Author’s note: This post was inspired by the discussions among CISOs attending ISACA’s 2016 CISO Forums, plus additional readings and personal experience. The opinions are my own. For more insights from the CISO Forums, read ISACA’s CISO Board Briefing 2017.
A study by K logix Research titled “CISO Trends” found that “53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”
This will have implications that go far beyond resource allocation. The CISO’s contribution to the organization is fundamentally to enable growth and support the attainment of the strategic objectives. The CISO will achieve this by ensuring that the information security posture is commensurate with the risk appetite and compliant with industry requirements.
When a group of CISOs discuss reporting, you rapidly come to realize that there is not a unique global best practice. In fact, as indicated in ISACA’s CISO board briefing, “there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive.”
To best fulfill this role, a key success factor is having the CISO as close as possible to those who set the tone at the top. Direct reporting to the CEO is what first comes to mind. Working closely with the CEO helps ensure best alignment of security with business imperatives. This requires an excellent working relationship between the CISO and the CEO.
Being perceived as part of the inner circle has its ups and downs. Other executives and directors will want to display a collaborative attitude and deal with the CISO as a key player but might also see the CISO as a threat to their own agenda.
The same study by K logix points out that “more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO, or Risk-related organizations. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO.”
There are some public examples in which even the CEO had an agenda that made her avoid her CISO. Googling Yahoo’s Marissa Mayer will provide an example of a situation of which no CISO wants to be part.
A very prevalent option is reporting to the CIO. As information security gained recognition and came to be seen as more than a technical issue, the person in charge was promoted and reported directly to the CIO. At the time, this was a very positive enhancement of the role. But while this may work well for some, it comes with some risk. The CIO is under heavy pressure to deliver the required projects on time and within budget. In this model, the CIO, who has a supervisory function for security and other matters, may also be influenced by personal financial considerations, such as a bonus – particularly in the private sector.
The CIO will eventually be confronted with conflicting objectives when the project does not meet the security requirements and is running out of time or budget. Security is at risk of being sidetracked. There is a clear rationale for having the CISO function independent of IT.
Other reporting lines may be to the chief risk officer, chief financial officer, chief operations officer and even the chief audit executive.
In “Determining Whether the CISO Should Report Outside of IT, Refreshed” from research firm Gartner, it is noted that:
When the opportunity comes to revisit the reporting lines for the CISO, it’s no time to try to be idealistic. One must determine which is the best option within the context/culture/environment of his or her organization.
Among other considerations, one must assess the organization’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.
Category: Security Published: 4/24/2017 3:03 PM
My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.
Communication skills are crucial to the success of a CISO. Effective communication helps build positive relationships with employees at all levels within the organization. As an auditor, I presented audit reports to the Audit Committee. This served as excellent experience because I learned how to communicate effectively with top-level personnel, which was also required in my role as CISO.
Internal auditors are facing new challenges. Sensitive information is pervasive in the digital world because users expect it to be available when needed. Prior to the Internet-connected world, the focus in banking tended to be on business continuity planning, the exposure of sensitive information from threats to physical media, and other financial fraud activity such as physical credit card theft.
In the connected world, data is readily available through connected networks, and that data is the target of cyber attacks. Given the rise of successful attacks, IT auditors must continually educate themselves on the new types of threats and be knowledgeable of information security controls and how to test those controls.
There are many resources available to auditors. Just as a mechanic needs to acquire a toolset, an IT auditor must also assemble an array of resources. An auditor must network with other IT audit and information security professionals by participating in professional organizations. In addition to networking, websites such as ISACA’s and SANS’ provide audit and information security resources. ISACA has an online library with information security and audit books. These are useful resources for professionals new to IT audit.
IT auditors must remain relevant by constantly educating themselves regarding the latest information security threats, trends and controls by using all available resources. IT auditors are no longer an asset to their organization when they stop learning.
Changing career paths from IT audit to CISO was a smooth transition because I developed strong communication skills as an auditor, I had a strong knowledge of the latest security threats and trends, continuous education was a priority to me, and I assembled a set of resources. For those who are interested in a career path change from IT audit to CISO, these key items should help ensure success.
Category: Audit-Assurance Published: 4/21/2017 3:00 PM
Today’s cyber security professional is an amalgamation of haphazard professional experience, rapid-fire bootcamps, and smatterings of dynamically defined academic programs.
This has created a vibrant field, full of individuals with creative takes on issues and unconventional approaches to problems that are difficult to predict. However, as the field matures and the online attackers ratchet up their skill sets, the traditional solution becomes less effective.
This isn’t to say that professional experience isn’t helpful. In fact, the adage “there’s no substitute for experience” rings truer now than ever before. Yet, the training mechanisms through which cyber security professionals sharpen their skills must also evolve to match the new nefarious foes and develop a more robust cyber security workforce.
What is needed in cyber security training isn’t a stodgy textbook full of outdated references to Stuxnet and Conficker, nor a five-day firehose learning experience, which pummels students with information before wishing them luck on their sedately static question and answer exam. Instead, today’s cyber security field requires an always updating, perpetually relevant laboratory and assessment environment that offers students a chance to learn what today’s threats are and how to defeat them.
It is important to understand that there will always be a place for certifications and formal education in the realm of cybersecurity. However, MORE is required – specifically, a shot to the arm full of vitamins I, P, D, Rp and Rv. Readers might know these vitamins as Identify, Protect, Detect, Respond, and Recover – the five pillars of cyber security, as identified in the globally recognized NIST Cybersecurity Framework.
Students need a place where they can learn lessons from those who have gone before them in an interactive, real-time environment where it is okay if they fail. This environment should include labs made from events that occurred within the same year, or even better, within the same quarter. This environment should also allow students to receive their grades and continuing education units immediately upon completion of their labs.
ISACA has taken the first step toward this future of cyber security training with the Cybersecurity Nexus™ (CSX) Training Platform. The platform allows learners to create an account and take live labs anytime, anywhere, requiring only an Internet connection and a browser. Every lab is up-to-date, developed with leading industry partners in the field, to ensure that each lab is relevant to every practitioner. Currently, the platform has more than 100 hours of content, including labs, courses and a virtual bootcamp.
These are modern scenarios brought to life from requirements generated by current threats in network operations centers and security operations centers around the world. Each lab is a live network with live systems – nothing is emulated. Every set of labs, refreshed each quarter, is performance-based and graded on the spot, with students receiving a grade immediately upon completion. Training leads are presented with holistic views and metrics to determine student skill sets and measure improvement.
Students also are provided with an overall view of their performance, with the ability to generate PDF transcripts to provide to all certifying organizations. Finally, the CSX Training Platform presents a one-of-a-kind cyber security assessment capability for enterprises and organizations to ascertain the skills of potential hires and internal personnel, allowing managers to make better informed decisions about how to structure their teams.
All of this is a key step in moving cyber security training forward. By providing real-world training in a dynamic platform, ISACA is addressing the urgent training needs of cyber security professionals and their enterprises head-on.
Category: Security Published: 4/18/2017 8:00 AM
Editor’s note: Margaret Heffernan, CEO of five companies and a prize-winning author of five books, will deliver the closing keynote address at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany. Her address will be titled “Can Technology Solve Everything?” Heffernan visited with ISACA Now about her career and her philosophy on innovation. The following is an edited transcript:
ISACA Now: What are some common pitfalls that cause organisations to fall short in leveraging their employees’ innovative potential?
Many organisations work hard to organise innovation, put rules and requirements around it and a lot of measurement. That, I think, is a mistake. While it is clear that some constraints can prompt a great deal of creative thinking, defining innovation before it gets started tends to constrain it and to constrain motivation and discursive thinking. If you try to organise innovation the same way that you organise manufacturing of a defined product, you are bound to fail. Exploration of something new is an utterly different process from repeating something already well defined.
ISACA Now: You have extensive experience as a CEO. How have you sought to capitalize on technology innovations to strengthen your organisations?
I’ve always used tech to strengthen communications, but that is the beginning, really, not the end.
ISACA Now: You have a wide range of experience in the business, media and lobbying worlds. What have you found to be most rewarding from a professional standpoint, and why?
The best part of everything I’ve done has been giving challenging work to eager people who routinely exceed my expectations. I have always operated on the assumption that most people have more imagination, ability and capacity than most organisations ever uncover — and I’ve rarely been disappointed.
While there’s a lot of conversation about cyber security and physical premises security, the two rarely overlap. But when you study wireless security cameras, you experience a rare convergence of digital and physical. Do you know everything you need to know about this potentially risky technology?
Next time you’re walking down a busy street, take a look around. More specifically, take a look up. You’ll notice that there are dozens – perhaps hundreds – of cameras hidden away in corners, on lampposts, above traffic lights, in store windows, and everywhere in between. In fact, make a point of looking around next time you go on a walk through your neighborhood. Where I live, there’s no shortage of security cameras on private property.
As technology has improved in recent years, there’s been an increase in the number of wireless security cameras. Renowned for their ease of installation and convenient viewing options, wireless security cameras have become quite popular. They don’t come without risks, though.
Unlike hardwired security cameras that send footage to a closed-circuit television, wireless cameras rely on the Internet to transmit data to different devices that have permission to access the footage. The problem is that, like anything on the Internet, hackers can find ways to tap into the footage and use it for nefarious behavior.
Many cheap over-the-counter cameras, unfortunately, don’t come with encryption features and are actually relatively easy for hackers to access, which is part of the problem. I know when I was shopping for my first wireless camera, data encryption features were on the top of my list. But for those not as familiar with the technical language involved in cyber security, it’s easy to slip up and choose the wrong camera.
Making wireless security cameras more secure
The goal, from a cyber security perspective, is to make security cameras more secure both through technological advancements and end-user behavior. Some of the various steps to be taken are fairly straightforward, while others are a little less obvious.
“Potentially the most dangerous thing you can do is point a security camera directly at your door where a house number is displayed,” security expert Christian Cawley says. “All it takes is for a security cam hacker to check your IP address, identify the owner of that range (for instance, your ISP) and narrow down your location to find your home.”
It’s also important for wireless security camera owners to pay attention to the overall security of their wireless networks. Routers should be configured using WPA2-based encryption, and it’s not a good idea to view streams on unsecured networks – such as at cafes and coffee shops.
Wireless security camera owners also need to consider whether they really need to be online. “The ability to stream video of what is happening at home to your mobile device is really useful,” Cawley admits. “But do you really need it? Does your Internet cam really need to be streaming data across the web?” There are always other options to be considered.
Putting security first
The irony of wireless security cameras is that they often introduce additional security risks into your home or business. However, if you understand what you’re getting into and commit to making cyber security a priority, you can avoid most of these issues.
It’s time for the security community to come together and address this topic.
Category: Security Published: 4/13/2017 3:05 PM
Cyber security and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organizations face today, according to a recently released survey report from Protiviti and ISACA.
The top-ranking technology challenges revealed are unlikely to surprise anyone. In today’s increasingly digital economy, IT auditors are more important than ever, and they need to be more effective in their roles to deliver on the expectations of the board and management.
The survey identified the following important trends:
• More executive-level interest in IT audit. A majority of IT audit leaders (55 percent) are attending audit committee meetings, and more audit committee members are taking interest in the IT audit risk assessment process. Many IT audit leaders report to the CEO directly.
• More chief audit executives are assuming leadership for the IT audit function. CAEs becoming more technology-literate is a positive trend that underscores the elevated status of the IT audit function.
• The majority of IT audit functions (71 percent) are now involved in major technology projects. However, disappointingly, much of that involvement is in the post-implementation stage.
As I review the survey findings, one word comes to my mind – opportunity. Several of this year’s top technology challenges are very strategic – emerging technologies, an evolving regulatory landscape, and difficulty in bridging the gap between IT and the business. IT auditors can – and are expected to – play an important role in all of these areas. To do so, they need to be well-positioned (both informed and involved) and have strong relationship skills that allow them to partner with their internal clients to deliver value on these strategic items.
Let me offer a couple of recommendations, based on the survey findings:
At the end of the day, the Protiviti/ISACA study points to the importance of IT audit leaders being able to gain the trust of their internal clients. That trust is earned through delivering value and partnering to achieve common objectives. The result is a great opportunity for IT audit to prove itself as a key asset in supporting an organization’s achievement of its strategic objectives.
Category: Audit-Assurance Published: 4/12/2017 3:07 PM
Auditors are expected to complete audits on material issues within shorter and shorter time periods. Such audits and their completion depend on the availability of key personnel, who are also increasingly pressed for time as they are involved in day-to-day operations and other, often mission-critical, projects. Yet audit methodology, which involves a rigid separation between audit phases, such as planning, fieldwork and reporting, has failed to keep up with these changing requirements. As a result, the inability to schedule timely meetings with key personnel creates bottlenecks, and this delays moving to the next phase, typically because a very small part of the previous phase remains incomplete.
IT projects, on the other hand, also face similar challenges and those challenges have been met by adopting more efficient methodologies, collectively called Agile. The key difference is that formal documentation is only produced at the end of the audit rather than during the planning phase. The Agile methodology for audits would entail:
Read Spiros Alexiou’s recent Journal article:
“Agile Audit,” ISACA Journal, volume 2, 2017.
It’s not enough to make customers safe. I’ve worked with several businesses that did everything they were supposed to on the back end, including hiring IT security professionals, developing safer websites, and actively monitoring for threats—but customers never see the back end.
In addition to making customers safe, enterprises have to make them feel safe, which is arguably the harder of the two to accomplish.
Why “feeling” safe is so important
If customers get to your online store and feel like they aren’t safe—even if they are—they aren’t going to make a purchase. Even if they do make a purchase and everything goes through without issue, all it takes is one point of suspicion to make them apprehensive about shopping with you again. That’s why breached companies have such a hard time rebuilding their reputation—even though the company is taking all the proper precautions and most of the damage is already done, customers no longer feel as safe with them. Therefore, customer feelings of security are vital to both acquisition and retention.
The problem, as I see it, is that “feeling” safe is subjective, while “being” safe is objective. You can easily hire security personnel to verify that your customers are safe, but how do you gauge their feelings? Triniti explains that it’s all about collecting, storing and interpreting customer data in an efficient and accurate way. Take surveys. Talk to your clients. Make notes and aggregate your information to understand how your customers feel.
Strategies to build trust
What if you’re having trust issues? How can you make your customers feel safer?
These strategies are proven to help customers feel safer when they shop with you online—assuming you have first done the work to actually make them safer. In any case, the more attention you pay to your customers’ security and feelings, the more they’ll be willing to engage (and spend) with you, and spread the word about your company.
Category: Audit-Assurance Published: 4/10/2017 3:08 PM
The technical skill sets of internal incident response (IR) teams are being forced to evolve.
They are transitioning from being predominantly first-alerted to threats and breaches by operational units in their organization to being proactive and self-driven in uncovering and hunting down suspicious events.
The rapid advancement and adoption of centralized log and continuous network event archiving, the construction of “data lakes,” and a new generation of query tools have become the new focus for IR teams.
As a result, they are embracing threat hunting methodologies and employing a new generation of data-mining tools that identify threats in motion and reduce threat discovery and response times from hundreds of days to a few hours.
Senior IR staff – experienced in evidence-gathering and picking through events at a byte level – have welcomed the new tooling but are increasingly finding themselves spread thin on the ground.
As visibility of network and system behaviors increases at an exponential rate, the discovery of anomaly events is happening at a pace far in excess of the ability to deep-dive and pursue a threat to the root cause.
In past years, an event was often “big” before it was noticed, typically by the affected business unit, and the value of throwing in IR resources to understand and mitigate the threat was rarely given second thought.
Now, with hundreds of suspicious events automatically uncovered per hour – and the challenge of detecting events early before they cascade into full-blown breach events – many deep forensic investigative capabilities are being shelved and required less often.
A new problem is developing. How do you retain or justify the retention of deeply experienced IR and forensic specialists? I’m talking about those senior Tier-3 specialists with decades of experience who often come with law enforcement backgrounds.
Forcing these employees to data-mine, hunt for new threats and deal with several dozen early-stage puzzle pieces per day does not leverage their core skills and becomes a disincentive to stay.
Coming to market is a new movement of threat-hunting platforms that harness artificial intelligence (AI), excel at monitoring network traffic in real time, mining the growing lakes of logs and alerts, automatically correlating events and anomalies, and categorizing and labeling attacks in progress.
The previous generation of tools lacked AI and relied heavily on Tier-1 analysts trained in basic data analytics, data mining, and false-positive triaging. They would bundle up evidence files and make a first-pass determination on overall threat severity and decide who gets an incident ticket.
Too many organizations thought they could retrain their experienced Tier-3 teams to perform these Tier-1 threat-hunting tasks. The unfortunate results have included disenfranchisement of technical leaders and atrophy of deeper technical skills.
AI and the automation of the Tier-1 analyst tasks it facilitates are re-addressing this critical workload balance. These new AI-powered platforms are capable of completely replacing the Tier-1 incident analyst and responder roles.
Instead of forcing experienced Tier-3 employees to absorb Tier-1 workloads, new platforms allow the most experienced IR teams to work more closely with the business to address a correctly prioritized list of outlier events.
These outlier events often require a deep understanding of the business, combined with extracting evidence not typically captured in logs or alert events. And, most importantly, they keep highly skilled and knowledgeable experts in the organization motivated and enable them to continually add value.
The application of AI to the cyber security space is already proving invaluable in entry-level roles such as security operations center (SOC) analysts as well as in event triaging, vulnerability scanning, and identity and access management.
The talent pool in these critical areas is dwindling rapidly, and the overall skills shortage has resulted in difficulty hiring, training and retaining people for the first-rung of a professional career in information security.
The use of AI is destined to fill that Tier-1 talent gap. But, as observed in the IR and forensics fields, AI can also enable an organization’s most skilled and experienced staff to focus on solving problems for which they are uniquely suited.
Category: Security Published: 4/7/2017 3:05 PM
The explosion of intelligent connected devices – the Internet of Things (IoT) – is presenting fascinating possibilities for businesses and consumers.
Heart monitoring devices, glucose monitors and other health-related IoT devices are enabling patients to proactively monitor their health and take corrective steps. Mining companies are attaching tracking devices to underground workers to promptly locate them in the event of a disaster, dramatically cutting down evacuation time and improving safety. Meanwhile, farmers are equipping cows with intelligent devices to reduce livestock losses, improve breeding success, maximize pastures and increase milk production—a concept referred to as connected cows.
McKinsey Global Institute, a leading think tank, estimates that IoT-related applications could have a US $11 trillion economic impact by 2025, with one-third of that coming from manufacturing.
IoT is transforming virtually every industry sector, but securing these billions of smart devices is complex and daunting. The threats posed to the public are growing by the year. Here are three key reasons why.
The vast amount of personal data generated by IoT devices is generating significant privacy concerns. Take insurance firms, for example, which are considering offering discounts to policy holders who volunteer to wear devices that monitor their health, eating habits, sleeping patterns or other intimate information. While such initiatives can motivate customers to pursue healthy habits, the same consumers also believe companies are getting more intrusive into their lives. Furthermore, these companies could share sensitive information about consumers’ health, activities and location with unauthorized third parties or retain sensitive data way past policy termination. This risk has caught the attention of regulators. In 2016, multiple fitness wearable-makers faced a formal complaint from Norway's consumer watchdog for allegedly breaking European privacy laws and exploiting their users’ information.
Most devices are fundamentally flawed in their security design. In addition, the same devices have limited processing power to run modern security capabilities. Further complicating matters, most manufacturers prioritize device functionality over security. Their motivations are clear: minimal capital investment, rapid time to market and higher profits.
The 2016 DDoS attack against Internet performance management company Dyn provided a sobering insight into the implications of interconnecting millions of insecure things. Hackers exploited easy-to-guess default passwords in approximately 100,000 webcams, baby monitors, camcorders and other devices; turned them into bots (zombies); and commandeered them to launch a debilitating attack against Dyn, crippling many notable websites, including Twitter and Netflix.
This incident is not isolated. In September 2016, OVH, a well-known web hosting provider, claimed to have resisted an enormous simultaneous DDoS attack of 990Gbps, launched by a botnet consisting of more than 145,000 compromised IoT devices (IP cameras and DVRs).
Industry standards providing cyber security guidance to IoT device manufacturers are scarce to non-existent. This also creates a significant challenge for consumers, as they lack a baseline for IoT device security prior to purchase. But this is slowly changing. For example, on 28 December 2016, the U.S. Department of Health and Human Services Food and Drug Administration (FDA) issued draft guidance for managing post-market cyber security vulnerabilities for marketed and distributed medical devices. However, given the pervasiveness of these devices across many industries and geographies, more work is required.
The risk posed by vulnerable IoT devices will invariably rise as more of these devices permeate homes, businesses and vital sectors such as healthcare, aviation, manufacturing and transportation. The prospect of online predators taking control of Wi-Fi-connected baby monitors unsettles any parent. Likewise, attacks exploiting security flaws in heart monitoring devices, elevators or web-connected cars could result in dire consequences.
Given the dangers are so significant, it’s critical that industry bodies, regulators and device manufacturers work together toward unified, long-term goals. Device manufacturers have a significant role to play, particularly building tight security into new devices during design and establishing clear product road maps to ensure these controls keep up with the rapidly changing threat landscape. Equally important, businesses should ensure that sensitive data collected by these devices is only used for originally intended purposes, and not passed on to unauthorized entities without customer permission. Absent these fundamental controls, IoT’s full potential may not be realized.
Category: Security Published: 4/5/2017 3:09 PM
Editor’s note: Dan Cobley, a former managing director of Google in the UK and Ireland and current managing partner at FinTech, will deliver the opening keynote address at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany. Cobley visited with ISACA Now about the fintech industry, lessons learned from his time at Google and how to translate a science background into business success. The following is an edited transcript:
ISACA Now: From working with financial tech start-ups, what are some emerging technologies you see as having the most potential to take off in the next 3-5 years?
One, smart biometrics in place of passwords. Fingerprints, eye scans and voice biometrics are all being widely used.
Two, chatbots to deliver engaging customer service and user dialogs. The coaching chatbot used by the UK’s ClearScore is a great example.
Less visible but more powerful is the use of machine learning and AI to optimise everything from product recommendation to automated service query response to credit underwriting. And very promising, but not yet mainstream, is the use of blockchain technology to improve the efficiency and security of many financial processes.
ISACA Now: What are some takeaways that stand out from your time as managing director of Google in the UK and Ireland?
The big organisations Google was working with find it really, really hard to move with the pace that digital transformation requires. That's why I now enjoy working with smaller start-ups so much. We always overestimate the pace and impact of new technology in the short term but underestimate it in the long term.
ISACA Now: You have a strong background in physics but went on to have great success in marketing. What advice might you give people with strong scientific or technical backgrounds who would like to make an entrepreneurial leap but lack confidence in their ability to communicate their ideas to business leaders?
A scientific background should give you three great advantages:
These three attributes are increasingly important to marketers and to business leaders more generally in this increasingly technology-driven world. By using these tools, scientists will be able to hold their own with any MBA!
Category: Audit-Assurance Published: 4/4/2017 3:27 PM
We rely heavily on them, yet we are ignorant about the risk exposure from them. We know them, yet we do not know them when it comes to risk assessment and management. We often call them business partners, but we do not know our share in their risk universe. We are talking about vendors, suppliers, service providers and all such business partners collectively referred to as third parties.
So, what are the options for risk identification, measurement and mitigation? Based on the risk appetite and related cost appetite, there are multiple methodology, assessment and technology options for managing this risk. Some of the available options are standards, e.g., Statement on Standards for Attestation Engagements (SSAE) 16 and ISAE3402; best practices-driven programs, e.g., Shared Assessments; and integrated technology platforms from leading governance, risk and compliance (GRC) companies.
The first step in managing risk is identifying the right risk tier of the third party so that risk management efforts are commensurate with the risk exposure. One of the important aspects to consider while determining the risk tier is the inherent risk of the entire engagement with the third party. A combination of the third-party risk profile and engagement risk profile provides a much better risk-based approach for the entire third-party risk management (TPRM) program.
Once you have determined the risk tier of the vendors, the next logical step is to determine the risk management approach commensurate with the risk tier. There are multiple risk management approach options such as contract clauses, service level agreements, dynamic risk profiling based on financial and nonfinancial data, risk questionnaires, on-site assessments, service organization controls reporting through an independent auditor, utility platforms providing shared risk profiles of third parties, and many other similar options. Effective and efficient risk management comprises a combination of these options with a suitable technology-enabled platform to manage risk and the end-to-end life cycle of the third party.
Our recent ISACA Journal article discusses the finer aspects of third-party risk management with details on available risk management options. What are the challenges you face in selecting and implementing a third-party risk management program? We look forward to your questions, suggestions and inputs on alternative approaches.
Read Vasant Raval and Samir Shah’s recent Journal column:
“The Practical Aspect: Third-party Risk Management,” ISACA Journal, volume 2, 2017.
One of the biggest technology advancements in recent years is the expansion of the cloud, allowing users to have more space on their computers or mobile devices, with access to their documents, videos and pictures that are all conveniently stored in one place.
Similar to a commercial security system, the cloud can be used to ensure the safety of documents and other private information. Companies that use the cloud as storage and also as security take advantage of the unprecedented scalability, the quick deployment and the savings that come with it. There also are risks behind using the cloud, including a bigger chance of unauthorized access to private information, legal risks and a lack of control.
With so many people making the switch to the cloud, there are new opportunities for people both in business and in private employment. The cloud can cause confusion regarding who is actually in control. A business owner has control over what happens and how that business is run, but when it comes down to it, the vendor is the one with all the cards. For example, the vendor can change the pricing at any moment, and with clients depending on the services provided, companies are forced to pay whatever price to ensure those services will continue.
Vendors are having difficulty adapting to the changes caused by this surge in cloud adoption. As they scramble to keep up, vendors can often lose control of the situation. In a survey by ScienceLogic, it was discovered that less than one-third of IT professionals actually have the control they need in order to keep their business efficiently moving forward.
Cloud use is advancing faster than the organizations that are supposed to control it, which brings security exposures and unnecessary financial costs. As concerning as that may be, the cloud also leads to new business techniques and opportunities that enable innovation. Businesses worried about the future want to know the best ways to help the company succeed. Sometimes this leads to moments of uncertainty and confusion. These moments can benefit a company by helping it and its employees succeed in different situations and environments.
Believe it or not, a degree of chaos can be effective. Companies that risk confusion and a lack of control often jump ahead in their industry. Businesses such as Gartner, Amazon Web Services, Microsoft and Azure have used the cloud as a service to their customers. Each business estimated and received an increase in revenue just by switching to the cloud.
In the business world, it is important to be updated when it comes to technology but even more important to be aware of management tactics. In this case, the cloud is both an advancement of technology and a useful management tactic. In order for a company to truly succeed, it needs to have a culture that thrives on new ideas and new technology. Organizations that stick to old, outdated ways often become overwhelmed when trying to gain control in the fast-adapting technological environment.
Technology clears the path for employees and companies to become part of an innovative business landscape. There are always risks when it comes to new technology, but taking the chance to learn the new developments can help a business take the lead in their field. The cloud provides a company with the chance to use the extra space as an opportunity to not only help the business succeed but also to help its employees discover new learning and business techniques.
Category: Cloud Computing Published: 3/31/2017 3:05 PM
Many companies are looking at fraud detection using data analysis because, whenever there’s a fraud case in the news, it seems that it was ongoing for more than a year before anyone caught it. There are hundreds of fraud schemes out there, and more are being developed all the time. We can’t come up with a push-button app that will automatically detect fraud, but there are a few warnings in the data. We, as auditors and technology professionals, can try to spot the red flags.
There’s not enough space in this blog post for all the details I will be presenting on this topic at North America CACS 2017, but I can give you a taste of what data analytics can and can’t do to detect fraud. As I mentioned, there isn’t an app that can detect fraud. It seems that fraud often starts as an honest mistake, and if no one notices, then a fraudster “accidentally” does it again.
It would be nice if the internal controls were set up to prevent these mistakes. In many cases, they are. But, far too often, there’s a manual element in controls, and human error comes into play. We have logs of logins, database changes, firewalls, Internet sites and so on: gigabytes of log data that often go unmonitored until an issue is raised somewhere else. We have complex enterprise applications that have dozens of modules, large IT support and hundreds of users. No one person is capable of knowing all the interfaces, tables, function calls and transactions that are included in an enterprise resource planning (ERP) system, such as Oracle Financials or SAP. And, while the data is there, it’s difficult to find the fraud indicators amidst the huge number of daily transactions.
So, what can we do in the face of all this data? How do we find the needle in the haystack? We have to take it one step at a time. We can try using Benford’s Law or the relative size factor test to find outliers, but these are exploratory analytics – they might point out an anomaly, but these will often turn out to be normal transactions. We want to find something a bit more specific to the scheme if we’re really going to try to find fraud. This is not the easiest thing to do, but it can be the most fun. It is for me, anyway!
We need to focus our attention on a specific fraud scheme. Think about the process we want to check, and then think like a fraudster. Brainstorm with your peers and a subject matter expert or two, and consider how the system could be misused or gamed to commit fraud. Think outside of the box. Once you’ve collected a number of ideas, assess which ones might be most likely (or most costly, most undetectable, etc.), and start thinking about what data might indicate that such a scheme is underway. Then, design a data analytics test to explore that possibility. Duplicate invoices? Use a fuzzy match on invoice numbers, vendors and costs. Fraudulent travel expenses? Compare travel dates to the expense dates, or look to see if there are taxi receipts along with car rental.
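As an added illustration (not code from the presenter or from ISACA), here is how two of the tests the post names, a fuzzy match for duplicate invoices and the relative size factor test, might run over a constructed batch of accounts-payable records; the vendor list, invoice numbers and tolerances are all assumptions made for the example.

```python
"""Two of the red-flag tests the post names, run over constructed
accounts-payable records: a fuzzy match for duplicate invoices and the
relative size factor (RSF) test. Added illustration, not the presenter's code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str   # internal AP record id
    vendor: str       # vendor name as keyed by AP staff
    invoice_no: str   # vendor's invoice number as keyed
    amount: float


def normalize_invoice_no(raw):
    """Make 'INV-0042', 'inv 42' and 'INV42' compare equal: drop punctuation and
    whitespace, uppercase, and strip leading zeros from each digit run."""
    s = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    s = re.sub(r"(?<!\d)0+(?=\d)", "", s)
    return s or "0"


def normalize_vendor(raw):
    """Lowercase, drop punctuation and common legal suffixes ('Inc', 'LLC', ...)."""
    s = re.sub(r"[^0-9a-z ]", " ", raw.lower())
    words = [w for w in s.split() if w not in {"inc", "llc", "ltd", "co", "corp"}]
    return " ".join(words)


def find_duplicate_invoices(invoices, amount_tolerance=0.01):
    """Pairs of invoices from the same normalized vendor with the same
    normalized invoice number and amounts within `amount_tolerance` (relative).
    Returns sorted (invoice_id, invoice_id) pairs."""
    buckets = defaultdict(list)
    for inv in invoices:
        key = (normalize_vendor(inv.vendor), normalize_invoice_no(inv.invoice_no))
        buckets[key].append(inv)
    pairs = []
    for group in buckets.values():
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if abs(a.amount - b.amount) <= amount_tolerance * max(a.amount, b.amount):
                    pairs.append((a.invoice_id, b.invoice_id))
    return sorted(pairs)


def relative_size_factor(invoices, threshold=10.0):
    """RSF = largest amount / second-largest amount per vendor. A vendor whose
    biggest invoice dwarfs its next-biggest is an outlier worth a closer look
    (an exploratory test: it surfaces anomalies, not proof of fraud)."""
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[normalize_vendor(inv.vendor)].append(inv.amount)
    flagged = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < 2:
            continue
        top = sorted(amounts, reverse=True)
        if top[1] > 0 and top[0] / top[1] >= threshold:
            flagged[vendor] = round(top[0] / top[1], 2)
    return flagged


# Constructed sample batch (not real data).
SAMPLE_INVOICES = [
    Invoice("A1", "Acme Supplies Inc.", "INV-0042", 1250.00),
    Invoice("A2", "ACME Supplies", "inv 42", 1250.00),     # re-keyed duplicate of A1
    Invoice("A3", "Acme Supplies Inc.", "INV-0043", 980.50),
    Invoice("B1", "Blue Taxi LLC", "7781", 45.00),
    Invoice("B2", "Blue Taxi LLC", "7782", 52.00),
    Invoice("B3", "Blue Taxi LLC", "7783", 5300.00),       # 100x the vendor's norm
    Invoice("C1", "Crest Consulting", "C-100", 4000.00),
    Invoice("C2", "Crest Consulting", "C-100", 4100.00),   # same number, ~2.4% apart: outside tolerance
]

if __name__ == "__main__":
    print("possible duplicates:", find_duplicate_invoices(SAMPLE_INVOICES))
    print("RSF outliers:", relative_size_factor(SAMPLE_INVOICES))
```

Every hit is a lead for a human reviewer, not a finding: the RSF outlier here could be a legitimate one-off purchase, which is exactly the "normal transaction" caveat the post makes about exploratory tests.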
I’ll be going through this in more detail, and providing more concrete examples, at NA CACS in May. I hope to see you in Las Vegas!
Editor’s note: Richard Fowler will present on “Fraud Detection Using Data Analysis” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
Category: Audit-Assurance Published: 3/29/2017 3:09 PM
When I used to run vulnerability management for a previous employer, my colleagues and internal clients would stop me in the corridors and ask, “Hey Mukul, how vulnerable are we today?” Of course, this question was largely unanswerable or, at best, deserving of a rhetorical answer. Yet not wanting to appear clueless about my area of responsibility, over time I found myself responding as to whether we were better or worse off than the last week or the last month. This response would normally satisfy most, but a few curious folks would ask how I knew that. I did not know how I knew, but doing the job day in and day out gave me a gut feeling...or so I thought.
My colleagues and I challenged ourselves to think analytically about what gave us the intuition on whether we were more or less vulnerable than, say, yesterday or last month. Just a little bit of thought made it clear that what we thought of as expert judgment was anything but. We were basing our conclusion on what we knew of the latest metrics on security updates and patches that had been released recently, but had not yet been applied in our environment. Not only that, we were also considering the trajectory of our vulnerability metrics, i.e., the direction in which the trend line was headed and how fast. This realization was the genesis of my recent Journal article, where the proposal is to consider the velocity and distance from a good state and the persistence of badness over time. This contrasts with considering the absolute measure of a metric, which, while important, is often inconsistent with the way humans interpret information over time.
In many human endeavors, and information security is no exception, it is the trajectory that is more important than the absolute positioning of whatever is being measured. The first derivative, or the slope and its sign, carry more significance than the underlying data. That phenomenon explains how the rate of change makes one automobile provide more adrenalin than another, not the eventual steady state. It also explains how the victory of the underdog in a sports contest is more thrilling than a confirmation of the favorite.
My recent Journal article provides a more serious take on this topic, proposing a method to convert the rate of change to a bounded measure to support security decisions.
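To make the three ideas concrete (velocity, distance from a good state, persistence of badness, each squashed into a bounded range), here is an added illustration over constructed weekly counts of unpatched findings; it is not the scoring method of the Journal article, and the component scales and the tanh squashing are assumptions chosen for the example.

```python
"""Trajectory view of a vulnerability metric: velocity (first derivative),
distance from a good state and persistence of badness, each squashed into a
bounded range. Added illustration of the post's ideas; not the scoring method
of the cited Journal article, and the scales below are assumptions."""
import math


def velocity(series):
    """Change between the last two observations (per-period first derivative).
    Positive means the count of open findings is growing."""
    return 0.0 if len(series) < 2 else float(series[-1] - series[-2])


def distance_from_good(series, good_state=0.0):
    """How far the latest value sits above the target level."""
    return max(float(series[-1]) - good_state, 0.0)


def persistence(series, good_state=0.0):
    """Number of consecutive trailing periods spent above the good state."""
    n = 0
    for value in reversed(series):
        if value <= good_state:
            break
        n += 1
    return n


def trajectory_score(series, good_state=0.0, velocity_scale=10.0,
                     distance_scale=50.0, persistence_scale=4.0):
    """Single bounded score in [0, 1]; higher is worse. Each component is squashed
    with tanh so a runaway value saturates instead of dominating the others."""
    v = (math.tanh(velocity(series) / velocity_scale) + 1.0) / 2.0   # 0.5 = flat trend
    d = math.tanh(distance_from_good(series, good_state) / distance_scale)
    p = math.tanh(persistence(series, good_state) / persistence_scale)
    return (v + d + p) / 3.0


# Constructed weekly counts of unpatched critical findings (not real data).
IMPROVING = [120, 100, 80, 60]   # same latest value as WORSENING ...
WORSENING = [20, 30, 45, 60]     # ... but the trend line points the other way

if __name__ == "__main__":
    for name, s in (("improving", IMPROVING), ("worsening", WORSENING)):
        print(f"{name}: latest={s[-1]} velocity={velocity(s):+.0f} "
              f"score={trajectory_score(s):.2f}")
```

Both series end at the same absolute value, yet the worsening one scores higher, which is the point of weighting the slope and its sign rather than only the latest reading.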
Read Mukul Pareek’s recent ISACA Journal article:
“Standardized Scoring for Security and Risk Metrics,” ISACA Journal, volume 2, 2017.
Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.
It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense have in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will first start by defining the RACI model, which shows the pieces each player has.
The RACI model outlines the roles and responsibility of each actor in the process being reviewed. I will describe it the way I tell my auditees, simplified so that they clearly understand how our work affects one another (see Table 1).
Table 1. Definitions
Responsible: The guy or girl whose hands get dirty.
Accountable: The wind breaker or simply the fall guy or girl.
Consulted: I am not getting my hands dirty but I can share my knowledge.
Informed: Just want to know what you are up to.
See Table 2 below for the proposed roles and responsibility of actors in internal control systems.
COBIT 5 MEA02 Monitor, Evaluate and Assess System of Internal Controls
To analyze the internal control system, I will discuss five keys about the responsibility of audit, risk and management.
Internal auditors are not accountable for ensuring that controls are monitored. Auditors are only responsible for ascertaining that controls have been adequately designed, implemented and are operating effectively, thus including assurance on the monitoring of controls by IT management. It’s a fact that auditors can get their hands dirty, but they are not the fall people. The accountability and responsibility role in monitoring of controls does not seem to be clear. The majority of controls relating to monitoring of certain controls by management are almost always in the audit report; for example, the monitoring of user access, audit logs and activities carried out by users with high privileges. The accountability of management over internal controls should not be considered a mitigating control, as many have relegated it to be.
Auditors and business process owners share the same responsibility of reviewing the effectiveness of the controls. Refer to Table 2 above, MEA02.02. A prudent manager always carries out a self-audit and reports on the department’s weaknesses. I have sat in meetings where the manager of a division would say, “I am worried about this area. Could you ensure that you focus on it?” It’s not wrong for management to request internal audit to scrutinize a certain area in his or her division, but it’s always worrying when the tone appears to suggest that the manager has no idea of the processes followed in that particular area. That shows that the manager is not aware of his or her responsibility to ensure effective controls. The auditor’s role in assuring effectiveness is only for reporting purposes, while the process owner’s role is for operational purposes and is far more imperative than the auditor’s report. Likewise, self-control assessments coordinated by the risk division are the responsibility of the process owner.
IT management has a right to ensure that qualified internal auditors carry out audit assignments in a professional manner. A balance needs to be found when training auditors, especially on complex assignments. I know this is potentially stepping on my own toes, but after management gives time and resources to the auditor to carry out their work, it is disappointing for management to receive a report that does not show that the auditor understood the process being audited. It is not surprising then, when reviewing Table 2 above, MEA02.05, to note that the process owner and IT management have been tasked with the responsibility of ensuring that qualified assurers are engaged.
The business process owners’ fingerprints are all over the entire internal control system. From Table 2 above, it is clear that the process owner is responsible for all controls within the process of monitoring the internal control system. This is why it’s imperative for internal auditors to work hand-in-hand with the process owner, as the latter’s input is required in all aspects of the system. The notion that we will only disclose information that the auditors ask for does not hurt the internal auditor but, rather, hurts the process owner. Auditors merely provide feedback on the status of the system while the process owner builds the system.
In an analysis of the roles that audit, risk, process owner and chief information officer play in monitoring the internal control system, it is clear that all players have their hands dirty. Those with a quantitative mindset can count the R’s listed in Table 2 under each player. It then becomes quite clear that all actors have a role to play. For the internal control system to mature, each player needs to understand their role and support others where their input is required, even if it is just to receive information. The goal of the system is not to police, expose gaps, or show faults but rather to ensure that collective efforts lead to a more sustainable operation environment.
Category: COBIT-Governance of Enterprise IT Published: 3/27/2017 3:08 PM
How do we stop hackers without understanding their true nature? What are they after, what is valuable to them? And how does what is valuable to them translate to our losses?
Being in the business of threat intelligence, we see how disproportionate hackers’ gains are when compared to the losses they inflict upon affected organizations. By far, not every stolen record gets abused. Yet, since there is no easy way to determine what becomes of the stolen data, the organization has to declare a total loss, even in a case of a minor breach.
Let’s try to understand hackers a little bit more. Who are they? Who do they work for? Where do they reside? What motivates them? How did they learn their craft? What do they do with the stolen data? What are they afraid of?
Today, brazen hackers take over our systems and demand a ransom. They give interviews to the press, they walk around their hometowns with their head held high, far away from justice. The world’s current political environment serves as their encouragement and provides cover for their evil acts.
In our plans to discuss these issues at North America CACS 2017, we will take real-life examples from personal experience and make them relatable to your realm of expertise. That includes how to combat seemingly unstoppable threats, like DDoS or ransomware, by understanding who is behind these attacks. Further, we will illustrate how to avoid being collateral damage or the lowest-hanging fruit.
The practical defense advice detailed in the presentation should prove invaluable. Sure, we have regulatory security to give us the guidelines on what is the standard of care for our data, yet the hackers do not care about “certified” secure sites. They look for the vulnerabilities beyond patches and beyond application faults. They are moving into the arena of exploiting the end-users.
You cannot “patch” a person. Yet, hackers are getting smarter and creating repeatable formulas playing on people’s empathy and/or feelings.
The primary goal is to stop hackers. Even with the current level of knowledge and experience gained from previous hacks, stopping hacking is not an easy task. There are no universal hacker deterrents, but there are ways to slow down their advances over time.
Better access management is one of the keys. That not only focuses on better passwords, but on leveraging available authentication techniques, variances and safety measures. We also will address the development of honeypots, not only as systems that are perceivably weaker, but as applications, components and even credentials that raise an alert as soon as someone attempts to use them.
At the end of the talk, we are not going to be afraid of the unknown. Each attendee will come out with a list of viable steps to formulate a plan to deter hackers – to make them turn away at the door, and even if they try their virtual assault, to ensure they are met with alarms and proactive actions specific to their attack type.
Editor’s note: Alex Holden will present on “Threat Intelligence – Exploiting Hackers” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
Category: Security Published: 3/24/2017 3:08 PM
Deloitte Technology, Media and Telecommunications predicted recently that more than 1B devices would be reader-enabled for biometrics by the end of 2017. This is a very significant milestone for many reasons.
Over the years, there has been a lot of hype about the potential of biometrics for authentication and other purposes, but the lack of availability to consumers meant adoption was behind the hype curve. Device manufacturers have since changed this picture with native biometric support of mobile and tablet devices.
In a broader sense, it is important to understand the benefits of biometrics and how they can fit into an organization’s security strategy.
The death of the password – are we there yet?
Biometrics are used for individuals to authenticate to a service or a device. In some instances, authorization of a transaction has been built into applications. Due to its many intuitive uses, biometrics have long been a favorite of those who sing the tales of the demise of the password. While it is unlikely that we’ll get rid of passwords anytime soon, biometrics can offer a lot of value.
Biometrics have some significant benefits, and their adoption into ever more uses brings those benefits along with it.
For a start, biometrics are user-friendly. After years of passwords and PINs on fiddly mobile device keyboards, having a simple fingerprint reader is a welcome alternative, particularly when, as Deloitte research noted, biometric readers are used on main devices, on average, 30 times a day.
Another benefit of biometrics is increased accountability. As biometrics rely on something you are, the days of sharing authenticators could be numbered.
Biometrics also are cheap. The device manufacturers have already distributed upwards of a billion readers to date.
Lastly, where the system is properly architected, biometrics can have the advantage that attacks won’t scale. Proper design entails not using the representation of the body feature as a secret and, in turn, not storing such representations in a central location. Often it is these databases that are a target for motivated attackers.
How do I embed biometrics in my digital strategy?
Organizations should definitely consider using biometrics in their consumer authentication strategy, but this should be part of a wider security model. Having a single factor (in this case of biometrics, something you are) might be enough for simple uses – for example, to log into your electricity provider to review your latest bill. This will not be enough for other uses, though, such as authorizing a major payment from your bank current account. There are a few things to keep in mind for organizations in all industries:
Multifactor authentication is here to stay, and biometrics are fast gaining pace. As part of your overall customer-facing initiatives, build in a strong authentication mechanism, and leverage the growing presence of biometrics to enhance security and user experience.
Category: Security Published: 3/21/2017 1:57 PM
One of the most influential conversations in Cheryl Santor’s career required plenty of gumption.
Santor, working in IT at a mortgage banking firm in the 1990s, had major concerns about non-proprietary memory that had been installed, jeopardizing the main system for collecting loan information. She voiced her concerns to her CIO in no uncertain terms, believing the integrity of the loan origination system was at stake.
It turns out, Santor’s candor – and insights – were respected more than she could have anticipated. About a year later, that same CIO hired her to work at a national bank where she eventually became CISO.
“He appreciated my diligence, integrity and forthrightness,” Santor said. “This boosted my career and provided the backdrop for my future.”
Santor, a longtime ISACA member, recently retired as the Information Security Manager of Metropolitan Water District of SoCal, where she ensured the security of the business and SCADA network systems. Her responsibilities included review of all national and global intelligence that might affect water system reliability. She continues her ISACA involvement, and work with the FBI InfraGard and other professional organizations, to provide expertise in her areas of focus.
The fourth-generation Californian recently was nominated by a colleague as a finalist in the Los Angeles Business Journal’s CTO Awards.
“I have been in this work for 28-plus years and it has always been a passion, so to be recognized for that passion is reward in itself,” Santor said.
An information security professional “before there was such a title,” Santor said she emphasizes awareness of security best practices, including disaster recovery exercises and access controls.
Santor has been actively involved in ISACA’s Los Angeles chapter for 17 years. She was an IT auditor when she first joined.
“Seeing that audit and security went hand-in-hand, in providing the best for any organization, I joined ISACA,” Santor said. “I knew that ISACA would provide me the intelligence and expertise as I moved through my career.”
In recent years, Santor has become especially passionate about ISACA’s Cybersecurity Nexus (CSX) program as a resource for cyber security professionals to gain the needed skills and training to keep pace with fast-evolving cyber threats.
“Whether they are entering the field, changing careers or just becoming the person who is taking cyber security on for their company, they can look to ISACA’s knowledge to support their efforts,” Santor said.
Santor and her husband, Louis, have four children and eight grandchildren. Rather than having a hard time keeping up with her grandchildren, it might be the other way around; Santor is a car enthusiast whose hobbies include racing Corvettes and Cadillacs. A less adrenaline-infused passion is quilting, which Santor said benefits from a similar mindset to her professional wiring.
“I like to take fabric, cut it up and create a new version or outcome,” she explained. “To me it is somewhat like computer forensics. You are presented with a puzzle and you need to make sense of it as the final outcome – an investigative process in both instances.”
Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.
“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”
The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.
Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:
COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.
“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding of the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”
Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”
Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.
Category: COBIT-Governance of Enterprise IT Published: 3/15/2017 3:04 PM