n the classic movie “The Wizard of Oz,” protagonist Dorothy Gale leaves Kansas and enters a new world, the land of Oz.

As new technologies are developed, we have to stay up to date with them. More so than almost any other practitioner interfacing with information technology, auditors have to work hard at continual education.

Among the most exciting projects I’ve worked on has been the integration of NIST’s Cybersecurity Framework with COBIT.

My first role post-graduation was working as a financial statement auditor. We used tick mark pencils on printed workpapers, and we manually footed (recalculated) balances.

Data privacy and security is more important than ever before. Despite existing policies, the number of data breaches is on the rise and unencrypted personal information is getting into the wrong hands.

US State of California Senate Bill 327 Information Privacy: Connected Devices (SB 327) goes into effect January 2020.

In Greek mythology, the courtier Damocles was forced to sit beneath a sword suspended by a single hair to emphasize the instability of kings’ fortunes. Thus, the expression “the sword of Damocles” to mean an ever-present danger.

As a risk practitioner, have you ever tried to describe what you do for a living to a family member or a friend?

Imagine it is sometime in the 22nd century and that the future you is preparing for a complex surgical procedure at the local robot-run hospital, where it has become commonplace for robots to perform sophisticated, repeatable tasks, such as heart surgery, on human patients.

You may not know it, but artificial intelligence (AI) has already touched you in some meaningful way.

Artificial intelligence (AI) and machine learning are common terms in the world of emerging technology. Although still sounding futuristic to some people, AI is already being deployed everywhere from fantasy football weekly recap emails, to retail environments, to advanced, state-sponsored surveillance systems.

The rapidly increasing pace of technology change and digital disruption leads to an unprecedented pace at which organizations must address opportunities and risks that could make or break their success. In the new decade of the 2020s, technology-driven exponential change will accelerate even more sharply. Unfortunately, most organizations are ill-prepared for what is to come, and will remain so unless they replace their reactionary approach to the technology landscape with an anticipatory one.

The increasing reliance on big data and the interconnection of devices through the Internet of Things (IoT) has created a broader scope for hackers to exploit.

The dark web ecosystem continues to evolve as a place where cybercriminals can sell and access stolen data, purchase black-market items such as guns, drugs and hacking software, and connect with like-minded individuals.

Theresa Payton set the tone for the first day of last week’s Infosecurity ISACA North America Expo & Conference in New York City, delving into the multifaceted landscape of emerging technologies with the audience of information security professionals, and also sharing anecdotes from one of her most high-profile jobs, as White House CIO under the George W. Bush administration—including a story of negotiating with a cyber criminal on the dark web at her kitchen table over three nights.

Deborah Juhnke, senior consultant with Information Governance Group LLC, cited a definition of information governance as “an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information.”

What are some of the major changes you expect to see in the technology landscape in the next decade?

The potential of blockchain technology has inspired hype and buzz for years.

“Imposter Syndrome can be defined as a collection of feelings of inadequacy that persist despite evident success.

Depending on your personal interests, social skills and professional goals, professional networking may or may not be your favorite activity. Whether or not you enjoy networking, it should be a priority in your professional life – especially earlier in your career as you are building your professional network.

Who among us does not sometimes reflect on our journey and certain days that remain nailed to our memory, either because they were too tough to forget or too good to be true?

Though device manufacturers have worked to improve the cybersecurity of their medical devices, there is still a long way to go. Improvements aside, there are distinct steps the IT information security department can take to reduce risk and improve cybersecurity for medical devices.

Consider an organization adopting artificial intelligence (AI) as being represented by a self-driving car.

When most people think about coworking spaces, they immediately picture a bunch of freelancers and solopreneurs working on independent ventures at shared desks. But coworking spaces are more versatile than this.

Cyber risk has understandably become a focal point for enterprise risk managers, but the risk landscape is multi-layered and extends beyond the realm of cybersecurity. In addition to contending with a daunting array of cyberthreats, enterprises are determining how much risk they are willing to accept in deploying emerging technologies, working through a heightened focus on customer privacy and adjusting to changes in the regulatory environment.

The relevance of data cannot be over emphasized in today’s world, where change is the only constant. Decisions that managers and executives tend to make emanate from the availability of data analysis.

A future in which passengers order air taxis, victims of serious accidents tap neurotechnology to rise above limitations and AI/machine learning-fueled space exploration allows astronauts to trek deeper into the universe – for longer periods – was boldly presented on Monday, 28 October, at the Dare Mighty Things technology conference in Chicago, Illinois, USA.

