@ISACA Volume 20, 2 October 2019

Celebrating Success While Acknowledging Risk


During an IS audit, I had the opportunity to observe a financial organization’s disaster recovery drill. They had planned to run the business from an alternate site for 1 full day. Since the audit was in progress, my team and I had an opportunity to witness the drill being completed successfully, including moving back to the original work site and continuing business as usual (BAU) operations the following day. Stakeholders organizationwide were elated at the result because drills are required for regulatory compliance and successful drills reflect a positive organizational image.

After the disaster recovery drill, our team’s audit continued for another week and completed with an exit meeting to discuss audit findings. The sense of euphoria derived from the successful disaster recovery drill still prevailed at the organization at the start of our exit meeting. When the chief executive officer (CEO) asked me for my opinion about the organization’s business continuity planning (BCP), I paused, as this question was not part of the agenda. The CEO insisted that he needed my informal opinion since I had witnessed the drill. I finally gave in and remarked, “In my opinion, your BCP preparedness score is a 3 out of 5.” The CEO was shocked. I had just deflated his euphoria. So he challenged me, “But my team feels it is 4.75 out of 5.” I replied, “I shall be glad to give you that score if you will allow me to pull the main fuse and then observe how smoothly operations continue.” This seemed to resonate with the CEO. He responded, “Now I understand what you mean. Can you suggest how we should proceed?” I suggested he identify a risk manager or chief risk officer (CRO).

I recounted this experience because this situation happens in organizations all the time. Even I have felt this way after the successful completion of a task. Unfortunately, in this situation, I had to play devil’s advocate. It is normal to be happy when you achieve a goal—personal or organizational—but it is dangerous to become complacent. Being complacent can lure organizations into a false sense of security.

Sometimes this false sense of security wanes, but other times, it lingers, especially when opportunities to test it are infrequent. In these cases, that sense of security is not shaken until the organization faces a continuity situation or threat materialization and fails to address the actual scenario. This opens eyes and minds to reality, and it is often too late.

The answer to this issue is to be proactive. This means you must have a risk professional such as a risk manager or CRO in place to oversee risk management. A risk professional must be familiar with the environment and with internal and external risk factors. An organization’s risk culture is one element risk managers cannot ignore. In the example given earlier, we could describe the risk culture as optimistic and unwelcoming to negative or apocryphal thoughts. But a risk manager is required to think pessimistically and act optimistically to balance the positive and the negative and bring clarity to facts. Facts supported with data can help identify the gaps that might have been missed while acting optimistically. In short, one should always stay grounded while celebrating achievements.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Maintaining Cybersecurity Resilience


As organizations continue to innovate with cloud technology and Internet of Things (IoT) devices, they must be diligent in securing these innovations. Technology will only continue to grow and change, and there are basic measures organizations must take to lower threat risk and maintain systems and infrastructure security.

To review the basic steps that must be taken to improve security and resilience at your organization, attend the “Getting Back to Basics: The Fundamentals of Cyberhygiene” webinar presented by ISACA and Merlin. In this webinar, which takes place on 8 October at 11AM CDT (UTC -5 hours), Miguel Sian, director of solutions architecture and engineering at Merlin, will discuss what constitutes good cyberhygiene, why it is important, and how to ensure that both your hardware and software are configured correctly and performing effectively. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Sian has more than 20 years of experience in IT systems engineering, solutions architecture, consulting and technical program management. He currently leads a team of cybersecurity solution architects and engineers who provide technical consulting for federal and commercial customers. He will use his experience to help you identify and apply countermeasures to defend against different types of cybersecurity threats.

To learn more about this webinar or to register for it, visit the Getting Back to Basics: The Fundamentals of Cyberhygiene page of the ISACA website.


Maximize Your LinkedIn Experience


LinkedIn is essential in today’s digital world—as a personal branding, career advancement and networking tool. As you navigate LinkedIn, you may wonder how you can maximize the value of your LinkedIn profile to allow you to stand out in the eyes of potential employers and recruiters.

For guidance on building your LinkedIn profile and network, attend the “Getting the Most Out of LinkedIn: From Beginners to Experts” webinar presented by ISACA and the ISACA Tallahassee (Florida, USA) Chapter. This webinar takes place 16 October at 11AM CDT (UTC -5 hours). In it, Kathy Lavinder, founder and executive director at Security and Investigative Placement Consultants, will give guidance to help you determine who to connect with on LinkedIn and what information to provide potential employers. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Lavinder has 20 years’ experience as a recruiter with clients across all business sectors and geographies. Before founding Security and Investigative Placement Consultants, she held investigative and journalism leadership roles. She has blended her past experiences to develop unique insights on what employers want to see, and she will use these insights to help you make your LinkedIn profile stand out.

To learn more about this webinar or to register for it, visit the Getting the Most Out of LinkedIn: From Beginners to Experts page of the ISACA website.


How to Better Manage Third-Party and Enterprise Risk


Enterprise risk is affected by the overall vendor risk management program. As reliance on third parties to deliver products and services becomes greater over time, building sound enterprise processes and governance around third-party risk management becomes more critical. Part of building sound enterprise processes includes properly vetting all vendors as an initial step before sending any data to them. Data privacy and security are important from the start when considering third-party vendor management.

To provide you with best practices to help manage enterprise third-party risk, ISACA and OneTrust have developed the Managing Third-Party Risk: Cyberrisk Practices for Better Enterprise Risk Management white paper. This white paper not only covers the preliminary steps to building sound enterprise processes, but also the continuing steps, which include regularly reviewing third-party controls and addressing any identified control gaps as they are discovered to ensure data are protected and third-party risk remains in check.

To learn more, download this complimentary ISACA white paper from the Managing Third-Party Risk: Cyberrisk Practices for Better Enterprise Risk Management page of the ISACA website.


ISACA’s Newest Chapter: Ahmedabad, India


A desire to create more awareness about ISACA and its certifications led to the formation of the Ahmedabad (India) Chapter, making it ISACA’s 222nd chapter. ISACA is currently represented by chapters in 96 countries across the world. Nitin Pathak, chapter formation committee chair of the ISACA Ahmedabad Chapter, says that the new chapter will strive to encourage members and industry professionals to aspire to earn ISACA certifications and become aware of ISACA’s learning resources on systems, security and COBIT standards.

The members of the ISACA Ahmedabad Chapter also seek to build member skill sets associated with ISACA certifications and to help college graduates further their careers. In the Ahmedabad area, the Big 4 firms are known to look for college graduates who have passed their ISACA certification exams. With the new chapter’s support, the hope is that these graduates not only become ISACA-certified but also earn more money as a result of holding these certifications.

Interested in finding your local ISACA chapter and discovering the benefits of getting involved? Visit the Local Chapter Information page of the ISACA website.