@ISACA Volume 11, 29 May 2019

Risk Analysis Requires Business Acumen

By Jack Freund, Ph.D., CISA, CRISC, CISM

It is relatively easy for those in information security to spend their entire careers without a solid understanding of how the organizations they work for make money. This is true whether they work in a for-profit or nonprofit organization. This kind of insulation from the rigors of a profit-and-loss sheet does not enrich the security professional’s capabilities. In fact, it very often increases stress as a misalignment of priorities engenders cognitive dissonance.

On one hand, the security professional is tasked with protecting an enterprise from bad things and, on the other hand, the organization wants to pursue riskier actions that encourage these same bad things to happen, directly countering IT’s corporate charge to protect. How can an enterprise be serious about protecting its digital assets yet still want to do things that put those assets at risk? This dilemma is not new; indeed, it is as old as information security and the reason security teams have earned the “department of no” tagline.

Business acumen helps add another dimension to the view of security control functions. Having a full appreciation of the trade-offs that need to happen to sell products and services in a competitive marketplace (or to fundraise) will undoubtedly make you a better information security professional. In fact, this skill is the number-1 thing that you need to be successful in information risk analysis.

Far too often, risk analysts are brimming with knowledge of controls and threats but have little understanding of how an organization makes money. This means they are innately unable to complete a risk assessment as they are missing information to appropriately assess business impact. It is a fundamental part of the job of every risk analyst to understand their organizational objectives and know how to connect IT risk to those objectives. IT risk is business risk, and there is no better way to appreciate the connection than understanding the marketplace in which your organization operates. This includes not only understanding how your organization makes money, but also how your suppliers and customers make money. Here is a short list of things to learn about at your organization to improve your understanding of where potential loss could occur:

  • Business strategy, goals and objectives
  • Financial results
  • Business market for your organization
  • Customer segments in that market
  • Your organization’s unique profile in the market
  • How your organization sells its products and services (sales channels including web, mobile, retail, etc.)

Having a working knowledge of these areas of the enterprise enables a risk analyst to better assess loss magnitude forms such as productivity, competitive advantage, fines and judgements, and reputation damage. In a true contradiction of terms, all security professionals need to invest in their soft skills, as they are some of the hardest skill sets to acquire. Upgrading your business acumen will improve your ability to assess business loss and by extension risk.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, member of ISACA’s Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.


Learn to View Your Cybersecurity Program Holistically


Source: stevanovicigor; Getty Images

With the rise of cloud use, cybersecurity must adhere to more complex requirements. Organizations must consider third parties, IT systems, regulations such as the Payment Card Industry Data Security Standard (PCI DSS) around personally identifiable information (PII), standards (e.g., ITIL, US National Institute of Standards and Technology [NIST]), access management and more when devising their overall cybersecurity program. Chief information security officers (CISOs) must understand and protect data in a manner that helps them act quickly in response to threats. To be successful, organizations must consider implementing a multitiered, holistic cybersecurity program that considers both business performance and security management.

To learn how to take advantage of best practices for implementing a holistic cybersecurity management program, ISACA and ProcessUnity present the “A Holistic Approach to Cybersecurity Program Management” webinar. Todd Boehler, vice president of product strategy at ProcessUnity, will teach you how to understand fundamental transformations in the cybersecurity landscape that will affect your organization; bridge the gap between IT security risk assessments and business continuity; improve communication across all departments; and quickly analyze, predict and prepare for emerging cybersecurity challenges. This webinar takes place on 4 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Boehler has extensive governance, risk and compliance experience, working with organizations’ engineering, services and sales teams to develop solutions, enable sales and deliver customer success. He will use this experience to help enable your enterprise’s successful cybersecurity program as well.

To learn more about this webinar or to register for it, visit the A Holistic Approach to Cybersecurity Program Management page of the ISACA website.


How to Implement Continuous Oversight and Monitoring of Your Enterprise’s Cloud Services


Source: (C) Purestock; Getty Images

Cloud computing and cloud services are increasingly being used in the implementation of emerging technologies including artificial intelligence (AI), big data analytics and Internet of Things (IoT) devices. These cloud services are often hosted by third parties, which can become a security concern when you consider that most present-day enterprises are hyperconnected, and the boundaries between internal and external domains have been blurred. In this environment, information assurance professionals must not only address known threats and vulnerabilities, but they also must be prepared for new threats.

