Case Study: Achieving Greater Financial Efficiency at ISACA

Author: Katie Teitler-Santullo
Date Published: 1 September 2024

As an ISACA® member reading this edition of the ISACA® Journal, you know that ISACA has been the leading professional membership organization in the areas of IT, audit, risk, governance, and cybersecurity for nearly 60 years. The organization has pioneered continuous training and education programs for practitioners, and is committed to helping professionals advance their skills, keep current with emerging trends, and earn credentials that demonstrate expertise in their chosen fields.

ISACA is a global organization with a footprint in 188 countries, serving 180,000 members who are dedicated to advancing the positive impact of digital technology.

As with many long-standing and reputable organizations, ISACA has evolved over the years and adopted modern technology. Doing so is not a trivial undertaking for an entity with the size and scope of ISACA. And given its reputation in the IS/IT space, and the community it serves, leadership teams must choose, deploy, and roll out new systems thoughtfully and carefully to ensure business continuity and efficacy.

Challenge

Digital transformation has impacted every organization on the planet, but none more so than organizations that have been in operation for decades. Digital technology that served an organization in 1970 is no longer appropriate or relevant in 2024. As a result, tenured organizations such as ISACA must grapple with the challenge of replacing legacy systems, some of which are hardware-based, incapable of upgrade, and lack necessary integration with more modern systems and processes. And even though the technology may be out of date and inefficient, the prospect of implementing a new system is daunting—thus requiring careful thought and planning. Introducing a new-vendor analysis is no easy task.

The organization cannot simply say, “We need X capability” and then ask staff to choose from commercially available technology in the stated category. Instead, the team must map out business requirements, learn departmental workflows, and understand technology and process dependencies, as a starting point.

Additionally, when the decision to upgrade technology is made by the management team, departmental leaders must dedicate extra time and effort—on top of their day-to-day work-related responsibilities—to evaluate the market, test solutions, and help launch the new solution to the affected teams. This requirement could cause tension, stress, or resentment, if not handled correctly.

Organizations that have been using certain technology for many years may have employees who are resistant to change. The human aspect of change must be handled delicately to not disrupt business and/or lose valuable employees during the process.

In ISACA’s case, as an organization promoting and teaching about technological advancement and best practices over the years, it is especially prudent to develop a thorough transition plan. Thus, when it came time to upgrade their financial management system (FMS), ISACA teams had to be carefully coordinated, as illustrated by the steps in figure 1.

Figure 1 ISACA’s FMS Transition Plan

In mid-2022, the ISACA finance and accounting team was using Sage software for much of ISACA’s payment activity. The version of the tool the team was using was more than a decade old and had undergone very few modifications during the time it was in production. As such, it was not meeting the organization’s needs; much of ISACA’s other technology deployments—for both finance and related business units—had changed significantly over the years, growing more modern with every upgrade. Those systems were more manageable and efficient, and the version of Sage in use, quite simply, was not.

The team wanted a user-friendly, practical, and cloud-based technology that would:

  • Reduce manual effort
  • Consolidate functionality
  • Streamline processes
  • Improve analysis and reporting
  • Assist with budgeting

The team knew that a modern finance and accounting system could automate a number of tasks and consolidate the tools and consoles needed to manage daily tasks and responsibilities.

Importantly, the senior director of the finance department said he wanted the team to be able to more easily conduct financial analyses of ISACA’s business units and create and update tailored dashboards for cross-business unit communication and collaboration.

Solution

When it was decided that ISACA would move forward with replacing the Sage financial software, the management team asserted that any new solution should be cloud-based. This ensures that, as digital transformation continues and software capabilities evolve, team members will be able (in many cases) to upgrade features and functionality without significant help from the ISACA technical staff.

Once that decision was made, the finance team had to complete its needs analysis and, together with the ISACA IT and security teams, begin the request for proposal (RFP) process. ISACA sent its RFP requirements to several enterprises and chose four to evaluate, including Oracle NetSuite.

As they started the process of evaluation, several criteria were important (figure 2). To start, the senior director of finance wanted to ensure that any new system would provide the ability to preserve automatic processing; this was one area where Sage was strong, and so it was important to him and his team that any new system be at a similar or better level of functionality.

Figure 2 Key Features of Technology Upgrade

Similarly, the ability to migrate legacy data from Sage into the new system would be necessary. To comply with audit regulations, enterprises must keep seven years of data—in a secure location—and be able to run reports on legacy data on demand and per official request. It was important that data could be exported from the old to the new system accurately and efficiently.

The senior director also wanted to ensure that the chosen system was capable of configuration for all transaction types categorized by their bank. Clean, efficient integration between systems was critical, and the team understood that a more modern FMS was capable of this functionality.

