ISACA Now Blog
Top digital trends affecting organizations today—and what you should do about them

Ed Moyle | Posted: 7/1/2015 3:00:00 PM | Category: ISACA

When it comes to the use of technology decision making, the stakes for the business have never been higher. Investing in the right technology at the right time can very often mean direct competitive advantage to the business. Investing poorly, at the wrong time, or not at all (especially when competitors do so) can instead mean the business operates at a disadvantage relative to peers and competitors.

At the same time, the time window that organizations have to consider the options available to them is decreasing. It seems like digital trends and new technologies arise quickly and appear from seemingly out of nowhere, leaving organizations relatively little time to evaluate trends, understand the risk and rewards, and make an informed decision about investment. And, as we know, making an informed decision about value and risk tradeoffs for any technology or digital trend can be complicated. We need to consider business value added, new risks introduced (and old risks potentially mitigated), cost of the investment, possible disruption to business teams and numerous other factors.


Cybersecurity akin to being in a war zone—you have to be “left of boom” to survive

Bruce A. Brody | Posted: 6/25/2015 3:39:00 PM | Category: Security

Being a chief information security officer (CISO) is not unlike being in a war zone. Professionally and politically, your survival is dependent upon being “left of boom”—to coin a term from the US Pentagon when dealing with Improvised Explosive Devices (IEDs). In other words, constructing your defensive measures to be in place to prevent “boom” from occurring is the most prudent course of action. About 10 to 12 years ago, as a CISO in the US federal government, the job was to protect and defend because at that time we were most concerned with the basic security hygiene of the enterprise and viruses in the wild, so we tried to do basic preventive maintenance. We were not yet facing sophisticated, targeted attacks. We were trying to keep our configurations up to date, and then we thought we would be okay. CISOs’ perspectives have evolved because of the advanced persistent threat (APT) becoming a larger problem in the past few years. We have gone from protect and defend, to early detection and rapid incident response with immediate recovery so that businesses can continue to operate in a compromised environment. Essentially, we have gone from risk management to risk tolerance.


Engaging with clients on EMV migration

Branden Williams | Posted: 6/23/2015 3:10:00 PM | Category: Security

Cyber security is universally important to businesses, whether they are large, global enterprises or small business retailers. Its importance is underscored by the looming October 2015 Europay, MasterCard, Visa (EMV) liability shift that can transfer transaction fraud responsibility in the US from financial institutions to businesses. With the shift now less than five months away, it is essential for individuals who advise businesses—including security, governance, and audit professionals—to broadly help companies understand the rewards of EMV adoption and risks of non-adoption so business owners can be adequately prepared to meet the new status quo for transaction security.


Making IT management and assessment more reliable via automation

Ketan Kulkarni, CISA | Posted: 6/18/2015 3:04:00 PM | Category: Audit-Assurance

I am a technology enthusiast and, hence, I am more inclined toward newer and developmental methods when it comes to auditing approaches. I have worked on both sides of internal audit assignments—the auditor side and the process consultant side. In my experience under both these functions, and despite various auditing standards and the expected objectivity of the auditor, there are instances of unfair assessment.

The reason for such misrepresentation can range across multiple factors, right from lack of expertise to lack of objectivity in audit execution. Risk of incompetency cannot be completely eliminated; however, in order to eliminate the risk of bad judgement and thus unfair assessment, we can employ utilities provided by the system itself to generate customized reports with more insight into the system. While use of auditing tools is discretionary for auditors, and these tools come with more functionality than just report generation, IT systems could be designed to generate anomaly reports to reduce risk of inadequate sampling. Similarly, reports can be generated from systems to reflect the impact of failed IT controls. When this much analysis is available with the system itself, risk of misjudgment gets eliminated from the execution, thus reducing the auditor's burden to a greater extent.


US Executive Order on information sharing: A government security leader’s perspective

Christopher P. Buse, CISA, CISSP, CPA | Posted: 6/16/2015 3:03:00 PM | Category: Government-Regulatory

Recently, US President Barack Obama signed a new Executive Order to promote cyber security information sharing. As a government security leader and member of ISACA’s Government Relations and Advocacy Committee, I believe that this directive was significant because it demonstrates that government leaders can take bold steps to improve our security posture without an act of Congress. Some may argue that without legislative edicts, the new voluntary information sharing framework lacks the teeth to be successful. But I wholeheartedly disagree. As a longtime voluntary member of the Multistate Information Sharing and Analysis Center (MS-ISAC), I know from firsthand experience the value proposition of being part of an information sharing community, even one that is voluntary. If they build it, people will come, because in today’s threat-laden world, prompt access to actionable intelligence is vital.
