ISACA Journal
Volume 2, 2,014 


The Network 

Ketan Dholakia, CISM, CRISC, CISSP 

Ketan Dholakia is the chief executive officer (CEO) of Maclear LLC, an enterprise governance, risk and compliance (eGRC) company based in Chicago, Illinois, USA. He brings more than 20 years of experience in delivering sustainable solutions for businesses to manage their compliance and risk. With Maclear’s award-winning eGRC Suite™ (based on the COBIT framework), Dholakia provides an array of strategic and practical perspectives on how to build and manage an organization’s GRC program.

Dholakia’s previous experience includes senior-level roles with large and midtiered, multinational corporations, guiding them on regulatory and risk management. As a consultant, Dholakia has leveraged his extensive background in risk and compliance for many organizations in various industry verticals.

Ketan Dholakia

My Favorite Blogs

  • Maclear’s GRC blog
  • Forrester
  • GRC 20/20

My Three Goals for 2014

  1. Hire several people in various roles with the best talent I can find.
  2. Build new, and enhance our existing, partnerships in EMEA.
  3. Improve marketing of Maclear.

My Favorite ISACA Benefit

  • Chapter meetings
  • ISACA Bookstore
  • eLibrary

My No. 1 Piece of Advice for Risk and Compliance Professionals

Understand the strategy that your company is trying to implement and make sure that the risk appetite meets that strategy, doing so via open communication channels across all business units and business processes.

When I’m Not at Work

I love to watch movies with my family and have hundreds of books on my iPad that travel with me everywhere.

On My Desk Right Now

  • My computer attached to 2 screens
  • My iPad
  • A lot of to-do items organized by priority

Question What do you see as the biggest risk factors being addressed by governance, risk management or security professionals? How can organizations protect themselves?

Answer Many of our customers seem to be struggling with third-party or vendor risk management. One of the reasons for this is because many organizations do not have processes in place to ensure that the vendor can meet the customer’s regulatory requirements. To be effective with vendor management, a thorough vetting process has to be implemented using automation to filter out high-risk vendors. Automation is necessary as there can be hundreds of vendors that supply to a customer, and, without automation, it is humanly impossible to manage the risk posed.

Question How do you believe the certifications you’ve attained have advanced or enhanced your career? What certifications do you look for when hiring new members of your team?

Answer I have been in the GRC field for several years and I started out in this field by transitioning from managing IT vulnerabilities and determining the controls in place to mitigate the threat. As I was progressing through my career, it was evident that the business saw me as “just another IT guy making a big deal about risk.” To change this, I looked to certification.

The Certified Information Security Manager (CISM) certification was the most beneficial for me. I was a member of ISACA and decided to take the CISM exam. CISM exam training provided me with an understanding of how to articulate and walk a business person through the impact that risk can have on the business, using language the average business person can understand. Today, at Maclear, the first thing we do when hiring new team members is ensure that they have at least a Certified Information Systems Auditor (CISA) certification—it gives us the confidence to know that the potential team member understands risk and is comfortable explaining it to the business.

Question What has been your biggest workplace or career challenge and how did you face it?

Answer My biggest career challenge has been in convincing a very large client to implement a governance, risk and compliance (GRC) strategy effectively. The client’s risk appetite did not meet its risk strategy. The risk professionals were well qualified and understood risk at a tactical level for their business unit, but did not understand the strategic direction toward which the company wanted to go. Communicating the strategy and having senior management work across the business units, we were able to build a GRC program that leveraged risk and controls across all business units so that there was a common source of data and understanding. Three years into this endeavor the strategy has been successfully implemented.

Question What will be the biggest compliance challenge in 2014? How should it be faced?

Answer I believe the biggest challenges facing compliance are building awareness and providing training for compliance and risk managers for some of the regulatory changes and updates. For example, as PCI 3.0 starts to get established, companies will have to change their approach to be more risk-based in their assessments and will require a thorough understanding of risk and compliance, not just an understanding of vulnerabilities and threats. Training and awareness will be required to meet these challenges.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.