Additionally, as a user of Sage for many of the years it was in use at ISACA, the senior director had felt the pain of manually creating roles for each of the team’s users. Setting up user roles in the old system was tedious and more complex than it needed to be. The senior director knew that an up-to-date system would make role creation and access permissions easier and more accurate. Further, any newer system would be better equipped to handle system and data security, which was a primary concern for the business. As a global organization with a large internal team and 180,000 members, ISACA collects and stores a tremendous amount of personal data. The risk of data leak or breach is high. Not to mention, given their organizational focus on risk and compliance, ISACA team members wanted to be certain that any new deployment would make it easy to manage and meet regulatory requirements, including the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA), currently the strictest data and privacy regulation in the United States.

The RFP Process
The internal ISACA team contracted with a third-party consultant to assist with the RFP process. The consultants gathered all requirements and responses then coordinated the evaluation between the ISACA stakeholders, which included members of the finance, IT, and security teams, ensuring thoroughness and coverage for the different needs of multiple business units within ISACA.

After careful consideration, the ISACA evaluators felt that NetSuite met all their needs—chiefly, the platform is offered as a cloud-based solution that is user-friendly, efficient, and feature-rich. Several other considerations were factored into the decision, including Oracle’s stellar reputation and consistent offerings. In addition, because NetSuite is an enterprise-focused tool (versus a smaller point product), ISACA felt a NetSuite deployment would help future-proof its technology needs as the organization continues to scale and evolve. NetSuite, as the name implies, is a full-service FMS, which combines functionality for accounts receivable/accounts payable (AR/AP), tax handling, and invoicing. Because of the flexibility of the platform, customization is possible, making it easier for ISACA to tailor the platform’s capabilities to its specific needs as a membership, training, and credentialing organization.

Implementation
Once the decision to deploy NetSuite was made, the internal team coordinated with NetSuite to discuss implementation and rollout. Importantly, although ISACA had originally intended to go live with the implementation of NetSuite earlier, it was decided that, because of other business considerations, they would delay the migration from Sage until after 31 December so that two audits for two systems would not be necessary. According to the ISACA finance team, NetSuite was very receptive to and understanding of the timeline.

In the meantime, to get the ball rolling, the teams scheduled discovery meetings to discuss how to configure the system. One requirement was that the FMS would allow for seamless data connectors between the enterprise portals that handled internal functions and those that handled membership functions. The two teams collaboratively built a plan, with the ISACA IT team coding the APIs according to NetSuite’s guidance, which was based on NetSuite’s prior work with other organizations that similarly required data aggregation.

In addition, the teams evaluated current processes and workflows previously used by ISACA’s finance team and compared them to the functionality offered by the new FMS. The senior director of finance at ISACA said that his team was now able to automate certain functions and add additional workflows that would eliminate formerly manual processes and grant greater employee efficiency.

While the technical aspects were core to the success of the project, both NetSuite and ISACA did not forget that people are also critical; no technology implementation can succeed without trained employees who have a willingness to use the technology in a productive manner. Therefore, the multiple training sessions offered as part of the NetSuite contract were scheduled promptly. NetSuite included training for the finance team as a group and for individual users, which helped make long-time users of Sage comfortable with the switch and made certain that less technically savvy users had the support and knowledge needed to start using NetSuite when it was fully available to them.

The IT and finance leaders at ISACA have said that the implementation and rollout were a heavy lift on their part, but the partnership and support of the NetSuite team made the transition and transformation easier and well worth the effort. ISACA has since praised the NetSuite team for being “always available, always ready to answer questions, and willing to triage problems.” Further, any inevitable hiccups that accompany the deployment of a new system were handled expertly by NetSuite, minimizing downtime and effort for the ISACA team.

Benefits

Since the implementation, ISACA has been very pleased with the new capabilities and the team sees even more potential for use of the product. Given its modular configuration, ease of use has been a key benefit for individual finance team users. Each functional group has permissions to build custom data views, reports, and actions that benefit its needs, preferences, and processes. They have found NetSuite to be “a great tool to satisfy a wide variety of needs from individual teams’ perspectives,” according to both the senior director of finance and the senior IT project manager.

Even though NetSuite was chosen largely because Oracle is a multinational organization that understands the needs of large, complex organizations worldwide, and because the technology suite offers enterprisewide features and functionality, the ISACA team says that they are pleased that the software is built as if from a smaller, agile vendor. In other words, even though Oracle is a major company that could offer an out-of-the-box solution “as is,” ISACA team members have been impressed with not only its customizability, but the NetSuite implementation team’s willingness to be creative and flexible in their approach, helping ISACA tailor the tool for their needs. In ISACA’s view, the NetSuite team’s “expertise and range of experience allowed them to move fast and nimbly.”

