Senior IT Auditor, Fortune 500 global manufacturing organization: “I joined a Big 4 firm advisory practice out of college, did two years, and then moved over to IT Internal Audit a year ago. Information security is my next goal. When I look at information security job postings, they all seem more technical than my current skill set, which is heavily ITGC focused. What should I do to build skills that will be marketable to information security?”
IT Audit Director, large financial services company: “Can you please help us find a technical Senior IT Auditor with 3-5 years of experience who has application auditing skills at the level where they can do code review? Some programming skills would be very helpful. We also need mainframe, cyber security, cloud, IoT, and data analytics experience – from an audit project perspective. We need actual experience with IT operational audits – not just ITGC / SOX experience.”
CISO, global eCommerce company: “I’ve met a number of auditors lately (from audits that have hit us), that can't understand why something is NOT a high risk. They are just following a check list and it is really frustrating. Maybe that is something you call "mind-set"? These auditors just want to go through the motions, without really understanding either technology and/or the risk it really represents.”
These comments are real. More importantly, they are BIG signals that point to the critical career directions for IT audit professionals in 2017:
IT audit functions are quickly becoming more focused on technical audits. There is a huge drive for value-added that can be gained from operational IT audits and advisory projects performed by IT internal auditors. Concurrently, information security, IT risk, and data analytics continue to grow, presenting more job opportunities for IT auditors—if they are adequately technical, and develop the thought process needed to join info sec and IT risk teams.
The CISO quoted above provided additional insight into the perspective that career-mobile IT audit professionals need to cultivate: “The advent of cloud computing and the concept of DevOps is challenging the controls that traditional IT auditors have grown comfortable with. For example, cloud represents a way to do infrastructure in a quick and non-structural way (think creating an entire data center by coding/scripting it), while DevOps breaks the segregation of duty model, which makes auditors uncomfortable. But what the auditor does not see is that DevOps is a way that we have developed to ensure we still have ‘control’ in an agile development cycle.”
Beyond mindset and a change in perspective, the problem for hiring managers and practitioners is that the on-the-job experience that many IT auditors have received is in the ITGC space. In the end, both sides of the equation depend on professionals gaining more technical skills.
For the IT auditors, staff through light manager, the task to immediately jump on is a skills gap assessment. What hot skills do you need to acquire to become more marketable internally and externally? If you are in IT internal audit, the annual plan is your guide. For a broader perspective, review professional journals and job descriptions; both will provide clues.
Next, create your road map to your next role. Are you looking to deepen your skills for a step-up promotion within your team, or are you looking to take your skills to an information security or IT risk team? Plot the timeline for skill attainment, which will come from a combination of hands-on work, internal/external training, post-grad coursework, or certification.
Todd Miller, who has led IT audit functions at two global Fortune 500 companies, suggests a 70-20-10 model: 70% on-the-job training; 20% mentoring; 10% formal classroom work.
Let’s start with on-the-job-training through project work.
Determine a technical area that interests you and is feasible within the scope of projects done within your department. Let’s say you want to become more fluent with networks and network security. Explain your plan to your manager and lobby to participate on the upcoming network audit.
Do your homework for the project so you can ramp up quickly and are able to build good rapport with the network team. Once you’ve done a project, and your skills and knowledge deepen, you might see if you can do a stint as a guest resource on a project for the network security team.
Ed Dudek, an IT audit manager at a Fortune 100 company who gained expertise in SAP by moving out of audit into an SAP team before moving back to audit, stresses the need for mentoring. To this end, you’ll want to foster dialogue with the network team members who you have now met on that technical audit you just completed. Get to know team members over lunch or coffee. Ask interesting questions and share what you have been reading, learning. Your goal is to demonstrate intelligence, intellectual curiosity and readiness to learn.
Through this interaction, you’ll be able to identify people on the team who are knowledgeable and might be good mentors. By the same token, various team members will get to know you, and may be receptive to being mentors. Mentoring relationships are developed step-by-step. It takes time.
The goal with mentoring is also to eventually build such trust and mutual respect that the mentor becomes a sponsor. A sponsor will talk up your skills and interest. Through mentors and sponsors, you have the chance to be tapped for an internal opening when it comes along.
At some point in the process, you will need to add coursework, training, or certification to the mix – the final 10% of the 70-20-10 plan. If your employer will pay for training, communicate your plan to your manager and get buy-in. If your company will not pay for the training you want, determine a cost-effective way to get it on your own. It is your career in the end, and investing in your skills is one of the smartest things you can do to create long-term career sustainability.
To cement the concept that a focused action plan for technical skill development really works, here’s the story shared by the head of IT audit and data analytics for a global airline. He explained that he had developed a passion for data analytics when he was a senior IT auditor at a company running SAP. He joined the local ACL users group, studied on his own, and got a data analytics certification. He was then recruited by another company that wanted to build out a new data analytics function within audit.
Once on board, he took post-grad courses in data analytics at a local university to gain additional skills in Structured Query Language (SQL) and Statistical Analysis System (SAS). The build-out of the data analytics program at his company was successful, and this was the stepping stone to a data analytics management role with a Big 4 firm. From there, he was recruited to lead the IT audit function by his current employer.
As a recruiter and career coach, I see similar career planning and skill attainment in the candidates who land the best jobs. Your career is your opportunity to direct a mission-critical project and bring it to fruition.
Technical skill development is the best thing you can do for your career this year and for the foreseeable future. No time like the present: Develop your 70-20-10 plan, and start executing!Category: Audit-Assurance Published: 2/22/2017 3:05 PM
ISACA Now: You’re Southeast Region Geographic Information Systems Coordinator with the U.S. Fish & Wildlife Service; Partner at White Mile Consulting, LLC; and an adjunct professor at Tennessee Technological University – where do you find time for all of that?
JD: I have always been a strong proponent of time management. I work four 10-hour-days with the U.S. Fish & Wildlife Service in a role where I lead our Geographic Information Systems (GIS) program in the southeastern U.S. and the Caribbean. I also serve in an IT role with a focus on IT security and help desk issues. My GIS classes at Tennessee Technological University are taught in the evenings a few days a week after I get off from my primary job. I took the fifth day of the week to start a consulting firm to provide IT auditing, policy creation and penetration testing for commercial banks and credit unions, after working to support them on the side for years. When I am not at work, I spend all of that time with my family traveling or in family activities. I’ve never been one to sit idle and spend any time watching TV. I like to always be doing something and challenging myself. I guess I took that story that I could “grow up and be what I wanted to be” to be true.
ISACA Now: It’s an interesting combination of roles. How does all of that fit together with your skill set and interests?
JD: Geography and computers have fascinated me my entire life. I have always been able to stare at maps and envision layouts of cities and countries and picture them in my mind. From the moment I first opened my Commodore Vic 20 in 1982, I knew that I wanted to have a job where computers were my focus. I guess I was just lucky and in the right place at the right time to make that happen. I get to use some of the most powerful computers available to model our ever-changing planet and assist those working on solutions for the complex environmental and geographic challenges our society faces today. I mix in a strong IT background and travel to remote offices to configure and install servers, firewalls, web cams, and be a general jack-of-all trades.
ISACA Now: You have a lot of experience supporting small and medium businesses’ IT needs. What are some unique challenges – and opportunities – for smaller organizations from a technology standpoint?
JD: I started an IT firm on the side with a partner in 1993. That business grew to the point where it took my wife to help run it and another business partner along the way. We always focused on small-to-medium businesses and served their every need related to IT. … To a small business, all IT issues are vital. That means they care as much about their website most days as their paper shredder or point-of-sale. They need things that work and don't want to hear a bunch of mumbo-jumbo terms from someone acting like they are small fries in a big world. We all have skill sets that we would like to focus on, such as scripting or ethical hacking, but you have to be as excited troubleshooting a faulty motherboard as you are with a social engineering project or a new server virtualization project. The business owner does not understand the IT universe, and that is why they have you there to help. Treating them like they are a part of your own team goes a long way in developing a long-term partnership that creates long-term clients who trust you and need your constant input and services.
ISACA Now: You have several certifications, including ISACA’s CISA, CISM and CSXP certifications. What have each of those certifications added to your professional development?
JD: The first ISACA certification I earned was the CISA certification as I entered the IT auditing field. After completing dozens of audits, I decided to pursue CISM to deepen my IT management credibility based on experience in the field. I work on penetration testing, vulnerability assessments, social engineering and both physical and network security for clients, so the CSXP certification was the next logical step for me. The certification exam for CSXP was challenging and really was a good test of ability for the standards it sets to examine. My next endeavor is CRISC, and I am taking that exam in June 2017. I develop IT risk assessments, business impact assessments, disaster recovery plans and business continuity plans for clients, and the CRISC certification will complete the ISACA certifications that I think will position me to be a leader in my field and challenge me to attain the knowledge I need to do my job better and more effectively.
ISACA Now: What are a few skills that you consider especially critical to keep pace in the fast-moving worlds of IT audit and information security?
JD: Cyber security assessments and security awareness training and simulations for staff are critical. People are still the weakest link in IT security. A great IT staff can secure your network, but hackers are becoming more sophisticated with phishing attempts, and social engineering tests show just how easy it is to get yourself someplace you do not need to be. The proliferation of mobile devices and the disappearance of the desktop, and even many laptops, are making physical security of devices a real priority. With the decreasing physical size of storage media and the powerful devices that fit in your hand, it is too easy to lose devices and not be able to account for data. It is easy to count desktops and servers. Imagine trying to count USB drives, track smartphones that are upgraded on an annual basis and find the 256 GB micro SD card that is somewhere near your desk. Throw in the rapid migration to cloud services as software vendors move to software as a service, and the game just got real.
ISACA Now: What are your major interests outside work?
JD: My personal interests reflect the complex work arrangement I have. I love to restore old cars and have nine Mustangs, a Camaro, an old Ford pickup and a Trans Am. I tinker with them and three motorcycles every chance I get. It is fun to hop in a car with my wife and kids in the others and take a caravan trip. Restoring old cars is not a material thing. It’s the challenge of bringing a classic vehicle back from the dead and the accomplishment you get from doing it. Folks who restore anything will understand that statement. I’ve had my pilot’s license since 1993 and have a plane at an airport near the house that we escape to destinations unknown at times. That allows me to make trips quickly and lets one explore different places without getting tired of the same vacation destination. I love to collect and tinker with old clocks, as well, and collect Coca-Cola machines and memorabilia. My current project is setting up indoor and outdoor wireless access around my church, which is spread across a large area and three large buildings.Category: ISACA Published: 2/20/2017 3:07 PM
A study in 2016 found that 80% of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions. In general, these solutions try to attain the following goal(s):
Over the course of a variety of implementation projects, we found that implementing PAM is not only a question of technical functionality; a successful PAM solution, in fact, requires a comprehensive framework comprising the following building blocks:
Why is this comprehensive framework necessary? New privileged accounts and privileged access channels are constantly created in today’s fast-changing IT organizations. These channels are the most desirable target for attackers and any diligent IT organization must strive to protect them. An important enabler in this effort is technology, which allows these channels to be detected. Another important enabler is appropriate processes to manage and protect channels. Governance, in turn, focuses and sustains this technological and organizational effort. Only if governance succeeds in creating a strong security culture can PAM truly succeed. Thus, PAM must not be regarded as a tool, but as an integral part of an ongoing organizational effort to increase the security of the organization.
In our recent Journal article, we introduced our framework to enable organizations to evaluate PAM implementations with regard to their completeness and, thus, viability and efficiency.
What are your thoughts about the building blocks, and dos and don’ts of PAM implementations? Questions, recommendations, hints and amendments to our framework are highly welcomed.
Read Richard Hoesl, Martin Metz, Joachim Dold and Stefan Hartung’s recent Journal article:
“Capability Framework for Privileged Access Management,” ISACA Journal, volume 1, 2017.
The rewards of a career in information technology include above-average compensation, advancement opportunities, intelligent peers and job satisfaction. Employers, to attract and retain talent, have become increasingly flexible about alternate schedules, remote work and family leave—benefits that appeal to many women.
If we look at trends during the past decade, women have not gravitated toward information technology in the increasing numbers that one might expect from an industry that offers the stability of ever-increasing growth and is experiencing a seller’s market (more jobs than qualified candidates), which is likely to continue.
However, according to the National Center for Education Statistics and The Washington Post, “Barely 18 percent of computer science degrees go to women.” And according to the US Bureau of Labor Statistics, 68 percent of women enroll in college (compared to 63 percent of men), and women increasingly outnumber men in college graduation rates. Yet, women still make up only a quarter of the tech industry workforce.
