Knowledge Center > ISACA Now

 ‭(Hidden)‬ Admin Links


Opportunities Over the Horizon

Bob TreadwayOver the years, I have watched the stock for internal audit and information security skyrocket. New threats, new risks and unforeseen caginess on the part of bad people—organizations are vulnerable in ways unimaginable only a decade ago. This has raised the value and visibility of the watchdogs of such risks, those belonging to groups such as The Institute of Internal Auditors and ISACA.

But there also are challenges for auditors in maintaining and enhancing their value. I believe the future calls for internal audit and information security professionals to not only be vigilant of what is on the horizon, but to become more of an anticipator for what lies far beyond.

The predictive analytics tools used for insight and warning are evolving into a threat to the auditor’s job. Researchers in academia are forecasting the takeover of formerly exclusively human functions by artificial intelligence, and auditors are squarely in that zone. A recent analysis of the work of Oxford professors Carl Frey and Michael Osborne on the automation of jobs identified the audit profession as one of those most deeply affected in the next decade.

Certainly, technological revolutions have forced shifts in jobs for many centuries, but Frey and Osborne make a compelling case for the impact on non-routine, cognitive tasks like those performed by auditors. The response should be to move to a new level of ability and effectiveness.

Category: Audit-Assurance     Published: 7/29/2014 3:34:00 PM

Using the Weapon of Psychology

Wendy GoucherLet me present before you the information security warriors. They have a decent range of weaponry to use against attack. Those that they use often include firewalls, access controls, system design and audit. And those they use less often include security awareness training, social media security workshops and incident reporting training. But in the bottom of the armoury box, right at the bottom with all the dust and rubbish on it, is another weapon. It looks soft and a bit ineffective, certainly not as cool and shiny as anti-virus. Indeed, you can’t even reliably test its protection level and create graphs, tables and statistics. What would cyberwarriors put on their PowerPoint without that sort of output?

The weapon I am referring to is psychological in nature: understanding the user, or the psychology of security. If this is not your kind of weapon, I have bad news for you. The growth of mobile computing means we cannot leave information security defence to technical tools any more. The proliferation of bring your own device (BYOD) means we do not have access to all devices, and the growth of mobile working takes away physical oversight of users. Traditional information security weapons are losing their power. The psychology of information security needs to come to the front line.

Category: Security     Published: 7/24/2014 3:39:00 PM

SciCast Calls for ISACA members to make predictions

Jamie PasfieldFor those of you who didn't see the news in ISACA's social media channels, you may be interested to learn that ISACA is working closely with SciCast on exciting predictions for our field. Experts from around the world are predicting the next big thing on SciCast, a science- and technology-focused crowdsourced forecasting site. More than 9,000 SciCast participants are predicting events and discussing, as well as competing with, their peers.

SciCastSciCast, launched in 2014, is a federally funded research project being run by George Mason University. Its focus is to bring science and forecasting together (hence the name); in other words, to establish an objective, data-driven, open and "scientific" way to predict future events

If you're wondering what forecasting has to do with ISACA's core mission, stop and think for a moment about the practical ramifications of challenges we have all had knowing with being late to the table on new technology deployments. For many of us, this is a particularly acute pain point: consider how challenging it was (and still is) trying to secure cloud use when business teams have already engaged multiple, potentially overlapping providers. Or consider the challenges involved in trying to establish governance around BYOD only after device use proliferates.

Category: ISACA     Published: 7/21/2014 3:34:00 PM

International President: Cybersecurity Nexus updates and resources

Robert E StroudEarlier this year, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Security (the Cybersecurity Framework, or CSF). ISACA participated in the development workshops, and COBIT 5 was included in the CSF as a core reference.

Robert E StroudNow, as part of ISACA’s Cybersecurity Nexus (CSX), ISACA is offering a free webinar titled “How to Implement the US Cybersecurity Framework using COBIT 5.” This event takes place 29 July at 12 p.m. EST (16:00 UTC) and is the second webinar in a six-part cybersecurity series.

The US Cybersecurity Framework (CSF) helps organizations develop a prioritized action plan for preventing, detecting and responding to today's cybersecurity threats. The webinar will offer guidance on implementing the CSF in a measurable, actionable way. It will also explain how applying the industry-based framework through specific processes, such as those found in COBIT 5, makes it possible to achieve CSF outcomes that are accountable and practical.

Category: Security     Published: 7/17/2014 3:34:00 PM

What we missed at the data centre audit

Robert Findlay

With the advent of cloud computing and major purpose-built data centres, it seems that many organisations do not see the need or do not have the rights to carry out a thorough data centre review. However, there are many aspects of even the remotest of data centres that can be scrutinised.

My first job of managing an outsourced data centre at a previous employer started with a fruitless week of trying to find the signed contractwe had simply lost it! After I had gone, cap in hand, to the provider, I soon found out it was hopelessly out of date and did not reflect the services we were receiving. Of course the data centre itself had been subject to glowing audits and everyone had felt this was perfectly in hand, but the reality was that from a business point of view, it was completely out of control. No previous auditor or IT manager had even looked at it.

Many years later, I see no letup to this fundamental absence of control. And yet, as many companies cannot gain access to the data centre or focus purely on obvious controls, they have lost sight of the most important control of all. This has now happened to the extent that almost every audit of a data centre I have ever seen has not included a review at the outset of the contract. At one major e-commerce company, I was even told that it was none of my business to review it and it should be out of scope. It could not have been more in scopein fact, it was the scope!

Category: Audit-Assurance     Published: 7/15/2014 3:40:00 PM
<< First   < Previous     Page: 1 of 80     Next >   Last >>

 About This Blog


This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.

The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.

Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.


To volunteer to write a blog or suggest a topic send an email here.