To manage cloud services, ISACA and Security Scorecard propose implementing continuous oversight in their Continuous Oversight in the Cloud: How to Improve Cloud Security, Privacy and Compliance white paper. This paper explores the security, privacy and compliance practices around emerging risk domains that can benefit from continuous oversight. Continuous oversight includes continuous assurance for data and processes, continuous cloud assurance, continuous supply chain management, and continuous improvement. This white paper aims to provide professionals with guidance to potentially improve the security around their cloud services and third-party providers.

To learn more, download this complimentary ISACA white paper from the Continuous Oversight in the Cloud: How to Improve Cloud Security, Privacy and Compliance page of the ISACA website.


Risk Analysis: Then and Now

By Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt

As part of ISACA’s 50th anniversary celebration, I am looking at the past and evaluating how risk analysis has changed by comparing the approach proposed in my recent IS Audit Basics column, “Developing the IT Audit Plan Using COBIT 2019,” from the ISACA Journal, volume 3, with the “Automated Audit Risk Analysis” article written for the EDP Auditor,1 vol. 2, in 1984. A lot has changed from then until now, but it can be incredible to examine the foresight ISACA/EDP volunteers had in the past.

My Proposed Approach

My column’s proposed approach uses the COBIT 2019 design factors as illustrated in figure 1 as risk factors when developing the IT audit plan.

Figure 1—COBIT Design Factors

Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.

To recap, risk factors are those conditions that influence the frequency and/or business impact of risk scenarios. They can be of different natures and can be classified into 2 major categories:

  • Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an enterprise has over them
  • Capabilities—How effective and efficient the enterprise is in a number of IT-related activities

The importance of risk factors lies in the influence they have on risk. They are heavy influencers on the frequency and impact of IT scenarios and should be taken into account during every risk analysis.

My IS Audit Basics column also discusses the influence of the COBIT 2019 design factors as risk factors as illustrated in figure 2.

Figure 2—Cooke Article Risk Factors

Each contextual factor is listed with its influence on frequency, impact or capability, grouped by contextual factor type.

Internal contextual factors:
  • Enterprise strategy: The strategy archetype will influence the importance of different governance and management processes, applications, etc. Therefore, poor implementation, unforeseen issues, etc., will have a higher business impact.
  • Enterprise goals: Enterprise goals will influence the selection of IT goals and the importance of different processes, applications, etc. Therefore, poor implementation, unforeseen issues, etc., will have a higher business impact.
  • Risk profile of the enterprise: Any processes, applications, etc., where a likely event would result in the risk appetite being exceeded will have a higher business impact.
  • Current I&T-related issues of the enterprise: Known issues (e.g., from previous audits) should increase the frequency (likelihood) of an event. Known issues will also affect IT’s capability to get the job done.
  • Role of IT: If the business level of reliance on IT is strategic for a given process or application, this would increase the frequency and business impact of an event. The capability of IT will have a business impact.
  • Sourcing model for IT: If IT is outsourced or relies on the cloud, this increases the reliance on these parties. This, in turn, increases the frequency and impact of vendor issues on a given process or application. The capability of vendors will have a business impact.
  • IT implementation methods: If the enterprise is moving from a traditional model to Agile or DevOps, this would increase the frequency of events. Different applications may be developed using different methods.
  • Technology adoption strategy: If the enterprise is a first mover with a particular application or service, this would increase the frequency of events.
  • Enterprise size: A smaller enterprise may not have the resources for controls such as separation of duties, in turn increasing the frequency of events.

External contextual factors:
  • Threat landscape: The greater the threats to the enterprise, the greater the frequency of adverse events.
  • Compliance requirements: If the enterprise is subject to new, complex or ever-changing regulations, this will increase the frequency of an event and/or the business impact.

EDP Auditor Approach

Now when examining the EDP Auditor article, Godier notes that in the past, the audit risk factor has been determined largely by personal judgement, which, to date, has been as good as any method of selection. I interpreted this to mean that this was one of the first papers to propose a qualitative approach to risk analysis. The risk factors proposed in the article are described in figure 3.

Figure 3—Godier Article Risk Factors

Each contextual factor is listed with its description from the Godier article, grouped by contextual factor type.

