@ISACA Volume 19, 18 September 2019

Managing Third-Party Risk


Source: priyanka gupta; Getty Images

Third-party vendors are integral to delivering products and services for many enterprises, and this can pose a risk to the organization itself. Enterprises must be diligent in fostering safe and healthy relationships with suppliers and be accountable for their own data protection. This requires sound governance and risk management processes integrated into the enterprise and IT business practices.

To learn how to integrate third-party risk management into the overall enterprise risk management (ERM) plan, attend the “How to Manage Third-Party Risk for Better Enterprise Risk Management” webinar presented by ISACA and OneTrust. In this webinar, Kelsey Naschek, CIPM, CIPP/E, privacy engineer at OneTrust, will cover the key processes organizations should undertake to manage vendor risk and the best practices they can put in place when assessing, onboarding, monitoring and offboarding third-party vendors. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

In her role at OneTrust, which is one of the largest and most widely used technology platforms to operationalize privacy, security and third-party risk management, Naschek advises leading organizations on the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR) and ePrivacy Directive (Cookie Law) solution implementations, focusing on formulating efficient and effective responses to data protection requirements and building scalable global privacy programs. With more than 5 years of professional IT experience, Naschek’s background combines extensive cross-functional solution implementations and program management with business process design. She will use her experience to guide you on how best to manage your enterprise’s third-party vendors.

To learn more about this webinar or to register for it, visit the How to Manage Third-Party Risk for Better Enterprise Risk Management page of the ISACA website. You can also learn more on this topic by downloading the complimentary Managing Third-Party Risk: Cyberrisk Practices for Better Enterprise Risk Management white paper.


Leading as an Auditor and Woman in Tech: A Few Minutes With Deidre Melton, Internal Auditor and Investigator at Florida A&M University

New From SheLeadsTech

Deidre Melton, CISA, CRISC, CISM, CFE, CIA, serves as an assurance, risk assessor, investigator and advisory professional specializing in IT and cybersecurity at Florida A&M University (USA). Her early experience is in educational and local/state government audits for the State of Florida Auditor General’s Office. Melton is the current president of the ISACA Tallahassee (Florida, USA) Chapter and leadership development chair for SheLeadsTech Tallahassee. She shares some of her experiences while becoming a lead auditor and pursuing her passion to encourage other women in tech.

Q: What is one of the biggest obstacles you have faced when stepping into a lead auditor role?
A: Unconscious and conscious biases regarding my age, gender and race. For example, I became a lead senior auditor at age 28 in a work environment where I was the youngest person among more than 30 IT auditors in our division. People often equate age with both experience and knowledge. However, in the world of IT, where technology, regulations, laws and standards change regularly, there is not a direct correlation between age and having the knowledge to excel. Additionally, our client base was predominantly older white males who perceived women and people of color as possessing inferior intellect and skills. Hard work, dedication to constantly growing my knowledge base, a high level of emotional intelligence and great communication skills were the keys to successfully overcoming the obstacles placed before me.

Q: What is one of the most important internal (of your own effort) factors that led you to this role?
A: Letting happiness guide me instead of allowing money or other people’s opinions to impact my decisions. I went to Florida A&M University where I completed a 5-year business program in which I earned an undergraduate degree in management and a Master of Science degree in business administration. Candidates who graduated the program often left earning close to 6-figure salaries in junior management positions. During a year-long paid internship where I managed a marketing team’s US$90 million budget while living in the heart of Manhattan, New York, New York, USA, I fell in love with the challenge of using my business knowledge to transform IT applications while taking part in a financial software development project. I learned 3 important things during this internship:

  1. I loved IT and wanted a job that involved IT.
  2. The ability to communicate vertically and horizontally across an organization is a critical skill.
  3. I hated cold weather.

After my internship, I turned down lucrative job offers from major corporations located in the Northeastern US to take a job in sunny Florida as an IT auditor. The position paid considerably less than my internship in Manhattan and, while my parents and school advisors were not thrilled, I was happy and I loved my new job.

Q: What challenges do you see women face in being ready to take a lead position?
A: I have found that women often lack complete confidence in their own skills and abilities, which can be a challenge when taking a lead position. Frequently, I see women who will not pursue the lead position because they fear failure or doubt that they have the right knowledge, skills and abilities (KSAs) for the position. However, successful leaders must step out of their comfort zones and overcome the fear of failure to begin to learn new skills. This will allow them to grow into the leaders they are meant to become.

