@ISACA Volume 13, 26 June 2019

Can Organizations Afford Proprietary Models for Third-Party Assessments?

By Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah

When implementing a third-party risk management or vendor risk management (VRM) program, there are many decisions that must be made: How many levels of criticality should there be? What security requirements should be considered at each level? Which criteria will be used to evaluate the criticality of services? But most importantly, what compliance assessment mechanism should organizations use?

Since organizations cannot expect any standard to reflect their risk profile and risk management strategy, they cannot rely on a standard, certification or accreditation to assure third-party compliance with specific security requirements. Does this mean that organizations are forced to require third parties to provide evidence of their security measures or, in critical cases, to audit them themselves?

I believe that organizations have another option. They need to establish a consensus on the most efficient and effective way to measure the security of the third-party services they wish to use.

If one thinks about it, this is the same problem that states or provinces face when, for example, they want to define the speed limit of a road. Since all roads are different, and each state imposes its own laws to limit the occurrence of accidents, different roads, and even sections of the same road, have different speed limits. The key is that states have reached a consensus on measuring speed limits with the same metric and can, therefore, manage the issue simply. Since all speed is measured in miles per hour or kilometers per hour, this measure can be used to set the speed limit on each section of road to limit accidents. Though different portions of the same road may have different speed limits, having a common unit of measurement makes evaluating driver speed much simpler as the speed limit changes.

If organizations apply the same logic to this situation, they need to find a consistent measure of the level of security and apply it to the services they receive from third parties.

There are different approaches to this problem but, in my opinion, cybersecurity capability models come closest to providing the “measurement of speed.” Using a capability model that incorporates both process maturity and security robustness, organizations can effectively and efficiently understand the level of cybersecurity capability of any third party protecting their information or systems and check whether that level meets their needs. The required level is derived from the criticality the organization has assigned to the process, simply by mapping its cybersecurity requirements to the capability categories of the chosen model. With this method, user organizations need not audit each of their third-party vendors individually (which is virtually impossible); instead, a common measurement, shared by all user organizations, signifies the level of security implemented for each third-party service. This strategy results in significant savings for both user organizations and third-party providers.

Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah, is founding partner and chief operation officer (COO) at LEET Security Rating Agency, Spain.


Take the Next Step in Your Cybersecurity Career


ISACA is introducing 3 new Cybersecurity Nexus™ (CSX) Cybersecurity Career Pathways course offerings to enable those with prior industry certifications and a strong IT/cybersecurity foundation to prepare for a new role or career advancement. The CSX training environment offers course options for all levels of experience to help cyberprofessionals excel in this rapidly changing industry. Within the online CSX training environment, you earn credentials that demonstrate your proficiency to current or potential employers.

Those who take these courses will complete practical, real-world training in a state-of-the-art online environment to build skills critical to their current or target career, and then they will practice and master those skills. Assessments will give you feedback to focus your learning.

To learn more about the Cybersecurity Specialist, Cybersecurity Analyst, or Penetration and Vulnerability Tester pathway courses and credentials, visit the CSX Cybersecurity Career Pathways page of the CSX website. Courses can be purchased for individuals or teams, and training can be arranged by contacting a corporate training specialist.


The Sheer Gravity of Underestimating Culture as an IT Governance Risk


Poor IT governance can be even worse than no IT governance. Managing IT risk as part of governance of enterprise IT (GEIT) is a key factor in IT governance success, as discussed in Guy Pearce’s ISACA Journal volume 3 article, “The Sheer Gravity of Underestimating Culture as an IT Governance Risk.” Since many IT failures can be attributed to poor IT governance, organizations need to examine not only their GEIT plan itself, but also the culture they create to foster improved IT governance. Enterprises need to embrace culture around GEIT as a critical success factor (CSF) to prevent future IT failures.

The Merriam-Webster Dictionary defines culture as, “… shared attitudes, values, goals, and practices that characterizes an institution or organization.” In short, it is about how the organization behaves and how it does things. While not comprehensive, figure 1 lists 4 types of negative organizational behaviors with which to be concerned.

Many may have experienced any or all of these behaviors when developing their GEIT policies, processes, standards and guidelines. In alignment with figure 1, risk management will certainly be ineffective if people are in denial about risk, could not care less about risk, do not understand why risk is important or continually find ways not to perform the risk control processes that are established to support the new IT governance program.