Internal contextual factors:
  • Type of system: This element is used only to indicate where, historically, the greatest chance of fraud exists by system.
  • System activity: This element states that the more a system is processed, the larger the problem it can create. Therefore, activity is defined as how often a system is processed.
  • System dependence: This element represents the relative importance each system has to an organization.
  • This element states that the more a system is changed, the greater the chance that its internal controls are affected.
  • Audit comfort: This element states reasons why the system may not need to be audited at any one point in time. Audit comfort is defined as the amount of confidence the auditor can place in the controls built into a system.

Comparing Old and New

The most striking thing to note is that there are no external contextual factors in the article from the EDP Auditor. The most logical explanation is, first, that in 1984 there was no Internet to speak of, which means that cybersecurity risk did not yet exist and, second, there was little or no IT-related regulation and, therefore, the associated compliance requirements. This may have been a great time to be an IT auditor.

When reviewing the internal contextual factors, my immediate reaction was that much has changed. We are now defining risk factors with the full power of COBIT 2019. Consider all the volunteer hours, over 50 years, before and after the first release of COBIT, that it took to make COBIT 2019 what it is today—one of the most widely respected frameworks in the world. It is, therefore, unfair to expect the 1984 article to meet these standards.

However, after rereading the EDP Auditor article several times, something struck me: Considering the type of system and fraud is considering current I&T-related issues. Considering system activity is considering IT goals. Considering system dependence is considering the role of IT. In taking account of audit comfort, the article reflects upon whether the application was purchased or developed in house, in other words, the sourcing model for IT. In fact, there is a correlation between the risk factors in both articles, as shown in figure 4.

Figure 4—Article Risk Factors

Godier article risk factor, followed by the corresponding Cooke article risk factor:
  • Type of system: Current I&T-related issues of the enterprise
  • System activity: Enterprise or IT goals
  • System dependence: Role of IT
  • The element on how often a system is changed: IT implementation methods
  • Audit comfort: Sourcing model for IT

When you consider the time period in which the EDP Auditor article was written, it is quite remarkable and demonstrates true foresight. In fact, rather than considering it unfair to make a comparison, it is important to see it for what it is: a building block that has added to ISACA’s understanding, which led to the development of frameworks such as COBIT.


A lot has changed over the years, including the rise of the Internet and more stringent compliance requirements. Nonetheless, even back in 1984, ISACA (or the EDP) was seeing what was next, now. The article from the EDP Auditor added to ISACA’s body of knowledge and enabled other volunteers to develop COBIT, the Certified Information Systems Auditor (CISA) Review Manual and more. Sir Isaac Newton’s saying has never been truer than now, “If we have seen further, it is by standing upon the shoulders of giants.”

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt, is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA committees and is a past member of ISACA’s Certification in Governance of Enterprise IT (CGEIT) Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA Review Manual for the 2016 job practices and was a subject matter expert for the development of ISACA’s CISA and Certified in Risk and Information Systems Control (CRISC) Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email (Ian_J_Cooke@hotmail.com), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/) or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.

1 Godier, D.; “Automated Audit Risk Analysis,” EDP Auditor, vol. 2, 1984


ISACA and Protiviti Probe IT Audit’s Toughest Challenges and Best Practices in IT Audit


IT audit professionals and teams worldwide face challenges with cybersecurity, privacy, data management and governance; building effective partnerships with the IT organization; dealing with ongoing digital transformation and disruption; addressing resource and talent constraints; and shifts in critically needed skill sets.

As IT audit and internal audit functions continue to evolve, they face notable challenges with regard to recruiting new expertise and, in the case of many current staff, retraining in new skills. More than any other skills, IT audit functions are looking to hire professionals with expertise in advanced and enabling technologies. These findings come from the 2019 IT Audit Benchmarking Study, an annual global research initiative conducted by ISACA and Protiviti.

Strategies to address these challenges can be found in the Business and Digital Transformation’s Effects on IT Audit Groups: A Global Look at IT Audit Best Practices—Assessing the International Leaders in an Annual ISACA-Protiviti Survey, which also presents the data and features some analysis. The full 2019 IT Audit Benchmarking Report, with extensive comparative and expert analyses and report assets, will be released in October 2019, around the time of the EuroCACS conference.

To download the Business and Digital Transformation’s Effects on IT Audit Groups: A Global Look at IT Audit Best Practices—Assessing the International Leaders in an Annual ISACA-Protiviti Survey, visit the A Global Look at IT Best Practices page of the ISACA website.