Q: What is the most important external (not of your own effort) factor that led to this role?
A: Networking with people who have already established their careers, who believe in me sometimes more than I believe in myself and who have advocated on my behalf. These people often take the time to give me advice, make me look beyond the surface of what I perceive to be the issues or obstacles, and continue to challenge me to find various ways to approach each situation. Knowing the impact these people have had on my life, I try to be that same positive influence in the lives of others.

Q: What challenges do you see organizations face as they look to hire more women in your area of expertise?
A: Organizations need to consider the KSAs needed to perform the job functions of their open positions. They should then use those KSAs to write new, more accurate job descriptions instead of recycling 10-year-old job position descriptions that focus more on duties than the underlying KSAs. In my experience, women feel more capable of competing for a job when they know the KSAs for a position vs. having to assume them because a potential employer only gives a vague description of duties.

Q: What do you think organizations can and should do to address retention issues for technology professionals, especially women?
A: I think organizations should provide flexible work schedules, implement mentoring programs and women-in-tech groups, and provide quality education training opportunities that vary in focus (technical, soft skills, leadership) and delivery (local in-person, distance in-person, virtual). Women should not be forced to choose between taking care of their families or gaining the knowledge and skills necessary to be successful at their job and earn opportunities for promotion. Additionally, organizations must regularly assess and address gender pay inequities within their organization.

Q: Have you seen progress in retaining women in the technology field over the course of your career?
A: Over the last 5 years, I have seen more women moving into the tech field. During this same period of time, I have seen higher levels of retention of women in IT who specialize in audit, risk, governance and security. However, from my perspective, women who work on the server and network teams or other highly technical and hands-on aspects of IT are still being pushed or shut out of the perceived “boys club” of IT. Those who work in these areas are still leaving the field or transferring into other areas of IT.

Q: What progress do you see legislatively or culturally in your region toward addressing the gap of women in tech?
A: The biggest legislative progress in addressing the gap of women in tech in the US may be the Executive Order on America’s Cybersecurity Workforce, signed on 2 May 2019. This executive order integrates and highlights the usage of the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework) within the federal government. The use of the NICE Framework is ideal for women because it clearly lays out the KSAs for each job. As mentioned previously, women are then able to focus their training efforts and feel confident communicating their experience for positions. Additionally in Florida, there is currently a growing movement for women to engage in tech careers and progress into management positions. There are a lot of women-in-tech groups, similar to ISACA’s SheLeadsTech, that actively work to engage women in the tech field.

Q: How does being the current president of the ISACA Tallahassee Chapter affect your ability to influence the way people look at women in tech?
A: I believe being the current president of the ISACA Tallahassee Chapter has had a great deal of impact on the way women are perceived in the Tallahassee tech community. My ability to run and grow our Tallahassee Chapter into one of the top IT educational organizations in the area has allowed my male counterparts to view me as an equal. These men now regularly ask for my opinions on a variety of tech topics and career advice, they suggest other female tech leaders to present at events and actively ask how they can become an advocate to help close the gender gap in tech. Over the past year, my team and I worked to implement a year-round SheLeadsTech program in Tallahassee, which consists of a mentorship program, bimonthly educational luncheons with a technical and soft-skill focus, bimonthly webinars focusing on career and leadership development, and lots of networking opportunities. Males within the tech community are also invited and encouraged to participate so that they gain an understanding of the challenges women face, can see women discussing highly technical and complex issues within IT, and can learn how they can become a part of the solution in closing the gender gap. As a result, I am seeing more and more women increasingly land management and other coveted tech jobs within the community.

This article was originally published in the SheLeadsTech newsletter on the SheLeadsTech website.

The ISACA SheLeadsTech program and the SheLeadsTech newsletter shed light on the waves women are making in the tech industry today. By subscribing to the monthly newsletter, you will receive the latest event updates, webinar content, podcast content and insight into what women leaders like Melton are uncovering in the tech industry. To subscribe to the newsletter, visit the SheLeadsTech website.


Proactive Risk Management


Source: Blue Planet Studio; Getty Images

While no one can predict the future, one can reasonably anticipate negative events and their outcomes, and even plan for appropriate responses. Risk management is a proactive planning process that mitigates negative events and provides response plans for them, should they occur. Enterprises need a framework for analyzing risk and developing sound treatment plans in response to risk realization.

