@ISACA Volume 7, 3 April 2019

David Samuelson Takes Reins as ISACA’s New CEO


David Samuelson became ISACA’s new chief executive officer on Monday, 1 April, bringing an extensive, successful leadership track record in learning products and services, technology innovation, and business strategy and execution to the position.

Samuelson joins ISACA following executive leadership roles as founder and chief executive officer (CEO) of Pinpoint Learning, executive vice president and general manager at Capstone Publishers, and more than 15 years in executive roles at Pearson plc. In recent months, Samuelson served as CEO of GreaterGood.com and on the board of its nonprofit partner, GreaterGood.org.

Samuelson expressed a commitment to help ISACA evolve its modern learning and career advancement capabilities, spurring the organization to reach new levels of service and leadership as ISACA looks to the future while simultaneously celebrating its 50th anniversary year in 2019.

“David Samuelson is the ideal leader for ISACA as we continue to grow and expand globally,” said ISACA Board Chair Rob Clyde, CISM. “His far-reaching experience in learning and technology innovations and his latest nonprofit executive leadership role will be tremendous assets, inspiring the entire organization as we advance the positive potential of business technology worldwide.”

Samuelson plans to initially focus on increasing member value through modern learning and certification delivery worldwide; emphasizing relevant professional learning community opportunities through conferences and chapters; and underscoring the world-class enterprise solutions ISACA offers organizations.

“I am honored to embrace the expansive opportunities for growth, creative solutions and innovation to better serve the ISACA community,” said Samuelson. “I intend to bring a new level of energy, urgency and executional focus to the important services we provide to our members around the world. I am committed to working closely with our members, volunteers, and professional staff to accelerate our mission of advancing global business leaders in technology, information and cybersecurity, governance, and risk.”

For more on Samuelson’s appointment, read the full press release on the ISACA website.


Five Key Considerations When Evaluating Cyberinsurance


Cyberinsurance can be a valuable tool and risk management capability in any small, medium or large organization’s tool box if properly understood and leveraged. It is even more crucial today, when many organizations face the reality that cybersecurity incidents are a “when they occur” rather than an “if they occur” risk. Cyberinsurance can help organizations recover or reduce the significant financial costs that are often associated with cybersecurity incident response and recovery efforts. At the same time, it is important for organizations to understand that the cyberinsurance industry and its products are still in their relative infancy and are changing regularly. The insurance industry is constantly developing and maturing its actuarial tables, financial models, conditions of coverage, and adjuster and payout concepts and capabilities to ensure that it can properly manage risk within its own business operations and remain profitable. This uncertainty means that organizations evaluating or adopting cyberinsurance also need to be conscious of these changes and understand how they affect the effectiveness and intended benefits of the policies they purchase.

Information security professionals should understand the benefits, challenges and costs associated with the purchase and use of cyberinsurance policies so they can incorporate those policies into their information risk management and security strategies and programs. In some organizations, business leaders have become fatigued with cybersecurity and feel as though cyberinsurance allows them to reduce their focus and investments in cybersecurity. This is a disconcerting situation that security professionals need to address proactively, so that they can clearly articulate the use cases, benefits and limitations of cyberinsurance to business leaders. There are 5 key areas an organization should consider when evaluating the adoption of a cyberinsurance policy:

  1. Identify objectives and expected benefits of cyberinsurance—The objective and benefit most often cited by organizations when they acquire cyberinsurance is to mitigate the significant costs typically associated with incident response activities following material cybersecurity-related incidents (e.g., data breach, ransomware, insider threat). While this benefit is obvious, there are others that may also be strategically beneficial to the acquiring organization. For instance, the adoption of cyberinsurance as part of an overall risk management strategy can demonstrate to customers, auditors, regulators and/or partners a commitment to and understanding of cybersecurity threats, vulnerabilities and risk, and of the need to manage them effectively.
  2. Evaluate the conditions of coverage—Cyberinsurance premiums are often established based on the types and amount of data an organization handles (e.g., personally identifiable information [PII], personal health information [PHI], intellectual property) and the industries, geographies and environments in which it acquires, processes, transmits and stores this information, along with financial considerations of the organizations it services. Cyberinsurance providers have developed their own risk assessment methods and practices that establish control requirements to obtain reasonable premiums for coverage and, in some cases, will not provide any coverage without significant controls being in place. Some organizations believe that they can reduce their investments in security capabilities and controls and are often surprised when cyberinsurance carriers require more investment to obtain coverage.
    It is important for organizations to negotiate the conditions for coverage prior to purchasing a policy, or at least have a clear understanding of the conditions that must exist to be eligible to have a claim paid. For instance, many cyberinsurance policies require that sensitive information that an organization is a custodian of be encrypted at rest and in transit. Policies may also require an extensive set of cybersecurity controls to be implemented and operating at the time of the incident that is associated with a claim. In some cases, the costs to implement and operate the required controls may outweigh the risk management benefits of the policy itself.
  3. Ensure key coverage areas are considered in the policy—To manage their own risk, insurers will often act in their own best interests when offering cyberinsurance policies. Unfortunately, this can be detrimental to the organization purchasing the policy. When reviewing and negotiating policy terms, the following should be carefully considered:
    • Full prior acts coverage, which ensures coverage is not limited to the policy effective date. In many cases, security vulnerabilities and associated exploitations and incidents may have existed before the policy was implemented.
    • Remove any language that tries to warrant that security is maintained to the same level as represented in the underwriting submission for the establishment of the initial policy.
    • Ensure legal counsel is agreed upon in the policy and can be changed by the insured organization without restriction during the term of the policy.
    • Ensure that the organization is not restricted in its selection or use of incident response, forensics or advisory consulting vendors as part of the policy.
    • Eliminate any war or terrorism clauses. Many insurance policies exclude coverage for acts of war such as invasion, insurrection, revolution, military coup and terrorism. With the emergence and growth of nation-state adversaries and international terrorism, this clause should be eliminated from any insurance contract.
  4. Ensure coverage areas and amounts are properly sized—There are numerous coverage areas that can be included in a cyberinsurance policy, and they often carry different limits for individual claims and for aggregate claims during the life of the policy. In the case of data disclosure situations, the full costs of incident response, disclosure, consumer data monitoring and litigation can vary greatly (e.g., estimates range from a minimum of US $2 per record up to US $150 per record in many cases). It is important for an organization to understand the total number of records it believes would be at risk of disclosure and the potential costs for the type of data affected. The organization can then calculate the amount of coverage it will require for this type of situation relative to its risk appetite.
  5. Ensure an understanding of covered losses—Most cyberinsurance policies identify 2 categories of coverage: first-party losses and third-party losses. First-party losses refer to the direct losses that the organization incurred due to a cyber-related security incident. Third-party losses refer to the costs imposed on related third parties such as partners, vendors or customers as a result of the security incident.
    In recent times, many organizations have been affected by third-party-originated cybersecurity-related incidents that were outside their direct control to manage or remediate. These incidents still caused material damage to their business operations and activities, which required them to incur significant costs. Many cybersecurity insurance policies offer comprehensive first-party coverage, but limited third-party coverage. Organizations that rely heavily on third-party partners and vendors, and whose systems and data regularly interact with them, should consider this as they apply for and maintain coverage levels for their cyberinsurance policies.
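The sizing exercise described in item 4, and the per-claim versus aggregate limits it mentions, are easy to get wrong on a spreadsheet, so here is a small worked model as an added example (it is not part of the ISACA article and not an insurer's formula). It assumes a hypothetical policy with a per-claim limit, an annual aggregate limit and a retention (deductible), and uses the article's US $2 to US $150 per-record range as constructed bounds; all record counts and limits are constructed sample values.

```python
"""Cyberinsurance coverage sizing model (added example, not from the ISACA article).

Assumptions (hypothetical, for illustration only):
- Disclosure cost is estimated as records_at_risk x cost_per_record, bounded by a
  low and a high per-record figure (the article cites US $2 to US $150).
- A policy pays, per claim, the loss above the retention, capped by the per-claim
  limit and by whatever remains of the annual aggregate limit.
- "Risk appetite" is expressed as the largest uninsured loss the organization is
  willing to absorb in a single incident.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DataClass:
    """One category of regulated data the organization is custodian of."""
    name: str
    records_at_risk: int
    low_cost_per_record: float   # e.g. US $2 per record (article's lower bound)
    high_cost_per_record: float  # e.g. US $150 per record (article's upper bound)


@dataclass
class Policy:
    """Hypothetical policy terms; real policies add many more conditions."""
    per_claim_limit: float
    aggregate_limit: float
    retention: float


def estimate_disclosure_cost(classes: List[DataClass]) -> Tuple[float, float]:
    """Return (low, high) total disclosure cost across all data classes."""
    low = sum(c.records_at_risk * c.low_cost_per_record for c in classes)
    high = sum(c.records_at_risk * c.high_cost_per_record for c in classes)
    return low, high


def payout_for_claim(loss: float, policy: Policy, aggregate_remaining: float) -> float:
    """Amount the policy pays for one claim; the retention is always borne by the insured."""
    covered = max(0.0, loss - policy.retention)
    return min(covered, policy.per_claim_limit, aggregate_remaining)


def simulate_claims(losses: List[float], policy: Policy) -> Tuple[List[float], List[float], float]:
    """Apply several claims in one policy year.

    Returns (paid per claim, uninsured gap per claim, aggregate remaining).
    Later claims can be paid nothing once the aggregate limit is exhausted, even
    when each individual loss is below the per-claim limit.
    """
    remaining = policy.aggregate_limit
    paid, gaps = [], []
    for loss in losses:
        p = payout_for_claim(loss, policy, remaining)
        remaining -= p
        paid.append(p)
        gaps.append(loss - p)
    return paid, gaps, remaining


def within_risk_appetite(loss: float, policy: Policy, max_uninsured_loss: float) -> bool:
    """True if the uninsured portion of a single, first claim stays within appetite."""
    gap = loss - payout_for_claim(loss, policy, policy.aggregate_limit)
    return gap <= max_uninsured_loss


if __name__ == "__main__":
    # Constructed scenario: 200,000 PII records, costed at the article's bounds.
    classes = [DataClass("PII", 200_000, 2.0, 150.0)]
    low, high = estimate_disclosure_cost(classes)
    policy = Policy(per_claim_limit=5_000_000.0, aggregate_limit=10_000_000.0, retention=100_000.0)
    print(f"Estimated disclosure cost: US ${low:,.0f} to US ${high:,.0f}")
    for label, loss in (("low", low), ("high", high)):
        ok = within_risk_appetite(loss, policy, max_uninsured_loss=1_000_000.0)
        print(f"{label} case within US $1M appetite: {ok}")
    # Three mid-sized claims in one year show the aggregate limit running out.
    print(simulate_claims([6_000_000.0] * 3, policy))
```

Running the scenario shows the point the article makes: at the upper per-record estimate the per-claim limit leaves a large uninsured gap, and a series of smaller claims can exhaust the aggregate limit so that a later incident in the same policy year receives nothing.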

Cyberinsurance can be a beneficial and useful risk management tool for organizations of any size and industry if properly understood and leveraged. Like any other tool, cyberinsurance has strengths, weaknesses and limitations. It is important for organizations to be informed about and understand all of these as they consider adopting cyberinsurance, to ensure that policies meet their expectations and requirements. Organizations need to remember and embrace the fact that having comprehensive cyberinsurance does not replace their need to invest in and maintain comprehensive information risk management and security programs and capabilities. Instead, cyberinsurance should be considered complementary and supportive of these programs.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Securing Your Enterprise’s Digital Records


Source: Photographer is my life; Getty Images

Digital records are the way of the future. Organizations must adapt to this change in information storage and distribution by implementing the proper cybersecurity governance measures. Operations data, personal information, criminal records and more must all be protected from risk.

To help you learn how organizations can leverage and manage secure router solutions while transferring and storing data digitally or utilizing the cloud, ISACA and Cradlepoint present the “Secure Mobile, Wired & Wireless Networking in the Public Sector” webinar. It will cover what those who are affected by US Criminal Justice Information Services Division (CJIS) Security Policy guidelines can do to ensure compliance. This webinar takes place on 9 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Todd Kelly, CISSP, is chief security officer at Cradlepoint and is a seasoned network architect and cybersecurity specialist with more than 20 years of experience with enterprise and mobile network operator IP networks. He is known for helping, educating and supporting wireless carriers and enterprises as they build secure, next-generation networks. Kelly will use his experience educating others about how to build secure networks to ensure compliance with CJIS Security Policy guidelines.

To learn more about this webinar or to register for it, visit the Secure Mobile, Wired & Wireless Networking in the Public Sector page of the ISACA website.


Negotiate Your Next Job Offer


When approaching your next job interview, know your market value and how to advocate for it. Coming up with a strategy to negotiate and being able to read the room while you are making your own deal are invaluable skills.

To help you realize your worth and solidify your negotiation strategy, ISACA and the ISACA Tallahassee (Florida, USA) Chapter present the “Closing the Gap: Negotiating Your Next Raise or Job Offer—Part 1” and “Closing the Gap: Negotiating Your Next Raise or Job Offer—Part 2” webinars. The first part of this webinar takes place on 10 April at 11AM CDT (UTC -5 hours), and the second part takes place on 18 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour per webinar by attending and completing a related survey.

Olivia Jaras, who will lead this webinar, is chief executive officer (CEO) and founder of Salary Coaching for Women and is an internationally recognized expert on the gender wage gap and salary negotiations for women, as well as the bestselling author of the book Know Your Worth, Get Your Worth: Salary Negotiation for Women. She is also considered one of the top salary negotiation experts in the United States. Jaras will use her experience coaching women to show you how to recognize your own worth and achieve the level of salary and career you deserve.

To learn more about these webinars or to register for them, visit the Closing the Gap: Negotiating Your Next Raise or Job Offer—Part 1 and Closing the Gap: Negotiating Your Next Raise or Job Offer—Part 2 pages of the ISACA website.


Report of the Nominating Committee

By Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Nominating Committee Chair

The charge of the ISACA Nominating Committee, as described in section 4.5(c) of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors, consisting of a board chair, vice-chair, directors and past board chairs. According to section 4.5(c), that slate is presented to the current board for approval during its regularly scheduled meeting immediately preceding the Annual General Meeting. Said process was followed, and the 2019-20 board slate was presented and approved by the ISACA Board of Directors on 1 April 2019.

The Nominating Committee is chaired by a past chair of ISACA, and its members include 2 additional past chairs and 4 other members with significant ISACA experience and diverse geographic representation.

The committee has an obligation to prepare the best possible slate of individuals who will work together as a team to lead the association. Its evaluation of candidates considers their intent to reflect the organization’s diversity in terms of attributes, skills, expertise, experience and geography, while also balancing continuity and new viewpoints.

The selection process is managed with attention to detail. Deadlines are strictly adhered to, nominations are treated with unbiased consideration, candidates are interviewed and strict confidentiality is maintained throughout the process. The Governance Committee (GC) provides oversight to the committee’s processes and the committee reports to the Board of Directors and the membership of ISACA.

As chair of the Nominating Committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2018-19 Nominating Committee Members:

  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Australia (chair)
  • Chris Dimitriadis, CISA, CRISC, CISM, Ph.D., Greece (vice-chair)
  • Ken Vander Wal, CISA, North America
  • Lilia Liu, CRISC, Panama
  • Tony Noble, CISA, Australia
  • Marc Vael, CISA, CRISC, CISM, CGEIT, Belgium
  • Marianne Azer, Ph.D., Egypt

The 2018-19 Nominating Committee is pleased to present the slate for the 2019-20 ISACA Board of Directors approved by the 2018-19 Board of Directors; the 2019-20 ISACA Board of Directors will be installed at the Annual General Meeting on 13 June 2019.


Slate of 2019-20 Board of Directors


ISACA will hold its Annual General Meeting (AGM) on 13 June 2019 in Seattle, Washington, USA, where it will install the 2019-20 Board of Directors. In accordance with the association’s bylaws, the Nominating Committee submitted and the board of directors approved the following slate for the 2019-20 Board of Directors:

  • Brennan P. Baybeck, CISA, CRISC, CISM, CISSP, chair; vice president of Global IT Risk Management for Oracle Corp.
  • Rolf von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, vice chair; partner and CEO, Forfa Consulting AG
  • Tracey Dedrick, director; senior executive experienced in risk, compliance, treasury and investor relations
  • Pam Nigro, CISA, CRISC, CGEIT, CRMA, director; senior director, information security/GRC, Health Care Service Corp. (BlueCross BlueShield of Illinois)
  • R.V. Raghu, CISA, CRISC, director; director of Versatilist Consulting India Pvt. Ltd.
  • Henry Stoever, NACD Board Leadership Fellow, director; chief marketing officer, National Association of Corporate Directors
  • Greg Touhill, CISM, CISSP, Brigadier General (ret), director; president of Cyxtera Federal Group, Cyxtera Technologies
  • Asaf Weisberg, CISA, CRISC, CISM, CGEIT, director; founder and CEO, introSight
  • Tichaona Zororo, CISA, CISM, CGEIT, CRISC, COBIT 5 Certified Assessor, CIA, CRMA, director; IT Advisory Executive with EGIT | Enterprise Governance of IT (Pty) Ltd.
  • Chris Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director, board chair (2015-17); group director of information security for INTRALOT
  • Rob Clyde, CISM, NACD Board Leadership Fellow, director, board chair (2018-19); executive chair of the Board of Directors, White Cloud Security; independent board director, Titus.

Also joining the Board is David Samuelson, who was named ISACA chief executive officer (CEO) following a global executive search. Samuelson, who took on his new role as CEO and board director on Monday, 1 April, was not part of the Nominating Committee’s annual process.

In comments on the 2019-20 Board slate, Baybeck, current board vice chair, and Samuelson noted ISACA’s progress in attracting board candidates who are increasingly diverse in their expertise, experience and executive roles, yet noted opportunities for the future.

“As ISACA has grown globally and increased the scope of its professional community across more IT functions and enterprise business roles, our board directors must represent that breadth and diversity, in gender, language, career path, and professional experience,” Samuelson said.

“ISACA is fortunate to have such strong board talent, and passionate, committed volunteers,” said Baybeck. “Yet, together, we acknowledge the need for change. We actively will take up the opportunity to attract more diversity and balance to our volunteer base and to our board leadership worldwide.”

The Annual General Meeting agenda will cover ISACA’s 2018 Annual Report, the treasurer’s report, the approval of the annual auditor and the installation of the 2019-20 board slate.

All ISACA members are invited to attend the Annual General Meeting of the Membership (AGM). If you are interested in attending, send your name and member number to agm@isaca.org so that ISACA can ensure adequate seating is provided in the meeting space. Note that travel expenses to/from the AGM are the responsibility of the individual; ISACA does not cover or reimburse travel expenses for members attending the AGM.


Auditing GDPR for Small and Medium Enterprises


Source: Drazen_; Getty Images

Enterprises of all sizes that handle European Union (EU) citizens’ data must comply with the EU General Data Protection Regulation (GDPR). Even small and medium enterprises should perform annual compliance audits to ensure GDPR-related compliance controls are operating effectively. The audit should assess the enterprise’s policies and procedures for managing and protecting personal data and include a review of the tools and technology used to input, process, transmit and store information regulated by the GDPR. To help small and medium enterprises test the proper controls and control attributes surrounding their GDPR implementation, ISACA has released the GDPR Audit Program for Small and Medium Enterprises. It includes guidance on how to:

  • Provide management with an assessment of GDPR policies and procedures and their operating effectiveness
  • Identify control weaknesses that could result in increased use of unsanctioned GDPR solutions (and higher likelihood that the solutions are not detected)
  • Evaluate the effectiveness of the organization’s practices and ongoing management of GDPR

Conducting a formal assessment of the small and medium enterprise’s GDPR implementation and compliance allows auditors to provide management with an evaluation of how effectively GDPR is being governed, monitored and managed.

To download this audit program, visit the GDPR Audit Program for Small and Medium Enterprises page of the ISACA website.


Study and Register for the Updated CISA Exam Now


The Certified Information Systems Auditor (CISA) job practice has been updated to ensure that the exam and the related review materials reflect the most current industry trends impacting IT audit and related professional disciplines. The updates are based on global input from industry experts identifying the most relevant knowledge and experience needed in the profession. ISACA periodically updates the job practices for its CISA, Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Manager (CISM) and Certified in Governance of Enterprise IT (CGEIT) certification exams to ensure relevance.

Beginning in June 2019, CISA exams administered will reflect the updated content. The existing job practice will be tested through the May 2019 testing window. Also beginning in June 2019, ISACA will launch continuous test administration for the CISA, CRISC, CISM and CGEIT exams, which gives each registrant a rolling 365-day eligibility for testing, starting from the date of registration.

New study materials for the updated CISA exam are available on the IT Certifications Training page of the ISACA website. The CISA Review Manual, 27th Edition, CISA Review Questions, Answers and Explanations Manual, 12th Edition, and the CISA Review Questions, Answers and Explanations Database have been revised and updated to reflect the 2019 CISA Job Practice. These resources are the best to use when preparing for the updated CISA exam.

Registration for the updated CISA exam, refreshed with the new 2019 CISA Job Practice, is now available on the Exam Registration page of the ISACA website. For more information on the 2019 CISA exam update, visit ISACA’s Customer Support Center website.


Listen to How You Can Start Building Your Career Network Early With ISACA


Source: Don Farrall; Getty Images

In a recent 50th anniversary series episode of the ISACA Podcast, Mais Barouqa, CISA, CRISC, CGEIT, COBIT 5 Foundation, GRCP, ISO/IEC 27001:2013 LA, ITIL, discusses how ISACA credentialing and volunteer opportunities have helped her grow as a young professional. Her story is an example of how those new in the workforce can utilize ISACA’s resources to accelerate their career paths and expand their networks early on.

To learn more about this podcast, visit the ISACA Podcast page of the ISACA website, and you can subscribe to the ISACA Podcast on iTunes, Google Play and SoundCloud. The ISACA Podcast highlights cybersecurity trends, women in technology, ISACA Journal articles and white papers, the ISACA 50th anniversary, and more. You can also learn more about ISACA’s 50th anniversary by visiting the ISACA 50th Anniversary website.


Applying Marketing Techniques to Raise Security Awareness


Security awareness and training are key to both the enterprise’s and its employees’ responses to security threats. Training employees on the proper response can help prevent security incidents. In an age where more regulatory compliance is required, this becomes even more crucial, and most organizations could run their security awareness programs more smoothly and systematically. One can look to the marketing techniques used to gauge brand awareness and interactions with potential customers and apply them to enterprise security awareness plans to get better engagement from end users and more reliably achieve the results intended from security awareness campaigns.

To learn to apply these marketing techniques to systematically build and launch more effective security awareness efforts, ISACA and InfoSec have developed the Improving Security Awareness Using Marketing Techniques white paper. This white paper demonstrates how to integrate those security efforts into your enterprise's broader security program.

To learn more, download this complimentary ISACA white paper from the Improving Security Awareness Using Marketing Techniques page of the ISACA website.