ISACA Journal
Volume 6, 2014


The Network 

Kathleen M. Stetz, CISA, CISM, CRISC, PMP 

Kathleen M. Stetz, is a technical risk and compliance analyst for a Fortune 500 company in the Chicago, Illinois, USA, area. Stetz has spent more than 20 years in the IT security, risk management, compliance and project management sectors. Before taking on her current role, she worked as an outside consultant providing IT direction to audit projects. Prior to this, she was the operational IT risk officer for a major mortgage lending bank in Chicago, where she was responsible for developing policies and providing risk management strategies. Stetz is also an instructor for the local ISACA chapter, teaching and preparing candidates who are working to achieve their professional certifications.


What is your favorite blog?

I really do not read blogs. However, I access the ISACA site very regularly—

What is on your desk right now?

My computer, white papers, books, and risk and control models

As 2014 comes to an end, what are your final goals for the year?

  1. Ensure that all 2014 issues are brought to a successful resolution and are closed—all major risk factors mitigated.
  2. Roll out my control issue trend analysis of potential threats/risk.
  3. Mentor and get feedback from the students of the CISA exam preparation course that I teach through ISACA’s Chicago Chapter.

What is your number one piece of advice for other risk and compliance professionals?

Respect individuals and, before taking any action, follow the quality adage: Think, plan and do.

What are your favorite benefits of your ISACA membership?

  1. Networking opportunities
  2. eLibrary
  3. ISACA Knowledge Center

What do you do when you are not at work?

I volunteer to teach the ISACA CISA review course offered by the Chicago Chapter; I enjoy helping those who are striving to obtain this certification. When I’m not teaching, I love to listen to music and play the piano.

Question What do you see as the biggest risk factors being addressed by IT security professionals?

Answer The biggest risk factor has and will always be protecting the organization’s systems and data from harm and adverse conditions by focusing on the security attributes for information integrity, confidentiality or privacy, and availability. This is more difficult to achieve today because systems have integrated mobile technologies and applications causing the operating environment to constantly change and, in turn, increasing the level of complexity. Seeing how these new technologies will impact day-to-day operations throughout the organization is not always apparent.

Security professionals need to take an integrated approach by looking at processes end to end, involving knowledgeable stakeholders from the IT and business sides, and having an eye on the key risk influencers for understanding the emerging threats to the people, processes, technology and possible external events—the operational risk factors.

Question How can businesses protect themselves?

Answer Businesses must take a holistic approach to risk management to see how the fast-changing environment will impact their goal attainment. IT controls no longer belong just to the IT areas, but there is cross-over to the business side, thus involving the right stakeholders from both sides is paramount. It is also important to understand how all of the pieces fit together and identify potential points of failure proactively.

Question What do you see as the biggest compliance challenges on the horizon?

Answer I believe that the biggest emerging compliance challenge is addressing change for new technologies or integration projects while protecting existing information. It is often difficult to separate the data with an understanding of the data classification among diverse test environments and conditions while protecting this information from unauthorized resources. The control environment now spans multiple areas with an increased complexity and perhaps several control owners handling different parts of the processes that at one time existed within one area.

Question How do you believe the certifications you have attained have advanced or enhanced your career?

Answer My certifications have offered me opportunities that have helped me to advance my career. I have several certifications and those offered by ISACA are especially important because each discipline follows a risk-based methodology that can be universally applied to any industry or market. This approach has helped me develop a strategic view of effective risk management to break down the traditional boundaries and barriers between IT and the business to work more collaboratively.

When making recommendations for staffing, I always ask to see if a candidate has any certifications. Those individuals who have achieved professional certifications seem to be more serious with a demonstrated commitment to the profession. They have worked hard to achieve their success and have a level of confidence that sets them apart.

Question You have moved up the ranks in IT audit and transitioned into risk and compliance. For someone new in their professional career or someone looking to make a similar transition, please describe how you have made these changes and adjusted to new roles.

Answer Moving into the risk and compliance area is a separate function from the traditional IT auditing process. To make this transition, you need to have the desire to transform the auditing role by partnering and consulting with the various IT areas to help them understand key areas of risk. This entails looking beyond the controls to understand the processes of what is being delivered. As an auditor, you are looking to find the exceptions around the control failures to issue a report; whereas, by taking on the role of a compliance analyst or consultant, you are working as a partner and change agent helping these areas make process improvements to enhance control effectiveness.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.