Much of this may stem from lack of exposure to computer science before and during college. Code.org’s research showed that nine out of 10 schools don't even offer computer science classes, and in 28 out of 50 states, computer science doesn't count toward a math or science credit. Girls account for about 46 percent of advanced placement calculus test-takers but approximately 80 percent of them don’t end up taking a computer science class.
Clearly, we have to do a better job encouraging girls to understand the benefits of a career in IT and let them know that they can excel while avoiding the “geek” label. Ideally this encouragement should start early, in the identity-forming phase of roughly 5 to 7 years of age. As the Academy Award-nominated movie Hidden Figures attests, women can be “wicked good” in IT.
This is more than an issue for the individual. Many countries—in particular India and China— require rigorous math and science training and urge their female students to choose related careers. The competitive posture of countries like the United States will continue to lose ground unless the issue is addressed. We have to engage the female workforce.
Once a woman has entered the IT workforce, she may face obstacles such as determining her career path, the availability of mentors, learning her market value, and developing a professional approach and style that balances confidence and assertiveness with collaboration and encouragement to others.
The upcoming webinar, “Self-Empowerment in Technology: Bootstrapping and Belief,” part of ISACA’s Connecting Women Leaders in Technology program, will address practical considerations: how women can be recognized for their intelligence and receive credit for their contributions, how they can learn and leverage their market value, and principles to apply in building a body of achievements that enable agility and continuing advancement. The webinar also will explore some self-limitations to avoid as well as positive adjustments that increase confidence and create a distinctive professional voice.
I hope you’ll join me for this important conversation.Category: ISACA Published: 2/16/2017 3:05 PM
A few months ago, on 8 November 2016, an unexpected announcement jolted the Indian nation. In a nationally televised address, the Prime Minister of India, Mr. Narendra Modi, announced the demonetization of rupees 500 and rupees 1,000 currency notes. This meant that the currency notes would no longer be considered as legal tender.
The rupee 500 and rupee 1,000 notes at the time of demonetization represented more than 86 percent of the total value of currency under circulation.
Withdrawal of such a large quantum of higher value notes from circulation meant that all cash transactions had to be done using currency of lower denomination. This led to a shortage of currency notes of the lower denomination. It is in this context that the government actively pushed digital payments.
The digital payment push had implications and learnings for IT security and IT governance professionals, providing an interesting case study for the adoption of digital payments. The Indian population represents almost one-fifth of humanity, India is among the top 10 economies of the world in absolute value, and its per capita GDP is comparable to countries in the middle tier. Thus, the sample size is large enough that the learning seems relevant to other economies.
The data related to the adoption of digital payments is still under examination. It is, however, abundantly clear that digital payments are gaining momentum. Digital payment adoption, especially using mobile phones, have seen an increase. The adoption is not just by the affluent society but also by common people for daily transactions like buying a cup of coffee, paying for a haircut, paying taxi fares and purchasing daily provisions. App-based payment solutions, including digital wallets that store cash and make digital payments, saw a surge. The significant increase in digital payments did not see serious incidents that dissuaded people from its use. It seems that the environment, the government and stakeholders took the right steps:
More information will emerge that will lead to better solutions with respect to digital payments. The digital payment push, however, has taken a giant step, and provides a learning for the whole world. This change is here to stay!Category: Security Published: 2/15/2017 3:13 PM
As the business benefits from technology grow rapidly, so do related risks.
The ability to communicate and interact with remote stakeholders seamlessly requires points of entry into the enterprises network that would otherwise not be present. Such entries could result in vulnerabilities for organization that should be identified and assessed. In like manner, the identification and assessment of threats that could potentially exploit such vulnerabilities is also necessary. Once there has been sufficient analysis of the potential risks, the enterprise must decide how to respond to them.
Business leaders have a heightened awareness of the existence of cyber risks due to frequent news reports of attacks affecting all sectors, including the government. Thus, we are starting to see significant investments in countermeasures designed to respond and mitigate risks to protect the assets of the enterprise.
The real question is, are the investments appropriate. Studies show most boards of directors and senior management are not educated enough in cyber security to make sound business decisions in this area. However, in most organizations, these are the individuals with the authority to make decisions when it comes to a significant investment in resources. A main goal of most enterprises is to make money and reduce costs. Therefore, the natural question is what will be the return on investment. This is where the audit professional comes in, which includes the audit committee of the board of directors. It is the role of audit to educate those responsible for the protection of the company’s assets on the need for effective and efficient cybersecurity controls.
It is important to note it is management that bears the responsibility of implementing controls to protect the assets of the enterprise. Audit is responsible for determining if controls are in place and whether the controls’ design will be effective in mitigating the risks associated with the asset. Of course, the ultimate goal is to prevent an attack or breach from occurring. Common controls implemented in an effort to prevent this includes authentication techniques such as passwords or biometric technology.
An auditor evaluating such controls usually determines if a password management policy exists and if there is required password syntax in place, as well as periodic password changes and automatic account lockouts after a pre-determined number of failed login attempts. Firewalls also are common. The existence, type and placement of a firewall in a corporate network is important when evaluating these controls. The auditor will also spend some time with the firewall administrator to understand the firewall rules and if they are based on an overall firewall policy. These are just two of many possible controls that may be in place to prevent attacks.
However, controls, as we know, can be circumvented, which is why there are preventative, detective and corrective controls. The hope is management has done a good job in implementing effective and efficient controls in each of these areas.
Ultimately, the audit professional produces a report reflecting its opinion of the effectiveness of the control environment based on the objective and scope of the audit. It is also common for the auditor to provide recommendations regarding how to improve the controls to better protect assets. It is important for auditors to also be proficient in articulating the potential consequences of ineffective controls and the impact it has on the assets of the organization.
Editor’s note: ISACA has produced a new white paper on auditing cyber security.
ISACA also created a cyber security audit program based on the NIST Cybersecurity Framework that contains detailed controls and testing steps.Category: Audit-Assurance Published: 2/14/2017 3:10 PM
We are living in a digital world where a staggering number of data breaches have resulted in the theft of personal data of end users across a broad spectrum of sectors, such as financial, health care and media. The growing adoption of the cloud, mobile devices and social media has resulted in an increase in incidents related to the theft of personal data.
