ISACA Now offers a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.
‘Cyborg’ Society Necessitates Governance, Compliance and Security Vigilance
Today’s security professionals face a daunting reality as the attack surface swells and cyber criminals prey upon the speed at which new devices are hurried to market.
2016 Accomplishments Poised to Drive 2017 Growth
We hope 2017 finds you ready for another year of challenges, opportunities and achievements—much like the year we all have just enjoyed.
2018 Predictions for Cyber Security
With rapid digitization and the inter-networked world leading to a huge data explosion combined with the relentless growth of transformative technologies, the importance of cyber security – now and in the future – is unquestionable.
3 IT Tips for Modern Healthcare Organizations
The healthcare industry has been revolutionized as the result of new technologies, advanced data collection methods, and the growth of cloud solutions. It’s equal parts exciting and intimidating. The only question is, are you staying up to date?
5 Helpful Tips for Better IT Change Management
As you know, change management is critical to the long-term success of every organization. This is especially true when it comes to IT, where change happens at an astonishing pace. But is your organization where it needs to be?
5 Security Tips to Keep in Mind When Developing a New Website
Few things put a business at more risk than developing a website and not putting an emphasis on security at a very foundational level.
50th Anniversary Q&A with ISACA CEO David Samuelson
David Samuelson was appointed chief executive officer of ISACA on 1 April of 2019, the year of ISACA’s 50th anniversary. Samuelson recently visited with ISACA Now to discuss the meaning of joining the organization during its milestone year and how ISACA can draw upon its decades of industry leadership to become even more impactful in the future. The following is an abbreviated transcript of the Q&A interview.
50th Anniversary Year Provides Inspiration to Look to ISACA’s Future
When ISACA – then known as the Electronic Data Processing Auditors Association – was incorporated by seven Los Angeles area professionals in 1969, “there was no authoritative source of information,” according to ISACA’s first president, the late Stuart Tyrnauer. There was “no cohesive force, no place to turn to for guidance.”
5G and AI: A Potentially Potent Combination
Last week’s US State of the Union address by President Donald J. Trump promised legislation to invest in “the cutting edge industries of the future.”
6 Ways Artificial Intelligence Will Revamp Your Business
Artificial intelligence this, artificial intelligence that … everyone wants to talk about how AI technology is changing various aspects of society.
7 Things That Make Every Website Safer for Customers
Your website needs to be well-designed, functional, and aesthetically reflective of your brand. But, don’t forget, it also needs to be safe.
A Conversation with Mike Walsh: Big Data and Beyond
Mike Walsh, CEO of Tomorrow and futurist, innovation and technology speaker and authority on emerging markets and IoT, will bring his experience and perspective on Big Data to his closing keynote for ISACA’s 2018 EuroCACS Conference. The event will gather information systems audit, assurance, control, governance and security professionals, from 28-30 May 2018 in Edinburgh, Scotland.
A Cyber Perception Gap? What Directors Want to Believe about Cyber Security vs. Real Cyber Risk
Directors and executives want to believe their companies are adequately protected against cyber threats.
A Deeper Look Into the WhatsApp Hack and the Complex Cyber Weapons Industry
On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VOIP-based call function.
A Digital Payment Case Study - India Goes Hi-Tech
A few months ago, on 8 November 2016, an unexpected announcement jolted the Indian nation.
A Governance Perspective of Audit Policy Settings
The task of establishing and configuring audit policies is usually left to security experts and/or system administrators who are in charge of implementing security configurations, particularly in small-to-medium enterprises with a lean IT structure.
A New Approach to Finding Cybersecurity Talent for the Future
The cybersecurity profession is facing a shortage of qualified talent to fill an increasing demand for positions, as so many reports inform us. What I find self-fulfilling about our “talent dilemma” is the acknowledged rapid rate of technology change, yet the ongoing quest for specific technical experience and expertise. We seek plug-and-play people to match technology components, rather than individuals with foundational skills and an aptitude and desire to learn changing technology.
A Platinum Hit: My ISACA Membership
As January 2018 rolled around, I went platinum. No, this had nothing to do with a New Year’s resolution, nor did I become a platinum blond, though that does bring up some interesting and hilarious possibilities (I can imagine the double-takes every time I would enter an airport or some other location requiring a photo ID). I did not become a platinum album-selling artist (though this would have trimmed one item off my to-do list!). Instead, January 2018 meant that I had entered my 15th year of ISACA membership!
A Prominent Place at the Table for Rural Technological Advancements
When the general public thinks about today’s exciting technological breakthroughs, the imagery that springs to mind is unlikely to be a crowded pigpen in China or yam fields in the farmland of Nigeria. Yet, rural areas are the frontlines for some of the most important gains technology is enabling in modern society.
A Remarkable Time to Provide Leadership for a Remarkable Organization
Serving as board chair at any time in ISACA’s history would be incredible. To be able to serve in that capacity right now – as ISACA nears its 50th anniversary and with so much riding on the work of ISACA’s professional community – makes the opportunity ahead even more of an honor.
A Seat at the Table: Internal Auditors as Operational Partners and Organizational Strategists
Action Plan for HIPAA-Compliant Cloud
HIPAA compliance involves treating your data with extreme sensitivity, so you should view any related technology with extreme care.
Addressing GDPR Challenges in Poland
GDPR: An acronym and a buzzword that has set many of us into “alert mode.” Since it was set in motion more than two years ago, thousands of people have worked hard to ensure their organizations were prepared by the set enforcement deadline of 25 May 2018, and they continue doing so.
Addressing Technology Gender Gap is All of Our Responsibility
I recently met a young woman in Ireland who was working toward a technology-oriented degree, and she recalled being among three women in her course at the beginning of the semester. By the end of the semester, she was the last woman standing.
Advancing a Symbiotic Relationship Between COBIT, ISO Governance Standards
As a 2003 CISA recipient and a former honorary secretary of the ISACA Singapore Chapter’s board of directors, I am honored to be selected as the ISACA liaison to the International Organization for Standardization (ISO) Technical Committee 309 – Governance of Organizations.
Advocating for a Strong Cybersecurity Workforce, IT Audit Standards and NIST Reauthorization Act on Capitol Hill
Members of ISACA’s US Public Policy Working Group recently gathered on Capitol Hill in Washington, D.C., to listen to inspiring speakers and to advocate for issues important to ISACA constituents, drawing from their personal experiences and professional backgrounds.
AI and Healthcare: A Life-Saving Combination
Artificial intelligence (AI) and machine learning are common terms in the world of emerging technology. Although still sounding futuristic to some people, AI is already being deployed everywhere from fantasy football weekly recap emails, to retail environments, to advanced, state-sponsored surveillance systems.
AI Factors Heavily into Future of Digital Transformation
The second installment of ISACA’s Digital Transformation Barometer research underscores the ascent of artificial intelligence as a technology with growing potential – and how urgently enterprises must rise to the occasion of addressing the related risk and security implications.
AI: the Challenge and the Solution
P.W. Singer, strategist and senior fellow at the New America Foundation, will deliver the closing keynote address at ISACA’s 2018 CSX North America conference, to take place 15-17 October in Las Vegas, Nevada, USA. Singer recently visited with ISACA Now to discuss pressing cybersecurity considerations that governments must grapple with, the multi-faceted impact of artificial intelligence and more. The following is a transcript of the interview, edited for length and clarity:
All Talk, Little Action: AI and Digital Ethics in People Technology
As we continue the end-of-the year review on all things tech, digital ethics and the progress of artificial intelligence (AI) in people-related technologies springs to mind.
An Agile Approach to Internal Auditing
As internal auditors, we’ve seen an uptick in usage of the term “Agile” in reference to how more and more companies are developing software. Agile software development has grown increasingly popular as both software and non-software companies transition from traditional development methodologies, such as the waterfall model, to a value-driven Agile approach.
An Empowering Start at the UN
On Day 1 of the UN Commission on the Status of Women (CSW62), as I took my place on the floor of the UN General Assembly, the dream of a 7-year-old kid from the Australian bush was realized. So humbling, so exciting, so empowering.
An Overlooked Upside to Cybersecurity Roles – They’re Fun!
Recent surveys and studies have emerged that show interest in cybersecurity as a potential career field at uncomfortable lows. In fact, a recent ProtectWise report showed that only 9 percent of millennials indicate cybersecurity is a career they are interested in pursuing at some point in their lives. This disturbing finding has far-reaching potential consequences in a field that desperately needs a stronger workforce.
Application Security: A Three-Phase Action Plan
If you are like any of the security leaders with whom I typically speak, you face (at least) the following burning problems:
As CISOs’ Roles Evolve, So Do the Reporting Lines
A study by K logix Research titled “CISO Trends” found that “53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”
As Smart Home Cyber Security Takes Center Stage, Practitioners Need to be Part of the Solution
Cyber security gets a lot of discussion in terms of small business, but what few outside of the industry know is that many cyber attacks actually take place much closer to home.
Assessing the Impact of the China Cybersecurity Law
The China Cybersecurity Law demonstrates China’s determination to take a more effective and coordinated approach to safeguard cyberspace as part of China’s National Security Initiative. The law applies to the construction, operation, maintenance and use of information networks, and the supervision and administration of cybersecurity in China.
Audit Consideration for Microsoft Exchange
Microsoft Exchange is one of the primary solutions organizations use to provide email services for medium and large organizations.
Auditing and Knowledge Management
Have you ever wondered what happens to all of that data, information and knowledge collected and created by internal auditors? Have you ever thought about audits you performed in the past; all that research, information gathering, development of findings, the useful collection of methods, questionnaires, test plans, etc.? Wouldn’t it be useful to share your learnings with your colleagues?
Auditing Data Privacy Can Bring Major Value to Organizations
As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.
Auditors Play Prominent Role in Effective Cyber Security
As the business benefits from technology grow rapidly, so do related risks.
Automated Systems and Security: Threats and Advantages
Automation is the biggest driving factor for change in most modern industries. By 2030, it’s estimated that automation could fully replace more than 800 million jobs, and in the meantime, automation is changing how we work, how we plan our businesses, and how we engage with others.
Before You Commit to a Vendor, Consider Your Exit Strategy
Vendor lock-in. What is it? Vendor lock-in occurs when you adopt a product or service for your business, and then find yourself locked in, unable to easily transition to a competitor's product or service. Vendor lock-in is becoming more prevalent as we migrate from legacy IT models to the plethora of sophisticated cloud services offering rapid scalability and elasticity, while fueling creativity and minimizing costs.
Benefiting from Chaos in the Cloud
One of the biggest technology advancements in recent years is the expansion of the cloud, allowing users to have more space on their computers or mobile devices, with access to their documents, videos and pictures that are all conveniently stored in one place.
Beyond GDPR Compliance – How IT Audit Can Move from Watchdog to Strategic Partner
IT auditors can act as strategic but independent partners to businesses currently working toward compliance with the European Union General Data Protection Regulation (GDPR), scheduled to come into enforcement on 25 May 2018.
Blockchain Initiatives and Realistic Implementation
These days, when we turn on the television or listen to the news, we are likely to hear about the latest hot topic in technology: blockchain.
Board Leadership Critical in Effectively Leveraging Technology
There is little doubt that better governance of technology leads to better business outcomes.
Breaking Down Silos: Why Auditors and GRC Professionals Need to Grow Their Information Security Knowledge
An SVP of Enterprise Risk Management (ERM) at a highly influential financial services company recently told me that succeeding in ERM is all about “breaking down the silos.” It’s a good mantra – one that IT audit and GRC professionals should take to heart and execute on daily.
Build a Small Business with GEIT and Security in Mind
Despite the prominence of larger companies, the growth of small businesses and entrepreneurs also is critical to a society’s development.
Building a Security Transformation Program in Our New Information Security World
From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization.
Building Cyber Resilience Through a Risk-Based Approach
For many organizations to have an effective cyber culture, they must also have a mature cyber culture. A recent cybersecurity culture study conducted by ISACA and CMMI Institute found that only 5 percent of organizations believe no gap exists between their current and desired cybersecurity culture.
Building Skills and Capacity in the Banking System: A Case Study From India
Indian banks have deployed IT-based solutions to cater to increasing demands in the banking industry required for a growing economy.
Business Model Transformation from Blockchain
Our traditional business model as we know it is at a crossroads considering the emergence of the Internet of Things (IoT), artificial intelligence and blockchain.
California Goes Beyond GDPR With New Data Privacy Law
This week, in my home state of California, the state legislature passed, and the governor signed, AB 375, officially known as the California Consumer Privacy Act of 2018.
Cambridge Analytica and Facebook: Lessons for Enterprise
There have been many developments for policymakers, privacy advocates, corporate execs and, in fact, the public at large to contemplate considering recent news about Cambridge Analytica and the information collected by Facebook.
Can Blockchain Help Fight Digital Ad Fraud?
If you are a netizen, you must have already noticed how certain ads pop up while you are surfing videos on YouTube. Most of the time, these advertisements have close connections to the products and brands you have been searching for recently.
CEO Search Puts Focus on ISACA’s Promising Future
Just as there are no limits to the technological advancements that our professions, and society, will embrace, the impact ISACA’s professional community can make in the coming years has boundless potential.
CIS Audit/Assurance Program Helps Enterprises Navigate Risk
We live in a world full of risk, and nowhere is risk more prevalent than in technology.
CISA Payoff: Immediate and Enduring Throughout My Career
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
CISM Top Scorer Provides Exam Insights
Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score.
Climbing the Ladder of Success With CISA
Anyone can succeed with the right information and tools. One of the best ways for information systems professionals to ensure career success with all its attendant benefits is to earn ISACA's CISA certification.
Clouds, Codebases and Contracts – How the New Era of Privacy is Changing Third-Party Risk
The last two years have taught us that conventional wisdom and knowledge around privacy and security needs a makeover, in particular as it relates to the EU’s GDPR and the California Consumer Privacy Act.
COBIT 2019 is Our Framework and a Framework for Us
I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.
COBIT 2019 Makes Framework Easier to Understand, Customize
Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework.
COBIT 5 and the NIST Cybersecurity Framework – A Simplified Framework Solution
Picking the right frameworks to support your organization’s governance, risk, compliance and cyber security efforts is overwhelming.
COBIT 5/DMM Practices Pathway Tool Enables More Impactful Data Management and Governance
CMMI Institute became a subsidiary of ISACA in 2016, and the organizations focused attention on the synergies between the current offerings in their combined suite of products.
COBIT: Journey from Control Objectives for Auditors to Governance and Management Framework for Enterprise IT
Collaboration Essential in Contending with Malicious Uses of Artificial Intelligence
To propel that thought process, a great report titled The Malicious Use of Artificial Intelligence: Forecasting, Prevention and Mitigation was written by a group of distinguished authors from prestigious institutions such as Future of Humanity Institute, University of Oxford and University of Cambridge, to name a few.
Combating the Rising Threat of Malicious AI Uses: A Strategic Imperative
A group of academics and researchers from leading universities and thinktanks – including Oxford, Yale, Cambridge and Open AI – recently published a chilling report titled, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation.
Concerted Effort Needed to Assure Data Integrity in Electoral Process
The motivations of cybercriminals are as diverse as their forms of attacks. Many cybercriminals are after money, naturally, but plenty of other incentives exist, including the allure of exerting power and influence. Unfortunately, one of the most impactful ways to do so involves tampering with the integrity of elections, a rising concern in the United States and around the world.
Conducting Cloud ROI Analysis May No Longer Be Necessary
ISACA’s newly released report, How Enterprises Are Calculating Cloud ROI, is a landmark piece of research that, in my opinion, validates the notion that we have reached (or are at least rapidly approaching) that tipping-point where organizations realize that moving their IT infrastructures to the cloud is an inevitable, foregone conclusion.
Connecting Business and IT Goals Through COBIT 5
Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
When growing up, many of us probably heard warnings from our parents to be careful in certain environments—the local woods, a busy side street, or at the beach.
Credible Risk Assessment Establishes Foundation for an Enterprise Cyber Security Program
Just like we learn so much about the state of our health with an annual physical exam, so does a credible risk assessment provide vital insight to improve the quality of an enterprise cyber security program.
Cryptocurrency and Its Future
These days, everyone is trying to understand cryptocurrency. Cryptocurrency is digital money that is designed to be secure and anonymous.
CSX Europe Keynoter James Lyne Takes Great Joy in ‘Geeky Pursuits’
James Lyne, a cybersecurity expert and global head of security research at Sophos, will deliver the opening keynote address at the 2018 CSX Europe conference, to take place 29-31 October in London, UK. Lyne visited with ISACA Now to discuss major challenges faced by the cybersecurity industry as well as which characteristics best position cybersecurity practitioners for success. The following is a transcript of the interview, edited for length and clarity.
Cultural Considerations of Adopting Application Container Technology
The benefits of application containers have been shared across a variety of forums and to a diverse audience.
Cyber Risk List Has a New No. 1 for 2018
I recently presented the predictions for the Top 10 2018 Cyber Risks at the Whitehall Media, Enterprise Security and Risk Management conference in London.
Cyber Security and Risk Should Be Standing Items on Board Agendas
The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.
Cyber Security Workforce Challenges Require Broader Collaboration
Report after report highlights that there is a gap between the number of skilled cyber security professionals in the workforce and the number of job vacancies.
Cyber Threat Landscape: The More Things Change …
Many analyses of cybersecurity include consideration of the field’s constant state of flux and change. As the battlefield of the internet evolves, typically, so do the attack strategies, weapons, defense mechanisms and actors. However, according to ISACA’s 2018 State of Cybersecurity research, two elements that remain relatively constant are the types of attackers and the type of attack leveraged.
Cybercrime Can Put Reputation of Enterprises At Stake
Worldwide, organizations are concerned about cybercrime – but not necessarily for the reasons most would think.
Cyberpsychologist Mary Aiken: New Threats Demand New Solutions
Aiken recently visited with ISACA Now about several of her core areas of interest, including digital ethics and how parents can combat some of the cyber threats that could harm their children.
Cybersecurity Due Diligence: Inherited Risk
One of the world’s largest hotel chains, Marriott International, recently reported that its Starwood Guest Reservation database was breached – meaning names, mailing addresses, phone numbers, email addresses, passport details and a variety of other personally identifiable information (PII) were leaked, all the way through to member credit card details.
Cybersecurity is a Proactive Journey, Not a Destination
Cybersecurity continues to grab spotlight and mindshare as it pertains to computing and social trends.
Cybersecurity Workforce Development: Takeaways From a NIST Workshop
I had the opportunity to serve as a panelist at the NIST Workshop on Cybersecurity Workforce Development held in Chicago earlier this month. Based on the day’s conversations, there is still much work to be done.
Data Analytics Maturity Models and the Control Environment
Organizations have recently raised concerns on their data analytics capabilities.
Data Breach Preparation and Response in Accordance With GDPR
Many may be familiar with guidelines on personal data breach notification from Article 29 Working Party (WP29) prepared in October 2017 under Regulation 2016/679. In addition, the General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.
Data Governance Is Becoming More Complicated – Enablers Can Help
Enterprises are becoming increasingly digital.
Data Is the New Air
In the infancy of any technology, there are going to be teachable moments. Prehistoric man’s mastery of fire didn’t come without a few scorched fingers and the occasional multi-acre conflagration. As a species, our taming of fire and combustion enabled innovations in everything from cooking to metallurgy to transportation, to an array of other endeavors. Those innovations, however, required a continuous process for humans to learn and establish capabilities to control fire, to use it appropriately, and to make it work for humanity’s benefit.
Data Mapping: A Key Challenge in Achieving GDPR Compliance
GDPR compliance projects around the world are dependent on knowing what personal information data organizations are collecting or processing.
Data Security and Access to Voters’ Personal Data by Political Parties: An EU Case Study
Brexit and the 2016 US presidential election showed that microtargeting voters to deliver them certain political messages may gradually alter voters’ decisions. While less publicized, concerns related to election data integrity also exist throughout the EU.
Deep & Darknet: The Origins of Threats
The deep web and darknet comprise a sort of parallel world compared to the public internet we’re used to.
Demand for CISA Continues to Grow
Many of us ask ourselves: “How can I differentiate myself from others in the workplace?”
Demystifying Cybersecurity Terminology
Do you struggle to keep up to date on the latest cybersecurity terminology? Fear not, you are not alone.
Deployment of Emerging Technology in FinTech
Fighting poverty and achieving a high economic growth rate are two key priorities for developing countries.
Design Your Career Destiny So It Doesn’t Happen by Default
I was honored to present the keynote session at last week’s Women’s Forum for the ISACA Chicago Chapter.
Develop Your Information Security/Privacy Career
Information security and privacy careers are expanding. There is more need for such professionals than ever before, as more technologies emerge and are used by businesses, government, healthcare and other types of organizations; as more personal data is constantly being collected through the technologies; and as more laws and legal requirements are enacted to protect that exponentially growing digital ocean of personal data.
Dialogue Gaining Steam at UN Session on Empowering Rural Women and Girls Through Technology
Negotiations on the second reading of the roadmap document ran long into the night late last week. In fact, I didn't get back to my hotel, which is a five-minute walk from the UN, until 2 a.m. Saturday. The second version was completed with additions and deletions marked, as the facilitator of the sessions has to take all views and offerings into consideration in the most neutral way possible.
Digital Forensics Professionals Encountering New Challenges
When I began performing digital forensics more than 10 years ago, things were relatively simple.
Digital Transformation Brings More Opportunities to Financial Sector
Emerging technologies and the pace of innovation are reshaping the banking/financial industry and operating models, while influencing the shape and dynamics of the broader financial services ecosystem.
Does the HIPAA Privacy Rule Apply to Elementary and Secondary Schools?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information.
Empowering A Safer Tomorrow
It was a dreary Thursday morning. Harriett, an up-and-coming banker, gets on her train at her usual spot and gets ready for the ride into London. She’s a mother of two with a good job in finance and a strong marriage. There is nothing unusual about this morning. All the riders are sleepy. They look at their phones or just stare at the floor of the train.
Empowering Executives with Security Effectiveness Evidence
After decades of presentations and prayers, security has finally become a business imperative for executives and boards alike.
Encouraging Women in Tech is About a Better Future for All of Us
Why is ISACA’s SheLeadsTech program needed? Why does the 2030 Agenda for Sustainable Development consider the technology gender gap to be an important topic to address, and who must be involved in the solutions?
Enterprise AR is Going to ‘Get Real,’ and More Predictions for 2018
Google, Amazon, Facebook, Apple, Samsung and Microsoft all want a piece of the VR/AR pie – not to mention Magic Leap, whose first consumer product is “coming soon.” VR/AR is about extension, engagement and monetization. Not since the 1980s have all the big tech players been battling for consumer attention and dollars. So, what is on deck in 2018, and why should we care?
Envisioning the 2019 Cybersecurity Landscape
Now that we are nearing the end of the year, I thought I would revisit my own write-up on 2018 cybersecurity predictions and see how I can best update them for 2019.
Exchange Server Security Can Keep Email from Becoming ‘Attractive Nuisance’
Anyone who has a swimming pool – or a neighbor with a pool – is probably familiar with the term “attractive nuisance” under US tort law. In layman’s terms, an attractive nuisance is something that may attract children but could potentially harm them.
Experts Share Their Insights on GDPR
The implications of GDPR have become a popular topic of conversation in the information security and privacy communities. Now that we have arrived in 2018, expect those discussions to become all the more prevalent in advance of the May enforcement deadline.
Exploring the Latest Version of Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol for protecting the privacy and data integrity of information (logins, passwords, credit card numbers, personal correspondence, etc.) between two communicating applications.
Facebook Hack: Enterprise Lessons Learned
Given the volume of media coverage, there has been no missing the recent Facebook hack that impacted the accounts of 50 million Facebook users.
Faces of ISACA: Bent Poulsen, CISA, CISM, CGEIT, CRISC
The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Bent Poulsen, a longtime officer with the ISACA Denmark Chapter.
Faces of ISACA: Bhavani Suresh, CISA, CISM, CGEIT
This week, ISACA Now’s “Faces of ISACA” series is highlighting female members who have made outstanding contributions to the technology workforce leading up to International Women’s Day on 8 March. Today, we highlight Bhavani Suresh, CEO of Nbiz Infosol (UAE).
Faces of ISACA: Cynthia Damian, CISM, CRISC, CCSK, Senior Manager of Enterprise Risk Management, T-Mobile
Faces of ISACA: Gabriela Reynaga, CISA, CRISC
This week, ISACA Now’s “Faces of ISACA” series is highlighting female members who have made outstanding contributions to the technology workforce leading up to International Women’s Day on 8 March. Today, we highlight Gabriela Reynaga, CEO of Holistics GRC and president of ISACA’s Guadalajara, Mexico chapter.
Faces of ISACA: Karen Frank, CISM, CPP
This week, ISACA Now’s “Faces of ISACA” series is highlighting female members who have made outstanding contributions to the technology workforce leading up to International Women’s Day on 8 March. Today, we highlight Karen Frank, leader of enterprise IT services delivery for Caterpillar, Inc. (USA), and a former law enforcement professional.
Faces of ISACA: Kimberley St. Pierre
The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Kimberley St. Pierre, territory manager with Check Point Software Technologies, Ltd., and a leader in ISACA’s Vancouver, Canada chapter. Interested in joining ISACA and networking with colleagues like St. Pierre? Learn more here.
Faces of ISACA: Kyla Guru
The ISACA Now series titled “Faces of ISACA” highlights the contributions of members of ISACA’s global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Kyla Guru, a leader in spreading cybersecurity awareness among young people and an active proponent of ISACA’s SheLeadsTech program.
Faces of ISACA: Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global
Faces of ISACA: Michael Thiessmeier, Senior Manager, Technology & Security Risk Management, Oportun
Faces of ISACA: Patricia Watson
The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Patricia Watson, director of cybersecurity, risk & compliance for Kitu Systems, Inc. Interested in joining ISACA and networking with colleagues like Watson? Learn more here.
Faces of ISACA: Satoko Nagaoka, CISA
This week, ISACA Now’s “Faces of ISACA” series is highlighting female members who have made outstanding contributions to the technology workforce leading up to International Women’s Day on 8 March. Today, we highlight Satoko Nagaoka, senior consultant with IIJ Global Solutions Inc. (Japan).
Faces of ISACA: Susan Snedaker, CISM
This week, ISACA Now’s “Faces of ISACA” series is highlighting female members who have made outstanding contributions to the technology workforce leading up to International Women’s Day on 8 March. Today, we highlight Susan Snedaker, director of infrastructure and operations at Tucson Medical Center (USA) and the author of this year’s HIMSS Book of the Year.
FedRAMP: Friend or Foe for Cloud Security?
Cloud security is on everyone’s minds these days. You can’t go a day without reading about an organization either planning its move to the cloud or actively deploying a cloud-based architecture. A great example is the latest news about the US Department of Defense and its ongoing move to the cloud.
Final Gavel at UN Yields Roadmap Forward and Feeling of Fulfillment
ISACA board director Jo Stewart-Rattray has provided updates from her participation in the UN Commission on the Status of Women, which took place from 12-23 March at UN headquarters in New York.
First Things First: Know Your Data
It’s been three years since the U.S. Office of Personnel Management’s (OPM) two data breaches shocked the country and spawned immediate cyber initiatives in response to the theft of millions of highly sensitive records – possibly now resulting in identity fraud, as reported by the Wall Street Journal. In the months that followed, the nation’s agencies were required to make an honest accounting of vital systems and the state of their security.
Five Keys for Adaptive IT Compliance
The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.
Five Questions on Board-Level Cybersecurity Considerations with Dottie Schindlinger
Dottie Schindlinger, VP/Governance Technology Evangelist with Diligent and a panelist on the importance of tech-savvy leadership at ISACA’s CSX North America conference last October, recently told Forbes that cybercriminals target organizations perceived to be low-hanging fruit. Schindlinger visited with ISACA Now to discuss how organizations can avoid falling into that category and other key board-level cybersecurity considerations.
Five Questions with Technology Futurist and North America CACS Keynoter Shara Evans
Technology futurist Shara Evans, founder and CEO of Market Clarity, will deliver the closing keynote address at North America CACS 2018, which will take place 30 April-2 May in Chicago, Illinois, USA. Evans recently visited with ISACA Now to discuss topics ranging from the future of travel to why many executives struggle to take a long view of technology. The following is an edited transcript:
Five Revealing Security Incidents of 2019 and What We Can Learn from Them
Every year has its share of security gaffes, breaches, and hacker “shenanigans.” As we enter into the new year, it is inevitable that we will see articles in the mainstream and trade press recapping the worst of them.
Five Takeaways from the 2018 Governance, Risk and Control Conference
Governance, risk and compliance professionals shared ideas and gathered insights on how their roles are evolving in light of enterprises’ digital transformation efforts, evolving trends in innovation, and growing regulatory and security risks recently at the sold-out 2018 GRC Conference in Nashville, Tennessee, USA.
Five Tips to Make a More Secure Internet of Things
The Internet of Things (IoT) has positively exploded into our daily lives. We see IoT devices everywhere, from our workplace to our homes. It is inevitable that a new technology will become ubiquitous after it hits the headlines, and thanks to the IoT, many have done just that – repeatedly – even if the headlines aren’t always positive.
Five Ways Firewalls Keep Getting Better
Firewalls have been a mainstay for cybersecurity for many years, but they aren’t perfect tools. Despite advances in internet and device technology, basic firewalls haven’t changed much since their inception.
For Whom the Web Trolls: Social Media Risk in your Organization
There is no doubt that social media has penetrated the daily lives of billions of people. According to Statista, the number of monthly users of social media is slated to reach 3.02 billion people by 2021, which is around one-third of the world’s population. With social media becoming second nature to so many people in every corner of the world, the risk associated with its use is staggering.
Fortune Favors the Tech-Savvy: A Portrait of Tomorrow’s Digital Transformation Enterprise Leaders
GDPR – How Organizations Are Adjusting to the New Era
On 25 May 2018, the world did not stop simply because the General Data Protection Regulation (GDPR) became enforceable. For many organizations, however, the enforcement date became a distraction, an unofficial deadline. In reality, there was no finish line.
GDPR Assessment Provides Customized Guidance
Although we are less than two months from the European Union’s General Data Protection Regulation (GDPR) compliance deadline of 25 May, many organizations are not yet confident in their level of preparedness for this landmark new data privacy regulation.
GDPR Can't Fix Stupid
GDPR, the much-discussed General Data Privacy Regulation from the European Union, will not be a cure-all for the world’s data privacy problems simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born.
GDPR Deadline Day: Not Compliant Yet?
There are lies, darned lies, and then there are GDPR poll statistics. So, when ISACA recently approached me to help analyze a new poll on GDPR readiness, I was initially apprehensive.
GDPR Means It Is Time To Revisit Your Email Marketing Strategies
Data security always has meant different things to different people. Most have agreed on the importance of using firewalls, but for decades, businesses have been able to choose the level of data encryption they employ.
GDPR Progress Paves Way for Deeper Look at Role of Data in 2019
The European Union’s General Data Protection Regulation (GDPR) commanded the attention of the business community throughout 2018. Thought leadership gatherings such as ISACA conferences and webinars attempted to answer questions like, “What does it take to comply?” and “What will enforcement look like?”
GDPR’s Impact in Hospitality, Incorporating NIST Cybersecurity Framework Concepts
We should all know by now what GDPR is and be aware of its implications and fines, so the goal here is not to repeat what others have covered in depth. Rather, I would like to share some learnings from the field (an international perspective).
Generations of Malicious Attacks
Attacks and security solutions have evolved rapidly over time. Different generations of attacks are identified and related security solutions are put forward. Currently, the attack evolution has overtaken the security level that the industry has deployed.
Global Knowledge: ISACA Certifications Command High Salaries
Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any others. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.
Growing Global Spotlight on Privacy, GDPR, Resonating in India
India is a country at the crossroads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.
Happy ISACA Volunteer Appreciation Week!
Happy ISACA Volunteer Appreciation Week! While my colleagues and I agree that we should celebrate our volunteer partners at the chapter and international levels every day, we are thrilled to participate in a week of highlighting some of the ways volunteer support is essential.
Harnessing the Hacker Mindset
Keren Elazari, cybersecurity analyst, author and researcher, will give the closing keynote address at CSX Europe 2018, to take place 29-31 October in London, UK. Elazari recently visited with ISACA Now to discuss the hacking “ethos,” whether data privacy should be considered a right or a privilege, and more. The following is a transcript, edited for length and clarity.
Here’s How Leading Organizations Keep Remote Workers Safe and Secure
For all of the benefits remote working offers businesses, it’s hard to ignore the security risks and threats.
Hot Industry Topics in the Spotlight at RSA
I was recently very fortunate to attend the biggest cybersecurity conference of its kind, the 27th annual RSA Conference (RSAC) in San Francisco, USA.
How Data Visualization Can Reshape Your Enterprise
Data visualization is being hailed as the next great revolution in data analytics. But besides the fancy name and the slick-looking graphs produced by the technology, how can this new addition improve your already-efficient organization?
How to Drive Home the Importance of Data Security with Company Stakeholders
For the modern business, there are few topics more important than data security. Without a proper appreciation for data security and all that it entails, you’ll find your business falling behind. But getting all of your employees and company stakeholders on board can prove to be a major challenge.
How to Hack a Human
Have you ever wondered just how many ways there are to hack the human mind and just how effective each technique is? I did; so I set about collating all of the techniques for human control and influence:
How To Land Your First Job in Cybersecurity
Taking that first step on the career ladder is a difficult challenge in pretty much any industry. Even for entry-level opportunities, employers generally look for some level of previous industry experience. The question is, how do you get experience without having experience?
How to Properly Review an SOC Report
As a follow-up to a blog post previously published by The Mako Group’s Chief Audit Executive, Shane O’Donnell, let’s dig a little deeper into what you should be reviewing when you receive your vendors’ SOC 1, SOC 2 or SOC 3 reports.
Ignorance is Not Bliss When It Comes to Defending Against the Dark Web
The dark web ecosystem continues to evolve as a place where cybercriminals can sell and access stolen data, purchase black-market items such as guns, drugs and hacking software, and connect with like-minded individuals.
Improve ROI From Technology By Addressing the Digital Risk Gap
All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.
Improving Cybersecurity Awareness Through Hacking
Cybersecurity awareness is a topic that most organizations and leaders know is important, but is typically treated as a check box requirement to remain compliant with regulations or mandates placed on the enterprise. Most leaders will argue that cybersecurity awareness training is very important but only marginally effective.
In the Age of Cloud Physical Security Still Matters
As a security consultant, I’ve had the opportunity to assess the security postures of clients of all shapes and sizes. These enterprises have ranged in sizes from a five-man startup where all security (and information technology) was being handled by a single individual to Fortune 500 companies with standalone security departments staffed by several people handling application security, vendor security, physical security, etc. This post is based primarily on my experiences with smaller clients.
In the Age of Cybersecurity, Are Data Centers Ignoring Physical Security?
Maintaining a data center is a huge responsibility. While you certainly have systems in place for dealing with cyberthreats, are you giving enough attention to physical security? This is still a very important aspect of the security equation.
Incorporating Privacy into Data Protection Strategy
Nowadays, the term privacy echoes across boardrooms globally, where each country and enterprise races to update its laws and policies to keep up with the need for data privacy controls.
Information Governance: You Have to Start Somewhere
Deborah Juhnke, senior consultant with Information Governance Group LLC, cited a definition of information governance as “an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information.”
Information Security for Biomedical Devices
Though device manufacturers have worked to improve the cybersecurity of their medical devices, there is still a long way to go. Improvements aside, there are distinct steps the IT information security department can take to reduce risk and improve cybersecurity for medical devices.
Infosecurity ISACA Conference Highlights
Theresa Payton set the tone for the first day of last week’s Infosecurity ISACA North America Expo & Conference in New York City, delving into the multifaceted landscape of emerging technologies with the audience of information security professionals, and also sharing anecdotes from one of her most high-profile jobs, as White House CIO under the George W. Bush administration—including a story of negotiating with a cyber criminal on the dark web at her kitchen table over three nights.
Integrating Human and Technical Networks in Organizational Risk Assessments
The US government’s recent efforts to ban the introduction of specific foreign IT vendors’ equipment in government networks is emblematic of the growing concern among organizational leaders posed by global supply chains, highlighting the broad interdependencies between technical and human systems.
Interesting Times Ahead: Why Young Professionals Should Consider Careers in Information Security
About 10 years ago, when I was deciding on my major in university, I was very anxious about where my decision would lead me. I eventually chose Management of Information Systems, and fast forward 10 years later, I’m working as an information security consultant at a Big 4 firm.
Introducing ISACA’s GDPR Implementation Guide
The purpose of the General Data Privacy Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor. GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals living within the European Union.
IoT Audits Loom Large in a Connected World
The proliferation of Internet of Things devices is well-documented, with the potential for more than 20 billion connected things by 2020. Installations of connected devices are spanning virtually all industries and cover just about any use case that can be imagined.
IoT Security in Healthcare is Imperative in Life and Death
We go into the hospital with a great deal of trust. We trust that doctors will help us and potentially even save our lives. Beyond hospitals, there are not many places in the world where we are willing to do anything we are asked: take off our clothes, talk about our sex lives, etc.
Is HIPAA Compliance Enough to Keep Your Organization Safe?
The Health Insurance Portability and Accountability Act (HIPAA) has evolved considerably to keep up with the demands of our modern society. Now that protected health information (PHI) is kept via electronic records, healthcare organizations need to comply with the HIPAA Security Rule if they want to keep their patients’ data private (and avoid a hefty fine).
Is it Time for a Cyber National Guard?
With more emerging risks and more data breaches, we continue to hear about the shortage of cybersecurity professionals with the necessary skills, knowledge and experience to protect our information technology infrastructure, especially in the government and public sector.
Is the NIST Cybersecurity Framework Enough to Protect Your Organization?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity and commonly referred to as CSF, is top of mind for many organizations.
Is There Value in Unstructured Data?
One of the biggest challenges for modern businesses isn’t being able to collect data, but finding a way to organize it systematically and using the data that piles up. Learning how to interpret random data points and unstructured information often proves to be more than some companies can handle, but it doesn’t have to be.
Is Your GRC Program Ready to Thrive in the Digital Economy?
Digital technologies have profoundly changed our lives, blurring the lines between the digital and physical worlds. From its humble beginnings, the current constellation of tools and technologies that empower organizations has grown smarter.
Is Your Organization Supporting Paths to Develop Women as Leaders?
Is your organization supporting women in reaching leadership positions? Why is this important?
ISACA Anniversary Celebration – and Social Media Campaign – Are Underway
ISACA’s yearlong 50th anniversary celebration is underway around the globe, and one of the best ways to be part of the global celebration is through social media.
ISACA at Infosecurity Europe: Expert Speakers and New Research at Europe’s Largest Infosec Event
ISACA expert speakers, past board directors and chapter leaders provided insight and new research while ISACA representatives highlighted ISACA certifications and training solutions at Infosecurity Europe 2019, 4-6 June in London.
ISACA at RSA 2019: Sharing Research and Spurring Conversations
The theme of last week’s RSA Conference 2019, “Better,” gave ISACA the opportunity to engage with information and cybersecurity professionals on how we collaboratively move the technology field into a better future.
ISACA Awards: Celebrating 2018 Recipients and Looking Forward to 2019 Nominations
Recognition of service and of outstanding achievements has long been an ISACA tradition, and it has been my pleasure to volunteer on the ISACA Awards Working Group, which was charged with enhancing the prestige and increasing global participation in the ISACA Awards Program.
ISACA Celebrates Volunteer Participation
It’s my favorite week of the year at ISACA – Volunteer Appreciation Week. It is a time when we all reflect on the important and impactful contributions members of our professional community have selflessly made to advance our organization and our industry. It is also a time to invite those who have not yet joined our volunteer corps to participate in ways that align with their interests and availability.
ISACA Opens Doors for Young Professionals with Early Leadership Opportunities
The value of being an active member in a professional organization such as ISACA cannot be overstated.
ISACA SheLeadsTech™ Day of Advocacy: Inspiring Speakers, Relatable Journeys
“My career journey wasn’t through luck; it was hard work and putting myself in situations where I wasn’t always comfortable,” said SheLeadsTech Advocacy Day keynote speaker DeAndra Jean-Louis, Vice President, Global Services Operations at Workday. Providing insights from positions at IBM, Aon-Hewitt and Arthur Andersen, among others, Jean-Louis said her start as a model, after attaining a mathematics degree from Louisiana State University, spurred her to become a technology leader.
ISACA Well Positioned to Advance Learners’ Journeys
I am the product of a liberal arts education. On the surface, what I learned in school has very little relevance to my day to day right now, yet, when you dig deeper, the communication and critical thinking skills that education instilled in me helped in ways beyond measure.
ISACA’s Inaugural SheLeadsTech™ Day of Advocacy in DC: Congressional Visits Highlight Cyber Education and Workforce Issues
Dozens of women in the SheLeadsTech program attended ISACA’s first fly-in advocacy event in Washington, DC, just a week ago with a plan to bring their voices and views to US Congressional leaders on a host of relevant legislation.
ISACA-Infosecurity Keynoter Theresa Payton: Design Security for Humans
Theresa Payton, former White House CIO and a prominent cybersecurity expert, will deliver the opening keynote address at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. Payton recently visited with ISACA Now to reflect upon her time in the White House and provide analysis on how the technology and cybersecurity landscapes have evolved in her time since leaving the role. The following is a transcript of the interview, edited for length and clarity.
ISACA’s Future Brimming With Opportunity
As my relationship with ISACA unfolded through various volunteer roles for the past 25 years, I have had the privilege of seeing the organization evolve – through good times and challenging times – just as many of us have experienced in our personal lives and careers.
ISACA’s Global Impact To Be Celebrated on ISACA CommunITy Day
On 5 October 2019, ISACA will conduct its inaugural ISACA CommunITy Day, a day of global service for ISACA members (through their chapters) and staff to give back to their local communities.
ISACA’s Past, Future Come Together at North America CACS
ISACA’s 50th anniversary year is about simultaneously honoring our past while visualizing how our professional community will innovate the future. Last week’s experience at our North America CACS conference in Anaheim provided tremendous inspiration on both fronts.
ISACA’s SheLeadsTech Second Day of Advocacy in DC
More than 60 women and men gathered on Capitol Hill in Washington, DC, on 7 October for the SheLeadsTech program’s second annual Day of Advocacy.
IT Audit Co-sourcing Requires a Strategic Touch
The 7th annual IT Audit Benchmarking Survey shed light on several IT challenges that are at the top of the agenda for executive management and will have a direct impact on IT audit plans for many enterprises in 2018.
IT Audit in 2019: Hot Topics and Trends
The turn of the calendar to a new year is always a great time to take pause and reflect. Now that 2019 is in full swing, I wanted to take a quick snapshot of hot topics and trends for the IT audit field in 2019. And just to make sure I wasn’t completely winging it, I checked in with a couple valued industry contacts.
IT Audit: Stay Relevant or Perish
“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole
IT Careers = Money, Advancement and Job Satisfaction. Why Aren’t More Women Pursuing Them?
Key Considerations for Assessing GDPR Compliance
The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.
Key Takeaways from a Recent Cloud Training
I recently began taking my first crack at auditing an Amazon cloud platform that comprises over a dozen managed services.
Key Takeaways from the NotPetya Malware Infection
When we talk about risk management, we are often fixated on protecting data confidentiality and mitigating related risks, but there are other equally compelling concerns, such as data availability. Consider the case of the NotPetya malware, which last year attacked the shipping giant Maersk among other companies.
Keys to More Effective Vendor Risk Management
Certain industries have a better conceptual understanding of their supply chain than others. For instance, in manufacturing, it’s very clear that raw materials come in one end and out the other comes a completed, processed product for consumption.
Know Who Your Customers Really Are or Prepare for Trouble
Recently in the UK, the women’s national football team manager, Phil Neville, called for all social media accounts to be verified and accountable as the result of a spate of racist postings, and asked for a boycott of social media until the situation is addressed.
Lessons from the Reddit Breach
An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.
Live from New York: Ready to Make Progress with UN Delegation
When I left Adelaide on QF 738 with a lump in my throat, knowing how significant this journey is in my life, I was blown away to observe that there was an all-female tech crew on the flight deck. What an auspicious start!
Look Back at ISACA’s First Half-Century – and Into the Future
Consider the year 1969. The Beatles played their last concert. The Godfather was a best-seller. Astronaut Neil Armstrong became the first human to set foot on the moon. The microprocessor was invented – although it would be another two years before the Intel 4004 processor helped launch the personal computer revolution.
Lower IT Department Expenses Without Compromising on Security
The IT department has risen to prominence as one of the more integral components of successful, modernized organizations. However, in the midst of this growth, IT has also become increasingly expensive for many of these companies. Discovering what it looks like to manage a cost-effective IT department could be the difference between running a profitable business and straining to make ends meet.
Make 2018 the Year for Securing the Internet of Medical Things
Medical device security flaws are increasingly in the news. Consider the announcement from the U.S. Food & Drug Administration last year about a flaw in one model of a St. Jude Medical implantable pacemaker.
Make Your Risk Management Processes Proactive, Not Reactive
Some form of risk management occurs on a daily basis in any organization currently in business. In many enterprises, risk management activities are ad-hoc, compliance-based, focused on the latest threat in the news, uncoordinated, and use arbitrary means for analyzing whether the risks warrant any action.
Marriott Breach Places Dwell Time Back Under Microscope
Many of you may be wondering how can a major, multi-billion dollar organization not have sufficient cybersecurity in place to detect the theft of hundreds of millions of customer details?
Meltdown/Spectre: Moving Forward
Yesterday, we provided some background information on Meltdown and Spectre, the two issues that are taking the security world (and in fact users of technology in general) by storm.
Meltdown/Spectre: Not Patching is Not an Option
The most prominent data security events of 2017, such as WannaCry and Equifax, were direct results of poor patching practices. Now, 2018 is off to a menacing start with disclosure of two hardware vulnerabilities affecting most modern microprocessors and requiring a number of patches on several levels of defenses.
MIT CISR Research Forum: Designing for Digital Leverage
The MIT CISR Research Forum (Europe), hosted by Heineken, recently was held in Amsterdam. As a partner of MIT CISR, ISACA was represented at the event. Presentation titles on the agenda like “Quick Look: What Is Your Digital Business Model?” by Joe Peppard, “Digitized Is Not Digital” by Jeanne Ross, “Managing Organizational Explosions During Digital Transformation” by Nick van der Meulen, and others, provided a good general sense of what the event would be all about.
Modernized Maritime Industry Transports Cyberthreats to Sea
If there is one universal truth we have learned from developments on the cybersecurity landscape in recent years, it is that none of us are free from cyberthreats. Attackers identify and exploit vulnerabilities wherever they might exist, regardless of the target’s geographic location, whether the target is an individual or an enterprise, or which industry sector the target represents.
Moving Beyond Stubborn Reluctance to Comply with GDPR
Last May marked the beginning of the application of the General Data Protection Regulation (GDPR), which harmonized and unified the rules governing privacy in the European Union. Leading up to and following the adoption of the regulation, data protection has been in the focus of attention all around the world.
My Organization’s HIPAA Data Got Hacked: Now What?
You’ve been hacked, and electronic protected health information (ePHI) has been exposed. You have certain compliance requirements, and there are also (intertwined with the needs of compliance) reasonable steps to take to halt the compromise and protect your patients.
Navigating a Challenging Cybersecurity Skills Landscape
As much as tools and technology evolve in the cybersecurity industry, organizations remain reliant on clever, well-trained humans with incisive critical thinking skills to protect themselves from the perilous cyber threat landscape.
Navigating Change: An Imperative for Technology Professionals
The fast-changing technology and regulatory landscape calls for members of ISACA’s professional community to continually refresh their knowledge and training.
Networking Advice from an Introvert
I’m a classic introvert. Early in my IT career, I had no interest in networking with others. I did not see the tangible benefits or understand how networking could be useful to advancing my career interests.
New Cybersecurity Pilot Program to Expand Career Pathways for Women in Chicago
Women in the Chicago area who are interested in exploring a career path in cybersecurity, particularly those who are underrepresented in the field, will now have the opportunity to join a pilot program launched last week by ISACA, along with AnitaB.org and the City Tech Collaborative.
New Strategic Vision Needed to Thrive As a Digital Enterprise
Stakes are increasing when it comes to leveraging technology to define and deliver new value. The CEO and the executive team leaders are reeling with the challenges of identifying and implementing new digital business models while also wrestling with making smart capital investments to develop and mature organizational capabilities that enable agility and rapid response to new market opportunities.
New Year, New Technology: Energizing ISACA’s Professional Community
Technology advances at a remarkable pace, connecting enterprises with customers in new ways and positioning organizations to achieve greater success through digital transformation. As ISACA’s professional community is acutely aware, those advancements are accompanied by new security threats, new legal and regulatory challenges, and questions about what all of this will mean for the business technology workforce.
NIST Risk Management Framework: What You Should Know
In late December 2018, NIST published a second revision of SP800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
North America CACS Keynoter Guy Kawasaki Sizes Up Innovation, Entrepreneurship
Guy Kawasaki, a Silicon Valley-based author, speaker, entrepreneur and evangelist, will be the opening keynoter at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA. Kawasaki recently visited with ISACA Now to discuss some of the themes he will explore at North America CACS, including innovation and entrepreneurship. The following is an edited transcript. For more of Kawasaki’s insights, listen to his recent interview on the ISACA Podcast.
North America CACS Keynoter Sekou Andrews Technology Pros Should Be Storytellers Too
Sekou Andrews, a prominent poetic voice performer who blends inspirational speaking and spoken word poetry, will be the closing keynote speaker at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA. Andrews recently visited with ISACA Now, discussing why technology practitioners should also consider themselves to be storytellers and how changes on the technology landscape will lead to “a rediscovery of what it means to be human.” For more of Andrews’ insights on these and other topics, listen to his recent appearance on the ISACA Podcast.
Offshoring: Getting it Right Through a Security and Privacy Lens
The offshoring industry is at a turning point. There is a growing demand to further saturate offshoring hubs with a view to increasing profits.
Organizations Outside the EU Must Not Overlook GDPR Requirements
With less than 100 days to 25 May, many organizations outside the European Union have the same question: “Does the General Data Protection Regulation (GDPR) apply to my organization?”
Overcoming Legacy Thinking: A Key Strategy for Actively Shaping the Future
The rapidly increasing pace of technology change and digital disruption leads to an unprecedented pace at which organizations must address opportunities and risks that could make or break their success. In the new decade of the 2020s, technology-driven exponential change will accelerate even more sharply. Unfortunately, most organizations are ill-prepared for what is to come, and will remain so unless they replace their reactionary approach to the technology landscape with an anticipatory one.
Panel Shares Guidance in Immediate Aftermath of GDPR Deadline
Despite the many nuances about the new General Data Protection Regulation (GDPR) and questions about how it will be enforced, panelists at Tuesday’s GDPR panel during ISACA’s EuroCACS conference provided some straightforward guidance to organizations – if you don’t need the data, don’t collect it.
Panel: More Automated Services Needed to Support GDPR Requirements
Where calls to “get ready for GDPR” permeated last year’s InfoSecurity Europe conference in London, keynote speakers at this year’s event—conducted just 10 days after the European Union’s regulatory enforcement deadline—put a stronger spotlight on GDPR compliance and sunk more serious messaging teeth into their talks.
Paying for Apps with Your Privacy
Don’t look at your device when I ask you this question: How many apps do you have on your smartphone? Or, if you use your tablet more often, how many apps do you have on your tablet? Remember this number or write it down.
Payment Security and PSD2
This year has welcomed the Revised Payment Services Directive (PSD2), but what is the core reasoning behind writing the new security regulation? “There is a revolution in commerce,” Jorke Kamstra stated in his session Monday at ISACA’s 2018 EuroCACS conference in Edinburgh, Scotland.
Peer Recognition of Outstanding Achievements Within ISACA Community
The prestige of the ISACA Awards Program is evident by the high caliber of recipients who are nominated and selected by their peers. Consider the eight Global Achievement Award recipients honored at North America CACS in 2019.
Perimeters Aren’t Dead – They’re Valuable
Since I first began building internet firewalls in the late 1980s, I have periodically encountered claims that “the perimeter is dead” or “firewalls don’t work.” These claims are rather obviously wrong: your firewall or perimeter is simply a way of separating things so you can organize them better.
Persuasion: A Core Competency for GRC Professionals
Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.
Peter Weill: Avoid the ‘Big Bang’ in Digital Transformation
Peter Weill, senior research scientist and chair of the Center for Information Systems Research (CISR) at the MIT Sloan School of Management, is an award-winning author who focuses on the role, value and governance of digitization in enterprises. Weill, who co-authored What’s Your Digital Business Model? with Stephanie L. Woerner, recently discussed enterprise digital transformation themes with ISACA Now after addressing chapter leaders at ISACA’s Global Leadership Summit in Chicago. The following is a transcript of the interview, edited for length and clarity:
PowerShell: A Powerful Tool for Auditors
Some auditors may not know it, but a useful audit tool has been sitting right at your fingertips all along.
Practical Recommendations for Better Enterprise Risk Management
Based upon my experience in Enterprise Risk Management, I was not surprised to see respondents to new State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity identify risk identification and risk assessment as the most employed risk management steps in their organizations.
Preventing the Next Digital Black Swan: The Auditor, The CISO and The C-Suite
Their brand names are notorious in cybersecurity circles: Equifax, Uber, Maersk and Saudi Aramco. Each of these businesses suffered a big breach – cyber incidents that, together, affected many millions of customers. But it wasn’t only consumer data that was compromised; these companies took huge reputational hits as well.
Protecting Patient Records in 2019 and Beyond
A program called MyHealthEData was unveiled in 2018. Through this program, the US Centers for Medicare & Medicaid Services (CMS) is promoting the adoption of IT environments that allow simpler sharing of health data to outside organizations, as well as better access. The CMS will also allow easier access to claims data by medical beneficiaries.
Putting Cyber Threat Intelligence Feeds to Good Use
Cyber risk is business risk. Businesses are digitizing, and governments are putting in place policies to promote digitalization and smart-city projects. While this helps citizens and organizations adopt technological advances, the continuous increase in cyberattacks, in both frequency and sophistication, poses significant challenges for organizations that must defend their data and systems from threat actors.
Rebuilding Institutions for an Online World
Author and journalist Jamie Bartlett will be the closing keynote speaker at the Infosecurity ISACA North America Expo and Conference, which will take place 20-21 November 2019 in New York City. Bartlett recently visited with ISACA Now to discuss his outlook on how technology is reshaping society, beginning with his contention that the internet is killing democracy. The following is an edited transcript of the interview:
Regulatory Landscape Provides Added Incentive for Enterprises to Explore Blockchain
The increasing emphasis on data privacy gained widespread attention last year with the enforcement deadline of the General Data Protection Regulation (GDPR).
Reimagining the Enterprise Landscape Through Advanced Technology
Stafford Masie, CEO of Google Africa (2006–09) and Non Executive Board Member at ADvTECH, will be the closing keynote speaker at the 2019 Africa CACS conference, to take place 19-20 August in Johannesburg. Masie, an inventor, mentor and keen observer of how to humanize technology, recently visited with ISACA Now to discuss how enterprises in Africa and beyond can take advantage of the major technological forces of the day, such as artificial intelligence and advances in fintech. The following is a transcript, edited for length and clarity:
Remembering My Friend and Mentor: 1984-1985 ISACA Board Chair John Lainhart
In my presentations on leadership, I always cite one example of an incredible leader who has touched my life and hundreds—probably thousands—of others: John Lainhart. John, an ISACA volunteer for nearly 40 years, introduced me to ISACA and the value of professional associations. He was my champion and my friend.
Remembering Robert E Stroud
This weekend, all ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a dear friend. Robert E Stroud, CGEIT, CRISC, 2014-2015 ISACA Board Chair, and Board Director 2015-2018, will be deeply missed.
Tim Mason, ISACA Chief Experience Officer and SVP, Operations, and a six-year member of ISACA’s executive leadership, passed away unexpectedly on 31 October. As members of ISACA’s professional community, we extend our condolences to Tim’s family. Tim’s leadership and his commitment to incredible member and customer
Remembrances Pour in for Tim Mason
The loss of Tim Mason, ISACA Chief Experience Officer and SVP, Operations, who unexpectedly passed away this week at age 59, has prompted an outpouring of love, respect and admiration for Tim from staff colleagues and throughout the professional community.
Representing Australia, SheLeadsTech and ISACA at United Nations a Dream Come True
Growing up as a girl from the Australian bush, the United Nations was a long distance away, physically speaking, but not as far from my thoughts as one might think.
Rethinking Cost Analysis in the Era of Cloud Computing and Emerging Tech
Have you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.
Rising Complexity, Higher Stakes for Enterprise Risk Management
Cyber risk has understandably become a focal point for enterprise risk managers, but the risk landscape is multi-layered and extends beyond the realm of cybersecurity. In addition to contending with a daunting array of cyberthreats, enterprises are determining how much risk they are willing to accept in deploying emerging technologies, working through a heightened focus on customer privacy and adjusting to changes in the regulatory environment.
Risk Professionals Pave the Way for Transformational Smart Contracts
In 1999, Harvard Law professor Lawrence Lessig wrote in Code and Other Laws of Cyberspace that code is law.
Ryan Envisions ‘Very Positive’ Future for Women in Cybersecurity
Pat Ryan’s wide-ranging career included serving as an analyst in the British intelligence community, partnering with her husband on an oil exploration consultancy specializing in underwater seismic operations and satellite imaging, setting up and running a non-profit that installed IT equipment and educational software into UK hospitals where children were being treated, and founding Cyber Girls First, which encourages girls in the UK to take up coding and cybersecurity. Ryan, who spoke last month at ISACA’s UK Chapters conference, recently visited with ISACA Now to share about her past experiences and current efforts to inspire girls in cybersecurity. The following is a transcript of the interview, edited for length and clarity:
Saluting the Spirit of Volunteerism That Made CommunITy Day a Success
On ISACA’s first CommunITy Day on 5 October, 2019 – a day on which our global professional community came together to volunteer in their local communities – the passion, creativity and industriousness of ISACA’s professional community were on full display.
Securing 3D Printing
3D printing is fast becoming a disruptive technology in production and manufacturing. It grew to be a $5.1 billion industry by 2015 with an average growth rate of about 30%, and 5.8 million 3D printers are expected to be shipped annually by 2019.
Securing Major League Baseball - On and Off the Field
Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.
Securing the SWIFT Cross Border Payment System Within Banks
A series of cyber-attacks involving the SWIFT banking network have come to light in recent years. The first public report of these attacks came from the Bangladesh Central Bank, and we have also seen attacks at State Bank of Mauritius, Cosmos Bank (India) and City Union Bank (India).
Securing Your Data: The Crown Jewels of Your Enterprise
Every organization has data that is vital for its organizational growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewel.
Security of Biomedical Devices Presents Unique Challenges
Compliance and security professionals are regularly challenged with unique security situations. However, the harder the challenge, the more rewarding it is for those who successfully solve the problem—part of what makes the profession so fulfilling.
Security, Audit Professionals Need New Approach to Software
I’m here to let you know about a new Perspective that I’ve created for the ISACA audience.
Senior IT Audit Leaders Discuss Cybersecurity Data Analytics
Senior IT audit leaders met to discuss a wide variety of topics, including audit analytics, IT audit’s role in cybersecurity and incident management, and agile/DevOps shops, at the recent IT Audit Leaders Summit in Geneva, Switzerland, as part of EuroCACS/CSX 2019. Participants shared opinions and best practices, and strategized on the path forward with new technologies and business practices.
Shedding Light on the Dark Web
The Dark Web is the part of the internet that is inaccessible by conventional search engines and requires special anonymizing software to access.
SheLeadsTech EuroCACS Seminar Recap
Sometimes, in a professional conference, especially one that begins early afternoon, mid-work-week, it can take a while for things to get going.
SheLeadsTech Returns to United Nations
SheLeadsTech was back this week at the United Nations for the 63rd Session of the Commission on the Status of Women to continue the critically important work of empowering women and girls by providing access to social protection and appropriate infrastructure, including technology infrastructure.
Shifting Technology Landscape Positions Auditors for Greater Impact
Enterprises are exploring opportunities driven by digital transformation, identifying technology-driven paths to deliver more value, more quickly, while also benefiting from new process efficiencies. IT auditors must do the same to ensure they remain valued partners by the organizations for which they work.
Shining a Light on the Biggest Healthcare IT Challenges
Healthcare has experienced significant modernization and is now closely intertwined with IT. But as the industry changes and marketplace demands evolve, new challenges emerge. Understanding how to address these challenges is paramount to the future success of healthcare organizations and their stakeholders.
Shortage of Communication, Analytical Skills Part of Widening Cybersecurity Talent Gap
A few days ago, in between catching flights and dozing off in an airport terminal, I read an article about the recently published findings from the 2017 Global Information Security Workforce Study.
Should CISOs Expand Their Portfolios?
CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.
Simple, Structured Approach Needed to Leverage Threat Patterns
IT risks come from various sources that are not always easy to identify in advance, making prevention and mitigation really challenging.
Sizing Up Email Security Protocols
Given the many instances of email security compromises, it has become vital to provide additional security to emails from the domain administrator level. Security protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Brand Indicators for Message Identification (BIMI), which aim to prevent address spoofing, are considered below.
Smart Cities: How Data and Visibility are Key
ISACA recently conducted a smart cities research survey in which it asked approximately 2,000 security and risk professionals questions focused on smart cities and their management, risks, and future technology initiatives.
SQL Databases and Data Privacy
If anyone had any doubts, data privacy is still kind of a big deal. Beyond being at the core of regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States to the global, far-reaching General Data Protection Regulation (GDPR), data privacy has its own annual day of recognition – 28 January.
Stakeholder Management: Push or Pull
Managing projects for the best possible outcome is a bit art and a bit science. From a high-level view, stakeholder management includes: identifying the people that could impact a project, understanding the expectations of the stakeholders and their impact on a project, and developing strategies for effectively engaging the decision-making project stakeholders.
Start with the Why: A Strategic Lifecycle for Information Security
Many presentations by information security managers for stakeholders within their organizations include the depiction of a lifecycle in one form or another to underline that information security is not a one-off project, but a continuous activity.
Stripping Off the Monster Tag from IT Governance: An Inclusive Approach
It is said that anything with two heads is a monster. I usually think of this saying when carrying out IT governance reviews, as inclusive governance seems to be a missing link.
Takeaways from SheLeadsTech Event in Shanghai
ISACA successfully organized a SheLeadsTech event focusing on career development of female IT auditors in Shanghai earlier this month. This was a milestone event in China, believed to be the first female-themed event of this scale among IT auditors in China.
Taking Precautions With Smart Home Gadget Security
Smart home gadgets have been among the most popular holiday, housewarming and any-occasion gifts for the last few years. Whether it’s an interconnected home security system, a pet camera, or a voice-activated assistant like the Amazon Echo, homeowners and renters alike love having these tech gadgets in their homes.
Talking Poker – and Risk – with EuroCACS Keynoter Caspar Berry
Motivational business speaker Caspar Berry will bring his unique poker player’s perspective on risk to his opening keynote address at EuroCACS 2018, which will take place 28-30 May in Edinburgh, Scotland. Berry recently visited with ISACA Now to discuss topics such as overcoming the fear of failure and the dynamics of risk-aversion. The following is an edited transcript:
Tapping into ISACA’s Network to Shed Light on the Psychology of Information Security
I was always fascinated by the complexity of the technology discipline. The truth is, it’s very broad. ISACA helps to define some of the career pathways for young professionals through its educational resources and certification program. This made me think about where I saw myself adding value to the industry.
Tech Certifications Are Earning Cash Premiums, and Info/Cyber Security Certs Are the Hottest
Technology a Key Driver in UN Conclusions
It’s a wrap. At approximately 7.30 p.m. in New York City on Friday night, the final gavel fell on the negotiations at the 63rd session of the Commission on the Status of Women at United Nations headquarters.
Technology Emboldening Innovators on the Ground, in the Air and Beyond
A future in which passengers order air taxis, victims of serious accidents tap neurotechnology to rise above limitations and AI/machine learning-fueled space exploration allows astronauts to trek deeper into the universe – for longer periods – was boldly presented on Monday, 28 October, at the Dare Mighty Things technology conference in Chicago, Illinois, USA.
Technology Must Be Part of Solution for Empowering Rural Women and Girls
Given my upbringing in the Australian bush, I have long been mindful of the many challenges faced by rural women and girls. Nonetheless, the 62nd United Nations Commission on the Status of Women provided a comprehensive and jarring view of just how many systemic challenges demand the world’s collective commitment to address.
The 2010s: A Decade of Growth and New Focal Points for ISACA
The 2010s have seen remarkable growth at ISACA.
The 6 Most Important Qualities of a SAP Implementation Partner
If you’re not seeing the results you want, you may need to switch SAP implementation partners. SAP implementation is becoming more important than ever, with revenues from enterprise resource planning (ERP) software expected to reach $84.1 billion by 2020, according to Apps Run the World.
The Age of the DPO
Articles 37 and 38 of the General Data Protection Regulation (GDPR) provide information on the principles and impartiality of the critical data protection officer (DPO) role, specifying the high-level rules on what can and can’t be done. But like most of the GDPR, they leave wide open the interpretation of how and when it is appropriate to have a DPO.
The AI Calculus – Where Do Ethics Factor In?
While artificial intelligence and machine learning deployment are on the rise – and generating plenty of buzz along the way – organizations face difficult decisions about how, where and when to introduce AI.
The Beginnings of a New Privacy Framework Through NIST
NIST conducted a workshop on 16 October in Austin, Texas, USA, to discuss plans for a voluntary privacy framework, and attendees had the opportunity to have a robust discussion about what such a framework should entail. The workshop was attended by individuals from industry, academia, and government.
The Business Benefits of a Strong Cybersecurity Culture
I recently discovered a fascinating C-suite report that used an apt metaphor to capture why culture is so challenging for businesses: Organizational culture is like an iceberg.
The Business Risks Behind Slow-Running Tech
Entrepreneurs and IT leaders frequently underestimate the true power that slow technology has to negatively impact a business.
The Case for a KYC/AML Blockchain
Early in my career, I had the opportunity to work with big retailers and non-profit organizations around the promised land of EDI protocol (Electronic Data Interchange, for those too young to have seen this acronym).
The Challenge of Assessing Security for Building Automation Systems
Building automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.
The Digital Age: A New World of Purpose-Driven Opportunity
Jon Duschinsky, an entrepreneur, social innovator and firm believer in leading a purpose-driven existence, will be the closing keynote speaker at ISACA’s EuroCACS/CSX 2019 conference, to take place 16-18 October in Geneva, Switzerland. Duschinsky recently visited with ISACA Now and shared his thoughts on why being purpose-driven is more realistic than ever in today’s digital age. For more of Duschinsky’s insights, listen to his recent appearance on the ISACA Podcast.
The Evolution and Power of Disruptive Technology: Insights From an Executive Panel at NA CACS
At ISACA’s North America CACS conference Tuesday morning, an executive panel spoke on the past 50 years of tech disruption—and where technology is taking us in the future.
The Features and Challenges of IoT-Based Access Control
Employees and guests can use IoT-based access control for convenient access. Through their mobile device, they can be securely connected to a facility’s access control system by means of a digital ID.
The Film Industry and IT Security
For those in the ISACA community who are fans of popular culture, you might have noticed in recent years that, in many cases, film and TV stars are beginning to look more like you and me, and less like the muscle men of our youths.
The Gap Within the Skills Gap: What Does Cybersecurity Really Need
I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skill gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice.
The Impact of GDPR on Cybersecurity Managers
Around six months have passed since the General Data Protection Regulation (GDPR) took effect. Among the many unclear implications of GDPR, the vaguest might be how to ensure compliance with the security requirements, including data protection by design and by default.
The Impact of Net Neutrality on Cloud Computing
The US Federal Communications Commission (FCC) recently repealed the net neutrality guidelines that it implemented less than three years ago.
The Importance of Securing Your Cloud
One of the biggest misconceptions regarding the cloud is that you can rely on the cloud provider service to protect your business, your data and everything else your firm holds dear.
The ISACA Journal’s Digital Transformation
The ISACA Journal has been at the heart of ISACA’s knowledge community for more than 40 years, a tradition we are proud to carry forward into the future.
The ISACA Way: How I Earned the CISM, CISA, CRISC and CGEIT in 10 Months
Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.
The Key Point Everyone is Missing About FaceApp
Much has been written in recent weeks about the widely publicized privacy concerns with FaceApp, the app that uses artificial intelligence (AI) and augmented reality algorithms to take the images FaceApp users upload and allow the users to change them in a wide variety of ways.
The Multiple Options for Multi-Factor Authentication
How do you prove you are you? In the physical world, we have birth certificates and driver’s licenses to prove we are who we say we are. Yet this question becomes more difficult when you are trying to prove yourself to a computer system. Thankfully, Multi-Factor Authentication (MFA) can help in a variety of ways.
The Next Challenge in IT Compliance Reporting: SOC2 2017 Trust Services Criteria
In the aftermath of GDPR, the next big change in the IT compliance standards landscape is here. The period of applicability for the new System and Organization Controls for Service Organizations: Trust Services Criteria (SOC2 2017 Trust Services Criteria) has just begun – all SOC2 reports with an examination period ending on or after 15 December, 2018 will have to be issued as per the new standard.
The Outlook for Auditors and Infosec Professionals in the Fourth Industrial Revolution
The Future of Jobs Report 2018, published by the World Economic Forum, presents a well-researched reading with a thorough and comprehensive coverage of global industries and regions. The essence of the report can be captured in the preface by Klaus Schwab, founder and executive chairman, World Economic Forum, which states “Catalysing positive outcomes and a future of good work for all will require bold leadership and an entrepreneurial spirit from businesses and governments, as well as an agile mindset of lifelong learning from employees.”
The Path to Improved Cybersecurity Culture
The recent ISACA-CMMI Institute cybersecurity culture research illustrates the accomplishments and gaps that are seen in organizations’ cybersecurity culture. The survey-driven research focuses on culture and continuous improvement, both essential components of a successful cyber risk management program.
The Socially Responsible Society I Want for my Granddaughter
There is nothing quite like the birth of a child to redirect our thinking from our daily patterns and prompt us to consider the big-picture view of where our world is heading.
The Time is Now for a Comprehensive, Risk-Based Approach to Build Cyber Resilience
If you attend a number of industry conferences, it’s almost a guarantee that you will hear the cliché question “What issue keeps you up at night?” posed to enterprise security executives on stage.
The US Government Shutdown’s Potentially Lasting Impact on Cybersecurity
The partial US government shutdown is the longest in modern history and continues to drag on as both political parties remain entrenched, refusing to budge from their respective positions. The inability to reach an agreement, or at least to open the government, may have lasting impacts on the effectiveness of cybersecurity in the federal government.
Third-Party Vendor Selection: If Done Right, It’s a Win-Win
The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.
This is Me and My (Private) Identity
Do we really need regulators to come and tell us that each person’s data is, well, private? A few years before the GDPR regulation came into effect in Europe, the Law for Protection of Personal Data Held by Private Parties (LFPDPPP) in Mexico stated basically the same principles with which many companies are now struggling to comply:
Three Keys to a Cybersecurity Culture That Will Stick
Everyone doing business today shares an unfortunate truth: no matter how strong your cybersecurity program, your employees are your biggest potential source of failure.
Three Keys to Improving Medical Device Security
A report released in January by the Healthcare & Public Health Sector Coordinating Councils details the need for better security for medical devices, a topic infrequently discussed in healthcare until recently.
Tightening Cybersecurity Assurance in Supply Chains: Three Essentials
In October 2018, Bloomberg Businessweek sent shivers through the business and intelligence community when it published an astonishing report that claimed that Chinese spies had exploited vulnerabilities in the US technology supply chain, infiltrating computer networks of almost 30 prominent US companies, including Apple, Amazon.com Inc., a major bank, and government contractors.
Tips for the Novice IT Auditor
Norman Ralph Augustine once said, “Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.” This highlights the rise of the auditing profession and the importance that more and more companies are placing on internal and external audits due to increasing regulatory requirements.
Tips to Prepare for ISACA’s CRISC Exam
My motivation to pursue ISACA’s CRISC certification was to improve my skills, knowledge and understanding of enterprise and IT risk management.
Top 3 Security Governance Practices Not to Miss During Blockchain Implementation
Everyone is talking about blockchain and is curious to know more. In addition to blockchain conversations among cybersecurity and IT professionals, TV programs are discussing the topic, investors are clamoring about it and many people are asking just what the heck it is. Blockchain is the trending topic in seemingly every technology conference, journal and summit.
Traits of a Successful Threat Hunter
Threat hunting is all about being proactive and looking for signs of compromise that other systems may have missed. As defenders, we want to cut down the time it takes to detect attackers. To accomplish this, we assume the bad guys have penetrated our defenses, and then proceed to look for traces that their activities have left behind.
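One concrete way to "look for traces that their activities have left behind" is to stack process-creation telemetry and pull out what is rare or known-bad. The script below is an added example, not code from the ISACA post: its log line format, the ten events in SAMPLE_LOG, the host names and the OFFICE_APPS/INTERPRETERS lists are all constructed for illustration. In practice the same parent/child fields come from Sysmon event ID 1, EDR telemetry or auditd execve records.

```python
"""Frequency ("stacking") threat hunt over process-creation events.

Added example, not code from the ISACA post. The log line format and the
events in SAMPLE_LOG are constructed for illustration; in practice the same
fields come from Sysmon event ID 1, EDR telemetry or auditd execve records.
"""
import re
from collections import defaultdict

# Constructed sample: one process-creation event per line, five workstations.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z host=ws01 user=alice parent=explorer.exe image=outlook.exe
2019-03-04T09:00:05Z host=ws02 user=bob parent=explorer.exe image=outlook.exe
2019-03-04T09:01:10Z host=ws03 user=carol parent=explorer.exe image=chrome.exe
2019-03-04T09:02:00Z host=ws01 user=alice parent=explorer.exe image=chrome.exe
2019-03-04T09:03:30Z host=ws02 user=bob parent=outlook.exe image=winword.exe
2019-03-04T09:03:41Z host=ws02 user=bob parent=winword.exe image=powershell.exe
2019-03-04T09:03:42Z host=ws02 user=bob parent=powershell.exe image=rundll32.exe
2019-03-04T09:05:00Z host=ws04 user=dave parent=explorer.exe image=chrome.exe
2019-03-04T09:06:00Z host=ws05 user=erin parent=explorer.exe image=outlook.exe
2019-03-04T09:07:00Z host=ws03 user=carol parent=services.exe image=svchost.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) image=(?P<image>\S+)$"
)

# A hunter's prior knowledge: document handlers have no business launching
# script interpreters. (Hypothetical lists, trimmed for the example.)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stack_parent_child(events):
    """Map each (parent, image) pair to the sorted list of hosts it was seen on.

    Stacking by distinct host rather than by raw event count keeps one noisy
    machine from making an unusual pair look common across the fleet."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["parent"].lower(), e["image"].lower())].add(e["host"])
    return {pair: sorted(h) for pair, h in hosts.items()}


def hunt(events, rare_threshold=1):
    """Return (rule, 'parent -> image', hosts) findings from two passes:
    a knowledge-based rule (office app spawns an interpreter) and a
    prevalence pass flagging pairs seen on at most rare_threshold hosts."""
    findings = []
    for e in events:
        parent, image = e["parent"].lower(), e["image"].lower()
        if parent in OFFICE_APPS and image in INTERPRETERS:
            findings.append(("office-spawns-interpreter", f"{parent} -> {image}", e["host"]))
    for (parent, image), hosts in sorted(stack_parent_child(events).items()):
        if len(hosts) <= rare_threshold:
            findings.append(("rare-parent-child", f"{parent} -> {image}", ",".join(hosts)))
    return findings


if __name__ == "__main__":
    for rule, chain, hosts in hunt(parse_events(SAMPLE_LOG)):
        print(f"{rule:26} {chain:36} {hosts}")
```

Run against the sample, the rule pass and the stacking pass both land on ws02's winword.exe -> powershell.exe, and stacking adds the rest of that chain (powershell.exe -> rundll32.exe), which is the kind of lead a hunter then pivots on. The stacking pass also flags services.exe -> svchost.exe on ws03, which is benign and only looks rare because the sample is ten events; that is the caveat with prevalence hunting: rare means "investigate", not "alert", and the baseline has to span enough hosts and enough time for normal activity to look common.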
Transitioning GDPR Preparations Into Operations
While organizations may think that they have done everything needed to prepare for GDPR, they may not have thought about how they arrive at assurance over GDPR, especially considering that being prepared for GDPR is different from having GDPR as part of operations.
Transparent Use of Personal Data Critical to Election Integrity in UK
The ISACA Now blog is featuring a series of posts on the topic of election data integrity. ISACA Now previously published a US perspective on the topic. Today, we publish a post from Mike Hughes, providing a UK perspective.
Transport Layer Security Bolsters Secure Remote Data Transmission
It is an amazing time to be alive for many reasons, one of which is the ability to communicate almost seamlessly and securely with people from all over the world. Technology allows us to connect with individuals with whom we most likely never would have before.
Trsar Family Helps Ensure ISACA’s Growth in Good Hands
As ISACA celebrates its 50th anniversary in 2019, we are telling stories of the members, volunteers and staff who have contributed to ISACA’s growth and global impact. Below is an excerpt from a feature article on the ISACA staff father-son duo of Terry Trsar and Tim Trsar.
UN Member-States Focused on Empowering Rural Women and Girls
ISACA board director Jo Stewart-Rattray is providing onsite updates from her participation in the UN Commission on the Status of Women, which is taking place from 12-23 March at UN headquarters in New York.
Understanding Big Data and Machine Learning Projects
Big data and machine learning have rocketed to the top of the corporate agenda. Executives look with admiration at how Google, Amazon and others have eclipsed competitors with powerful new business models derived from an ability to exploit data.
Understanding Meltdown and Spectre
There’s a tempest in progress – and, no, I’m not talking about the “bomb cyclone” currently hitting the US eastern seaboard. Instead, I’m referring to what’s going on in the technology and security communities in the wake of the newly published Meltdown and Spectre issues.
Understanding Risks to Data Drives Controls Efficiencies
As we reflect on recent regulatory changes and trends, we notice a heavy focus on privacy and cybersecurity across the globe. The European Union has recently passed the General Data Protection Regulation (GDPR) and the Payment Services Directive 2. Taking it a step further, in July 2018, the EU proposed a new Cybersecurity Act (9350/18) mandating cybersecurity certification for critical infrastructure industries.
US Government Innovates Cyber Job Fulfillment
Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.
Using COBIT to Manage Shadow IT
Shadow IT is an (in)famous phenomenon in today’s business environments. Business departments source, develop and maintain systems on their own to support their processes.
Value Professional Networking Early in Your Career
Depending on your personal interests, social skills and professional goals, professional networking may or may not be your favorite activity. Whether or not you enjoy networking, it should be a priority in your professional life – especially earlier in your career as you are building your professional network.
Vendor Selection for ISO 27001:2013 Certification
The Information Security Management Systems Certification (ISO 27001:2013) helps organizations prove they are managing the security of clients’ and stakeholders’ information, and can generate the need for three types of vendors: certification body, internal audit and implementation.
What Capital One Got Right
The massive cyber breach of Capital One, reported in late July, quickly brought a chorus of condemnation of the company from a wide circle of pundits, concerned customers, competitors and potential investors. Lost in the media fray was Capital One’s exceptional incident response.
What Do You Expect in the Next Decade of Tech?
What are some of the major changes you expect to see in the technology landscape in the next decade?
What I Wish I Knew When I Started in IT Audit
Who among us does not sometimes reflect on our journey and certain days that remain nailed to our memory, either because they were too tough to forget or too good to be true?
What is Driving Growth for AR/VR?
Gartner’s recent list of top tech trends for 2019 included immersive experiences, which they described as follows:
What is Standalone Virtual Reality, and Why Are Enterprises Betting On It?
If you are interested in virtual reality, you surely know that the buzzword of 2018 is “standalone.” All the major VR companies are betting on standalone VR devices: HTC Vive China president Alvin Wang Graylin announced in a recent interview that his goal for 2018 is to see standalone devices becoming successful and Oculus’ Hugo Barra has expressed a similar opinion.
What is the Path to Self-Securing Software?
As digital business hastens the speed of application development and gives way to complex, interconnected software systems (think Internet of Things, microservices and APIs), we need to confront the fact that penetration testing, although thorough, is slow and expensive.
What Role Will IoT Play in Edge Computing?
While no one doubts the power that cloud computing has over our present and future digital needs, it still has basic flaws that are cause for alarm: notably concerns over data privacy and over its ability to handle large-scale, constant computation.
What the Skills Shortage Means for Existing Cybersecurity Practitioners
By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right information security and/or cybersecurity professionals.
What We Should Learn from the Capital One Data Breach
Another day, another data breach. Or so it seems. When the latest organization to suffer a big breach hits the news, it is easy to think, who is going to be next?
When Everything Old is New Again: How to Audit Artificial Intelligence for Racial Bias
You may not know it, but artificial intelligence (AI) has already touched you in some meaningful way.
When it Comes to Cyber Risk, Execute or Be Executed!
Nestled in William Craig’s book Enemy at the Gates, which recounts World War II’s epic Battle of Stalingrad, is the story about a Soviet division that was plagued by failure in the face of the enemy. Desertions were rising, officers’ orders were not being followed, and the invading enemy was making gains.
When it Comes to ERP, Cybersecurity is a Chief Concern
For businesses that have a lot of resources tied up in logistics and inventory, enterprise resource planning (ERP) systems can be a lifesaver. However, you should never invest in an ERP system blindly. With so much valuable data filtering through such a system, you must pay attention to cybersecurity.
Who Am I? CRISC Equips Professionals and Organizations with a Valuable Identity
As a risk practitioner, have you ever tried to describe what you do for a living to a family member or a friend?
Who Should the CISO Report To? It Depends
The information security challenges faced by enterprises are dependent on the unique characteristics of the business. This means there is no one “right” answer for where the CISO sits on the org chart.
Who Will Harness AI More Effectively in the New Decade: Cybercriminals or Cybersecurity Professionals?
We know artificial intelligence will loom large in the new decade, and we know cybersecurity will be critically important as well. How those two forces intersect sets up as one of the most fascinating – and consequential – dynamics that will shape society’s well-being in the 2020s.
Why (and How) I Passed ISACA’s CISM Exam
After I passed the CISM exam late last year, ISACA offered to let me share my experience of how (and why) I chose to become a CISM, and what I did to accomplish my goal. I hope this article provides some useful ideas to help you go after your professional development goals, as well.
Why Don’t We Apply Due Diligence in Selecting Social Media Providers?
I’ve reviewed many social media implementations across a large variety of companies, and among the many concerns from a security perspective is the total lack of due diligence over their selection.
Why IT Teams Should Avoid Complacency
We are in 2019, and have all witnessed the effects of disruptive start-up companies, the growth and stability of the cloud market, the emergence of CI/CD practices and the simple need for agility. Conversely, there are organizations where none of what I mentioned is happening.
Why I’ve Gone From Avid Skeptic to Avid User of Biometrics
My first job in security – and in fact my first job out of school – was for a biometrics company.
Why Problem-Solving Can Detract from Innovation
Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, will give the closing keynote address at the GRC Conference 2018, to take place 13-15 August in Nashville, Tennessee, USA. Williams recently visited with ISACA Now to discuss how enterprises can spark more innovation, the concept of disruptive hypotheses and more. The following is a transcript of the interview, edited for length and clarity:
Why You Need to Align Your Cloud Strategy to Business Goals
Your company has decided to adopt the cloud – or maybe it was among the first ones that decided to rely on virtualized environments before it was even a thing. In either case, cloud security has to be managed. How do you go about that?
Will Women in Tech Benefit from Millennials Weighing in or Exiting?
The tech industry has been burning through talent and losing IP for decades, but this is usually after years or even decades of contributions. Some suggest it is based on work-life balance challenges, but a recent ISACA study, Tech Workforce 2020: The Age and Gender Perception Gap, highlights how millennials factor into this equation, too.
Women in Cybersecurity Often Worth More Than They Realize
Before beginning my career in cybersecurity recruitment, I worked in the female-dominant industry of travel public relations. I was largely oblivious to the challenges of being a female in the workplace because I was surrounded by other strong businesswomen on a day-to-day basis.
World Economic Forum Report Reinforces Rising Prominence of Cybersecurity
The recent Global Risks Report by the World Economic Forum offers the latest evidence that cybersecurity is rising among the top global risks. Cyberattacks are now the global risk of highest concern to business leaders in advanced economies. This reflects the inability of enterprises to keep pace with today’s challenging threat landscape, and points to an urgent need for increased prioritization of and investment in cybersecurity by executive leadership.