Based upon my experience in Enterprise Risk Management, I was not surprised to see respondents to new State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity identify risk identification and risk assessment to be the most employed risk management steps in their organizations

Senior leaders in business and government ought to take note of ISACA’s State of Cybersecurity 2019 research, which details the findings of a global survey of cybersecurity professionals.

Senior IT audit leaders met to discuss a wide variety of topics, including audit analytics, IT audit’s role in cybersecurity and incident management, and agile/DevOps shops, at the recent IT Audit Leaders Summit in Geneva, Switzerland, as part of EuroCACS/CSX 2019. Participants shared opinions and best practices, and strategized on the path forward with new technologies and business practices.

A series of cyber-attacks involving the SWIFT banking network have come to light in recent years. The first public report of these attacks came from the Bangladesh Central Bank, and we have also seen attacks at State Bank of Mauritius, Cosmos Bank (India) and City Union Bank (India).

Is your organization supporting women in reaching leadership positions? Why is this important?

On ISACA’s first CommunITy Day on 5 October, 2019 – a day in which our global professional community came together over one day to volunteer in their local communities – the passion, creativity and industriousness of ISACA’s professional community was on full display.

I graduated college with all the confidence in the world. However, I then entered Corporate America, and I had a rude awakening.

IT auditors new to the profession may hear references to a time when the internal audit function was viewed as the “police.” Years ago, it was not uncommon for organizations to perceive internal audit’s responsibilities of assessment and evaluation as being similar to that of a policing function.

More than 60 women and men gathered on Capitol Hill in Washington, DC, on 7 October for the SheLeadsTech program’s second annual Day of Advocacy.

There has been significant progress in technologies that can be utilized in the livestock industry. These technologies will help farmers, breeders associations and other industry stakeholders in continuously monitoring and collecting animal-level and farm-level data using less labor-intensive approaches.

I am the product of a liberal arts education. On the surface, what I learned in school has very little relevance to my day to day right now, yet, when you dig deeper, the communication and critical thinking skills that education instilled in me helped in ways beyond measure.

The increasing emphasis on data privacy gained widespread attention last year with the enforcement deadline of the General Data Protection Regulation (GDPR).

Increasingly, security professionals use language that makes a distinct comparison between our physical environment and our digital infrastructures.

The tech industry has been burning through talent and losing IP for decades, but this is usually after years or even decades of contributions. Some suggest it is based on work-life balance challenges, but a recent ISACA study, Tech Workforce 2020: The Age and Gender Perception Gap, highlights how millennials factor into this equation, too.

Norman Ralph Augustine once said, “Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.” This highlights the rise of the auditing profession and the importance that more and more companies are placing on internal and external audits due to increasing regulatory requirements.

In 2003, I had just completed my MSc in Information Security. I was excited about my future career prospects as I believed I had obtained at least the minimum level of knowledge needed to enter the information security field.

Chatting with a colleague recently about local economic issues, she made a remark which I found profoundly interesting at the time.

If perceptions were always reality, why would a company that has hired professionals after conducting reasonable background checks be wary of internally orchestrated fraud and other white-collar crime?

The information security challenges faced by enterprises are dependent on the unique characteristics of the business. This means there is no one “right” answer for where the CISO sits on the org chart.

The 2010s have seen remarkable growth at ISACA.

Edie Brickell (incidentally the wife of singer/songwriter Paul Simon) had a modest 1988 hit titled “What I Am.” The opening lines of the song contain the lyrics “I'm not aware of too many things. I know what I know if you know what I mean.”

The massive cyber breach of Capital One, reported in late July, quickly brought a chorus of condemnation of the company from a wide circle of pundits, concerned customers, competitors and potential investors. Lost in the media fray was Capital One’s exceptional incident response.

In today’s environment, companies all over the globe are experiencing culture risk.

Given the many instances of email security compromises, it has become vital to provide additional security to emails from the domain administrator level. Security protocols such as Domain-Based Message Authentication, Reporting and Conformance (DMARC), Domain Keys Identified Mail (DKIM), Sender Policy Framework (SPF) and Brand Indicators for Message Identification (BIMI) to prevent address spoofing are considered below.

Since 25 May, 2018, the General Data Protection Regulation (GDPR) has been providing unified rules for data processing, requiring wider protection for the rights and interests of data subjects, and establishing important guidelines around the flow of information in the European Union.

The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.

Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.

Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind, a critical challenge considering the potential impact of a cyberattack on ICS and OT could result in the loss of lives and/or major environmental damage.

While IT professionals and auditors are not required to be tax experts, they do need to have a certain level of mindfulness with regard to taxation within the digitalized economy going forward as tax collection is slowly but surely becoming part of the natural business ecosystem where taxation happens by default.

All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.

These days, just about every software platform or app available has some kind of cloud functionality.

It has been said that leadership cannot be learned and that it is an innate ability. While that may be true to a degree, there are steps young professionals can take to hone their innate leadership abilities through experience early in their careers.

About 10 years ago, when I was deciding on my major in university, I was very anxious about where my decision would lead me. I eventually chose Management of Information Systems, and fast forward 10 years later, I’m working as an information security consultant at a Big 4 firm.

About the only thing shifting as fast as the cyber threat landscape is the typical enterprise’s org chart.

Digital transformation. Digitalization. Digitization. Three business terms in common use today that describe the differences in scope of the organizational digital effort, in this case in order of decreasing scope.

Recently in the UK, the women’s national football team manager, Phil Neville, called for all social media accounts to be verified and accountable as the result of a spate of racist postings, and asked for a boycott of social media until the situation is addressed.

Sustainability has become a key focus in the 21st century.

As ISACA celebrates its 50th anniversary in 2019, we are telling stories of the members, volunteers and staff who have contributed to ISACA’s growth and global impact. Below is an excerpt from a feature article on the ISACA staff father-son duo of Terry Trsar and Tim Trsar.

Certain industries have a better conceptual understanding of their supply chain than others. For instance, in manufacturing, it’s very clear that raw materials come in one end and out the other comes a completed, processed product for consumption.

Trust. Privacy. Transparency. Three words that have invaded our technology lexicon. In an age of fashionable falsehoods, it is probably not surprising that these words permeate almost any aspect of our lives in technology, in government and even in our organizations.

Cybersecurity awareness is a topic that most organizations and leaders know is important, but is typically treated as a check box requirement to remain compliant with regulations or mandates placed on the enterprise. Most leaders will argue that cybersecurity awareness training is very important but only marginally effective.

Consumers are demanding we offer outstanding user experiences and technology interfaces, and we need to strategize how we both safeguard and leverage ever-growing portfolios of data and systems to differentiate ourselves from our competitors.

The trends appear to be presenting themselves all over the place; TV commercials, online ads, corporate product announcements, etc., are all saying the same thing: Artificial intelligence (AI) adoption and use are exploding.

COBIT 2019 is a terrific resource for a wide range of business technology professionals.

As a security consultant, I’ve had the opportunity to assess the security postures of clients of all shapes and sizes. These enterprises have ranged in sizes from a five-man startup where all security (and information technology) was being handled by a single individual to Fortune 500 companies with standalone security departments staffed by several people handling application security, vendor security, physical security, etc. This post is based primarily on my experiences with smaller clients.

Most people are aware of and talking about risk management. However, barring a handful of high-profile and sophisticated IT organizations, for most enterprises, it is more talk vs. the actual implementation of risk management practices.

For those in the ISACA community who are fans of popular culture, you might have noticed in recent years that, in many cases, film and TV stars are beginning to look more like you and I, and less like the muscle men of our youths.

Have you ever stopped to consider the ethical ramifications of the technology we rely on daily in our businesses and personal lives?

Much has been written in recent weeks about the widely publicized privacy concerns with FaceApp, the app that uses artificial intelligence (AI) and augmented reality algorithms to take the images FaceApp users upload and allow the users to change them in a wide variety of ways.

Have you ever audited a computer system’s migration plan when transferring it from on site to the cloud? Here are some recommendations to keep in mind based on lessons learned from migration practices:

It has become almost impossible to face cybersecurity issues just by using the presently available countermeasures; hackers always find aways to bypass them.

Jon Duschinsky, an entrepreneur, social innovator and firm believer in leading a purpose-driven existence, will be the closing keynote speaker at ISACA’s EuroCACS/CSX 2019 conference, to take place 16-18 October in Geneva, Switzerland. Duschinsky recently visited with ISACA Now and shared his thoughts on why being purpose-driven is more realistic than ever in today’s digital age. For more of Duschinsky’s insights, listen to his recent appearance on the ISACA Podcast.

