ISACA’s Past, Future Come Together at North America CACS

ISACA Now Blog - 23 May 2019 06:42:25

ISACA’s 50th anniversary year is about simultaneously honoring our past while visualizing how our professional community will innovate the future. Last week’s experience at our North America CACS conference in Anaheim provided tremendous inspiration on both fronts.

I will pay homage to ISACA’s remarkable past later in this post, but I want to start by highlighting a member story that underscores why we have such a bright future. I had the privilege of helping to open the conference by sharing the stage with ISACA board chair Rob Clyde and Kelly Lin, an impressive young professional and board member of ISACA's Los Angeles Chapter. Kelly is a rising leader in the IT audit world and an example of how transformative ISACA can be in our members’ lives.

After our time onstage together, I had a 1-on-1 conversation with Kelly that reinforced how fortunate I am to have become CEO last month of such an outstanding organization. Kelly recalled hearing about ISACA from a professor during her time as a college student in Los Angeles, and attending a career night event with ISACA’s Los Angeles Chapter to find out more. She quickly developed connections with members of the chapter, and even took on leadership roles while still a student.


Those ISACA networking connections paid major dividends once she graduated from college as she learned more about career possibilities in IT audit, transitioning from financial audit. Both of Kelly's first two jobs in the IT field, including her current role as AVP IT Audit Lead with East West Bank, came together through her ISACA network. She also continued to gain valuable early leadership opportunities through the Los Angeles Chapter, adding roles as treasurer, programs chair, conference registrar, volunteer chair and her ongoing service on the chapter board of directors.

“This entire journey, ISACA was there to help me put everything together,” Kelly told me. “It shaped who I am today and also my career because if it wasn’t for ISACA being able to provide that networking platform, I would not have had the opportunity to explore and dive into the world of IT.”

David Samuelson and Kelly Lin

True to ISACA’s mission, Kelly is committed to helping the next wave of rising professionals find their professional footing by working with them to provide leadership opportunities, develop their soft skills and – perhaps most importantly – engage them in dialogue about what they want from ISACA to help them grow their careers. That willingness to “pay forward” the benefits Kelly gained through ISACA is the exact mindset that ISACA will need to be even more impactful in the next 50 years.

How did ISACA and its community arrive at this point, so well positioned to meet the challenges of the present and the future? Another component of my experience at North America CACS offered insight. As part of the 50th anniversary celebration, several past board chairs attended the conference, including one of our founding members, Eugene Frank. It was humbling to spend time with these visionary leaders and listen to how meaningful ISACA has been in their lives, both personally and professionally. Each had such genuine passion in their voices as they recounted highlights from their leadership roles, some of them from the era when ISACA was known as the EDPAA. Hearing these reflections, it is easy to understand how ISACA has blossomed from Eugene and a handful of his associates in the Los Angeles area in 1969 to become the thriving global association of more than 140,000 members today.

Certainly the growing importance of leveraging technology for organizations around the world has aided in ISACA’s ascent. However, it is clear our greatest resources are the women and men who supplied their visionary wisdom and boundless passion to the organization – the true catalysts of ISACA’s first 50 years and continuing into the future. From Eugene Frank to Kelly Lin, and all of our purpose-driven professionals in between, ISACA has provided the learning network to further great individual accomplishments, strengthen our professional fields of interest, and set in motion lifelong relationships with treasured colleagues.

As Kelly, Rob and I concluded our time onstage in Anaheim, we led a record-setting North America CACS crowd in wishing ISACA a happy 50th birthday. In that spirit, my birthday wish for our professional community is for all of us to build upon the passion that our past leaders have poured into this organization, and to join in Kelly’s pledge to mentor and support the technology professionals of the future.

There is no better way to honor our past than by committing to work together toward an even more promising future.

Category: ISACA Published: 5/23/2019 12:03 PM
Category: ISACA

Internal Audit Should Take Multifaceted Approach to Robotic Process Automation

ISACA Now Blog - 22 May 2019 04:22:21

In the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.

There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.

  • First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
  • Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity – all are critical operational procedures that should be defined prior to utilizing any bots in production.
  • Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.

As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.

  • At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
  • Any audit testing that internal audit performs involving calculations, variance analysis, and reconciliations are prime candidates to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.

My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.

RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.

Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.

Category: Audit-Assurance Published: 5/22/2019 3:02 PM

A Deeper Look Into the WhatsApp Hack and the Complex Cyber Weapons Industry

ISACA Now Blog - 21 May 2019 05:46:07

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VOIP-based call function.

The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from the logs. Device hacks that don’t require victim participation, such as clicking a weaponized hyperlink, are difficult to fend off and dramatically alter the game.

According to the report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defense contractors or niche malware developers.

These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure; influence elections; jam airwaves to silence opposition; and spy on journalists, dissenters, suspected terrorists and a wide array of targets. According to research, the global cyber weapons market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.

When we dig deeper into factors that have spurred the exponential rise in the cyber weapons market, three insightful answers emerge. At the root of this predicament is the rapid shift in defense policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own. As a 2013 article highlighted, “A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.”

Back in 2017, US defense chiefs, via a joint statement to the US Senate Armed Services Committee, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and other high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasized.

Secondly, and perhaps the most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. As one of the co-authors of this blog post wrote in his book, The Five Anchors of Cyber Resilience, international cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system invariably pale.

Granted, there have been sporadic efforts to address this void. In 2018, Antonio Guterres, the United Nations chief, issued a withering assessment, saying, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare; it is not clear how the Geneva Convention or international humanitarian law applies to it.”

History also is a guide. At the 2015 G20 summit held in Belek, Antalya Province, Turkey, G20 leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it represented only form, not substance. It did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.

Third, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into wrong hands. The NSO Group, for instance, claimed that its program is licensed to authorized government agencies “for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control on how and when that software is used. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as the NHS hospitals in the UK, resulting in billions in damages. Further compounding an already grave situation, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”

What’s at stake here is innovation, peace and human development. Hacker incursions into critical infrastructure such as WhatsApp, which connects more than a billion people across more than 180 countries, can negatively alter consumer trust – derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent Time article, “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”

About the authors

Phil Zongo is a director and co-founder of, an enterprise that develops the next generation of cyber leaders. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders. Zongo has won multiple industry awards, including the respected 2017 ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS audit, control and security.

Darren Argyle is a non-executive director and co-founder of, an enterprise that develops the next generation of cyber leaders. He is a former Group Chief Information Security Officer (CISO) at Qantas Airlines. Argyle was named in the top 100 Chief Information Security Officers globally in 2017 and in the top 100 Global IT Security Influencers in 2018 by the SC Magazine. He was recently appointed Ambassador for the Global Cyber Alliance in recognition of his collaborative work advising small businesses on critical measures they can apply to defend against cyberattacks. He has nearly 20 years of experience in international cyber risk and security, with broad expertise in providing hands-on leadership, strategic C-level and board direction, and cybersecurity program execution.

Category: Security Published: 5/21/2019 10:45 AM

The Role of Incident Management in Identifying Gaps During Stabilization Period

Journal Author Blog Posts - 20 May 2019 23:25:14

Deploying an enterprise resource planning (ERP) system is challenging, and identifying gaps that could lead to risk is one of the most important aspects of stabilization. In my recent ISACA Journal article, I discuss how we can optimize incident management and use it to identify such gaps and risk factors at an early stage to take corrective action.

Here are some key points that any enterprise should consider during the stabilization period:

  • Channel for end users to report issues—A robust process for end users to log issues would generate comfort and provide confidence that issues are routed to the right contacts for timely resolution.
  • Structure of incident management—Ease of logging issues, timely triaging the incidents to the right teams and assigning a level of priority are the fundamentals of a good incident management process.
  • Grading of incidents—The number of incidents that may be encountered could be high, hence, a mechanism to grade and accord priority would optimize resources that are assigned to deliver resolution.
  • Review of incidents—Monitoring of number of incidents and the analysis of such incidents could reveal critical design gaps that could have a long-term impact on an organization’s process, and it could reveal governance issues.

In many of the deployment projects that I have been part of, incident management has not only aided in identifying gaps for early resolution, but also provided a mechanism to avoid a potential control and governance issue at a later date.
Read Rajul Kambli’s recent Journal article: “Incident Management for ERP Projects,” ISACA Journal, volume 3, 2019.

Category: Risk Management Published: 5/20/2019 3:06 PM Author: Rajul Kambli, CISA, CMA

Securing Major League Baseball - On and Off the Field

ISACA Now Blog - 16 May 2019 02:41:11

Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The session traced the rise in prominence of security in baseball, from the days when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

MLB works with numerous partners, which is often where the most challenging security considerations come into play. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

"There's just a vast amount of partners we work with to pull this off - 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams," Boland said. "There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe."

Recognizing the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyberattacks, standardizing the security stack and integrations. A vastly increased use of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

"We wanted to raise the bar a lot higher," Boland said. "We wanted to be faster than the next guy running from the bear."

Boland encouraged session attendees to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

"Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect," Boland said.

Unlike the sport’s signature rivalries, such as the Red Sox and Yankees or the Cubs and Cardinals, cybersecurity requires everyone to be on the same team, Boland emphasized, adding that it is important to share information on cyber threats.

"I ring the bell, and I think that's really important to do, because we're all in this together," Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.

Category: Security Published: 5/15/2019 2:31 PM

Controls in the Cloud – Moving Over Isn't As Easy As Flipping a Switch

ISACA Now Blog - 15 May 2019 22:53:49

Lift and shift.

While this phrase is not new, it’s now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, proper care needs to be taken. Assuming everything is the same can be a fatal mistake, one that is happening on a regular basis.

From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures. Organizations do not often have the budget, time, or expertise to build their own on-premise data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks as a control to protect from a leaky roof, anyone?). Even the most advanced data centers we see on premise do not match those of the large cloud providers.

What hasn’t changed
Requirements and basic control concepts have not changed as the proliferation of cloud infrastructure unfolds. User access, change management, and firewalls are all still there. Control frameworks such as COBIT, ISO 27001, NIST CSF, and the CIS controls still apply and have great value. Sarbanes-Oxley controls are still a driver of security practices for public companies.

What has changed
How the controls of the past are performed has changed upon moving to the cloud. Here are some common examples:

Security administration is more in-depth. Some of the most high-risk access roles in organizations, admin rights, are a main target of malicious actors. Handling admin rights in the cloud is different and needs proper due care. Knowing which roles are administrative in nature can be confusing, so it’s important to implement correctly from the start. Separation of duties in relation to key administration and key usage is essential. Having the proper tools to administer access can be daunting. Don’t assume your cloud provider will guide you through all these intricacies; plan ahead.

Perimeter security has changed. While layered security always has been important, it becomes even more important in the cloud. Recently, several news stories have appeared where breaches occur due to things like “containers being exposed to the internet” with a large cloud provider’s name associated. At first blush, I have heard most people blame the cloud provider, but most often these breaches are the cloud customer’s fault. Some important items to think about are proper DMZs for critical and/or regulated data, firewall configurations, and proper restriction of admin rights to those resources.

Securing connectivity becomes more important. Servers and other hardware won’t be sitting down the hall when moving infrastructure to the cloud. Access will almost always be remote, thus creating new security challenges. Understanding all ingress and egress points is essential, as is putting proper controls around them.

Encryption. Encrypting data will be a top concern for many organizations, as the data is now “somewhere else.” The good news is the native encryption tools of many large cloud providers are advanced, and most times data at rest can be automatically encrypted using a strong algorithm. This is a huge step up right off the bat for many companies. Because encryption is so important in the cloud, key management becomes a high-risk control. Policies, procedures, and controls around key management need to be well-thought-out.

Fear not, it’s not all bad!
While some challenges may be present as outlined above, moving to the cloud is most often a great move for an organization. Improved security, improved performance, and cost savings are only a few benefits of a cloud migration. Multiple frameworks exist to provide a secure path to cloud adoption, so organizations are not approaching this “blind.” A cloud security framework can guide you through the process of secure adoption and also provide assurance over cloud adoptions you have already performed. We are helping clients in all industries with these cloud migrations/adoptions and have some great perspective on dos, don’ts, and best practices.

Editor’s note: For more cloud-related insights, download ISACA’s complimentary new white paper, Continuous Oversight in the Cloud.

Category: Risk Management Published: 5/16/2019 3:00 PM

The Evolution and Power of Disruptive Technology: Insights From an Executive Panel at NA CACS

ISACA Now Blog - 15 May 2019 02:49:42

At ISACA’s North America CACS conference Tuesday morning, an executive panel spoke on the past 50 years of tech disruption—and where technology is taking us in the future.

Technology has truly democratized society, according to the panelists.

“I want to impress on everyone how easy it is to disrupt technology today and how little knowledge you need in order to do it,” panelist Jed Yueh, founder of Avamar and author of Disrupt or Die, told the audience. “You can go from idea to building a company in very little time, and there are so many resources available.”

As an example, consider how long it took college student Mark Zuckerberg to effectively transform the world and how we interact socially. He coded Facebook in one week—and he wasn’t even an engineer.

Joining Yueh on the panel were:

  • Kim Bollin, Vice President of Internal Audit at Workday
  • Ken Venner, Former CIO of SpaceX
  • Jenai Marinkovic, CTO and CISO of Beyond
  • Moderator Thomas Phelps IV, vice president of corporate strategy and CIO of Laserfiche

The panelists looked at industry predictions—both those that came true (the 1980s prediction that “decisions can and will be made by artificial intelligence, by computers grown large or very small like a pocket encyclopedia”) and those that fortunately never materialized—including Ken Olson’s 1977 statement, “There is no reason anyone would want a computer in their home” and an ISACA (then the Electronic Data Processing Auditors Association) prediction that said, “Many members will leave the association if the name is changed from the EDPAA to ISACA.”

They also shared what they believe to have been the most disruptive technologies invented in the past decades. Among the responses:

  • The internet—It has democratized information and transformed the ability to transfer data
  • Social—We can take the collective minds of humanity and bring them together on social. The privacy considerations are daunting, but while consumers say they absolutely want privacy, they rarely hold companies accountable when that privacy is breached.
  • Mobile—We are now living in an always-on world.
  • Cloud—We’ve taken the expense away and enabled accessibility for so many organizations, regardless of size and budget.

The executives also looked at future challenges and opportunities, such as:

  • AI—How do you secure it? But even more importantly, what do you do if the data is laden in bias? If data or systems are biased, there are going to be serious social issues. AI is personalized in many ways. If a system has assumptions about certain races, for example, people’s livelihoods could be at risk.
  • Retail disruption—Amazon is considering a model shift from shop and ship to ship and shop—where predictions are made about what you want and need, and you pay after receiving the items.
  • Blockchain—The benefits are a more trusted, online, portable identity you can take with you everywhere—but there are still security issues and risks inherent with blockchain.
  • Quantum computing—The implications and knowledge needed to understand a totally new technology stack are huge.
  • The need to shift to data-centric organizations—Consider Disney, which has long been an entertainment, theme park and merchandise company. They are increasingly creating content and capturing data, and becoming truly data-centric.

Technology has truly changed the way we live and work for the past 50 years in which ISACA has been in existence—and the pace of change is only getting faster.

Where do you think technology will take us over the next decade?

Category: ISACA Published: 5/14/2019 2:13 PM

A Spectrum of Professions: ‘The World Needs Us’

ISACA Now Blog - 14 May 2019 04:10:46

From the days of determining how to secure and derive value from early computers to today’s challenges as organizations enact digital transformation, it has been a remarkable 50 years for ISACA’s professional community. That trajectory came into focus Monday during the 50th anniversary-themed “Spectrum of Professions” panel, part of ISACA’s 2019 North America CACS conference in Anaheim, California, USA.

Moderator Marios Damianides and panelists Kelly Lin, Jenai Marinkovic, Dean Kingsley, Paul Regopoulos and Andrew Tinseth took a decade-by-decade look at the advancement of technology before sizing up the challenges faced by governance, audit, risk and security professionals now and in the future.

“There’s been a lot of change in the past 50 years, and there’s going to be a lot more,” said Damianides, a past ISACA board chair. “The beautiful thing is we’ve been able to remain relevant.”

While much has changed in the realm of computers, information systems and technology – the panelists nostalgically recalled using Commodore 64s, early Apple computers and a range of other outmoded devices – Regopoulos emphasized some of the principles that have endured over the decades.

“There’s always going to be change, whether it’s a new topic, a new tool, a regulation, whatever it may be,” said Regopoulos, senior manager, information security audit, with The Walt Disney Company. “The fundamentals are always going to be what are the risks associated with them, and how do we respond?”

Kingsley, principal with Deloitte & Touche, said today’s professionals are uniquely positioned at the intersection of risk/governance and technology. While pursuing a technical career track in areas such as audit or cybersecurity is a viable option, being mindful of the broader implications of technology on businesses, the economy and society can also make for exciting career options, he said.

“If you think about yourself first and foremost as a risk and governance professional who happens to focus on technology, I think that gives you so many options,” Kingsley said.

On the career progression front, Marinkovic said that those in attendance at the conference are logical candidates to advance into high-impact organizational roles such as chief information security officer and chief technology officer.

“The reason is that no one knows the business – the intersection of business and technology – better than auditors and better than security people,” Marinkovic said.

Citing the proliferation of sensors and the rise of artificial intelligence, Marinkovic finds the growing interplay between technology and biological systems intriguing. She said there could be valuable lessons to be learned from a renewed focus on science.

“I would say it’s time for us to go back to our high school biology and start studying because there are a lot of things the natural world can teach us about this new world that we’re about to go into,” Marinkovic said.

Lin, AVP IT Audit Lead with East West Bank, said adaptability will be essential to excel amid the shifting technology landscape, providing the example of IT auditors needing to be able to add auditing cybersecurity to their traditional skill sets.

In his closing comment, Kingsley noted some of the major technology-related risks threatening society, and called on attendees to be part of the solution.

“Be brave and have an opinion,” Kingsley said. “It’s our time in the sun. … The world needs us. There’s never been a better time to be in this profession.”

Category: ISACA Published: 5/13/2019 3:00 PM

IT Audit: Stay Relevant or Perish

ISACA Now Blog - 11 May 2019 05:13:13

“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole

The title and the quote above say it all, and they fit the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.

An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:

  • IT security and privacy/cybersecurity
  • Data management and governance
  • Emerging technology and infrastructure changes—transformation, innovation, disruption
  • Resource/staffing/skills challenges
  • Third-party/vendor management

Let us discuss in detail every challenge and the ways to get ahead of them:

IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of Things (IoT) devices being connected together, and with more than 56 percent of the global populace (almost 4 billion users) connecting to the internet, the volume of cybercrimes and threats is going to accelerate at an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.

Establishing a strong cybersecurity culture would help IT auditors in tackling this menace, although this alone may not suffice. Businesses need to move with advances in technology to remain competitive. IT audit, as ISACA has often pointed out, needs to play an enabling role: rendering its assurance function in a manner that helps organizations conduct their operations in a seamless and secure way while remaining compliant with the applicable regulations.

To achieve this, IT auditors have to stay on top of new technologies such as cloud, virtualization, big data analytics, AI and robotics, the threats associated with them, and newly evolving threats, as well as knowing how to remediate them in a timely and cost-effective way. In addition to performing these difficult tasks, they also need strong communication skills so that leaders and business stakeholders understand the risk and, in turn, support the IT auditors in their work.

Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT Auditor it is a twin challenge, first to assess how the organization uses the big data for its decision-making, where it stores the data, and how it achieves the CIA triad. Secondly, in the case of fraud detection, the challenge becomes how to harness the big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally it calls for skills in data science and analytics to handle these tasks and, as these are evolving technologies, the skillsets are difficult to find in the market.

Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of whether people support it. In other words, technological advancement is inevitable, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”

Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.

Resource/staffing/skills challenges
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.

Third-party/vendor management
This challenge arises from the digital transformation that enterprises around the world are pursuing. As a result, organizations increasingly turn to cloud and other third-party services, which introduces third-party or vendor risk. Auditors need to help businesses mitigate this risk and achieve their strategic objectives in a cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly up to date on the latest threats and to possess the counter-intelligence needed to prevent and contain cybercrimes.

IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.

Author’s note: The views expressed in this article are the author’s and do not represent those of his organization or of the professional bodies with which he is associated.

Category: Audit-Assurance Published: 5/13/2019 3:23 PM

Driving or Driven by Disruption: The AI Maturity Model

ISACA Now Blog - 9 May 2019 02:18:17

On 25 April 2019, Microsoft passed the trillion-dollar market cap threshold and passed Apple as the most valuable company in the world.

Almost a year earlier, Satya Nadella, Microsoft’s CEO, talked about a new world vision that has helped propel the organization’s cloud and revenue growth. “It's amazing to think of a world as a computer,” Nadella said, referring to a planet filled with smartphones, Internet of Things devices and cloud computing.

And in a world that is a computer, Nadella has put AI at the heart of Microsoft’s business strategy: “AI is the run-time which is going to shape all of what we do going forward in terms of applications as well as the platform.”

The three dominant cloud vendors—Microsoft, Amazon and Google—are all aggressively selling AI offerings to enterprises today, weapons providers for a technology arms race. And by the looks of Microsoft’s latest earnings report for the second quarter of 2019, the strategy is working, led by phenomenal 76 percent Azure revenue growth.

Today, product teams can quickly take advantage of natural language processing (NLP), image recognition, machine learning, deep learning and a range of other AI services available in all the major clouds. Companies can add these technologies to their web sites, internal operations, applications and products—all imbued with the limitless speed and scalability of modern clouds.

With so much focus and availability of AI technologies, it’s important to understand how companies are positioned when it comes to AI—perhaps the most disruptive technology wave since the internet itself.

Companies embarking on AI projects and opportunities can be classified according to an AI maturity model.

At Level I, companies run AI programs that drive operational efficiency. These are the “dabblers” – companies that drive tens of billions in revenues a year but save only a couple of million using AI to automate tasks previously done by human employees. Level I companies generally apply AI to internal opportunities with a clear cost-benefit analysis, like call center automation, and use AI services like NLP along with robotic process automation (RPA) to eliminate manual, repetitive work.

At Level II, companies run AI programs to drive significant earnings or revenue impact. These are the “practitioners.” They layer machine learning through their businesses and use it to transform user experience and customer value. They reimagine digital and even physical products with AI services, adding value and improving interactions at every turn.

At Level III, companies run AI programs that drive industry change and transformation. This is often the domain of big tech—the “experts.”

Facebook determines what we see in our feeds with AI. Apple uses AI and AI chips to power marquee iPhone features like Face ID and Siri. Microsoft, Amazon and Google sell their AI services to arm the rest of the world.

But companies in every industry have an opportunity to remake their worlds with AI technologies. Here are some questions to ask when you look at your internal AI initiatives to determine your level of AI maturity:

  • Are you applying AI to a practical, internal project, with a clear target benefit? Then you are operating at Level I.
  • Are you layering AI throughout your business, making a material difference in user experience, growth, revenues, or earnings? Then you are operating at Level II.
  • Are you designing products that will redefine the future of your industry? Then you are operating at Level III.

If you haven’t started AI programs at all, you are at Level 0, and already falling fast behind the rest of the world.

In 10 years, the leading companies in nearly every industry will have taken full advantage of AI technologies to redefine their industry and solidify their positions. Companies need to use AI to drive disruption or will have competitors drive them to disruption.

Editor’s note: Jedidiah Yueh will be part of the “From Disruptive to Daily Dependence: 50 Years and Future Tech” panel on Tuesday, 14 May, at ISACA’s 2019 North America CACS conference in Anaheim, California, USA.

About the author: Jedidiah Yueh is the bestselling author of “Disrupt or Die,” a book that refutes conventional ideas on innovation with proven frameworks from Silicon Valley. Prior to his book, Jed put his frameworks to the test, leading two waves of disruption in data management, first as founding CEO of Avamar (sold to EMC in 2006 for $165M). Avamar pioneered data de-duplication and generated over $4B in cumulative sales. After Avamar, Jed founded Delphix, which accelerates enterprise data delivery for over 30% of the Global 100. In 2013, the San Francisco Business Times named Jed CEO of the Year. Jed has over 30 patents in data management and graduated Phi Beta Kappa, magna cum laude with a degree in English from Harvard.

Category: ISACA Published: 5/9/2019 10:13 AM

The Features and Challenges of IoT-Based Access Control

ISACA Now Blog - 8 May 2019 03:48:06

IoT-based access control gives employees and guests convenient access: a digital ID held on their mobile device connects them securely to the facility’s access control system.

The IoT is a network of devices connected through the internet that can communicate with each other without human intervention. Each device on the network is assigned a unique address for communication, and devices are paired with sensors so that an event can trigger an action.

In an IoT access control system, each lock, access controller, card reader and other associated device is assigned a unique IP address through which the devices communicate with one another. The devices connect over wireless networks to the mobile or management application, and an alert is raised in that application when malicious activity is detected in the system. An authorized mobile device is admitted on the strength of the digital credential it presents to the controller; its IP address identifies it on the network but is not proof of identity, since addresses can be spoofed or reassigned.

Here is a closer look at the features and challenges of IoT-based access control:


  • Indoor wayfinding. Users can benefit from indoor wayfinding and their accessibility options can be seen on their mobile devices.
  • Secure access control. Access credentials are easy to manage and update. Doors can be opened from a distance.
  • Instant confirmation. Users can get instant confirmation of access requests.
  • Convenient interaction. It provides easy interaction with other users and also provides location details to users.
  • No physical ID. No physical badge is required, so the risk of a badge being lost or stolen is removed; the mobile device and the credential stored on it become the asset to protect instead.
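As an added example, not code from the original post or from any product it describes, here is a compact model of the credential exchange a door controller should run so that a mobile credential, rather than a network address, is what grants entry: the controller issues a random challenge, the phone answers with an HMAC under a per-credential key, and the controller recomputes that key from an issuer key it shares with the credential server before enforcing expiry, door scope and a revocation list. The issuer key, the key-derivation scheme, the JSON credential layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

# Hypothetical issuer key shared by the credential server and every door controller (constructed).
ISSUER_KEY = hashlib.sha256(b"constructed example issuer key, not a real secret").digest()


def derive_device_key(issuer_key: bytes, credential: bytes) -> bytes:
    """Bind a per-credential key to the exact credential bytes; altering the credential changes the key."""
    return hmac.new(issuer_key, credential, hashlib.sha256).digest()


def issue_credential(issuer_key, subject, doors, not_before, not_after):
    """Credential server side: returns the credential and the secret key provisioned to the phone."""
    credential = json.dumps({"id": os.urandom(8).hex(), "sub": subject, "doors": sorted(doors),
                             "nbf": not_before, "exp": not_after}, sort_keys=True).encode()
    return credential, derive_device_key(issuer_key, credential)


class MobileCredential:
    """The phone app: holds the credential and its key and answers challenges without revealing the key."""

    def __init__(self, credential, device_key):
        self.credential, self.device_key = credential, device_key

    def respond(self, door_id, challenge):
        return hmac.new(self.device_key, door_id.encode() + challenge, hashlib.sha256).digest()


class DoorController:
    """The lock side: verifies the challenge response, then enforces expiry, door scope and revocation."""

    CHALLENGE_TTL = 30  # seconds a challenge stays valid

    def __init__(self, issuer_key, door_id):
        self.issuer_key, self.door_id = issuer_key, door_id
        self.revoked = set()   # credential ids pushed down by the management application
        self.pending = {}      # outstanding challenges -> time issued

    def challenge(self, now):
        nonce = os.urandom(16)
        self.pending[nonce] = now
        return nonce

    def unlock(self, credential, challenge, response, now):
        # A challenge is single-use: popping it here is what defeats replay of a sniffed response.
        issued = self.pending.pop(challenge, None)
        if issued is None or now - issued > self.CHALLENGE_TTL:
            return False, "unknown or stale challenge"
        # Verify before parsing: only the issuer can derive this key for these exact bytes.
        expected = hmac.new(derive_device_key(self.issuer_key, credential),
                            self.door_id.encode() + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False, "response does not match credential"
        try:
            claims = json.loads(credential)
        except ValueError:
            return False, "malformed credential"
        if claims["id"] in self.revoked:
            return False, "credential revoked"
        if not claims["nbf"] <= now < claims["exp"]:
            return False, "credential expired or not yet valid"
        if self.door_id not in claims["doors"]:
            return False, "door not permitted"
        return True, f"unlocked for {claims['sub']}"


def demo():
    """Walk through a normal unlock, a replay, a tampered credential, a wrong door, expiry and revocation."""
    credential, key = issue_credential(ISSUER_KEY, "kelly", ["lobby", "server-room"], 1000, 2000)
    phone = MobileCredential(credential, key)
    lobby, vault = DoorController(ISSUER_KEY, "lobby"), DoorController(ISSUER_KEY, "vault")
    results = {}
    c = lobby.challenge(1500)
    r = phone.respond("lobby", c)
    results["normal"] = lobby.unlock(credential, c, r, 1500)
    results["replay"] = lobby.unlock(credential, c, r, 1501)          # same response again
    c = lobby.challenge(1502)
    forged = credential.replace(b'"sub": "kelly"', b'"sub": "mallory"')
    results["tampered"] = lobby.unlock(forged, c, phone.respond("lobby", c), 1502)
    c = vault.challenge(1503)
    results["wrong_door"] = vault.unlock(credential, c, phone.respond("vault", c), 1503)
    c = lobby.challenge(2500)
    results["expired"] = lobby.unlock(credential, c, phone.respond("lobby", c), 2500)
    lobby.revoked.add(json.loads(credential)["id"])
    c = lobby.challenge(1600)
    results["revoked"] = lobby.unlock(credential, c, phone.respond("lobby", c), 1600)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10} {'ALLOW' if ok else 'DENY':5} {why}")
```

Because the per-credential key is derived from the exact credential bytes, any edit to the credential (adding a door, extending the expiry) breaks verification, and because each challenge is consumed on first use, a response captured on the wireless link cannot be replayed. Revocation is a controller-side list, which is what makes credentials "easy to manage and update" without touching the phone.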


Category: Security Published: 5/8/2019 3:00 PM

The Importance of Cyberresiliency

Journal Author Blog Posts - 7 May 2019 01:14:59

Cybersecurity is an endless process of chasing and preventing known attacks; anticipating attacks; and monitoring, alerting, patching, remediating and implementing solutions. It is becoming a maintenance function that trails hackers and other bad actors.

Cyberresilience refers to the ability to constantly deliver intended outcomes despite negative cyberevents. It is keeping business intact through the ability to effectively restore normal operations in the areas of information systems, business functions and supply chain management. In simple terms, it is the return to a normal state.

Cyberresiliency is the ability to prevent, detect and correct any impact that incidents have on the information required to do business. Examples of the enterprise cyberresiliency goals are:

  • Anticipate—Stay informed and ready to expect compromises from adversary attacks.
  • Withstand—Continue the enterprise’s mission-critical business operations despite a successful attack by an adversary.
  • Recover—Restore mission-critical business operations to pre-attack levels to the maximum extent possible.
  • Evolve—Change missions/business functions and/or the cybercapabilities that support mission-critical business operations to minimize adverse impacts from actual or predicted adversary attacks.

Cyberresiliency has progressed to enable enterprises to withstand and rapidly recover from cyberattacks whose criminal intent is to harm, cripple or extort the enterprise. Cyberresiliency is a board-level responsibility with high business content. It is based on initiatives under the auspices of corporate governance, enterprise cyberprograms and the supply chain network.

The trend and severity of serious cyberbreaches underscores the fact that enterprises will face a serious breach with intent to harm. The organization and its board of directors (BoD) ought to, in anticipation of such an attack, plan how to withstand it, rapidly recover from it, and how to evolve to reengineer its business and cybersecurity processes.

It is the enterprise’s responsibility to evaluate and measure its current state of cyberresiliency and how to transform itself to strengthen its cyberenvironment to withstand serious cyberthreats.

A methodology was developed to build a cyberresiliency decision model (CRDM). It quantifies and compares the degree of impact of each proposed cyberresiliency initiative on any of the enterprise-stated goals and objectives and develops a road map to the containment of the threats.

Determining the portfolio of cyberresiliency investment and the realized value of such initiatives is highly correlated with an organization’s willingness to articulate the following:

  • The risk of potential costs of security incidents that the enterprise is willing to bear
  • The level of risk that the enterprise is willing to accept when running its business
  • The enterprise’s recognition that investment in cyberresiliency ought to be mapped and prioritized to the desired outcome and types of threats.

Read Robert Putrus’ recent Journal article:
“Enterprise Transformation to Cyberresiliency,” ISACA Journal, volume 3, 2019.

Category: Security Published: 5/6/2019 3:34 PM Author: Robert Putrus, CISM, CFE, CMC, PE, PMP

ISACA-Infosecurity Keynoter Theresa Payton: Design Security for Humans

ISACA Now Blog - 4 May 2019 01:07:34

Editor’s note: Theresa Payton, former White House CIO and a prominent cybersecurity expert, will deliver the opening keynote address at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. Payton recently visited with ISACA Now to reflect upon her time in the White House and provide analysis on how the technology and cybersecurity landscapes have evolved in her time since leaving the role. The following is a transcript of the interview, edited for length and clarity.

ISACA Now: Are there aspects of working as White House CIO that you miss? What might those be?
Working at the White House was truly like no other experience I’ve had – it was thrilling and ever-changing. The nature of the work is one thing, but when you add to it the fast pace with the rapid advances in technology during my tenure, it made supporting the mission of the White House exciting and challenging, to say the least! I enjoyed that pace and that mission, and do still miss it. I also miss the talented staff that I worked with, many of whom still serve today.

ISACA Now: How different would that White House CIO role be if you started today as opposed to in 2006, from a technology standpoint?
I was CIO at the White House from 2006-08, right at the beginning of the social media revolution, Internet of Things devices, and the first iPhone released in 2007. It was a fabulous time for integrating digital transformations while still maintaining high levels of operational stability, resilience, and security. We were laying the groundwork for today's cybersecurity.

Moreover, while cyber criminals have been active since technology has existed, it’s the pervasiveness and creativeness of cyber criminals that differs today. Anyone with a laptop and $20 can buy a ransomware kit on the dark web, so the access to malicious tools and the ability to learn how to use them has never been this easy to do. The attacks for 2019 and beyond will be both nation-state sponsored as well as attacks sponsored by criminal groups and hacktivist groups. The past attacks of 2016-2018 provide a barrage of alarming wake-up calls. The slowdown and widespread unavailability of the internet in the US and parts of the EU on 21 October, 2016 due to the DDoS attack against cloud services host provider, Dyn, reminded us of the fragility of the internet infrastructure we rely upon.

The disturbing trend of an increasing number of nation-states with more advanced cybersecurity capabilities continues to threaten destabilization across the globe from a national security and economic security perspective. However, there is also an increased ability for a relatively unsophisticated threat actor to be successful within the cyber domain. The reason for this is twofold. First, the increasing availability of automated hacking tools in the public domain provides the ability for individuals or groups of individuals with a basic set of skills, or just financial means to buy their way in, to achieve success. Second, the increasing availability of elastic computing infrastructure provides attackers with the ability to design and deploy relatively sophisticated attack infrastructures with ease.

ISACA Now: What are the most important components of successful incident response?
The most important thing when considering incident response to a cyber incident is the upfront planning before something bad happens. Without proper preparation, your company could be utterly non-functioning for days or weeks. Ensuring that you have the correct backups in place to restore your systems and making sure that all employees know the proper protocols and chains of command makes an already stressful situation much better. Storing logs for the correct amount of time and capturing the right elements of information is crucial to determining who has attacked you, how they got in, if they are still there, and how catastrophic the incident will be to your company's operations and reputation. Digital forensics also is essential because you can review the logs and facts as to what happened to prevent another attack.

The reality is that business execs can’t outspend the issue – it’s an IF not a WHEN – and they must be prepared. Cybersecurity no longer is something that can exist in a vacuum. It must be elevated to the board level and given a seat at the table. Companies can face extreme backlash and brand reputation issues if they mishandle a cyber breach. Conversely, companies that handle a breach well can not only rebound, but grow.

ISACA Now: Privacy is another of your major areas of interest. Do you sense that GDPR and other similar regulations that are being enacted will have the intended impact of more responsible data privacy and data governance?
A big fear I have is that regulation is often onerous and expensive to implement, the money spent on regulation prevents start-ups from entering the space, and it’s money diverted away from R&D. To date, the US Congress has kept legislation “technology-neutral.” If legislation were to pass and be signed by the President, technology companies would owe consumers certain legal duties for the first time. That’s an incredible first step. What I'd like to continue to see is a culture change in big tech that consistently prioritizes consumers. That will require a close partnership between big tech, public officials and users of technology.

ISACA Now: What do you consider to be the most pressing challenges for cybersecurity professionals as we move forward?
Cybersecurity approaches and plans are evolving, and so are the tactics of cybercriminals. Cybersecurity professionals need to know as much as they possibly can about cybersecurity, and I highly recommend that they stay a constant student of their profession. We are seeing more and more cyber professionals have responsibility for the business side of security, not just the technical side of the matter. I’d encourage all cyber professionals to know the strategic business priorities of their organization and how security relates to those priorities. Several years ago, cybersecurity was seen as only a technical issue – and while that’s still true – cybersecurity is more than anything a brand issue. Cyber professionals must acknowledge the significant implications an adverse event can have on a company’s reputation and do everything in their power to balance implementing technologies and to create interoperability while also fending off cybercriminals.

We must design security for the human. They can’t enact these processes and procedures that are so complex that regular, non-tech employees find ways around them. You have to figure out where your company stands on the secure-ease of use continuum, and go from there. For example, many of us have installed child-proof or safety items in our houses for toddlers or pets, yet we still tell them, “Don’t touch this.” But, just in case they do, we have designed safety features into your house with them in mind. We must build the same security safety nets into our work and daily lives. Design them for your employees and for yourself. Just know they will use free WiFi, they will recycle passwords, they will respond to emails that are tricking them into giving up information – they will break all the security rules because they are not security employees.

Category: Security Published: 5/6/2019 3:02 PM

Putting Cyber Threat Intelligence Feeds to Good Use

ISACA Now Blog - 3 May 2019 02:45:21

Cyber risk is business risk. Businesses are digitizing, and governments are putting policies in place to promote digitalization and smart-city projects. While this helps citizens and organizations adopt technological advances, the continuous increase in cyberattacks, in both frequency and sophistication, poses significant challenges for organizations that must defend their data and systems from threat actors.

Most organizations have outsourced their IT security management tasks to managed security service providers (MSSPs), and very few still retain an internal security operations center (SOC). These organizations generally started their journey with security device monitoring and management services only (such as managed firewall services) and slowly added security event monitoring using SIEM components. The growing threat landscape and the difficulty of hiring cybersecurity professionals with the needed expertise make it harder for organizations to understand the tactics, techniques and procedures used by adversaries.

Need for cyberthreat information sharing
The need for cyber threat intelligence has become better understood by governments and organizations lately. NIST encourages greater sharing of cyber threat information among organizations (see NIST SP 800-150, Guide to Cyber Threat Information Sharing).

In today’s large security product and service industry, offerings such as firewalls, endpoint protection and managed security services (MSSP) are enhanced by threat intelligence capabilities. The threat intelligence cycle consists of a sequence of key steps: direction (planning and requirements), collection, processing, analysis, dissemination and feedback.

According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Cyber threat intelligence feeds for security operations
Organizations need to detect threats quickly and cannot afford to spend analyst time chasing false positive alerts; good intelligence lets them remediate the vulnerabilities being exploited and close the attack vector sooner. The typical questions a security operations center has are:

  • Has our sensitive information been leaked?
  • What threat actors could be targeting my organization’s capabilities in the coming months?
  • Who are my top adversaries? Are they credible?
  • Can I be advised of their activity within a short period of time of it occurring? Which underground sites do they frequent? Who is known to be associated with these adversaries?
  • Is a connection to this Internet Protocol (IP) address bad? Who owns the IP? To which internet service provider (ISP) is this IP address connected? What other IP addresses are registered by this company?
  • Is this URL dangerous? Who registered the domain? Have they registered others? If yes, which ones? Which types of threats were served from this website? Is other malicious activity linked to this URL?
  • Which vulnerabilities in my environment are actively being exploited “in the wild”? Who are the threat actors selling or using these vulnerabilities? Which malware and other threats are leveraging these vulnerabilities? What types of organizations are being attacked via these threats?
  • Is this “Zero Day” attack rumor true?
  • What do the bad guys know about my organization and its staff? Are they selling access to my systems or my intellectual property?

If cyber threat intelligence feeds can provide answers to the above questions, it allows security teams to more efficiently address threats.

Use cases of security telemetry enrichment with cyber threat intelligence in today’s security operations centers
Taking a use-case-centric view is still the ideal and pragmatic way to start a journey for the SOC with cyber threat intelligence and improve the overall security program. A few use cases/examples include:

  • SIEM tool integration, maintaining threat watch lists against the logs already flowing into the SIEM. Threat intelligence data is overlaid on the existing logs to detect threats by matching indicators of compromise (IOCs) such as IP addresses, file hashes and domain names (examples: IBM X-Force Threat Intelligence, EclecticIQ Fusion Center, Anomali).
  • Threat intelligence has been a boon for intrusion detection and prevention (IDP) systems in recent years, and many customers report improved detection and blocking for a range of threats simply by enabling the intelligence subscription for their IDP systems (examples: Trend Micro’s Reputation Digital Vaccine for its TippingPoint IDP, Palo Alto Networks’ MineMeld).
  • Phishing is a pernicious and prevalent threat that remains an effective way to gain access to organizations’ resources. Threat intelligence can help identify elements of phishing campaigns to speed up detection and response and to support proactive measures such as prevention and prediction (examples: Proofpoint, ThreatConnect).
  • Vulnerability management prioritization has moved away from ranking by severity score alone. Instead, the first question is “which of our vulnerabilities are being exploited in the wild?” Threat intelligence gives organizations the ability to determine which vulnerabilities present the biggest risk (examples: Kenna Security, Recorded Future).
  • Surface, deep and dark web monitoring: customers use threat intelligence services to get early warning of threats and to understand how the threats work and where they are being seen, which also supports brand monitoring (examples: ZeroFOX, KELA Targeted Threat Intelligence, SpyCloud).

There are many cyber threat intelligence service providers in the market, and their number appears to be growing. Not all services marketed as threat intelligence actually provide that type of content, so it is important to understand what problem the customer is trying to solve. While both commercial premium services and open-source feeds exist in the market today, security operations teams need to validate the solutions that help them acquire, aggregate and act upon the threat intelligence they need.

About the author: Rasool Kareem Irfan is a trusted cybersecurity advisor with wide experience across industry verticals including healthcare, life sciences, banking, financial services, insurance and telecom. He holds global security certifications (such as CISM, CEH and ISO 27001 Lead Auditor) and multi-vendor technology certifications (such as Palo Alto, Symantec, Cisco, Check Point and Proofpoint). He is a prominent blogger in areas including cybersecurity, blockchain, IoT, artificial intelligence, robotic process automation, the Open Compute Project and cloud, and works closely with reputed national and international forums and institutions.

Category: Security Published: 5/3/2019 2:50 PM
Category: ISACA

Stakeholder Management: Push or Pull? (Or Is it More About Building Trust?)

ISACA Now Blog - 2019-05-01 03:55:08

Managing projects for the best possible outcome is a bit art and a bit science. From a high-level view, stakeholder management includes: identifying the people that could impact a project, understanding the expectations of the stakeholders and their impact on a project, and developing strategies for effectively engaging the decision-making project stakeholders.

OK, so that’s good. But when it comes to effectively engaging the decision-makers, what kind of strategies do you use for bringing them into the process and getting their buy-in? Do you and the stakeholders all agree on the project goal? Are you heading in the same direction, with the same destination? Ideally, yes. Otherwise, your job engaging those stakeholders just got a lot harder.

When faced with a challenging stakeholder, you might tend to want to push this individual in the direction you want them to go. That direction should be the direction (and goal) in which most of the stakeholders agree. But, how often do you start pushing, only to realize the stakeholder is resisting and pushing back?

OK, now what? Maybe pulling this person along is a better idea? But, that also will likely result in resistance. Maybe you’re strong enough to overcome the stakeholder’s resistance, but is winning that battle going to win you the war (a successful project conclusion)? Maybe, maybe not. Some might choose to take that chance, but there might just be a better way.

Perhaps you should engage those challenging stakeholders who can influence the outcome and success of the project. At a minimum, you really need to engage all the influential stakeholders in a conversation about the project goal. This can be done either one-on-one or in a group. Ultimately, you need to discover why the challenger has a different goal than other stakeholders.

What’s wrong with the goal in which most stakeholders agree? Engaging in a dialogue about the pros and cons of the varying goals can help you (and the stakeholders) understand the problem space better and help all of you develop a better solution for the project — with a unified project goal being the ideal result.

So, what are you really doing here anyway? You’ve decided not to push the stakeholder down the road. You’ve decided that pulling the stakeholder down the road isn’t any better. So, perhaps you decide to just walk with them side-by-side on this journey and help this stakeholder along as needed. Perhaps you need to nudge or coax them a little bit here or there, but nothing to cause the stakeholder to become defensive.

And while you’re walking together during this project, you’re probably building trust with your stakeholders. I would call that stakeholder “relationship development,” not “management”. The golden rule here is: while you’re managing the process, make sure you don’t manage the stakeholder.

My guess is your stakeholder did not hire you to manage him or her. This individual wants you to solve a problem, and needs your help. Build a trusting relationship with your stakeholders, and you’ll find much greater project success.

About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.

Category: COBIT-Governance of Enterprise IT Published: 5/1/2019 3:01 PM
Category: ISACA

Navigating Change: An Imperative for Technology Professionals

ISACA Now Blog - 2019-04-30 04:38:05

The fast-changing technology and regulatory landscape calls for members of ISACA’s professional community to continually refresh their knowledge and training.

ISACA is committed to providing the needed resources for professionals and their enterprises to thrive in that change environment. In ISACA’s newly released 2018 Annual Report, find out how ISACA equipped its professional community for change throughout 2018, delivering resources such as a refresh to the COBIT framework, a new Cybersecurity Audit Certificate Program, an online hub of GDPR resources and much more.

As Rob Clyde, CISM, ISACA Board Chair wrote, “by embracing the importance of lifelong learning and diligently enabling the positive potential of technology, no matter what changes the future brings, we are poised to adapt, provide leadership in our fields of interest, and prosper.”

For more insights on how ISACA is working to help its professional community navigate change – including the full 2018 Annual Report and a related video – visit

Category: ISACA Published: 4/30/2019 10:00 AM
Category: ISACA

Building an Audit Program for AWS

Journal Author Blog Posts - 2019-04-30 01:16:38

When I produced my auditing Amazon Web Services (AWS) Journal article for volume 3, I was just wrapping up my very first audit against an AWS environment. During the planning stages of my audit engagements, I do as much research as possible to determine how the in-scope technology works, how to find the configurations and if others before me have documented their findings on key risk factors, controls and areas that I can leverage as I complete audit planning. Sadly, AWS had the most readily available documentation that discussed how to go about performing a basic audit of their products and what to focus on, but nothing further existed, at least as far as my Internet searches led me.

As it was difficult to readily find one and there was not unlimited time to locate a previously documented audit program for AWS, one had to be developed from scratch. The backbone of the audit program and the article was inspired by the specific areas in the AWS Auditing Security Checklist (Governance, Network Configuration, etc.). When it came to selecting and discussing the particular controls to focus on in the article and audit program, there was the glaring challenge that not everyone uses AWS in the same way or uses the same services, like Cognito or Glacier, so the focus of both the article and the audit program was kept as basic as possible and around its core services, including S3, IAM, etc.

As I further produced the article, I wanted to very briefly touch on what I felt were the fundamental pieces of information for a given focus area and then elaborate on any tricky items that could be easily overlooked and why that is important. A prime example is the IAM root account. Without doing some research or if questions are not asked in a certain way, auditors may be unaware of this superuser account existing and the limitations that presently exist to secure it.
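One way an auditor can test the root-account item mentioned above, as an added Python example that is not part of Adam Kohnke's audit program or the companion article. It reads the account summary that the IAM GetAccountSummary API returns and flags the two root-account findings that are easy to miss: no MFA device enabled, and access keys still present on root. The live call needs boto3 and credentials with permission to call that API; the evaluation logic takes a plain dictionary so it can be run offline against the constructed sample summaries below, which are assumptions rather than real account data.

```python
"""Audit checks for the AWS IAM root account (added example).

evaluate_root_account() works on the SummaryMap dictionary that the IAM
GetAccountSummary API returns; fetch_summary() obtains it live. The keys
used here (AccountMFAEnabled, AccountAccessKeysPresent,
AccountSigningCertificatesPresent) are documented summary keys, 0/1 valued.
"""
from typing import Dict, List


def evaluate_root_account(summary: Dict[str, int]) -> List[str]:
    """Return a list of finding strings for the root account; empty if clean.

    A missing key is treated as the unsafe value so that an incomplete
    summary produces a finding rather than silently passing.
    """
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("Root account has no MFA device enabled")
    if summary.get("AccountAccessKeysPresent", 1) != 0:
        findings.append("Root account still has programmatic access keys; they should be deleted")
    if summary.get("AccountSigningCertificatesPresent", 1) != 0:
        findings.append("Root account has X.509 signing certificates present")
    return findings


def fetch_summary(session=None) -> Dict[str, int]:
    """Fetch the live summary map.

    Requires boto3 and AWS credentials allowed to call iam:GetAccountSummary.
    boto3 is imported inside the function so the module loads offline.
    """
    import boto3
    iam = (session or boto3).client("iam")
    return iam.get_account_summary()["SummaryMap"]


# Constructed sample summaries: a weak account and a hardened one.
SAMPLE_WEAK = {
    "AccountMFAEnabled": 0,
    "AccountAccessKeysPresent": 1,
    "AccountSigningCertificatesPresent": 0,
}
SAMPLE_HARDENED = {
    "AccountMFAEnabled": 1,
    "AccountAccessKeysPresent": 0,
    "AccountSigningCertificatesPresent": 0,
}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in
    # evaluate_root_account(fetch_summary()) for a live engagement.
    for name, summary in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, evaluate_root_account(summary) or ["no findings"])
```

The summary map only says whether root keys exist, not when they were last used; an auditor who needs that evidence would pair this with the IAM credential report, which lists the root account's password and key usage dates.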

Find the companion to my Journal article, the AWS Audit Program, on the ISACA website.

Read Adam Kohnke’s recent Journal article:
“Auditing Amazon Web Services,” ISACA Journal, volume 3, 2019.

Category: Audit-Assurance Published: 4/29/2019 3:06 PM BlogAuthor: Adam Kohnke, CISA, CCNA:Security, ITIL v3, Security+ PostMonth: 4 PostYear: 2019
Category: ISACA

Five Software Programs To Improve the Security of Business Websites

ISACA Now Blog - 2019-04-27 00:19:28

Cybersecurity may soon become an issue of higher concern than physical safety. We already share too much personal information online without paying attention. When it comes to businesses, the risks of data leakage and inefficient software are even more serious. Forbes has recently published 60 predictions regarding cybersecurity in 2019, and one of the first facts mentioned is quite obvious: data should be protected by technology, not just legal regulations. It is the right time to implement web security software for your business.

Top five must-have security tools

Computer Antivirus
Sensitive data on your PC often becomes an object of interest for competitors and hackers. The first thing you need to do is to install a good computer antivirus program to prevent data theft and deal with malware.

Computer antivirus programs can delete, quarantine or disinfect a file, depending on the situation. In all cases, these programs aim to stop an infection from spreading. However, they cannot provide 100 percent protection. Much depends on whether updates are applied regularly, on the new viruses that constantly appear and evolve, on whether users behave sensibly online, etc. PCMag has come up with a rating of the best antivirus software, which can help identify an optimal solution for your business site.

SaaS Security
SaaS is a model of using business apps in the form of web services. These software solutions work on a provider’s server, and users get access via a web browser, by renting them and paying monthly.

A provider takes care of the proper software functioning, ensures technical support, installs the updates, improves protections, etc. Thus, users don’t have to think about technical support and can focus on their business goals. Other SaaS advantages include:

  • low operating cost
  • short implementation times
  • low barrier to entry (you can test it for free)
  • full support from the provider
  • full mobility, limited only by internet access
  • uniting geographically distant workers
  • low hardware requirements
  • cross-platform solution

Some would argue that SaaS has serious disadvantages, like insecure commercial data transfer via third-party platforms, low speed, and difficulties with access in case of connection interruptions. However, the reputation of SaaS providers improves together with the development of encryption technologies and broadband web connection, helping business owners to address these challenges.

Content Management Systems
WordPress is currently the most popular CMS in the world, used by more than half of all website owners. Those who are familiar with its functionality may wonder how an ordinary CMS can help make a website more secure. The advantages may not be as obvious as with antivirus software.

However, if you use WordPress, you don’t have to share files via email, which is easier to compromise. This helps prevent data leakage before a serious launch. You can create many accounts with different rights and permissions: one or several people can be in charge, while other content managers’ access to some sections is restricted. Moreover, there are numerous extensions and plugins designed specifically for security upgrades. You just need to do the research and start using tools that will make your business website a safer place for users.

CMS may not be the key software that serves security purposes, but the right choice of software will help to avoid some security issues in the future (particularly by easy integration of additional solutions).

Monitoring Tools
The more profitable your website is, the higher the cost of mistakes. Critical event monitoring helps you protect your income and stay aware of the most important changes. Good monitoring tools help keep business sites secure by letting you do the following:

  1. Be the first to find out about the current indexation status of important pages. Set up email notifications to learn instantly about changes in server response code, indexation status in robots.txt files, meta tags, etc.
  2. Generate content ideas by learning what your competitors do. Just follow new URLs and changes on old pages of the chosen website. Use this information to evaluate SEO strategies and extend to your content plan.
  3. Estimate the activity of people involved in website development. Control your employees and contractors with the help of a detailed report.
  4. Don’t let anyone hack your website. Detect suspicious redirects, adding/deleting of pages, and similar activity during the early stages.
  5. Compare changes on particular pages to changes in ranking positions. It will help to detect the effect of changes and to build a successful strategy for website development in the future.

Monitoring tools are numerous, each offering a specific approach and solution for your business. is one of the best. It offers convenient navigation, step-by-step guidelines, unique monitoring strategy, and an all-in-one platform that allows for performing audits of the website and of separate pages as well.
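The fourth item in the list above, detecting suspicious redirects and pages being added or deleted, as an added Python example. It is not code from the original post or from any monitoring product; it compares two crawl snapshots of a site (path, HTTP status, content hash, redirect target) and raises alerts for the changes a defender would want to see first. The two snapshots and the list of the site's own hostnames are constructed for the example.

```python
"""Site-integrity monitoring between two crawl snapshots (added example).

A snapshot maps each path to {"status": int, "hash": str, "redirect": str or None}.
Storing a hash instead of the page body keeps the baseline small and avoids
keeping copies of site content in the monitoring system.
"""
import hashlib
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

Snapshot = Dict[str, Dict]


def content_hash(body: str) -> str:
    """Fingerprint a page body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List]:
    """Classify every path as added, removed, modified or redirect-changed.
    A redirect change takes precedence over a content change for the same path."""
    report: Dict[str, List] = {"added": [], "removed": [], "modified": [], "redirect_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            before, now = baseline[path], current[path]
            if now.get("redirect") != before.get("redirect"):
                report["redirect_changed"].append((path, now.get("redirect")))
            elif now["hash"] != before["hash"]:
                report["modified"].append(path)
    return report


def suspicious(report: Dict[str, List], own_hosts: Set[str]) -> List[str]:
    """Turn the diff into alerts. A page that now redirects to a host the site does
    not own is the strongest signal; pages appearing or disappearing come next.
    Plain content edits are reported by diff_snapshots but not alerted on here,
    since those are expected during normal publishing."""
    alerts: List[str] = []
    for path, target in report["redirect_changed"]:
        host = urlparse(target).hostname if target else None
        if host and host not in own_hosts:
            alerts.append(f"{path} now redirects off-site to {target}")
    for path in report["added"]:
        alerts.append(f"unexpected new page {path}")
    for path in report["removed"]:
        alerts.append(f"page {path} disappeared")
    return alerts


# Constructed snapshots: the "after" crawl has an edited page, a new page and a
# login page that now sends visitors to a host the site does not own.
SNAPSHOT_BEFORE: Snapshot = {
    "/": {"status": 200, "hash": content_hash("<h1>Home</h1>"), "redirect": None},
    "/about": {"status": 200, "hash": content_hash("<p>About us</p>"), "redirect": None},
    "/login": {"status": 200, "hash": content_hash("<form>login</form>"), "redirect": None},
}
SNAPSHOT_AFTER: Snapshot = {
    "/": {"status": 200, "hash": content_hash("<h1>Home</h1>"), "redirect": None},
    "/about": {"status": 200, "hash": content_hash("<p>About us, updated</p>"), "redirect": None},
    "/login": {"status": 302, "hash": content_hash(""), "redirect": "https://other-host.invalid/login"},
    "/promo": {"status": 200, "hash": content_hash("<p>promo</p>"), "redirect": None},
}
OWN_HOSTS = {"www.example.com", "example.com"}


if __name__ == "__main__":
    report = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(report)
    for alert in suspicious(report, OWN_HOSTS):
        print("ALERT:", alert)
```

Run on a schedule, the previous crawl becomes the baseline for the next one, and the alerts feed whatever ticketing or notification channel the team already uses; the content-hash changes are still kept in the report so they can be reconciled against planned edits.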

eCommerce Software
If you plan to sell something, you will need to deal with a lot of personal data: names, addresses, emails, phone numbers, credit card numbers, etc. This is a huge responsibility. Keeping this information secure in the digital environment is crucial for customers and for your business. A single mistake can infringe on your customers’ privacy and ruin your reputation.

eCommerce platforms help to simplify the process of securing your website, also by easy integration with the other software, plugins and other features. You will be able to view the history of changes and orders, and view or download reports without needing to share data with other programs. Only the authorized users will be able to access this information.

eCommerce software helps to integrate other software solutions and apps. If you choose a proper solution, you can handle all tasks at once:

  • Process and manage orders at every stage, from product selection through order changes and payment processing to delivery and feedback.
  • Manage the inventory to organize a convenient and attractive catalog, to replenish items that are in high demand, etc.
  • Improve ranking positions thanks to built-in SEO tools that help to take your web resource to higher positions in the organic search without additional expenses.
  • Computerize the calculations, including shipping costs and taxes that vary depending on the clients’ location.

Bottom line
According to TechRadar, the average cost of a cyberattack exceeds US$1.6 million. Over the next five years, cyberattacks are expected to cost businesses over US$5.2 trillion. Sometimes an attack leads to a data leak that delays the start of a project; sometimes it ruins a business completely, regardless of its type and specialization. The question is not whether to use the above tools. It is which one to start using to keep your business successful.

Category: Security Published: 4/29/2019 2:56 PM
Category: ISACA

The ISACA Way: How I Earned the CISM, CISA, CRISC and CGEIT in 10 Months

ISACA Now Blog - 2019-04-25 05:27:31

Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.

1. The disclaimer.

  • What you will read below is based on my personal perception and experience. Therefore, it might not necessarily apply to or work for you. To my mind, preparing and taking an exam is not an exact science that’s completely replicable across individuals. While I do think the material below will be useful for anyone preparing to take these exams, I make no guarantees of success.
  • No certification can replace actual work experience and knowledge obtained from getting your hands dirty. At the same time, certification prep can help in expanding your knowledge, and the certifications themselves certainly don’t hurt your career prospects.

2. The motivation.
Several people have asked me why I did it and if there is any value to getting all four of these certifications. I would say that for many in jobs focusing on siloed aspects of information security, the answer is “No” – they would be better served by getting the one or two certifications most relevant to them. But, for an information security and risk consultant like me whose work encompasses a wider universe, there’s definite value in preparing for and getting all of these certifications. At the same time, I believe anyone desirous of expanding his or her overall knowledge in this area will find them useful.

On a more personal note, there’s also a sense of personal achievement tied to this. Balancing client, firm and family commitments in order to study and take these exams was a major motivator.

3. The preparation.
To my mind, the best preparation for getting the ISACA certifications is getting experience in the field. The second best would be to get the CISSP. I believe the CISSP covers a much broader area than any individual ISACA exam and puts one in good stead to ace ISACA’s certification exams later. However, none of these are deal-breakers – you can definitely succeed at the ISACA exams without the CISSP or 12-plus years of experience (like me).

As for the materials I used, I confess that I found the official manuals to be dry. I focused on Questions & Answers databases after going through the free training videos available at I would extensively take notes while watching the videos and when reviewing my answers on practice tests using the databases. When reviewing before the exams, I would refer only to my notes.

As many before me have surmised, there IS an ISACA way. Don’t be alarmed; it’s not completely at odds with your knowledge gained from experience, but there may be subtle variations. The best way to understand it is to analyze, with a fine-toothed comb, the answers to the database questions. The wrong answers should also be part of your analysis, as they clearly explain why they are NOT right for a particular question but can be for a different one.

Rule of thumb: if you’re consistently scoring 75 percent in the database Q&A for a particular test, you’re ready for the actual one!

4. The key takeaways.

  • IT exists to serve business. Business exists to serve stakeholders’ interests.
  • People are the most valuable asset; people are also the weakest link in security.
  • Governance is “doing the right things”; management is “doing things right.”
  • Security and audit decisions should be risk-based and meet business requirements. Organizational structure and culture are key decision factors.
  • The first step before implementing change is to understand the current state.
  • Understand the composition and responsibilities of the board, senior management, operational management, IT Strategy Committee, IT Steering Committee and IT Architecture Review Board.
  • Understand the composition of the IT Strategic Plan, IT Investment Portfolio, IT Operational Plan, IT Acquisition Plan, IT Implementation Plan, IT Outsourcing Plan, IT Risk Register, Enterprise Architecture, IT Balanced Scorecard, policies, standards and procedures, etc.
  • Realize that accountability and responsibility are different things. Usually, the board or senior management are held accountable for security-related decisions. The term “ultimate responsibility” refers to accountability.
  • IT strategy should be an extension of enterprise strategy. Enterprise architecture aligns IT strategy with enterprise strategy.
  • IT goals should align with enterprise goals. Any IT investment has to be supported by a business case.
  • “You cannot manage what you cannot measure” – understand metrics (KPIs and KRIs), how they are selected and measured, and what kind of information they can provide.

5. The D-Day experience.

The best preparation is of little use unless put into practice. Here are some tips around exam day:

  • Try to schedule practice tests and the actual exam at the same time of the day. I can’t quote any scientific studies to support this, but I believe the body and mind acclimatize themselves for peak performance during the time you practice most.
  • Read the question carefully to understand your role – are you the advisor, auditor or implementer? Your role will determine the answer you should choose.
  • For multiple choice questions, it’s usually easier to eliminate two of the four options; selecting the right option from the remaining two is where the difficulty lies.
  • The questions often mention “first” or “best”; this is very important when choosing the answer. Multiple options may be right, but only one will be “first” or “best.”
  • If “first” is not explicitly mentioned, choose the option that is the root cause. For example, if option A leads to option B and both are correct answers to the question, choose option A.
  • If you’re stuck on one question, mark it for review and move on. There’s enough time for you to revisit it later.
  • Take frequent breaks. Four hours should be enough to answer all 150 questions and review them. Use the time wisely to pace yourself. I personally took a break after every 50 questions.
  • Ensure you answer all questions. There are no negative points for wrong answers, and even a completely random choice has a 25 percent chance of success. Best of luck!

Category: Certification Published: 4/25/2019 3:06 PM
Category: ISACA

GRC Keynoter Patrick Schwerdtfeger: Endless Insights Within Organizations’ Reach

ISACA Now Blog - 2019-04-23 00:40:11

Editor’s note: Patrick Schwerdtfeger, closing keynote speaker at the GRC Conference 2019, to take place 12-14 August in Ft. Lauderdale, Florida, USA, is a business futurist specializing in technology topics such as artificial intelligence, blockchain and FinTech. Schwerdtfeger recently visited with ISACA Now to discuss how these and other components of digital transformation will reshape the business landscape going forward. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: In what ways do you consider the human imprint on business to be most valuable as automation becomes increasingly commonplace?
Human interactions remain the foundation of almost every business, not only because humans are the ones making purchases, but also because humans are the ones controlling the delivery of products and services. In the near term, the risk is not that machines start acting more like humans; it’s that humans start acting more like machines. In order to have any longevity as a business, and loyalty from customers, businesses need to keep track of employee engagement levels, customer satisfaction levels and public perception levels.

ISACA Now: Do you think AI’s value will ultimately outweigh some of the potential malicious ways in which it can be misused?
Machine learning is affecting every industry segment, including cybersecurity. Hackers are using increasingly sophisticated tactics to infiltrate corporate systems, whether to steal intellectual property, sell personal information, or extort money. These are scary propositions, and cybersecurity professionals are working overtime to stay ahead of malicious parties. Nevertheless, the same technology is poised to revolutionize every industry, delivering better outcomes for fewer dollars. The benefits of artificial intelligence and machine learning will vastly outweigh the risks. In the world of accounting and finance, in particular, the ongoing digital transformation will yield enormous efficiencies and reveal endless insights that businesses can use to enhance their business models.

ISACA Now: Social media certainly isn’t new anymore, but what might be a few new ways of approaching it that can provide organizations some quick wins?
The opportunities with social media have not changed and, similarly, the way in which most businesses fail to capitalize on social media has also not changed. Businesses typically use social media to announce promotions, describe products and/or services, and ask potential prospects to buy. Meanwhile, those are the worst possible messages for the social media medium. Social media is about human connection and telling stories. Social media posts should only provide value. They should never ask for anything – only give, give, give. Once the prospect has clicked on something to arrive on the business’ website, that’s when an offer can be made, not before. Companies can get some quick wins by developing a series of content pieces (including blog posts, white papers, videos, or PDF cheat sheets) to give away for free, and then present recipients with a compelling offer to engage on a deeper level.

ISACA Now: What are some overlooked ways in which organizations can make use of big data?
Big data offers endless possibilities for profitable insights. Each use case presents unique opportunities. However, it’s worth noting that the profitable use cases thus far have almost all involved predictive analytics. In other words, how can we evaluate existing data to anticipate future behavior? These days, companies are building increasingly complex models involving hundreds of different variables, to gain a better understanding of the customer or the process being analyzed. And since deep learning and reinforcement learning benefit from larger data sets, businesses are in a race to accumulate as much data as possible.

ISACA Now: What other technological trends do you expect to have the greatest business impact in the next 10 years?
The most impactful technology trends will all be driven by either (1) machine learning or (2) blockchain protocol. The machine learning trends include autonomous driving (Tesla, Waymo, Uber), cashier-less retail stores (Amazon GO stores), automated socialbot call centers (Google Duplex, Apple’s Siri, Amazon Alexa), and streamlined security checkpoints (airport security, etc.). The blockchain trends include more efficient supply chain systems (smart contracts, custom clearance), traceability and chain of custody (diamonds, GMO foods, title insurance), digital identity ledgers (ID2020, healthcare, KYC), and digital payments (Facebook cryptocurrency, Apple’s credit card, AliPay, WeChat Pay).

Category: ISACA Published: 4/23/2019 2:59 PM
Category: ISACA