Editor’s note: Vicki Gavin, CRISC, MBCI, is compliance director, and head of business continuity, cyber security and data privacy for The Economist. Gavin, based in London, recently visited with ISACA Now to discuss how her areas of expertise are being affected by the fast-changing technology and regulatory landscape. The following is an edited transcript.
ISACA Now: At InfoSec Europe last month, you were part of a panel that discussed building an agile team for the future. What were the major takeaways for you?
For me, the most significant takeaway was the need to do things differently. Current hiring processes are designed to exclude candidates. We need to get smarter about including candidates from a variety of backgrounds by systematically removing bias from role profiles, job descriptions and advertisements, screening and interviewing.
ISACA Now: How critical is it for organizations to have tech-savvy boards in terms of fostering strong governance?
I do not think the board needs to be tech-savvy. Tech awareness is sufficient. Security professionals need to become more business aware to communicate effectively with the board.
ISACA Now: What are some shortcuts that organizations tend to take in their governance that often come back to haunt them?
I think one of the biggest IT governance mistakes made by technology professionals is the assumption that risk is to be eliminated. Risk is to be managed; the key is to determine what level of risk your organization is willing to accept.
ISACA Now: What are the biggest keys to successful business continuity planning?
The value in planning is the process, not the plan. As Mike Tyson said, “Everybody has a plan until they get punched in the face.” The same is true for BCPs. The process, on the other hand, done properly, ensures a common risk appetite and approach to recovery when the time comes.
ISACA Now: Which emerging technologies present the greatest challenges from a compliance standpoint?
All of them. All change is disruptive. The challenge is to balance the risks and benefits of compliance.
ISACA Now: As we move closer to GDPR taking effect next year, are you sensing a greater sense of calm or of anxiety from your peers?
From my peers, anxiety. From my business, calm. We started on our GDPR journey about a year ago and will be ready by November 2017, giving us plenty of time to bed in new processes.