If there is one universal truth we have learned from developments on the cybersecurity landscape in recent years, it is that none of us are free from cyberthreats. Attackers identify and exploit vulnerabilities wherever they might exist, regardless of the target’s geographic location, whether the target is an individual or an enterprise, or which industry sector the target represents.

On 5 October 2019, ISACA will conduct its inaugural ISACA CommunITy Day, a day of global service for ISACA members (through their chapters) and staff to give back to their local communities

There has been a heightened surge of questions about data privacy in recent weeks, especially in light of the app called FaceApp.

Quantitative risk has become a growing field of interest for information security professionals.

Extracurricular activities have filled my schedule for as long as I can remember. I was always involved in academic clubs and societies, and in most I held leadership positions.

Taking that first step on the career ladder is a difficult challenge in pretty much any industry. Even for entry-level opportunities, employers generally look for some level of previous industry experience. The question is, how do you get experience without having experience?

How do you transform security and privacy compliance requirements into practical steps that can be executed by a team?

The past decade has seen a significant advance in cyber risk assessment maturity.

What We Should Learn from the Capital One Data Breach. ISACA reviews how learnings presented an opportunity to understand & improve our own security operations.

The prestige of the ISACA Awards Program is evident by the high caliber of recipients who are nominated and selected by their peers. Consider the eight Global Achievement Award recipients honored at North America CACS in 2019.

My recent Journal article on the Internet of Things (IoT) was inspired by an article I read on a botnet takedown that involved the digital recording devices that many people have connected to their television.

Vendor management comprises all processes required to manage third-party vendors that deliver services and products to organizations.

Training is important for marathon runners, but there are a number of specific factors that go into marathon runners achieving their personal best. Take a look at the examples below (and for you non-runners, your COBIT and digital transformation muscles will be exercised soon enough):

While organizations may think that they have done everything needed to prepare for GDPR, they may not have thought about how they arrive at assurance over GDPR, especially considering that being prepared for GDPR is different from having GDPR as part of operations.

Government regulators and representatives of Equifax announced a settlement on penalties and consumer restitution related to the 2017 data breach that exposed sensitive information belonging to 148 million people.

In the 1980's movie Top Gun, the protagonist utters the phrase, “I feel the need, the need for speed!” Peter “Maverick” Mitchell was an F-14 Tomcat pilot, an interceptor jet capable of flying more than twice the speed of sound.

In late December 2018, NIST published a second revision of SP800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

Smart home gadgets have been among the most popular holiday, housewarming and any-occasion gifts for the last few years. Whether it’s an interconnected home security system, a pet camera, or a voice-activated assistant like the Amazon Echo, homeowners and renters alike love having these tech gadgets in their homes.

Stafford Masie, CEO of Google Africa (2006–09) and Non Executive Board Member at ADvTECH, will be the closing keynote speaker at the 2019 Africa CACS conference, to take place 19-20 August in Johannesburg. Masie, an inventor, mentor and keen observer of how to humanize technology, recently visited with ISACA Now to discuss how enterprises in Africa and beyond can take advantage of the major technological forces of the day, such as artificial intelligence and advances in fintech. The following is a transcript, edited for length and clarity:

In his opening remarks to the general session of the Institute of Internal Auditors (IIA) 2018 Midyear Meetings in Orlando (Florida, USA), IIA Global Board Chairman Naohiro Mouri said that throughout his international travels while in office, he rarely heard from audit practitioners about the “pain of automation” despite the oft-cited benefits of automation technologies and their potential to revolutionize the internal audit function.

A recent article about information security challenges in healthcare pointed to the lack of resources many security teams report.

The explosion of DevSecOps has caused a lot of excitement and worry within the cybersecurity community. It is no longer of question of should an organization implement DevSecOps, but rather when and how?

The Information Security Management Systems Certification (ISO 27001:2013) helps organizations prove they are managing the security of clients’ and stakeholders’ information, and can generate the need for three types of vendors: certification body, internal audit and implementation.

For many months, infosec and privacy colleagues alike have been telling me that the FUD (fear, uncertainty and doubt) about the terrifying levels of EU fines under the European Union General Data Privacy Regulation (GDPR) have disappeared from the boardrooms and executive management meetings.

It is said that anything with two heads is a monster. I usually think of this saying when carrying out IT governance reviews, as inclusive governance seems to be a missing link.