Given the complexity of institutionalizing change, there are at least 4 drivers of change that help encourage changes in mind-set and that help address undesirable behavior:

  • Fostering understanding and conviction to ensure that what is being asked is understood
  • Role modeling and ensuring that leaders behave differently
  • Developing talent and skills to enable behaving in the new way
  • Reinforcing with formal mechanisms where structures, processes and systems support the change

Of these, role modeling was found to be the greatest driver of successful transformation. Among the remaining drivers, communication, especially regarding progress, was found to be the next most important consideration, raising further questions about why some in the business community do not see communication as a risk CSF.

The significance of culture as a CSF adds to the matters the practitioner needs to consider in developing and sustaining their enterprise IT governance initiatives, especially with respect to the change management that is clearly every bit as important to successful GEIT as are its 5 documented domains. While there could be items in the GEIT implementation plan pertaining to competency development (training), fostering understanding (communication) and reinforcement (e.g., deploying supporting technology), there is often nothing in the plan about identifying role models. Leadership role models address one of the greatest drivers of effective risk management (i.e., tone at the top) through a chain of activity as illustrated in figure 2. Quite simply, if leadership does not live the change they are advocating, if they do not set the example, then their IT governance efforts will be ineffective.

With culture clearly so critically important to the success of risk management and, ultimately, GEIT, and with “increasing interest in better understanding the role of culture in IT governance,” it is concerning that only 15 academic research studies looked into the role of culture in IT governance and, of those, only 1 study explicitly looked into the impact of culture on the risk domain of IT governance. There is clearly both a pressing need and an opportunity for more work to be done in this area.

Read more about GEIT success and its dependence on good IT risk management, including the correct organizational culture, in Pearce’s ISACA Journal article “The Sheer Gravity of Underestimating Culture as an IT Governance Risk.”


Understanding Technology Shifts in the Financial Sector


From mobile payments to the use of artificial intelligence (AI) to the introduction of new security risk, technology has had a profound impact on how the financial sector operates. In this 50th Anniversary Series episode of the ISACA Podcast, Ashley Holmes, governance and compliance manager at Delta Airlines, analyzes the past and present state of financial technology (fintech).

Holmes notes that banks and other financial services providers have to manage a balancing act in embracing innovation and automation while continuing to support customers who still expect a certain level of human-to-human service and accessibility. Even in the current environment, AI and machine learning are helping to provide all users with more personalized, tailored experiences in banking and financial services, and will continue to do so in the future.

This episode is available along with dozens of other podcast episodes on the ISACA Podcast page of the ISACA website and can be streamed or downloaded from Apple Podcasts, Google Play, Stitcher or SoundCloud.


North America CACS Conference Highlights Impact of Disruptive Technologies


The North America CACS 2019 conference took place 13-15 May 2019 in Anaheim, California, USA. This conference, which is held for IS audit, assurance, control, governance and security professionals, highlighted the need to face disruptive technology. In his closing general session presentation, 2019-2020 ISACA board chair Brennan P. Baybeck, vice president of security risk management for global customer support services at Oracle Corporation, said, “Brick by brick, we need to understand and utilize the technology that is driving change and fueling our enterprises’ digital transformation activities, and we need to learn and train in areas in which we may not have realized we would need to understand when we entered the field.” His words reiterated the overall theme of this year’s event, which offered more than 100 sessions focused on artificial intelligence (AI), blockchain, DevSecOps, cloud, robotic process automation (RPA), big data, and the security trends and threats of 2019 and beyond. Attendees were also able to participate in sessions dedicated to developing soft skills and in pre- and postconference hands-on workshops, and to listen to panel discussions.

Panels highlighted ISACA’s 50th anniversary and disruptive technology. In “A Spectrum of Professions: The ISACA Global Community, Past, Present, Future,” Paul Regopoulos, senior manager, information security audit, with The Walt Disney Company, stressed the importance of fundamentals from the beginning of ISACA until today. The “From Disruptive to Daily Dependence: ISACA Pros Look Back and Look Forward to the Future in Technology” session explored the evolution of workplace and personal technology, the need to secure AI, retail disruption, blockchain, quantum computing, and enterprises’ need to shift to being datacentric. The conference also featured keynote speeches by Guy Kawasaki, a Silicon Valley-based author, speaker, entrepreneur and evangelist, and Sekou Andrews, a prominent poetic voice performer who blends inspirational speaking and spoken word poetry.

Interested in attending North America CACS 2020 in Baltimore, Maryland, USA, 12-14 May 2020? Please visit the North America CACS page of the ISACA website to register and download the Quick Takes From the 2019 North America CACS report to learn more about this year’s event.