To better understand risk frameworks, how they are constructed and how they apply to enterprise risk management, attend the “Introduction to Risk Management” webinar presented by ISACA. This webinar takes place on 2 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Peter C. Tessin, CISA, CRISC, CISM, CGEIT, senior manager at Discover Financial Services, will lead the webinar. At Discover Financial Services, Tessin leads the governance group within the business technology (BT) risk function. He is responsible for ensuring policy, standards and procedures align with corporate objectives and is an internal governance and risk expert resource. Previously, Tessin was the technical research manager for COBIT 5 at ISACA and led the development of other COBIT 5-related publications, white papers, articles and COBIT Online. He will use his experience with frameworks and risk management to help you ensure that your enterprise can properly anticipate negative events and respond in a proactive manner.

To learn more about this webinar or to register for it, visit the Introduction to Risk Management page of the ISACA website.


CISA: The Stepping Stone to an Auditor’s Success

Dapo Ogunkola, CISA, CRISC, ACA, CFE, CFSA, Risk Advisory Manager at EY and Member of ISACA’s 2019 CISA Exam Item Development Working Group, Shares His Experience as a CISA

Dapo Ogunkola discovered the value of the Certified Information Systems Auditor (CISA) certification as an intern early in his career. While interning at a Nigerian bank in 2008, Ogunkola says, “I noticed all my mentors in the internal audit department were all CISAs, very knowledgeable and prominent within the industry.” At this time, Ogunkola also was pursuing an accounting degree and, through his studies, saw that globalization was causing business risk to change quickly. He thought the best way to stay ahead of the curve was by joining ISACA and attaining the CISA certification.

After taking the exam in 2011, Ogunkola found that being a CISA helped him gain his first positions as an IT auditor in a bank and, soon after, as an associate at KPMG. He believes holding the CISA certification, “not only differentiated me amongst my peers, but it also showed my employers I was forward-thinking and had a high level of self-awareness.”

Later in his career, when Ogunkola wished to pursue opportunities outside of Africa, the CISA certification helped demonstrate globally that he had the IS audit and assurance knowledge needed to succeed. More importantly, the certification has given Ogunkola the confidence he needs to land positions, do his job successfully and even earn more than his peers. Ogunkola’s number-one goal as a student was to work in a Big 4 audit firm one day. Being a CISA has given him the opportunity to work in 3 of the Big 4 organizations.

Overall, Ogunkola believes that holding a CISA certification and being an ISACA member helps him and others overcome key obstacles facing professionals today. As technology evolves, there are newer risk factors that his clients experience on a daily basis, and being able to navigate that landscape and provide the best advice/solutions is challenging. But Ogunkola keeps up with changing technologies by reading the ISACA Journal and attending trainings and webinars on emerging issues. Being a member of ISACA and a CISA means he has access to the latest materials on regulatory requirements, emerging technologies, and business changes in the financial sector, and because of this, he can advise on the best global practice to solve his clients’ problems. “The best part of being a CISA is being recognized as a gold standard for IS audit, control and security,” Ogunkola says. “Once people know you are a CISA, the certification’s prestige precedes you. My clients know I am the best resource with the most valuable solutions to their problems because they know I am a CISA.”

To learn more about ISACA certifications, visit the Certification page of the ISACA website.


Why COBIT 2019 Matters for Auditors


The new publication COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution contains key concepts that can help auditors build prioritized audit plans. It also provides new capability levels for assessing process capability and outlines the governance and management objectives for structuring the audit universe and describing control activities.

To review the key concepts of COBIT 2019 and learn more about how to build a prioritized audit plan, attend the “COBIT 2019: Highly Relevant for Auditors” webinar presented by ISACA. This webinar, which takes place on 19 September at 11AM CDT (UTC -5 hours), will be led by Dirk Steuperaert, CISA, CRISC, CGEIT, IT and risk governance consultant at IT In Balance, Belgium. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Steuperaert is an experienced consultant, coach and highly esteemed trainer in IT risk management, IT governance and all COBIT 5-related matters. His current mission is to use his experience as project leader and one of the key authors of COBIT 2019 to teach others how they can benefit from and apply the framework in a pragmatic way. He will use his experience as lead developer of COBIT 2019 to help you apply it to your audits.

To learn more about this webinar or to register for it, visit the COBIT 2019: Highly Relevant for Auditors page of the ISACA website.