Author and journalist Jamie Bartlett will be the closing keynote speaker at the Infosecurity ISACA North America Expo and Conference, which will take place 20-21 November 2019 in New York City. Bartlett recently visited with ISACA Now to discuss his outlook on how technology is reshaping society, beginning with his contention that the internet is killing democracy. The following is an edited transcript of the interview:

On 23 October 1969—just a few months after Apollo 11 landed on the moon—the Electronic Data Processing Auditors Association (EDPAA), later to become ISACA, was incorporated.

Part of growing as a young professional is being willing to continually learn and knowing your education should never stop.

Are you a student or an early-career professional seeking to kick-start your career in tech? Do you feel a bit overwhelmed by the possibilities out there, unsure of yourself, and lacking a clear idea not only of where you'd like to go, but how you can get there?

Every organization has data that is vital for its organizational growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewel.

No corporate executive should feel secure. Every day, we keep hearing about yet another company getting hacked or losing sensitive data.

The time for making predictions about the number of IoT devices in future years and waiting for that time to come is long gone (however, if you really want to know, one source predicts there are going to be 75 billion IoT devices in 2025).

Small and medium-sized businesses (SMBs) lack the resources of a large business, in both finances and personnel, making it more difficult to extract client value from a robust cybersecurity program.

As a follow-up to a blog post previously published by The Mako Group’s Chief Audit Executive, Shane O’Donnell, let’s dig a little deeper into what you should be reviewing when you receive your vendors’ SOC 1, SOC 2 or SOC 3 reports.

As my relationship with ISACA unfolded through various volunteer roles for the past 25 years, I have had the privilege of seeing the organization evolve – through good times and challenging times – just as many of us have experienced in our personal lives and careers.

Unpatched systems represent a very serious IT security threat with potentially extremely important consequences, as documented in a large number of high-profile breaches that exploited known unpatched vulnerabilities.

An individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career.

The nature of risk management has changed over the past 2 decades. Previously isolated IT infrastructures are more connected with the outside world, and organizations face an ever-expanding threat landscape.

Have you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.

CIS Controls Version 7.1, released in April 2019, was developed by Center for Internet Security (CIS), which consists of a community of IT experts.

Managing cyberrisk is critically important for organizations. Interconnectedness, digitization, the focus on utilizing data and providing enhanced client experiences expand the attack surface and expose an organization to increased cyberrisk.

ISACA expert speakers, past board directors and chapter leaders provided insight and new research while ISACA representatives highlighted ISACA certifications and training solutions at Infosecurity Europe 2019, 4-6 June in London.

The US government’s recent efforts to ban the introduction of specific foreign IT vendors’ equipment in government networks is emblematic of the growing concern among organizational leaders posed by global supply chains, highlighting the broad interdependencies between technical and human systems

I was a member of an innovation team because of my expertise in servers, Active Directory and general information security practices.

The MIT CISR Research Forum (Europe), hosted by Heineken, recently was held in Amsterdam. As a partner of MIT CISR, ISACA was represented at the event. Presentation titles on the agenda like “Quick Look: What Is Your Digital Business Model?” by Joe Peppard, “Digitized Is Not Digital” by Jeanne Ross, “Managing Organizational Explosions During Digital Transformation” by Nick van der Meulen, and others, provided a good general sense of what the event would be all about.

It was 150 years ago that Sir Edward Tylor first referenced culture (in an anthropological sense) in his book Primitive Culture.

I’ve reviewed many social media implementations across a large variety of companies and, among the many concerns from a security perspective, is the total lack of due diligence over their selection.

The innovative capabilities of technology – as well as the potency of that technology – is advancing at a remarkable pace, creating new possibilities in today’s digital economy.

It can be surprising for professionals entering the workforce to realize that grades and knowledge is not the ultimate definer of your success.

The value of being an active member in a professional organization such as ISACA cannot be overstated.

Internal auditors are under increasing pressure to add value to what is valued while, at the same time, helping to protect their enterprises from risk such as cyberattacks.

I was always fascinated by the complexity of the technology discipline. The truth is, it’s very broad. ISACA helps to define some of the career pathways for young professionals through its educational resources and certification program. This made me think about where I saw myself adding value to the industry.

ISACA’s 50th anniversary year is about simultaneously honoring our past while visualizing how our professional community will innovate the future. Last week’s experience at our North America CACS conference in Anaheim provided tremendous inspiration on both fronts.

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VOIP-based call function.

Deploying an enterprise resource planning (ERP) system is challenging, and identifying gaps that could lead to risk is one of the most important aspects of stabilization.

While this phrase is not new, it’s now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door.

Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At ISACA’s North America CACS conference Tuesday morning, an executive panel spoke on the past 50 years of tech disruption—and where technology is taking us in the future.