As organizations begin the scramble to comply with the European Union (EU) General Data Protection Regulation (GDPR), there is a dire need to understand its scope and the privacy requirements mentioned in the standard. The regulation is applicable to all organizations that store, process and transmit any personal data related to an EU resident. The GDPR will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The regulation will apply to even those organizations that may not have a presence in the EU, but are processing or accessing the personal data of EU data subjects.
There are an overwhelming amount of privacy requirements that an organization has to consider to enhance its privacy management program, mitigate privacy risk and demonstrate adherence to the GDPR. The following should be considered when developing policy to comply with the privacy requirements of the GDPR program:
It is imperative for organizations to proactively determine their current state of data protection and benchmark it with GDPR requirements to understand whether they are GDPR compliant and identify which gaps must be filled. To bring themselves in line with the GDPR, companies both inside and outside the EU will be required to consider the changes required in the way they interact with customers and the transfer of data. It also means organizations have to invest more on the tools and technologies required to ensure adherence to stringent privacy requirements of GDPR.
Tarun Verma is a senior consultant with Infosys-Information and Cyber Risk Management (iCRM) practice. He has experience in the domains of security governance, IT risk management, regulatory compliances, privacy, cyber security and cloud security. He is responsible for delivering governance, risk and compliance consulting and advisory services to Fortune 500 clients.Category: Government-Regulatory Published: 2/13/2017 3:11 PM BlogAuthor: Tarun Verma PostMonth: 2 PostYear: 2,017
Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent. While the fundamental causes of this skills crisis will take time and sustained focus to effectively address, there are steps that organizations can take in the short term to better position themselves to deal with their challenges.
In ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say less than one in four applicants are qualified for jobs, while only 59 percent of organizations receive at least five applicants for open cyber security positions. Consider a Glassdoor survey that found most corporate job openings draw 250 applicants, and the scarcity of qualified cyber security professionals becomes all the more striking.
Until the pipeline of qualified applicants can be more adequately filled, organizations will need to be creative, resourceful and resolute in their pursuit of cyber security talent.
That includes placing heavy emphasis on grooming and retaining existing talent through a defined program of training and skills refresh. Investing in professional development and technical upskilling are among the ways to incentivize employees to stay, and job rotations – which round out employees’ skill sets and ward off the frustration that comes with repetitive tasks – can be another effective tactic. These retention efforts are critically important, as allowing cyber security professionals to walk out the door, given how difficult they are to replace, often becomes a crippling setback.
Hiring from within is another approach that is a necessity for many organizations. Given the shortage of qualified cyber security professionals, grooming employees with related skills – such as application developers, data analysts, and network specialists – is a sensible and effective way to fill crucial gaps. Many employees with these tangential skills are interested in learning more about cyber security and applying their skills in new areas, so this approach can be a win-win scenario for professionals and their organizations.
Among the study’s respondents, 55 percent noted practical, hands-on experience as the most important security qualification for cyber security candidates. The ability to demonstrate those capabilities – such as though ISACA’s Cybersecurity Nexus Practitioner (CSXP) certification – provides measureable credibility to employers, but there are additional considerations that should not be overlooked when pursuing cyber security talent.
The cyber security community is relatively small and tight-knit. In a landscape where hiring talented cyber professionals is so difficult, drawing upon industry contacts and personal networks for recommendations can be essential to both find and vet quality candidates. Identifying the right educational backgrounds also should not be discounted, as many hard-to-find skills, such as malware analysis or management of a security program, would benefit from computer science or business degrees, respectively.
The State of Cyber Security Study 2017 shows the immense amount of long-term work ahead, but organizations dealing with urgent cyber security threats now must be proactive and strategic to make the best of a challenging workforce landscape.Category: Security Published: 2/13/2017 7:21 AM
Most organisations, after being impacted by a cyber-attack, began looking at the design of their Security Operations Center (SOC) operating model – their existing engagement with the managed service provider or their in-house SOC program – to identify the missing link because business challenged their effectiveness. This is a reality.
Here is my perspective on how your SOC program can establish this effectiveness proactively and bring value to the business through a couple of measures, though these are not the only measures to strengthen the governance of your SOC program.
Under a well-defined structure, SOC gets initial visibility on the threats from the business, risk management and intelligence function. These (top) threats get translated to specific use cases. These specific use cases will map to business systems – both critical and non-critical relevant data sources.
Now let’s look at two different types of the threats to get a practical view, one of which dictates the availability of the system (DDoS attack), and the other that steals the sensitive information (malware/APT attack).
When the SOC monitors the threats, they should map these threats and their monitoring to kill chain, where these threats are intercepted using a specific KPI – stage of threats intercepted on kill chain. The outcome of this mapping helps SOC advise IT/security/business whether the preventive control in place is effective or not. For example, a malware caused by a spear phishing attack through a zero day exploit on the user browser, operating on a business critical system within retail banking, is passed through on stage 1 of kill chain. This scenario clearly indicates that either the advanced malware protection control on the end user machine did not detect it, or the local event manager did not raise an alert within Security Information and Event Management (SIEM), and hence these controls are not effective.
This type of advisory augments the role of SOC beyond just monitoring the security incidents. Also, the SOC teams have the knowledge of the underlying impacted systems. To that end, the SOC can provide a full visibility on threats, from use case scenario to kill chain stage to the underlying business system that is under attack.
Another KPI is linked to response time to threat incidents. By conjugating these two KPIs, business gets visibility on how SOC is able to protect business systems, which is a primary goal of SOC program by intercepting the threat early and responding to the incident in an agreed time frame (KPI on response time will indicate if time to respond was more than the agreed timeframe). Finally, SOC should provide the estimated value of impact that was safeguarded by the SOC, taking into account the underlying asset value, though this exercise involves a bit subjectivity.
Sometimes business leaders demand that the SOC team should tell them the downtime of critical business systems during an attack, especially in the situations when the organization experiences DDoS attacks. This is a reason some SOC structures have allocated dedicated team to DDoS monitoring. Apart from the above approach, the SOC will use an established process which checks the heartbeat of the underlying data source/asset, which is mapped to the use case(s) in this category. In case of DDoS, when a critical business system is not available, an alert is generated based on this event. When a report is generated from the SOC, business gets visibility on the downtime of the system due to a DDoS type of attack. This report can be compared with one from the IT/business continuity function, which generates a report on non-availability of the system.
