That was the mission of the roundtable I co-moderated recently, when ISACA partnered with The Institute of Internal Auditors (IIA) to host a team of chief audit executives and their IT audit directors to focus on emerging IT risks and the latest technological innovations. Moderating with me in Austin, Texas, USA, was Jeff Spivey, president of Security Risk Management and international vice president of ISACA.
An early discussion at the roundtable focused on effective detection controls and their role in protecting confidential data and other sensitive information. “When it comes to IT security, you better get it right, and you better get it right soon,” said Jeff, citing examples of recent data-security breaches, some created by enterprise insiders.
Attendees discussed steps they’re taking in their enterprises to mitigate these breaches:
- Using detective controls
- Partnering with the C-suite
- Reaching out to law enforcement
- Hiring staff with the right skill sets
Roundtable participants also discussed threats to data integrity caused by system changes resulting from ineffective—or nonexistent—change-management controls. “Change-management controls, such as those restricting who can make system changes, who has approval rights, or even who can retrieve sensitive data and under what circumstances, should be considered standard practice in all organizations, but it is surprising how many executives do not realize where their security vulnerabilities are until a major crisis occurs,” said an IT audit director.
Another topic we focused on is the risk associated with cloud usage, an issue that has been central to ISACA and its members in recent months. (ISACA member thoughts on the cloud are summarized in the 2012 IT Risk/Reward Barometer.) We at the roundtable agreed that managing cloud-service contractors boils down to vendor-management best practices.
“It is interesting to get management’s perspective on what they consider to be a cloud service,” a roundtable participant said. “Many times a business owner will say that they do not use any type of cloud service, but the truth of the matter is that even uploading a corporate document on an FTP site is a cloud activity. It’s been my experience that many companies are leveraging the cloud more than they realize.”
The conversation then moved to finding qualified internal auditors with technical backgrounds and integrating them into a data-analysis strategy that is part of internal audit’s overall technology strategy. “Most organizations do not have a data analysis strategy,” said my co-moderator, Jeff. “Going through the exercise of developing a data-analysis strategy will help drive the skill sets needed to provide value-added IT audit efforts.”
We then touched on risk associated with social media and the Bring Your Own Device (BYOD) trend, agreeing that management of risk associated with those two emerging realities becomes the responsibility of all employees. Said Jeff, “How the organization incorporates the use of personal employee devices and what tools are used to monitor IT risk and risky social media activities can help the organization thwart…a network intrusion attack.”
This ISACA/IIA roundtable was an excellent opportunity to brainstorm with like minds on topics that are affecting all of us. I was happy to moderate the lively discussions, and I certainly learned a few things that I’ll be implementing during and beyond my tenure with ISACA.
What stands out most as I look back at the roundtable is this: while the intent of the meeting was to share knowledge among ourselves, a concept that kept popping up was just that—the importance of sharing knowledge. Attendees repeatedly discussed the value of maintaining a dialog with peers across departments within their enterprises.
“Given the rapid pace of IT development, and the different risks that are introduced with newer and faster technologies, it is essential to learn as much as we can from each other,” said one attendee. “The sharing of best practices, especially in the realm of technology, has helped our internal audit team to be better equipped to provide management with valuable recommendations that they in turn can implement, thus making the organization stronger from a security standpoint.”
I could not agree more.
Greg Grocholski, CISA
International President, ISACA and the IT Governance Institute