From the days of determining how to secure and derive value from early computers to today’s challenges as organizations enact digital transformation, it has been a remarkable 50 years for ISACA’s professional community.

“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole

On 25 April 2019, Microsoft passed the trillion-dollar market cap threshold and passed Apple as the most valuable company in the world.

Employees and guests can use IoT-based access control for convenient access. Through their mobile device, they can be connected to a facility’s access control through digital ID securely.

Theresa Payton, former White House CIO and a prominent cybersecurity expert, will deliver the opening keynote address at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. Payton recently visited with ISACA Now to reflect upon her time in the White House and provide analysis on how the technology and cybersecurity landscapes have evolved in her time since leaving the role. The following is a transcript of the interview, edited for length and clarity.

Cybersecurity is an endless process of chasing and preventing known attacks; anticipating attacks; and monitoring, alerting, patching, remediating and implementing solutions. It is becoming a maintenance function that trails hackers and other bad actors.

Cyber risk is business risk. Business are digitizing and governments are putting in place policies to promote digitalization and smart-city projects. While this helps citizens and organizations to adopt technology advancement, the continuous increase in cyberattacks, in both frequency and sophistication, pose significant challenges for organizations that must defend their data and systems from threat actors.

Managing projects for the best possible outcome is a bit art and a bit science. From a high-level view, stakeholder management includes: identifying the people that could impact a project, understanding the expectations of the stakeholders and their impact on a project, and developing strategies for effectively engaging the decision-making project stakeholders.

The fast-changing technology and regulatory landscape calls for members of ISACA’s professional community to continually refresh their knowledge and training.

When I produced my auditing Amazon Web Services (AWS) Journal article for volume 3, I was just wrapping up my very first audit against an AWS environment.

Cybersecurity may soon become an issue of higher concern than physical safety. We already share too much personal information online without paying attention.

Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.

Patrick Schwerdtfeger, closing keynote speaker at the GRC Conference 2019, to take place 12-14 August in Ft. Lauderdale, Florida, USA, is a business futurist specializing in technology topics such as artificial intelligence, blockchain and FinTech. Schwerdtfeger recently visited with ISACA Now to discuss how these and other components of digital transformation will reshape the business landscape going forward. The following is a transcript of the interview, edited for length and clarity:

With each highly publicized data breach or cyberattack, it becomes increasingly evident that businesses can’t sit back and hope their security strategy is strong enough to withstand an assault.

In the past 5 years, the cybersecurity agenda has been raised and discussed and in many forums because cyberattacks have been developed for various purposes, and the number of cybersecurity incidents or data breaches have increased dramatically every year.

I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skill gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice.

We are in 2019, and have all witnessed the effects of disruptive start-up companies, the growth and stability of the cloud market, the emergence of CI/CD practices and the simple need for agility. Inversely, there are organizations where none of what I mentioned is happening.

Building automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.

My motivation to pursue ISACA’s CRISC certification was to improve my skills, knowledge and understanding of enterprise and IT risk management.

It’s my favorite week of the year at ISACA – Volunteer Appreciation Week. It is a time when we all reflect on the important and impactful contributions members of our professional community have selflessly made to advance our organization and our industry. It is also a time to invite those who have not yet joined our volunteer corps to participate in ways that align with their interests and availability.

My first job in security – and in fact my first job out of school – was for a biometrics company.

As I begin my time as ISACA’s new chief executive officer, having just completed my first week in the role, one thing continues to impress me – the passion our professional community feels for ISACA.

How many enterprise risk analysis reports must an organization release? A few years ago, I faced this question in light of cost, time and complexity of the solution.

Recently, I celebrated a birthday (no, I am not going to tell you which birthday), and my 6-year-old niece who called to wish me a happy birthday asked me if I was wise now.

Sekou Andrews, a prominent poetic voice performer who blends inspirational speaking and spoken word poetry, will be the closing keynote speaker at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA. Andrews recently visited with ISACA Now, discussing why technology practitioners should also consider themselves to be storytellers and how changes on the technology landscape will lead to “a rediscovery of what it means to be human.” For more of Andrews’ insights on these and other topics, listen to his recent appearance on the ISACA Podcast.

When looking at innovation, it may seem daunting to involve audit properly to protect the organization. With any new effort, there are a lot of unknowns. In traditional project processes, there should be enough time to discover major issues and handle the risk revealed.

