@ISACA Volume 1  8 January 2020

Tips for Building a Risk-Optimized Enterprise

By Lisa Young, CISA, CISM

The goal of effective risk management is to align the amount of risk taken with the enterprise’s risk appetite to meet the strategic goals and objectives of the organization. When risk is strategically and thoughtfully taken, there are opportunities for competitive advantage, entering additional geographic markets, or developing new products and services.

The main drivers for enterprise risk management include the need to improve decision-making, to align resources to address risk with the greatest potential impact and to ensure that value is created by maintaining risk within acceptable tolerances and appetites.

In 2019, ISACA led an effort to survey a global population of risk professionals at organizations across many different industries to better understand the state of enterprise risk management programs. Here are some tips from the State of Enterprise Risk Management 2020 report on how an enterprise can improve and optimize its risk management efforts:

  • Periodically revisit the mechanisms for each step of the risk process (i.e., identify, assess, analyze, plan response or treatment, communicate and monitor response) to understand whether the step is efficient and effective. For example, if an enterprise is using a risk and control self-assessment (RCSA) as a technique for risk identification, is it updated periodically as conditions change or emerging risk is discovered?
  • Evaluate risk activities to ensure that the most important assets and services are in scope. Some enterprises start with high-value assets that support the most critical business lines, processes, products or critical services, and then expand the scope as the risk management capability matures.
  • Develop a risk management training curriculum for the risk landscape in which your enterprise operates. This curriculum can be a simple set of presentation slides that raise awareness of specific risk factors that have impacted organizations similar to yours or an in-depth, multimedia, computer-based training on the 3 lines of defense (3LoD) structure used by many global financial institutions. One innovative approach is to utilize real-event case studies. In 2 short hours, a group of business professionals can read a case study, perform the role of a risk owner, and have a lively discussion on actions that would have prevented the risk from being realized or decisions that would have improved the response and/or decreased the impact after the risk was realized.
  • Cultivate an early-warning, neighborhood-watch-like alert system composed of staff on the front line of defense. Often, the people closest to the day-to-day operations of the business are the first to notice that something is not quite right or that policies and rules are being set aside or ignored to meet project deadlines or reduce operating costs. Catastrophic operational risk events are often the result of a series of cascading smaller failures or breakdowns in communication. As part of the risk management training curriculum, invest time in creating job aids, such as a laminated card with a reporting hotline phone number or web address, that indicate where areas of concern can be reported anonymously. It is far easier to act on these areas of concern when they are learned about early. To mature risk management practices, the line of sight from business operations execution to the board of directors (BoD) or a senior governing body will require greater transparency.

The State of Enterprise Risk Management 2020 report analyzes and presents the key findings from the survey. This research brief also provides conclusions about risk management practices and risk management areas of opportunity and guidance for BoDs and executive teams. To read the full report, visit the State of Enterprise Risk Management 2020 page of the ISACA website.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Improving Your Security Through Red Teaming

In the past, nonmalicious hackers who found and exploited an organization’s weaknesses and notified it of those weaknesses often faced severe penalties, including jail time. Now, this testing activity is a vital element of cybersecurity. Red team testing can help organizations find their biggest vulnerabilities and fortify the security around them. Although red teaming has become a crucial component of cybersecurity, the skills gap has resulted in a shortage of qualified red team personnel.

In the recent ISACA Podcast episode “Using Red Teaming to Improve Your Security,” Frank Downs, ISACA’s senior director, cybersecurity advisory and assessment solutions, and Dustin Brewer, principal futurist at ISACA, discuss the origins of the red team and why red teams and blue teams need to have a better understanding of each other’s functions. The podcast also explores some causes of the skills shortage and how those considering a career in cybersecurity can determine if it will be a good fit.

The ISACA Podcast can be streamed on the ISACA Podcast page of the ISACA website, or you can subscribe to it on Apple Podcasts, Google Play, PodBean, Spotify or Stitcher. If you would like to provide feedback on the ISACA Podcast, please fill out this brief survey to let ISACA know how the podcast can be improved.


Manage Enterprise Cyberrisk by Applying the NIST CSF With COBIT 2019

Modern threat actors target enterprises across all industries regardless of their type, size or geographic location. Comprehensive protection against cyberthreats requires enterprises to assess their information and technology (I&T) and digital assets through a broad lens and to develop their cyberposture as part of a comprehensive governance and management framework. With the proper enterprise governance program in place, the audit and assurance function can help inform risk-reward decisions and maximize enterprise value while addressing stakeholder needs.

The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) can help enterprises view cybersecurity as a critical component of all business functions. It can be applied to any enterprise that incurs cybersecurity risk, that is, any business, organization or entity that participates in or supports critical infrastructure. In today’s global economy, this applies to every organization.

To help you apply the NIST CSF within a comprehensive I&T governance and management framework, ISACA has developed the Governance Playbook: Integrating Frameworks to Tackle Cybersecurity white paper, which outlines steps for implementing these frameworks together to create value, accelerate innovation and catalyze business transformation. Improved risk management by enterprises globally could have a cumulative effect and reduce cyberrisk for all.

To learn more, download this complimentary white paper by visiting the Governance Playbook: Integrating Frameworks to Tackle Cybersecurity page of the ISACA website.


Volunteer and Earn CPE With ISACA


Making time to volunteer has both personal and professional benefits and can be a component of professional development and growth. ISACA members have access to a plethora of educational content, networking and professional recognition opportunities. This means you can get more involved in engagement programs in 2020 at no additional cost, and these programs can help you build your professional network, solve challenging problems you encounter at work and even earn free CPE hours. Involvement opportunities include:

  • Volunteering—ISACA relies on volunteers to serve as subject matter experts (SMEs), working group members, onsite conference support, and many other individual and collaborative initiatives that help advance the organization and the tech industry. ISACA’s volunteer program offers ways to participate that align with your interests and availability, and volunteers can often earn CPE hours in exchange for sharing their time and expertise.
  • Discussions—Engage online forums and special interest groups encourage professionals from around the world to share ideas, ask questions and support each other as they advance in their careers. In addition, 4 certification exam prep forums have helped many individuals pass their Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), and Certified in Governance of Enterprise IT (CGEIT) exams. Individuals can also earn digital badges on the Engage platform by completing specific actions and/or participating regularly. The achievements page of your profile displays your new badges as they are earned.
  • ISACA Awards—The ISACA Awards Program recognizes individuals and chapters that exemplify ISACA values and have a positive impact on the community. The peer-recognition program relies on ISACA members to nominate outstanding colleagues and act as judges to select the recipients.
  • CommunITy Day—This global day of service started in 2019 with more than 2,800 volunteers from 92 volunteer teams in 51 countries spending more than 6,100 hours improving their local communities. Save the date for 3 October 2020 and join ISACA to help make the world a better place.

Interested in learning more about these and other ISACA engagement opportunities? Visit the ISACA Engage website.