Five Questions With... 

Download Article Article in Digital Form

Scott M. BaronScott Baron is director of digital risk and security governance for National Grid, where his team has global responsibility for information systems (IS) risk and compliance efforts. Prior to joining National Grid, Baron worked to pioneer the compliance and business continuity effort at Northwest Airlines, and in 2006, Northwest Airlines became one of the first legacy airlines to achieve and maintain Payment Card Industry (PCI) compliance. Baron also founded the professional services company iNETech, where he worked with customers to develop and implement best practices in networking and information security solutions.

Baron enjoys speaking about IT governance, risk and compliance (GRC) with anyone who will listen and has presented at several conferences. He is a member of ISACA’s 2011 ITGRC Conference Development Task Force.

When not working, Baron enjoys music, travel and relaxing with his family. He and his family are self-proclaimed Disney fanatics and have been to Disney World (Florida, USA) more than 10 times since 2006.


What do you see as the biggest risks being addressed by IT auditors and/or security professionals? How can businesses protect themselves?


Recent high-profile cases and global politics have triggered a number of new regulations. These new regulations pose a risk to the organization because they come with stricter penalties and are written with less guidance for interpretation. This means that, oftentimes, the requirements outlined in a regulation are interpreted in varying ways depending upon the reader. If the regulators have a different interpretation of the same requirement, it could result in additional work and/or fines. This makes compliance a costly, moving target.

Regulations are typically based on an industry standard and tailored for the specific vertical. Businesses should protect themselves by implementing a standards-based approach to IT, targeting people, processes and technology across the organization, and utilizing a risk-based methodology.


How would you describe the impact of the increasingly strict regulatory environment on IT auditors and security professionals?


IT auditors find that they are under an avalanche of assurance requirements. Often, these requirements are similar in nature, but impact different areas within the organization. Security professionals, however, find themselves in an increasingly inflexible environment and can feel like decisions regarding which controls are best for the organization are taken out of their hands.

The new regulatory environment has placed a greater strain on the already taxed workload of IT auditors and security professionals. New skills are required to interpret the regulations, and new processes are required not only to perform a function, but also to prove its effectiveness. Corporations, in turn, struggle to show the value derived from the added cost and increased complexity of compliance.


How do you think the role of the security professional is changing? What would you recommend to security students or new security professionals to better prepare them for this changing environment?


Legacy security professionals are focused on the cause of a security event rather than the effect of the event. This typically results in a risk-averse attitude or a culture of “no.” Information security is often perceived as a roadblock rather than a business partner.

New security professionals should focus on business requirements and gain a true understanding of just how each decision will impact the business. True business partners should not try to secure the business, but rather to enable secure business. This will go a long way toward ensuring that security has a seat at the table when decisions are made.


How do you believe the certifications you have attained have advanced or enhanced your career? What certifications do you look for when hiring new team members?


Certifications serve to establish a common language and baseline of knowledge within the community. Certifications can inspire a level of confidence in employers and a level of recognition among peers.

While beneficial, some certifications do little to illustrate specific experience, and no certification can demonstrate a solid work ethic. When hiring an assessor position, I look for a candidate with a Certified Information Systems Auditor® (CISA®) certification. When looking to fill a more technical position, I like to see a Certified Information Systems Security Professional (CISSP) certification. These are well-established certifications, and both have experience and continuing education requirements. The new Certified in Risk and Information Systems Control™ (CRISC™) certification shows promise when partnered with CISA.


What has been your biggest workplace challenge, and how did you face it?


The modern culture of compliance requires that IT professionals document what and how they are going to do something, manage the asset, and provide assurance that it was done according to plan.

A colleague recently recounted a story about an IT professional who asked, “Do you want me to dig the hole, or do you want me to document how to dig the hole?” Of course, the answer is both, but in addition, the professional has to prove that both were done. As you can imagine, this is an unpopular viewpoint in an already overstressed IT environment.

The solution is cliché. IT organizations need to “work smarter, not harder.” They need to build the case that common processes should have the same procedures and controls.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.