It’s important to think about leadership in the cybersecurity realm through the lens of the “lines of defense” model.

Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security.

It’s a wrap. At approximately 7.30 p.m. in New York City on Friday night, the final gavel fell on the negotiations at the 63rd session of the Commission on the Status of Women at United Nations headquarters.

Security improvements are often viewed skeptically, as they always seem to be associated with higher time requirements and rising costs.

In the aftermath of GDPR, the next big change in the IT compliance standards landscape is here. The period of applicability for the new System and Organization Controls for Service Organizations: Trust Services Criteria (SOC2 2017 Trust Services Criteria) has just begun – all SOC2 reports with an examination period ending on or after 15 December, 2018 will have to be issued as per the new standard.

The increasing amount of cybersecurity incidents cause a serious negative impact on enterprises, prompting legislators around the world to explore new policies and regulations.

Your company has decided to adopt the cloud – or maybe it was among the first ones that decided to rely on virtualized environments before it was even a thing. In either case, cloud security has to be managed. How do you go about that?

Billy Beane was one of the first general managers in the history of Major League Baseball to use data to build out a successful team with a fraction of the budget relative to his peers. Like many IT leaders, he had to do more with less.

The theme of last week’s RSA Conference 2019, “Better,” gave ISACA the opportunity to engage with information and cybersecurity professionals on how we collaboratively move the technology field into a better future.

SheLeadsTech was back this week at the United Nations for the 63rd Session of the Commission on the Status of Women to continue the critically important work of empowering women and girls by providing access to social protection and appropriate infrastructure, including technology infrastructure.

We know that phishing attacks are on the rise, but did you know that more and more executives are falling for these phishing emails every day? New phishing campaigns targeting executives are intelligently crafted and difficult to spot.

I live in Austin, Texas, USA, where the bumper sticker quotient is fairly high, although diminishing with every vehicle that comes here from places like Dallas (no offense, Dallas — I don’t have any bumper stickers on my car either). One of my favorites is, “If you’re not appalled, you’re not paying attention.” I’m sure it was written with politics in mind, but it’s absolutely relevant for cybersecurity, too.

It is often said that a good auditor is a good communicator, and this is particularly true when dealing with smaller organizations.

If there were any question about the critically important role that information and cyber security practitioners play in the welfare of today’s society, there is new evidence spelling it out in stark, attention-grabbing terms.

Cybersecurity is a manpower-constrained market – therefore, the opportunities for artificial intelligence (AI) automation are vast.

Don’t look at your device when I ask you this question: How many apps do you have on your smartphone? Or, if you use your tablet more often, how many apps do you have on your tablet? Remember this number or write it down.

Your cybersecurity tools are working, optimized, and providing real, measurable, business value. They are successfully blocking attacks, detecting nefarious activity, and alerting the security team.

A report released in January by the Healthcare & Public Health Sector Coordinating Councils details the need for better security for medical devices, a topic infrequently discussed in healthcare until recently.

My recent ISACA Journal article, “Data Privacy, Data Protection and the Importance of Integration for GDPR Compliance,” describes how the movement and processing of personal data, along with the procedures around those workflows, are central to General Data Protection Regulation (GDPR) compliance.

Digital technologies have profoundly changed our lives, blurring the lines between the digital and physical worlds. From its humble beginnings, the current constellation of tools and technologies that empower organizations has grown smarter.

New highly validated data from 3,305 employers reveals that the average cash market value for hundreds of tech certifications is at its lowest point in four years. Meanwhile, pay premiums for non-certified skills in the same period have gained 6 percent in value on average.

Data Analytics in Internal Audit: State of the Data, 2019. ISACA reviews successful IT auditors can translate complex technical analytics or non-techies.

Last May marked the beginning of the application of the General Data Protection Regulation (GDPR), which harmonized and unified the rules governing privacy in the European Union. Leading up to and following the adoption of the regulation, data protection has been in the focus of attention all around the world

Compliance procedures are notoriously demanding, and European Union General Data Protection Regulation (GDPR) compliance programs are no different.

As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concepts.

Before beginning my career in cybersecurity recruitment, I worked in the female-dominant industry of travel public relations. I was largely oblivious to the challenges of being a female in the workplace because I was surrounded by other strong businesswomen on a day-to-day basis.

Guy Kawasaki, a Silicon Valley-based author, speaker, entrepreneur and evangelist, will be the opening keynoter at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA. Kawasaki recently visited with ISACA Now to discuss some of the themes he will explore at North America CACS, including innovation and entrepreneurship. The following is an edited transcript. For more of Kawasaki’s insights, listen to his recent interview on the ISACA Podcast.