In summary, SOC programs are maturing to augment their role beyond serving just as an operational entity to bring in value to the business by implementing business KPIs and SOC processes. Mapping the use-case scenarios to kill chain is a crucial step in building this value by increasing the possibility of intercepting threats at an early stage.Category: Security Published: 2/10/2017 3:10 PM
More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.
Those concerns, highlighted in ISACA’s annual IT Risk/Reward Barometer, are reflective of insufficient security measures by IoT device manufacturers.
One of the main culprits is IoT devices running old versions of Linux – sometimes as much as 10 years old. This happens for a variety of reasons, such as the version becoming outdated while the device is in development, or manufacturers building on top of existing devices and sticking with the old software to speed up development time. The result is devices hitting the market with easily anticipated vulnerabilities.
IoT manufacturers also need to make sure their devices have the capability to automatically and reliably run security updates. This should be considered a must-have feature by consumers and businesses when making their purchases. If the devices are able to be updated, without it being a time-intensive process for users, security threats can be addressed much more quickly and effectively.
Making some of these adjustments will be critical, or trust in IoT devices’ security among professionals and consumers will be further damaged, given the threat landscape in 2017 and beyond. The proliferation of IoT devices will result in escalating instances of DDoS attacks this year, according to Deloitte – potentially along the lines of the massive Mirai DDoS attack that used infected IoT devices to cause widespread disruption in October.
That attack, while certainly a wakeup call to some device manufacturers, might not have resonated with many consumers, who did not see a direct impact on their lives, even if their own device was infected and part of the attack. But there is little doubt more and more individuals will be affected by IoT security shortcomings as the devices – and the related threats – grow at a staggering rate.
That could include the emergence of IoT ransomware threats. Ransomware exploded on PCs in 2016, resulting in estimates of about US $1 billion in payments. Given how lucrative the attacks have proven to be, it’s not much of a stretch to anticipate that criminals will explore how they can target IoT devices in their ransomware schemes. For example, imagine a smart lock on your home or car that won’t open until you pay a small ransom. From a criminal perspective, ransomware attacks on IoT devices could make for an efficient strike, with the possibility of holding customers’ device or data hostage and extracting money from the same individual or organization in a single step.
As attacks on IoT devices continue to evolve, none of us will be able to say we didn’t see them coming – 80 percent of professional respondents in the Risk-Reward Barometer survey expressed a high or medium belief in the likelihood of an organization being breached through an IoT device. Enterprises can use network segmentation to isolate IoT devices from their production network. Consumers also recognize the security threats; more than 75 percent of consumer respondents in each of five regions surveyed – Australia, India, Singapore, the US and the UK – expressed concern that augmented reality enhancements could make their IoT devices more vulnerable to a breach. Home IoT network security devices like Dojo by BullGuard, CUJU, and BitDefender BOX can help consumers protect their IoT devices from cyber attacks – some even have enterprise-like network segmentation capability.
Connected devices are becoming increasingly prominent in our daily lives. It is up to consumers and organizations to send the message to device manufacturers that insufficient security design will be a deal-breaker when it is time to consider a purchase.Category: Risk Management Published: 2/8/2017 3:04 PM
Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think. While many organizations worry about the technical issues that are posed by a cybercrime attack, such as ransomware locking up entire swaths of servers – bringing business operations to its knees – most are even more concerned about their public perception and loss of clientele.
In fact, while an attack or exploitation by a cybercriminal may be technically damaging to an organization, the fallout over the attack’s handling may be even worse, revealing some of the companies’ true fears.
Understanding the technical implications of an attack are incredibly important. That’s why many organizations employ incident response teams. Analysis of an attack and restoring business operations is key to ensuring that organizations do not fall prey to the same attack or, ideally, the same attacker. However, with a proper incident response and disaster recovery element, technically recovering from an attack simply becomes a matter of restoring services and implementing the appropriate cybersecurity controls to protect an exploited organization.
What takes much longer to restore is public brand perception and customer retention. Companies have shown their fear of customer loss in the past by implementing rather dramatic controls in an effort to keep their customers. For example, after Yahoo revealed its most recent breach in 2016, it immediately disabled the automatic email forwarding feature.1 While this was a small change on the behalf of Yahoo, it was a huge change for its customers, who may have wanted to change their email provider to another service while ensuring that they did not miss anything pivotal sent to their old address. Thus, users had a much harder time making the switch over to another email provider out of fear of potentially missing an important email. It goes without saying that users, and the media, reacted adversely.
In comparison to Yahoo, the University of Maryland, which suffered from the theft of student personally identifiable information (PII) in 2013, pivoted dramatically by announcing the attack and its response in the same week. Each student with compromised information was provided five years of credit monitoring. Additionally, public presentations were made that explained the attack as well as the types of controls placed to deter future attacks. Thus, the situation was quickly relegated to memory and barely discussed beyond the ensuing weeks.
The Yahoo and University of Maryland examples are just two that illustrate the real damage that can occur from cybercrime attacks, reputational damage and loss of consumer confidence. Those working in cyber security should keep this in mind during an incident response or disaster recovery – though the technical impact to an organization may be damaging, the reputational damage could be leagues worse.
Editor’s note: Through its Cybersecurity Nexus (CSX), ISACA has issued new guidance providing insights on some of the top emerging cyberthreats and the methods through which enterprises can defend themselves.
Exponential increases in the computing power and availability of massive data sets, among other factors, have propelled the resurgence of artificial intelligence (AI), bringing an end to the so-called AI winter—a bleak period of limited investment and interest in AI research. Commercial deployment of AI systems is fast becoming mainstream as businesses seek to gain deeper customer insights, lower operating costs, improve efficiency or boost agility.
The proliferation of AI raises intriguing opportunities; however, associated risk exists, and it should be considered, as its impacts can result in significant consequences. My recent Journal article provides practical strategies to mitigate 3 crucial risk factors associated with the commercial adoption of AI:
Businesses should build cyber security into innovation programs from the outset. But unified efforts by policy makers, business leaders, regulators and vendors are a prerequisite for long-term success.
To maximize AI potential while minimizing business exposure, businesses need to align their strategies with their risk appetite, anticipate major pitfalls and embed governance into transformation programs.
Read Phillimon Zongo’s recent Journal article:
“The Automation Conundrum,” ISACA Journal, volume 1, 2017.
ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.
Together, we have teamed up to create a new product that leverages the deep guidance available within each of the models. Specifically, COBIT 5 and the CMMI maturity models each have extensive guidance in establishing practices that permit users to better align stakeholder requirements with the utilization of IT-enabled investments; using them both together can yield a resultant value that is greater than the sum of their respective parts.
Many users of framework products look for mapping tools to assist them in using both models or to reduce initial planning and implementation resources needed to bring the second model into use. Mapping tools serve a useful purpose in that regard but have always had one significant drawback: They only attempt to reveal direct connection points between the models being mapped. That serves to speed up implementation time for the second model, but is limiting in the degree to which it unlocks the additional value that using that second model could bring.
The other issue that comes up with traditional mapping tools is that they are designed to be used in one direction only. That is, a user looks up an element in model A and finds which element or elements in model B relate are related. What if you want to start with an element in model B? That element likely exists in multiple places throughout the map and isn’t easy to isolate to determine what in model A is related. These traditional maps are unidirectional.
ISACA and CMMI saw an opportunity in this gap to produce a tool between COBIT 5 and the CMMI maturity model. Called the COBIT 5 CMMI Practices Pathway Tool, users will now be able to quickly and easily navigate from either COBIT 5 or CMMI and uncover relevant guidance in the other model. This bidirectional capability is unique and will permit users greater flexibility in deriving value from the tool.
The tool is built in Excel to provide access to a larger number of people. It takes advantage of native functionality in Excel and uses filtering to provide a quick and easy means of selecting elements of interest. There also is a guidance document with the tool to better describe its function and use.
The end result will be the ability for business IT practitioners to deliver additional value to their stakeholders.Category: COBIT-Governance of Enterprise IT Published: 2/3/2017 3:15 PM
Demand never has been higher for the IT advisory skill set. At our firm, we’re seeing more competition now than even existed in the SOX boom of the mid-2000s. Positions across the United States are re-maining open for months at a time. Your company wants to make sure it’s not settling on the first ap-plicant who knows the difference between CISA and COBIT and, instead, wants to attract the brightest talent that will really make a difference to your team.
We’ve seen some common themes among our clients who consistently attract the best candidates, and I’d like to share them with you so that you can win the talent war in 2017 and beyond.
The number one motivation for making a job change that I hear time and time again goes something like this: “I don’t feel like my position really makes a difference. I just check up on everyone else.” You need to make sure you’re marketing your position as one that allows the applicant to see the meaning and purpose of his or her work. Tell them success stories about your department and paint a picture for them about how you are perceived in the organization.
A recent example from one of our clients was a project where the business operations and IT security teams could not agree on the best way to move forward on a large product rollout. The IT audit team (through years of showing its value to the business) was instrumental in making sure both sides came to an agreement in order to release a workable product. Not only does this IT audit team now have the pride and satisfaction from helping shape one of the company’s most important initiatives, but is has also turned into a great recruiting story allowing them to attract top talent. That’s true impact.
The rise of the Silicon Valley style corporations with unlimited vacation time, a whole year for paterni-ty/maternity leave and game tables in every conference room has made it difficult to win the talent war without offering an appealing work/life balance. At the management level, I know you’re not able to change large policies like I’ve mentioned above, but what you can do is make your department one that embraces technological advances that allows your employees to work when they can, where they can.
I realize that this is more easily said than done, but companies that are doing this are able to attract the best talent. Perks such as working a day a week from home, flexible work schedules (get in early/leave early, etc.,) and making sure on-site time is used to maximize face-to-face encounters with internal customers and team members while the rest of the work is done from a coffee shop, etc., will help you to be much more appealing to the generation that has grown up with information available any-where, on any platform.
Obviously, your goal is to retain the talent you are able to attract. The best way to do that is to make sure your employees are challenged, able to grow and never bored: “I want to make sure I’m not a (insert job title here) forever.”
It’s a common concern among candidates I speak with and human nature to not want to feel trapped. Candidates want to feel there is a career path for them and know that they won’t be doing the same thing every day. They crave variety, challenge, growth and advancement. If you plan to hire someone who already knows how to do everything in your job description, you’re setting yourself up to have someone leave your department early if there is no significant growth or challenge for them if they stay. In so far as possible, create opportunities for your employees to add to their skill sets, and enable them to advance within and eventually beyond your department. If you don’t have a compelling story about the growth opportunities you can provide for your new team members, you will continue to lose that talent to other companies who can show them a challenging career path.
Use what sets you apart
If you search for the term “CISA” on LinkedIn, Indeed, Monster and CareerBuilder, you’ll find thou-sands of available roles. On ISACA’s own job board, there are 500. With competition like that, you need to be sure your company and opportunity stands out from the rest.
What is special about your company that attracted you to work there? How do you address mentoring younger talent? What processes do you have in place to groom the candidate for future leadership roles? Also, make sure to allow the applicant to go to lunch with potential co-workers, not just manag-ers. Applicants who leave the interview believing they will enjoy working beside the people they meet will be much more inclined to want to work for you.
Highlighting smaller perks doesn’t hurt, either. Do you have a generous 401K match? Does your com-pany offer free lunches in the cafeteria? Have an onsite daycare? Make sure you advertise those.
My goal for this article was to provide value to you and help you identify some things you can do to attract the talent you need to succeed. If I can answer any questions to help you win the talent battle, write your questions in the comments below!Category: Audit-Assurance Published: 2/1/2017 3:01 PM
While we become more and more connected and dependent on technology, we also become more and more vulnerable. Most organizations spend a large amount of resources defending against the outsider threat, but what about the insider threat? The insider threat can be just as costly and devastating as the outsider threat, but how do you control and monitor the people who must have access to the systems and data that you are trying to protect? Do we as cyber security professionals really understand what options we have when dealing with an insider threat? Here are some methods to mitigate the insider threat:
Which methods are used and how they are used is dependent on the organization. There are other factors that affect the method used, such as budget, amount and types of data, importance of the data, and leadership buy in. The way we deal with the insider threat may vary, but it is a threat that each organization must understand and mitigate.
Read Rodney Piercy’s recent Journal article:
“The Persistent Insider Threat,” ISACA Journal, volume 1, 2017.
The IoT, or “Internet of Things” (everyday objects and systems that have connections to a network to provide data-sharing and virtual control), is a fast-growing arena of technology growth. The potential uses of the IoT to build a “smart world” of connected devices is enormously convenient and brings a whole new level of mobile management to every aspect of consumer and business activities. We are now able to start our cars from our phone, lock our front doors from our PC, or turn on the crockpot in our kitchen from a tablet in the office. Who knows what we will be able to do in the very near future?
Unfortunately, the IoT brings with it not just convenient access for users of the “things” on the IoT, but also convenient access for those wanting to exploit those things. More access points mean more places for attackers to get in. More remote control means more ability to hijack that control. All that leaves big problems for the organizations that design, build, and sell, or buy, implement, and use these products. With HVAC systems, point of sale systems, communications systems, manufacturing lines – entire organizations, in fact – tied into the connected world, the IoT is opening increasing risk (security and operational) every day to businesses whose operations are more and more often tied into the network, whether they are making or using IoT devices.
Dealing with Risks on the IoT
The key to dealing with the changes in the security risk environment brought about by the ongoing evolution of the IoT is to focus, not on a detailed plan for any specific risks (which are ever-changing), but more on organizational resilience and risk-principle-based security management in general. The protection and continuation of business operations in the risk environment of the IoT goes beyond the scope of just information security. The risks associated with these networked devices transcend technology and reach deep into the realm of overall business resiliency and, as such, must involve stakeholders from across the business.
Organizational resilience enables enterprises to respond nimbly, pivot on a dime to change focus and alter activities, and keep fulfilling their mission no matter what is happening around them. It’s a philosophy that relies more on an attitude of preparedness – on understanding that a crisis is likely to occur no matter how many mitigation plans you put in place – than on hard-and-fast rules for responding to a crisis event. Organizational resilience is a team approach that allows the risk managers and business leaders to work together in a partnership to ensure that critical functions can continue no matter what. It’s an outlook that enables a quick response to events that can quickly escalate – exactly the type of events we can expect when dealing with a fast-changing environment like the IoT.
Enterprise Security Risk Management (ESRM) is a security paradigm that is gaining significant traction in the security world and is a perfect response to the kinds of changing risk environments associated with the IoT. It’s a risk-based security management philosophy that is based on building partnerships across the business to manage security risk and to ensure that business leaders are making educated risk decisions for their assets and critical functions. ESRM embraces risk identification and mitigation while at the same time recognizing that businesses need to sometimes take risks to succeed. It enables business owners and security practitioners to work together to find the best solution for protecting the company while not stifling its ability to get the job done.
Using the two complementary philosophies of enterprise security risk management and organizational resilience, the business organization is in a better place to both protect itself from harm and embrace positive change due to uncertainty in the business environment. Resilience works both ways in an enterprise, to flexibly adapt to good or bad risk outcomes – both are highly possible when dealing with the IoT universe.
These philosophies drive all parts of the business to recognize and proactively deal with security risk, not simply put the responsibility solely on the technology or security department. ESRM is a security management system that any organization can take and adapt to its needs to build out a flexible and business-based program that will help it along the path to true organizational resilience, no matter what risks it is exposed to in the present or the future. Now is the time for security leaders to embrace these philosophies and strengthen the resilience of their enterprises, because the future of the IoT is already here.Category: Risk Management Published: 1/30/2017 3:05 PM
Claudia Johnson always has had a knack for mathematics and statistics.
But even Johnson has trouble calculating the exact impact artificial intelligence and robotics will make on society. Her background qualifies her well to at least estimate.
“The opportunities through artificial intelligence and machine learning, particularly for security, are enormous,” Johnson says.
Johnson, an ISACA member and security specialist at Infoblox, spent about six years researching AI early in her career. She has continued to follow the field with great interest, saying she has come “full circle” given AI’s role in the cybersecurity space.
“Today I see machine learning making huge strides in IT security,” Johnson says. “One major advance in the world of today is that this approach is being combined with big data. This is an approach that will take us away from recognized, predictable threats and onto the plane of warding off zero days. The Infoblox Data Exfiltration detection algorithm based on machine learning and big data, for example, detects malicious activities where even next generation firewalls fail.”
After earning master’s and doctoral degrees – but ultimately tiring of academia – Johnson’s first job in the IT field was as a knowledge engineer at the Siemens Central Research division for artificial intelligence. Johnson found the material intriguing – especially as it pertained to how brains work and learning language – but noted that those involved in research today can leverage big data and other modern tools to accelerate their progress.
Johnson grew up in the United States – in the Seattle area – but has spent most of her adulthood in Germany, where she attained her Ph.D in Meteorology at Max-Planck-Institut. She briefly relocated to Australia for family reasons, and it was while there that fellow security professionals recommended that she join ISACA. Johnson is glad she did, calling it “a great way for me to further my security knowledge and network with other security colleagues.”
Although enthused about the potential of AI, Johnson shares a common concern that AI and robotics will displace a segment of the workforce.
“Robotics will change a lot of daily tasks,” Johnson says. “Entry level work like working at a cash register will disappear. Cleaning house, washing windows, will go down the same path. There will only be a privileged few who will still have well-paid jobs. What about the rest? How will they make ends meet?”
That sort of empathy is central to Johnson’s worldview. Upon returning to Munich from Australia last year, the flood of refugees who have entered Germany while she was away have made a profound impact on Johnson’s thoughts and priorities.
“Now that we as a family are back in central Europe, I would like to help with the refugee situation by volunteering,” says Johnson, who also counts hiking, bicycling and swimming among her interests. “A number of our personal friends are helping out – in small ways - and it is the small things that can add up.”
Johnson also is passionate about encouraging more women to enter the IT security realm.
“My current personal goal is to give back to the community, both in terms of social responsibility as well as IT security,” Johnson says.
Editor’s note: ISACA’s family of more than 140,000 members and certification holders consists of truly outstanding individuals who are making significant contributions to the profession and the world. Watch for more stories like Claudia’s coming soon, and contact email@example.com if you have a member story you’d like to share. If you are not a member, consider joining our community. View the ISACA Member Advantage here.Category: ISACA Published: 1/26/2017 3:11 PM
We live and work in a high-tech, interconnected world that is seeing increases in the volume and sophistication of cyberattacks. In order to function safely in this technology-driven, digital world, we must have strong cybersecurity controls. But how do we know if we have the right controls or if our controls are functioning as planned?