Key benefits of the FMS upgrade include:

  1. Fast and easy migration—A team effort between ISACA and NetSuite led to the successful migration of legacy data into the new FMS, reducing manual efforts and leading to less friction.
  2. Increased functionality based on greater collaboration—Collaboration between teams drove the successful implementation of IT integrations; these are necessary for ISACA to operate as a modern, efficient organization—one that does not need to spend much time or effort switching between technologies. Teamwork between the NetSuite and ISACA solution architects streamlined the development processes.
  3. Modern look and feel—The NetSuite implementation provides thoughtful, intuitive functionality that helps the ISACA team move faster and more easily.
  4. Tools consolidation (ease of use)—ISACA was able to consolidate multiple tools into a single platform by deploying NetSuite, making it simpler and more manageable for the team.
  5. A single pane of glass (pain reduction)—NetSuite has given ISACA a single database that provides critical capabilities for the team, including organizationwide reporting and dashboarding, easy access to real-time data, and accurate accounting across functions and personas.
  6. Speed (without sacrificing accuracy)—Because NetSuite allows the finance and accounting team at ISACA to automate many low-level daily tasks, ISACA’s speed of business has improved.

Results

As a result of the switch from an old version of Sage to the cloud-based and contemporary NetSuite, the ISACA finance team has experienced dramatic time savings by replacing manual efforts with automated tasks for numerous, repeatable processes.

Setting up workflows for the team, and even individual workflows per functionality, has been simple. Because of the user-friendly nature of the workflow capabilities, users (especially those who were comfortable with the old system) quickly felt confident that their use of NetSuite would allow them to accomplish their required activities, only now at a faster pace and with reduced effort.

Along similar lines, due to the multiple training sessions provided by the NetSuite team, users felt equipped to use all available system functionality from the get-go. According to the senior director of finance, the team “was able to pick up and go, with minimal disruption.” Because education and skill building were included in the transition process, employees generally felt at ease with the new tool quickly, even though it introduced unfamiliar processes. While there were occasional usage challenges due to the scope and variety of options with NetSuite (new features and functionality), the leadership team feels the advantages gained more than outweigh any individual, temporary obstacles.

Deploying the NetSuite FMS has also resulted in organizational advantages that extend beyond the finance team. To start, from a cybersecurity and business continuity perspective, ISACA now has a cloud-based, thoroughly backed up data archive readily available. ISACA’s IT and security teams no longer need to copy and store data backups on a hard drive, or separately contract a backup provider to ensure they have what they need, should a disaster strike.

From a people and operations perspective, like many organizations in the wake of the COVID-19 pandemic, ISACA now supports hybrid and remote work (and thus, remote access requirements). A centralized, cloud-based system helps the team manage remote workers and ensures that those workers can log in easily and securely, from anywhere, at any time, and have a ubiquitous experience. Specific security functionality such as single sign-on (SSO) with designated access rights (data scopes) ensures that employees have access to what they need and are not overprovisioned, and that the organization is abiding by modern-day security standards. This helps ISACA operate at the pace of modern business, stay current with leading information security practices, facilitate auditing, and ensure compliance with industry rules and regulations such as GDPR and CCPA.

Conclusion

The idea of a technology “rip and replace” is daunting for any organization, no matter how big or small. This is especially true when upgrade projects require moving from older, antiquated, and low-functionality systems to cloud-based technology; migrating data can be extremely difficult if the new vendor does not have the requisite experience, or if the incumbent vendor’s technology is incompatible with cloud systems. However, in certain circumstances, and when old systems are a drain on or a risk to the enterprise, it is necessary.

This is why it is crucial to select providers that will also be partners, not merely technology developers and sellers.

ISACA, as a leading information systems/information technology training and best practices provider, utilized the knowledge and processes its teams had built and honed over the years. This ensured that moving to a modern FMS was as painless as possible. Though there were some challenges along the way, as there will be with any major technology replacement, the ISACA team felt it picked the best solution backed by an expert team behind the solution.

By sticking to its core requirements for a new solution—a cloud-based FMS that was easy to use and would allow finance teams to move more efficiently and accurately—the team ultimately received far-reaching departmental and enterprisewide benefits in the areas of security, audit, and compliance. Additionally, the team feels it is now in a better position to upgrade when the time comes. The adoption of more flexible and modern tooling has helped make ISACA agile today and into the future, enhancing everyday business operations.

KATIE TEITLER-SANTULLO

Is a product marketing and product strategy leader with a strong track record in business growth, thought leadership, and market research. Over the course of her career, she has been a product marketer, evangelist, industry analyst, research director, content marketer, freelance author, and conference content curator. Currently, Teitler-Santullo is the director of product marketing for OX Security, a leading application security posture management (ASPM) and application security (AppSec) vendor. She contributes to The Cyber Why newsletter and podcast, and is a co-host on Enterprise Security Weekly.