Discover more about 5G and AI: A Potentially Potent Combination. Readapting to 5G and AI integration on smartphones chips for cloud & on-device processing.

Whether from a conformance (compliance) or performance perspective, 2 enterprise governance tasks of particular interest are knowing what questions to ask in the process of performing due diligence and knowing what data and information to request to support the due diligence process.

Women in the Chicago area who are interested in exploring a career path in cybersecurity, particularly those who are underrepresented in the field, will now have the opportunity to join a pilot program launched last week by ISACA, along with AnitaB.org and the City Tech Collaborative.

Blockchain has emerged as one of the most promising technological developments of the past decade.

ISACA’s yearlong 50th anniversary celebration is underway around the globe, and one of the best ways to be part of the global celebration is through social media.

A program called MyHealthEData was unveiled in 2018. Through this program, the US Centers for Medicare & Medicaid Services (CMS) is promoting the adoption of IT environments that allow simpler sharing of health data to outside organizations, as well as better access. The CMS will also allow easier access to claims data by medical beneficiaries.

Nowadays, the term privacy echoes across boardrooms globally, where each country and enterprise races to update its laws and policies to keep up with the need for data privacy controls.

The ISACA Now blog occasionally highlights the impact ISACA certifications have in the evolving business landscape, as well as how certifications have impacted individual members of the ISACA professional community. Today, we profile Marco Schulz, CISM, CISA, CGEIT, CEO at marconcert GmbH (Germany).

For those of us who work in information security, data privacy and governance, we seem to traverse daily from one headline to another. A new corporate victim announces they were breached to the tune of 100 million records.

The turn of the calendar to a new year is always a great time to take pause and reflect. Now that 2019 is in full swing, I wanted to take a quick snapshot of hot topics and trends for the IT audit field in 2019. And just to make sure I wasn’t completely winging it, I checked in with a couple valued industry contacts.

Practical implementation and management of data loss prevention or protection (DLP) solutions or a portfolio of solutions should follow a logical process to ensure the holistic protection of information resources.

I am often asked by women young and old, “Were you intimidated by technology or afraid to start your first job in tech?”

Cybersecurity and its critical role in the global economy – a very interesting topic indeed, and one that is taking center stage this week at the World Economic Forum in Davos after being identified as one of the top five global risks.

A recent report from the British research firm Netcraft showing that 80 US government websites had expired Transport Layer Security certificates during the ongoing US government shutdown rightfully has caused quite a stir, and ISACA members ought to be paying attention.

Like in many professions, the new year is traditionally a time for planning for IT auditors. This year, I am willing to wager that many of your resulting IT audit plans include something to do with the EU General Data Protection Regulation (GDPR).

As the new year begins and business leaders refine their 2019 plans, how to effectively deploy technology increasingly will be a focal point of conversations in the boardroom and elsewhere throughout the enterprise.

Last year was a milestone in the field of privacy as the General Data Protection Regulation (GDPR) put privacy into the spotlight in and outside the European Union.

The cybersecurity profession is facing a shortage of qualified talent to fill an increasing demand for positions, as so many reports inform us. What I find self-fulfilling about our “talent dilemma” is the acknowledged rapid rate of technology change, yet the ongoing quest for specific technical experience and expertise. We seek plug-and-play people to match technology components, rather than individuals with foundational skills and an aptitude and desire to learn changing technology.

The new white paper, Auditing Artificial Intelligence, provides an overview of what AI is, why auditors need to be aware of AI, and how the COBIT 2019 framework relates to AI auditing.

Have you ever wondered just how many ways there are to hack the human mind and just how effective each technique is? I did; so I set about collating all of the techniques for human control and influence:

In today's world, all large and small companies are required to show and prove constant compliance to do or sustain business. The task may be somewhat easy for large companies by hiring more employees to achieve; small businesses do not have the luxury to hire more people at competing rates with large companies as well as reduced revenue.

When ISACA – then known as the Electronic Data Processing Auditors Association – was incorporated by seven Los Angeles area professionals in 1969, “there was no authoritative source of information,” according to ISACA’s first president, the late Stuart Tyrnauer. There was “no cohesive force, no place to turn to for guidance.”

Transformation offers many key benefits, and any enterprise that would like to sustain and grow in this ever-changing, fast-paced world would be subject to the deployment of new systems.