Because of the need for audit and assurance programs and processes around cybersecurity, ISACA has developed a new IS audit/assurance program, Cybersecurity: Based on the NIST Cybersecurity Framework. The goal of this program is to provide organizations with a formal, repeatable way to validate cybersecurity controls.
The program is based on the NIST Cybersecurity Framework and is built around the following five critical cybersecurity activities:
The program is offered as a Microsoft Excel file with columns created so users can define controls to be tested (including frequency and results), as well as add references and comments. Testing steps have been identified for each NIST Cybersecurity Framework functional subcategory. These subcategories are labeled “Controls” in the program.
In addition, controls are referenced to COBIT 5 and ISO/IEC 27001:2013, making it easier for professionals to integrate the program into existing frameworks and/or audit programs.
Editor’s note: To download the Cybersecurity: Based on the NIST Cybersecurity Framework audit/assurance program, visit: www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cybersecurity-Based-on-the-NIST-Cybersecurity-Framework.aspx.
ISACA also is offering a one-day workshop entitled “Cybersecurity for Auditors” immediately following the 2017 North America CACS conference in Las Vegas, Nevada. For more information and to register, visit: www.isaca.org/Education/Conferences/Pages/North-America-CACS-Presentations-and-Descriptions.aspx#ws7.Category: Security Published: 1/25/2017 3:08 PM
The Internet of Things (IoT) is quickly becoming a highly populated digital space. Two popular types of IoT items are the Amazon Echo personal helper, that answers to “Alexa” (or “Echo” or “Amazon”), and the Google Home personal helper, that responds to “OK” (or “Google”). These highly proclaimed smart gadgets are always listening; as are generally all similar types of smart gadgets and toys.
Listening can quickly change to recording and storing the associated files in the vendors’ clouds because of how these devices are engineered. Let’s consider the privacy implications of how those recordings are made, where they are stored, how the recordings are used, and who has access to the recordings.
Amazon and Google both claim that their smart personal assistant devices do not keep any data that they are listening to before those keywords that trigger the recordings. However, here are just a few important privacy-impacting facts:
There are other privacy issues, of course. But, for now, let’s focus on these, which are significant on their own.
Privacy protections currently require manual intervention
While the Amazon and Google privacy policies each boast of privacy protections, those policies fall short of providing full explanation for full privacy protections specifically for Alexa and Home. And for the most part, consumers must take actions to protect their privacy, particularly for the issues listed previously. For example, users must, at a minimum, take the following six actions to establish a minimum level of privacy protections for themselves:
Effective privacy protections must be built in and automatic
These manual actions need to be taken for current versions of smart personal gadgets to protect privacy in the short-term. However, the time is long overdue for privacy protections and security controls to be engineered into every type of smart device available to consumers. The amount of data collected and the potential privacy harms that could occur with that data are too great to allow IoT vendors to simply take a few incomplete actions that only start, and do not complete, the implementation of all privacy protections that are necessary to protect the privacy and security those using the devices.
For example, to address the issues discussed here, Google and Amazon could have engineered the devices so that:
Over the past couple of years, I’ve chatted with my friends at CW Iowa Live about the privacy issues involved with these IoT devices. For more information on this topic beyond this blog post, you can listen to them here and here.
Utilize ISACA Privacy Principles to build privacy into processes
So how should engineers approach building privacy controls into IoT devices? Use new ISACA privacy resources! I am grateful and proud to have been part of the two ISACA International Privacy Task Force groups, both led by Yves Le Roux, since 2013, and to have been the lead developer authoring the newly released ISACA Privacy Principles and Program Management Guide (PP&PMG), incorporating the recommendations and input of the International Task Force members, as well as a complementary privacy guide targeted for publication in mid-2017.
The ISACA PP&PMG outlines the core privacy principles that organizations, as well as individuals, can use to help ensure privacy protections. These privacy principles can be used by engineers to build the important privacy and security controls into IoT devices right from the beginning of the initial design phase, and use them all the way through the entire product development and release lifecycle. Aligned and compatible with international privacy models and regulatory frameworks, the ISACA Privacy Principles can be used on their own or in tandem with the COBIT 5 framework.
The second ISACA privacy guide that will be released this year will include many examples throughout the entire data lifecycle and a detailed mapping of where to incorporate privacy controls within the COBIT 5 control framework component.
Editor’s note: Saturday is Data Privacy Day, and ISACA is an International Data Privacy Day champion.Category: Privacy Published: 1/24/2017 3:00 PM
In my recent Journal article, I stated that our profession needs to adopt quantitative methods of risk analysis to enable well-informed executive stakeholder decisions. Common reactions to this notion include:
I will be the first to admit that quantitative analysis will always take more time than sticking a wet finger in the air and proclaiming high risk. Then again, you get what you pay for. In my own experience working with numerous organizations, I have found that between 70% and 90% of high-risk issues in risk registers and top 10 lists do not, in fact, represent high risk. So the question becomes, how much value is there in effectively prioritizing and understanding the cost-benefit of risk management investments?
My experience as a 3-time chief information security officer (CISO) who has been using quantitative methods for a decade is that the time spent in “getting risk right” is well worth the effort. The executives I have served have shared that opinion. In addition, performing quantitative risk analysis when using proven methods, e.g., Monte Carlo, project evaluation and review techniques (PERT) distributions, and calibrated estimation, is much less time consuming than most people imagine.
But what about the concern regarding data? Here, again, there is legitimacy to the concern, but it is tainted with misunderstanding. A common belief is that to do quantitative risk analysis, you must have a statistically significant volume of data regarding both likelihood and impact. Although that would be ideal, the methods I mentioned above are specifically designed to enable quantitative analysis with uncertain data. For example, if you are trying to estimate the likelihood of a specific attack, but you lack significant historical data and/or the threat landscape is in a state of flux, then you express your likelihood estimate as a wider, flatter distribution than you would if you had high-quality data. This faithfully represents the lower confidence in your data, which can be a crucial data point in and of itself to decision makers.
The bottom line is that the means of doing high-quality quantitative risk analysis exist and are being applied successfully and pragmatically. If we hope to evolve as professionals, we need to at least be aware of these methods so that we can leverage them when appropriate.
Read Jack Jones’ recent Journal article:
“Evolving Cyberrisk Practices to Meet Board-level Reporting Needs,” ISACA Journal, volume 1, 2017.