a charismatic executive says everything in his department is on fire does not mean every asset in that department is critical. Risk managers need to develop questions that they can ask to eliminate natural bias. Every report’s merits should be verified.

Without nullifying the importance of the systematic approach risk managers take to identify and analyze risks, it is equally important that risk managers take the cognitive human element into account to develop objective lists of risks and ratings.

Incident Response – Being Prepared for the Worst-Case Scenario

It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.

Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.

Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.

The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:

Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.

Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.

Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduces the potential for fines and/or penalties from governing bodies.

Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs should be considered.

Determining the components of a successful incident response plan will vary from business to business, but at its core should deliver the following:

  • An executive commitment and endorsement of the incident response initiative
  • An Incident Response Team (IRT) comprised of members with varying areas of expertise ranging from IT to legal and communications
  • A defined communication plan
  • A plan to support, maintain and test the incident response plan on a regular basis
  • An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
  • A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
  • A well-defined plan on how to monitor and analyze potential threats to the environment
  • An operation plan that defines how incidents are declared and initial steps for information gathering
  • A post-incident process for lessons learned and process improvement

A successful incident response program should align with standards set forth by the National Institute of Standard and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).

1 - 10 Next