The cyberworkforce gap is well documented. When we look at it from a macro level, it seems straightforward. Studies show between 1 million and 3 million job openings over the next few years, unfilled due to a lack of talent. As schools pump out new cyber grads and push them into the workforce, our prayers are answered, right?
When we look closer at the problem, we see how woefully inadequate the macro view really is. The uncomfortable truth is this: We cannot close that gap by throwing bodies at it. The speed of change in the cyberarena means that new skill gaps are created daily, even on established cyberteams. In other words, every day our teams are not learning and applying new skills, they are a little less prepared for what may come at them.
This perspective shifts the arms race from buying the most talented cyberstaff to creating programs and cultures that foster development, teamwork, and a focus on continuous and persistent learning.
Success in such an environment requires a level of discipline many organizations are not used to. But something must change if we, as an industry, want to overcome the challenges in front of us. Here are just a few of the key strategies to prepare a cyberteam to be mission-ready at all times:
- Today’s tech workers are looking for growth opportunities, but this does not always mean moving into management. Mapping roles within the team and the skills and capabilities required from each position give a clear picture of what individuals need to develop to get ahead, both technically and professionally.
- With knowledge, skills and abilities defined, arm your teams with consistent development opportunities so the staff have adequate training to achieve peak performance. The training must be highly relevant to both the organizational environment and to the threats facing the organization.
- Put the skills to the test with cyberchallenges that push the limits of what the team can do. It is better to challenge cyberteams to respond to threats simulated on your own terms than to expect them to fend off a real attack without firsthand experience.
- Recruit for those who have a lifetime love of learning, a passion for the industry and belief in what they are defending. The technical skills can be learned and honed, but passion cannot be taught.
Discipline around workforce development can be daunting, but those that embrace the culture of learning and growth will outperform in recruiting, retention, and ultimately performance against the threats to come.
Read Philip Casesa’s recent Journal article:
“Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” ISACA Journal, volume 6, 2018.
Healthcare has many parallels with information security since both are based on prevention, monitoring, diagnosis and correction to avoid negative results. If medical success, however, were measured only by prevention of death, doctors would be the worst professionals in the world. After all, we are all going to die one day.
Moreover, if we take that same rationale for information security and measure its success or failure only through incident prevention, we will see some successes, but, eventually, there may be failures, perhaps catastrophic. Does this sound familiar?
Instead of waiting for these extreme results, we must track indicators (or risk factors) that can positively affect our situation. As in healthcare, there are risk factors beyond our control, such as gender, age and family history, and behavioral factors that can have a significant impact on our health, including diet, physical activity level and use of tobacco products.
Some decisions about which risk factors to address have already been made in your organization—if not scientifically, at least through common sense. The decisions to implement any defensive technology such as firewalls, antivirus software or web filtering were made based on the risk factors inherent to your business—in most cases, to act on something that you cannot control (threats).
So, what should you measure to improve the health of your information security? Although the evidence may not be as conclusive as in the case of healthcare, there are many good sources of good practice provided by ISACA® and groups such as SANS, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The most important thing is to pay special attention to the factors you can control: the processes in place and, in particular, the management of the technologies you have already implemented.
To continue the analogy with healthcare, this can be compared to physical exercise and heart disease: It may not be easy to get off the couch, but the risk of not doing so is high and the benefits are proven. However, measuring these indicators alone will not protect you. We need to cultivate good behaviors—in other words, choosing to "get off the couch" and apply good security management practices (factors that you can control) will have a dramatic effect on your organization and your health as well.
Read Julio Pontes’ recent Journal article:
“Automation, Governance and Security in a Software-Defined World,” ISACA® Journal, volume 6, 2019.
The amount of data accumulated by 2020 worldwide is predicted to exceed 44 zettabytes (or 44 trillion gigabytes), and the data growth rate is about 1.7 megabytes per second for every human being. To manage and understand it, artificial intelligence (AI) was developed, and its use has been increasing at a rapid rate. We see this in the products that are coming to market.
This new technology is affecting us in many ways:
- How we live (e.g., digital home assistants such as Apple’s Siri and Amazon’s Alexa)
- How information is obtained (e.g., sensors, chatbots, automated data searching)
- How we communicate (e.g., language translation)
- How we react to security and privacy attacks (e.g., network anomaly detection, fraud detection)
- How we get around (e.g., driverless vehicles)
- How we detect and prevent crimes
In my recent Journal article, we look at where the data come from (e.g., sensors, data files, audio and video information), how AI is used, the software technology behind it (e.g., machine learning, virtual agents), the areas of knowledge needed to apply it (e.g., mathematics, computer science principles and techniques, software programming, analytical skills) and where we can get the training (e.g., online, college, universities). Once we have this understanding, we review the current job market, the AI position descriptions (e.g., business intelligence developer, software engineer, data scientist, solution architect) and associated salaries.
The intent of this article is to enlighten the reader about personal AI skills and requirements and additionally to provide guidance on how to go forward with this knowledge if you are interested in becoming someone who molds our future. From the information I have gathered, it has become clear that AI technology can be a benefit to auditors (e.g., when finding internal instances of fraud), aid information security in detecting and responding to cyberattacks, and help privacy professionals look for data breaches.
I encourage you to read the article and share any insights and knowledge you may have on AI as a career path.
Read Larry Wlosinski’s recent Journal article:
“Is Artificial Intelligence a Career Path for You?,” ISACA Journal, volume 6, 2018.
At a time when IT-driven “business transformation” is the order of the day, ensuring that IT security is not in conflict with the business is a very critical concern. Instead, IT should enable the business in realizing value without compromising the expected level of security. This is of paramount importance. Any compromise in IT security citing operational efficiency could result in legal implications for the business, including damage to the enterprise’s reputation, revenues and profits, and even imprisonment.
One area to look at very closely is special access (also called privileged access) that a few identified IT operations stakeholders have in making sure required IT systems are operated seamlessly, enabling the business to realize its intended value. It is critical for management to have confidence that whoever has special access carries out the activities in line with the expected intent in a transparent manner.
Management can have trust in privileged access policies if:
- Only intended people have privileged access
- Special access is used in accordance with the expectations of the enterprise
But again, in the name of ensuring assurance, IT should not impede business efficiency; rather, applying common sense and avoiding rigid approaches to privileged access benefits IT and, thereby, the organization holistically.
My recent Journal article touches upon a few best practices I have explored and successfully implemented in my work, helping my organization realize greater value.
Read Sundaresan Ramaseshan’s recent Journal article:
“Effective Interactive Privileged Access Review,” ISACA Journal, volume 5, 2018.
Cyberincidents involving ransomware are a common occurrence lately. Hardly a week goes by without hearing about an incident in the news. Some involve an organization paying a ransom to get access to files, and others involve enterprises deciding not to pay and dealing with sometimes costly and protracted recovery processes. Paying a ransom, as tempting as it might be to regain access to files, creates a societal negative externality.
Negative externality is a term used by economists to describe a condition in which a third party suffers a cost as a result of a transaction. One common example is a factory dumping toxic waste into a river: A third party, people who live downstream from the river, are harmed from the economic exchange between factory owners and those who buy the goods the factory produces. A technology example, and the primary focus of my ISACA Journal article, titled “The Downstream Effects of Cyberextortion,” is paying ransomware. There are 2 parties in the transaction—the cybercriminal and the victim, and every time a victim pays a ransomware demand, cybercriminals are emboldened, enriched and encouraged. Paying the ransom creates more future victims, therefore creating a negative externality.
Common advice is often “Never pay!” This might be good guidance if one wishes to improve the overall computer security ecosystem, but is this good advice for the small community hospital that does not have good backups and where lives may be at stake? This is the question—and decision—that I analyze in the article. Thinking about this problem as a series of decisions helps frame the problem, identify risk and identify opportunities in which cybersecurity professionals can disrupt or influence the decision. If one is faced with this kind of problem, the decision flow can be broken down into these 3 high-level steps:
- Restore from system backups; if backups do not exist, follow step 2.
- Obtain assistance to decrypt the files without paying the ransom (e.g., security consulting firm, the No More Ransomware Project); if unsuccessful, follow step 3.
- Decide whether to pay the ransom or deal with data loss.
I also briefly touch on the nudge theory. Nudge theory has been explored in the field of behavioral economics and describes ways that actors can be nudged into good decisions without government interference, coercion, etc. I believe the nudge theory can be very effective in helping solve the ransomware problem. Some possibilities are:
- Helping smaller firms with preventative measures, such as patching and other security basics
- Pro bono or low-cost response assistance: negotiating with cybercriminals, forensics, data restoration
- Encouraging projects that develop decrypter kits such as the No More Ransomware Project. It might be worthwhile to set up a bug bounty pool, funded by corporate donations, that pays independent security researchers to develop countermeasures to ransomware strains.
Let us continue the discussion in the comments section. Do you find this type of decision analysis useful? Can it help solve common cybersecurity problems? How would you nudge people to make better decisions?
Read Tony Martin-Vegue’s recent Journal article:
“The Downstream Effects of Cyberextortion,” ISACA Journal, volume 4, 2018.
With so many compromises leading to data breaches, one common concern is even after so much investment going into technology, people and processes, why are breaches occurring? Are we “barking up the wrong tree”?
Perhaps, yes. Today there is a different challenge that security professionals are faced with: where to focus and what to protect. The traditional approach of protecting everything is failing; focus and effort should be on critical assets.
Knowing what to protect is extremely relevant for deciding the level of security protection required. The asset could either be raw data or processed information along with the ecosystem (e.g., operating system, application, web, data or application programming interface [API]). Lack of visibility to this key and critical piece of information leads to:
- Excess security focus on irrelevant assets
- Deficient security focus on critical assets
- No security focus on critical assets
Is there a well-designed and sustainable approach to identify and protect assets based on their criticality and risk exposure?
The solution is to analyze the end-to-end (creation, storage, transmission, access and archival/destruction) data flow and, once that activity is completed, create a detailed blueprint of the data life cycle, including information on:
- Gateways (entry and exit)
- User roles and access rights
- Upstream and downstream information flow
- Upstream and downstream interface protocols
- Internal and external connectivity
- System and platform
- Implemented security controls
- Storage location and type (transient or permanent)
The previously mentioned information will help in aligning the required focus and effort for designing, implementing and monitoring security measures. This approach can easily be adopted for blueprinting all existing data/information assets. Having a data life cycle blueprint will be beneficial for:
- Providing a clear visibility on data assets for faster design decisions and having a clear overview of all impacted components
- Providing a quick overview of controls to be added due to a changing threat environment, regulation or incident
- Enabling investigators with required information at a glance during an incident
- Providing field-level information along building blocks
Read Sridhar Govardhan’s recent Journal article:
“Data Spill Lessons From the Oil Industry,” ISACA Journal, volume 4, 2018.
In the last few years, SWIFT has become a favorite target for hackers across the globe. The frequency of SWIFT-targeted cyberattacks is a good indicator of this. In most of these SWIFT-targeted attacks, the network perimeter was compromised before the core SWIFT platform was touched. It is therefore important first to ensure that we have a foolproof network perimeter built around the SWIFT infrastructure, with appropriate security solutions arranged in a defense-in-depth manner.
Data confidentiality in SWIFT can be achieved through the encryption of all payment-related data and having all links controlled by SWIFT using strong encryption algorithms. Access to SWIFT payment data should be protected by means of one-time passwords (OTP). Controls such as unique sequencing of all messages, dual storage, real-time acknowledgement to the user, and message authentication procedure between the sender and receiver also help ensure SWIFT data integrity by protecting from fraudulent modification of SWIFT data, which was the technique used by hackers in many recent SWIFT-targeted attacks. Availability of SWIFT infrastructure can be achieved using several measures, many of which are built into organizations in the form of continuity planning, duplication, and, in some cases, triplication of equipment, extensive recovery schemes and automatic rerouting of payments in the event of failure of some network nodes.
In addition to the confidentiality, integrity and availability-related controls mentioned previously, having controls, such as well-defined segregation of duties, logical access controls, control of paper output and timely validation of error reports, helps protect the SWIFT infrastructure across the Cyber Kill Chain.
An assurance that an optimum level of SWIFT security has been achieved needs to be provided by execution of well-defined internal and external audit programs on a periodic basis.
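Two of the integrity controls named above, unique sequencing of all messages and a message authentication procedure between sender and receiver, can be illustrated with a small receiver-side check. The following is an added example, not SWIFT's own mechanism or code from the article: it uses a hypothetical HMAC-SHA256 tag over a canonical message encoding plus a strictly increasing sequence number, with constructed sample messages and a constructed shared key.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example only; a real platform would obtain
# keys from its key-management service, never from a literal in source code.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical_bytes(msg: dict) -> bytes:
    """Serialize the message fields in a fixed order so that sender and
    receiver authenticate exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def tag_message(msg: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side (hypothetical scheme): HMAC-SHA256 over the canonical message."""
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()


class MessageVerifier:
    """Receiver side: rejects messages whose tag does not verify, rejects
    replays and duplicates, and holds messages that arrive out of sequence."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, msg: dict, tag: str) -> str:
        expected = tag_message(msg, self.key)
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected, tag):
            return "REJECT: authentication failed (content altered or forged)"
        seq = msg["seq"]
        if seq <= self.last_seq:
            return (f"REJECT: sequence {seq} not greater than last accepted "
                    f"{self.last_seq} (replay or duplicate)")
        if seq != self.last_seq + 1:
            # Do not advance last_seq: the gap may be a lost or injected message.
            return (f"HOLD: sequence gap, expected {self.last_seq + 1} got {seq} "
                    f"(possible missing or injected message)")
        self.last_seq = seq
        return "ACCEPT"


def run_demo() -> list:
    """Feed constructed payment instructions through the verifier and return
    the verdict for each, in order."""
    verifier = MessageVerifier()
    msg1 = {"seq": 1, "from": "BANKAAXX", "to": "BANKBBYY", "amount": "1000.00"}
    msg2 = {"seq": 2, "from": "BANKAAXX", "to": "BANKBBYY", "amount": "250.00"}
    tag1, tag2 = tag_message(msg1), tag_message(msg2)

    # Fraudulent modification after tagging: beneficiary and amount changed.
    tampered = dict(msg2, to="ATTACKER", amount="250000.00")

    results = [
        verifier.verify(msg1, tag1),       # genuine, in sequence
        verifier.verify(tampered, tag2),   # altered content, tag no longer verifies
        verifier.verify(msg2, tag2),       # genuine, in sequence
        verifier.verify(msg1, tag1),       # replay of an already accepted message
        verifier.verify({"seq": 4, "from": "BANKAAXX", "to": "BANKBBYY",
                         "amount": "10.00"},
                        tag_message({"seq": 4, "from": "BANKAAXX",
                                     "to": "BANKBBYY", "amount": "10.00"})),
    ]
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The sequence check only detects tampering once the tag check has passed, so the two controls are complementary rather than interchangeable.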
Read Vimal Mani’s recent Journal article:
“Securing the SWIFT Infrastructure Across the Cyber Kill Chain,” ISACA Journal, volume 4, 2018.
When faced with an obstacle, how do you take the first step? I have found it helps to follow the steps outlined in Lisa Avellan’s article “Five Simple Steps When You Don’t Know Where to Start”:
- Breathe and relax
- Prioritize
- Make the best decision
- Act immediately
- Evaluate
Today’s obstacles in business are typically around managing information security and the growing cyberthreats. As you are faced with security obstacles, these 5 steps can help:
- Breathe and relax—The scope and complexity of an assessment can seem stressful and overwhelming at first. Take a breath, relax and begin to tackle it step by step. You will find the actual process to be less agonizing than at first assumed.
- Prioritize—I recommend that you start by conducting an assessment. Assessing the risk and gaps in your information security structure will help you identify what type of information is stored, how it is transmitted and accessed, and determine what risk poses possible threats to the information. The risk assessment enables you to identify hazards and risk factors that could cause harm, analyze and evaluate these hazards, and determine the best course of action to mediate the harms and risk.
- Make the best decision for your organization—As I outline in my recent Journal article, every organization has different needs—some may need a complete overhaul, while others just need a tune-up. There are a number of different approaches to assessing the security needs of your organization. A risk assessment helps you to determine your security needs to mitigate risk. A gap analysis helps you to find the holes. A security audit is an extensive overview of an organization’s security systems and processes and helps you determine specific security needs.
- Act immediately—No need to panic! Since the assessment precedes your proactive security efforts, it is important that you first take inventory. An effective risk assessment is the foundation of an effective risk management program. Regular assessments are important to the success of any business and form the foundation of an effective IT risk management program. If you are looking to improve your security posture and boost your compliance, risk assessments and gap assessments are the key to continuous improvement and well-informed leadership decisions.
- Evaluate—Think of an assessment as a way to evaluate where you are. For example, a risk assessment is about gathering data, determining threats, analyzing risk factors and prioritizing to determine mitigation.
When it comes to managing information security, I would add a sixth step to Avellan’s list: breathe and repeat. Repeated assessments and tests allow for continuous, targeted improvements that allow for optimal risk mitigation over the long term.
Read Tyler Hardison’s recent Journal article:
“Building a Strong Security Posture Begins With Assessment,” ISACA Journal, volume 3, 2018.
While some cybersecurity teams may be anxious to get involved with master data management (MDM), there are prerequisites that we strongly recommend be in place prior to starting down the implementation path. Having a well-defined software development life cycle (SDLC) in place is important. Even more important is that adherence to the SDLC be institutionalized. Tied into this is the architecture review board, which should be reviewing all significant changes or new implementations of data, systems, technology, etc. These 2 processes should be addressed in the information security policy and, where applicable, the data governance policy.
With these building blocks in place, the following steps will get you started mapping a data protection plan that can be outlined in a governance standard document and referenced in your company’s information security policy and data governance policy:
- Step 1—Identify and document data owners for governance decisions. Ask the business to identify who can make decisions regarding data retention, data destruction, data classification, disaster recovery and business continuity planning.
- Step 2—Validate with the IT team their responsibilities for providing the hardware, operating systems, software patching, maintenance and systems support. Follow this by asking what disaster recovery plans are in place. If there is a discrepancy between disaster recovery needs and documented disaster recovery plans, bring the business and IT teams together to resolve and record the details. The same goes for any associated business continuity plans.
- Step 3—Develop a detailed document regarding the standards and procedures for access control, logging and monitoring, privileged access management, and compliance guidelines for backup data retention and any other relevant processes. It is an imperative that the cybersecurity team holds a seat on the architecture review board to ensure the identification of sensitive or protected data and to recommend the appropriate protection level.
- Step 4—With the appropriate cybersecurity training, authorize the MDM staff to act as cybersecurity deputies owning the guardianship of data sources, data access and data egress. The MDM team also needs to maintain the data map that documents MDM data storage and flows.
- Step 5—Institute quarterly meetings between the cybersecurity team and the MDM team to review the configurations of all related data tools ensuring access is appropriately assigned.
- Step 6—Of great importance, user access reviews should be instituted for all data flows. This is typically done by performing quarterly access reviews for the applications that interact with MDM. We suggest assigning this task to each application team. Then turn it over to the internal audit team for their review.
- Step 7—In organizations where data loss prevention (DLP) software can be funded, we recommend its implementation because it adds real-time, preventative control for keeping data secure.
In the process of implementing the previous list, the cybersecurity team should perform the governance role of defining the levels of security for each data type based on its classification (e.g., public, confidential and restricted).
Ensure that your classification names align with your company’s documented management terms and that they are congruent with the corporate document management definitions.
It is important to outline which data require encryption during transmission, which data require encryption at rest and which data requirements apply if the data are transmitted to a third party. Within this guidance, cybersecurity also sets the standards for compliance, which should include considerations for the Payment Card Industry Data Security Standard, the General Data Protection Regulation, personally identifiable information, the Health Insurance Portability and Accountability Act, etc.
Read Sonja Hammond and Chip Jarnagin’s recent Journal article:
“Cybersecurity vs. Master Data Management,” ISACA Journal, volume 3, 2018.
Privacy and security are issues society struggles with on a daily basis, both in our private lives and in our work. We all strive to be happy, and safety is an important but an uncertain factor in our lives. When I was younger, I worked in prison, where I felt safer than I do these days on the Internet. In prison, there was insight into the threat landscape and the measures you had to take when threats occur. It was clear and visible. You simply had to press a red button and a guard or fence was there to protect you. The Internet, on the other hand, is complex, invisible and difficult to handle. There is a sense of urgency to have information security in place, but often one has no idea how to do this.
It is no longer a question if, but when, an organization will fall victim to a cyberattack. It is against this background of increased opportunity for information security breaches and heightened awareness of the repercussions of such breaches that organizations are seeking to protect their information and minimize the risk of possible damage resulting from a breach.
We observe an increase in awareness that adequate business information security (BIS) is needed, but with the increasing complexity of information security, it is important to ask ourselves how we can apply BIS effectively. The aim of our Journal article is to establish a core set of critical success factors (CSFs) that organizations can take into account when establishing a security strategy or implementing an information security program. We certainly tried to provide fresh and new insights into the CSFs needed to implement an effective business information security strategy. One of these CSFs is to “never waste a good security incident” and use it to accelerate.
Read Yuri Bobbert and Talitha Papelard-Agteres’ recent Journal article:
“Never Waste a Good Information Security Incident: An Explorative Study into Critical Success Factors for the Improvement of Business Information Security,” ISACA Journal, volume 3, 2018.