While attending ISACA’s North America CACS 2014 Conference, I was impressed by insightful presentations on cloud security, big data, security GRC, security programs and frameworks, not to mention the opening and closing keynote presenters.
Likewise, I appreciated the diverse events at the conference (everything from breakout workshops to a professional photography station), the role of ISACA’s Young Professionals Subcommittee in promoting engagement among attendees, and the interactive communication opportunities for all.
As I look back at North America CACS, key messages stand out:
People—not computers—catch frauds
Harry Markopolos’ keynote presentation explored his exceptional work on Bernard Madoff’s fraud case, which demonstrated the whistleblower’s process of conducting holistic fraud examinations. Markopolos highlighted the red flags of potential frauds and answered the question, “How did one man lose $65 billion?”
As the presentation ended, I considered how we, as IT professionals, should rethink how IT is aligned with business objectives and strategies. Or, at least, how IT controls are designed and implemented for fraud-detection purposes.
Cloud and big data security
A major issue with cloud computing is data privacy, especially the data-residency problem, as most organizations worry about their business/customer data leaving the country or jurisdiction. In some cases, your primary data might be stored within a geographic area as required, but the backups are loosely controlled by the cloud service provider (CSP). Organizations must perform due diligence to ensure their data is properly stored and protected. Government agencies will define which types of data can be put into the cloud, and the FedRAMP certification program can provide an independent view of the CSP’s ability to clearly define and describe system boundaries.
Another key consideration discussed at CACS is having a proper notification process in case the CSP makes changes. Old data + old data = new data.
New cybersecurity programs and roles
Cybersecurity is drawing attention from organizations across sectors. Two cybersecurity initiatives were discussed at North America CACS. One is the NIST Cyber Security Program, which is expanding NIST’s main focus beyond government. I believe that the content overlaps with the existing NIST security risk-management program. Presenter Victoria Yan Pillitteri stated that NIST is planning to clarify the relationship between the new cybersecurity program and NIST SP 800-53.
The other initiative is ISACA’s Cybersecurity Nexus (CSX), which will include a certification program (Cybersecurity Fundamentals Certificate) and resources such as webinars, mentoring programs, training courses and an online community.
Be situationally aware of risks
The concept of “risk management” is a constant, even as technologies advance and the context in which technology is used is in perpetual flux. According to presenter Hubert Glover, when people think about high-level risk management, such as technology risk, they must consider every aspect of the organization, as every aspect of an organization is enabled, powered and supported by IT.
Executive teams are considering how to turn risk into results, especially as they encourage participants to do innovative things in innovative ways. During his “Turning Risk into Results” presentation, Dr. Glover illustrated ways to evaluate risks in the context of time, place and mass. He skillfully demonstrated how to turn risk into results by leveraging a business model and risk framework, focusing on addressing organizational, operational and strategic risks.
Another critical aspect around risk management, proposed by keynote presenter/astronaut Mike Mullane, is to be aware of your risks in diverse situations. Using the Challenger disaster as an example, Mullane explained the dangers of accepting—in a changing work environment—a “tolerance” that was previously defined as “intolerable.” The astronaut stressed that it is not uncommon for organizations to fall victim to a “normalization of deviance”—getting away with shortcuts from best practices until the shortcut becomes the norm, leading to problems.
A few more nuggets from North America CACS
- Do not be a passenger. Everyone’s suggestion on how to manage (security) risks and improve processes counts. The executive team and managers should listen to various opinions—one might save the organization some day.
- Information security should be integrated into business processes and systems by design. The add-on approach will cost you more time, money and effort.
- Do periodic resets to best-practice standards. The fact that you’ve been successful previously doesn’t mean you will be successful again. To avoid predictable surprise, don’t let a “can do” attitude guide you into a shortcut.
Note: This blog was also recently published on the ISACA.org web site. For more relevant research on information security and risk management from Info-Tech see the following: