Risk and Regulation
Information security professionals are likely to come across 2 questions in their careers that are difficult to answer. Unfortunately, neither of them is used to request additional security. The first is “What are our competitors doing?” You want to improve security and protect customers. Your organization is likely looking to avoid unreasonable costs and inconvenience to its customers (either real or perceived). There are several reasons why this question is difficult to answer. First, good security details are not advertised, or as I like to say, nobody likes a chatty security person. We really do not want our security staff telling all our security secrets, which makes knowing how others are managing security particularly difficult. It is almost the same as asking your competitors what their margins are so that you can compare.
There are information sharing groups that entertain questions and benchmarking activities, but the results are often shared under explicit nondisclosure agreements and/or under the Chatham House Rule. Still, this is best effort: you do not get participation from all members of the groups, or often from the ones that the line of business would even consider a competitor. Additionally, what another company chooses to do with its security is a matter of its unique risk posture. Just because they compete with you does not mean you have the same ability to spend on security that they do. This is never more obvious than when you get an answer back indicating that your competitors are doing significantly more than what your control recommendation was. Your experience may be different, but when this has happened, I have never had one person advocate that we increase controls to match or exceed our competitor’s.
The second general line of questioning tends to be a version of “Why do we have to do this?” This is an explicit appeal to understand what regulations are requiring that this control configuration be made the way that it is. I think this question is dangerous for a few reasons. First, information security professionals should not be eager to outsource their profession to lawmakers. This may have some benefits, but the political process of lawmaking tends to water down any significant security requirements to be palatable to special interests. Second is the oft-repeated mantra that compliance is not security. Were we to advocate for simply what is in the regulations, we would often find our organizations with significantly less security than our organizations want and need. Also, when lawmaking does occur, it is often not at a level of detail that is useful for the minutiae of managing security configuration on the systems we have to protect. Lastly, law tends to trail technological innovation. Your organization will likely find itself awash in all sorts of new Internet of Things (IoT) devices long before any legislation addresses how they should be secured.
We do not necessarily need regulations to define a secure state for our organizations. Organizational controls should be set by risk and regulation. That is, the controls that are required for a secure organization should flow from the applicable risk scenarios they may encounter and the regulations with which they are obligated to comply. Overreliance on the latter at the expense of the former will place the organization at risk. As a profession, I believe it is sufficient for us to answer the question of “Why do we have to do this?” by asserting that our collective information security experience, good practice standards and security certifications have afforded us the ability to opine on which controls are necessary to operate in a secure state.
Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA, a member of the CRISC Certification Working Group and coauthor of Measuring and Managing Information Risk. He is a 2016 inductee into the Cybersecurity Canon and an IAPP Fellow of Information Privacy.
Secure Mobile Device Usage
While mobile devices have provided enterprises with an effective communication method for both corporate and personal uses, they have also become a source of risk. Any enterprise leveraging mobile devices should consider several security controls when deploying them. To assist enterprises with this task, ISACA is presenting the “Top Ten Mobile Security Considerations” webinar. This webinar will take place at 11AM CST (UTC -6 hours) on 9 March. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
Tara Kissoon, CISA, CISSP, managing director, head of ITRM, CSA, GITRM at BMO Financial Group, will lead this webinar. In it, she will provide an overview of the mobile landscape that focuses on understanding current mobile threats. She will identify areas of risk exposure and provide a recommended risk mitigation strategy.
To register for this webinar or to learn more about it, visit the Top Ten Mobile Security Considerations page of the ISACA website.
The State of Cyber Security
ISACA surveyed security leaders around the world to gather their insights and experiences with various cyber security issues. Workforce challenges and the emerging threat landscape were among the most commonly perceived concerns. To help security professionals understand upcoming cyber security challenges and how to address them, ISACA compiled the survey findings in the State of Cyber Security 2017—Part 1: Current Trends in Workforce Development white paper.
Part 1 of this white paper outlines how the cyber security skills gap affects organizations. The white paper explains how the quality and quantity of qualified professionals affect organizations. It also outlines the qualities cyber security candidates should have and the challenges associated with filling cyber security roles.
To download this complimentary white paper, visit the State of Cyber Security 2017 page of the ISACA website.
Trends and Challenges in IT Audit
Cyber security, the role of IT audit and skills gaps were among the top challenges experienced by survey respondents in the ISACA and Protiviti IT Audit Benchmarking Survey. Additional findings from the survey will be presented at the Protiviti webinar, “Today’s Top Technology and the Relationship to the Audit Plan.”
The report, A Global Look at IT Audit Best Practices, contains an in-depth look at the survey responses. The survey results indicate that, compared to previous years, IT audit leaders are more involved with technology initiatives in their enterprises. However, the survey also indicates that many audit functions have little or no involvement in significant technology projects in the organization. Many auditors who are involved focus on postimplementation efforts rather than planning, design or testing. The report outlines some of the concerns associated with this lack of involvement and provides IT audit leaders with guidance on making their function more strategic and involved.
To download this report, visit the A Global Look at IT Audit Best Practices page of the ISACA website. To register for the webinar, visit Today’s Top Technology and the Relationship to the Audit Plan.
Adopting Commercial Drone Technology
While the commercial use of drone technology has increased in recent years, organizations considering adopting this technology must consider many factors.
ISACA’s recently released Rise of the Drones white paper outlines the uses of drone technology and the critical questions to be considered before using it.
The commercial use of drones is fairly new, and the regulatory environment has had to keep pace with this technology. The white paper outlines some aviation regulations and how they impact an enterprise’s use of drone technology. ISACA also has a checklist to help an enterprise determine if it is prepared to launch a small unmanned aircraft system program.
To download this white paper and checklist, visit the Rise of the Drones page of the ISACA website.