INTRODUCING COBIT 2019

The globally recognized COBIT® Framework has been updated with new information and guidance—COBIT 2019 extends its leading role in implementing and ensuring effective enterprise governance of information and technology (EGIT).

COBIT 2019 is an evolution of COBIT 5, so this newly revised governance framework contains everything you love about COBIT 5, plus many new exciting features and focus areas.

COBIT 2019 CORE PUBLICATIONS

LEVERAGE COBIT 2019 TO GENERATE TREMENDOUS VALUE FOR YOUR ENTIRE ENTERPRISE BY CUSTOMIZING AND RIGHT-SIZING THE GOVERNANCE OF INFORMATION AND TECHNOLOGY.

For more information on COBIT 2019, its publications and guidance, and new training opportunities, go to www.isaca.org/COBITjv6

7th Annual European Compliance & Ethics Institute
10–13 March 2019 | Berlin, Germany
Register by 8 JAN for Early Registration Pricing

Learn from top compliance and ethics professionals and build your professional network at this conference dedicated to learning about the challenges facing the global compliance & ethics community. This is the place to find out about the latest solutions to your compliance and ethics issues, including anti-corruption, data protection, and risk management.

EuropeanComplianceEthicsInstitute.org | Questions? [email protected]

The ISACA® Journal seeks to enhance the proficiency and competitive advantage of its international readership by providing managerial and technical guidance from experienced global authors. The Journal’s noncommercial, peer-reviewed articles focus on topics critical to professionals involved in IT audit, governance, security and assurance.

COLUMNS
3 Information Security Matters: How We Can Succeed
Steven J. Ross, CISA, CISSP, AFBCI, MBCP
6 IS Audit Basics: Affect What Is Next Now
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, and Martin Cullen, CISA, CGEIT, CRISC, COBIT Foundation, COBIT Assessor and Implementer, ISO 27001 LA
10 The Practical Aspect: Why Worry About IoT?
Vasant Raval, DBA, CISA, ACMA, and Ranjit D. Thaker, CISA, MCSM
14 The Network
Glory Ninsiima, CISA, CompTIA Security+, ISO 27005, ISO 31000, ITIL Foundation, PRINCE2 Foundation

FEATURES
16 Future-Proofing a Career in Cybersecurity
Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
20 Is Artificial Intelligence a Career Path for You?
Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP
28 Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team
Julie Balderas, Asim Fareeduddin, CISA, CISM, CIPP, CPA, Femi Richards, CCEP, CIPP, Ruwel Sarmad and Jack Wall
37 Growing a Cybersecurity Career
Philip Casesa
41 Defining the Chief Digital Officer Using COBIT 5
João Catarino, Isabel Rosa, Ph.D., and Miguel Mira da Silva, Ph.D.
49 A Heightened Sense of Awareness
Wade Cassels, CISA, CFE, CIA, CRMA, Kevin Alvero, CFE, and Randy Pierson, CISA

PLUS
54 Tools: Skill Acquisition in a Rapidly Evolving Workplace
Robin Lyons, CISA, CIA
56 Crossword Puzzle
Myles Mellor
57 CPE Quiz
59 Standards, Guidelines, Tools and Techniques
S1-S4 ISACA Bookstore Supplement

Read more from these Journal authors... Journal authors are now blogging at www.isaca.org/journal/blog. Visit the ISACA Journal blog, Practically Speaking, to gain practical knowledge from colleagues and to participate in the growing ISACA® community.

Online-Exclusive Features
Do not miss out on the Journal’s online-exclusive content. With new content weekly through feature articles and blogs, the Journal is more than a static print publication. Use your unique member login credentials to access these articles at www.isaca.org/journal.

Online Features
The following is a sample of the upcoming features planned for November and December.
The Age of PowerShell
Ignacio Marambio Catán, CISA, CRISC, CEH, CISSP, Security+
Automation, Governance and Security in a Software-Defined World
Chris Sanders, CISA, COBIT 5 Foundation
Launching a Value-Based Analytics and RPA Program
Julio Pontes, CISM, BS7799 LA, CCSK, CISSP

ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA
Telephone +1.847.660.5505, Fax: +1.847.253.1755, www.isaca.org

Discuss topics in the ISACA® Knowledge Center: www.isaca.org/knowledgecenter
Follow ISACA on Twitter: http://twitter.com/isacanews; Hashtag: #ISACA
Follow ISACA on LinkedIn: www.linkedin.com/company/isaca
Like ISACA on Facebook: www.facebook.com/ISACAHQ
20TH ANNIVERSARY

INFORMATION SECURITY MATTERS

How We Can Succeed

ISACA JOURNAL VOL 6

Steven J. Ross, CISA, CISSP, AFBCI, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at [email protected].

In my last article, I excoriated the information security community, of which I am a card-carrying member, about the state of security today. Moreover, I stated my opinion that the underlying architecture of distributed systems, the most commonly implemented since the late 1980s, is incapable of supporting a tolerable level of security. Thus, we have suffered through viruses, worms, denial-of-service (DoS) attacks, botnets and cyberattacks for more than a generation. 1

A New Era
Just as the distributed model displaced the centralized (i.e., mainframe) one, I now believe that we are on the threshold of a new era, that of a multi-modal, utility, cloud-based, commercial, Software as a Service (SaaS) (choose any two terms at your pleasure) architecture. Both ownership and geography differentiate the “utility SaaS” architecture from those that went before. 2 In the centralized era, ownership of data and software rested within the organization, which kept both of them in one big room. In the distributed era, i.e., today, the organization still owns the data and software, but these may or may not all be in the same place. In the cloud-based multi-modal environment that is now arriving, the organization retains ownership of the data, but not the software, nor does it house the computing.

Many core business functions are routinely being performed or supported in the cloud and have been for several years. For example, organizations increasingly turn to commercial services for customer relationship management (CRM), payroll, human resources (HR), order entry, accounting, inventory, supply chain and many other automated business functions. The economics of using cloud-based services just make sense. No single organization can afford to have staffs of specialists to develop and maintain software for each function in the way that a vendor specializing in that function can do. Recognition of the total cost of ownership (TCO) drives organizations toward the cloud. The question of build vs. buy is passé; today, it makes sense to rent.

Security in the Commercial SaaS Environment
The same point, overwhelmingly, applies to information security. No organization that I am aware of has a team of security professionals for each application. But, for cloud-based service vendors, this is a commercial necessity. The incentives for a vendor’s security include not just financial, legal, reputational and regulatory risk—as though those were not enough—but existential risk as well. 3 The inability of a cloud-based software vendor to implement and maintain security over its products and services will likely put it out of business.

Zero Trust
In fairness, using a variety of cloud-based services does not an architecture make. And well-secured applications do not by themselves make the entire environment safe. More is required before we can say that we have improved significantly on the shortcomings of the distributed era.

In several previous articles in this space, I have referred to the Zero Trust Model. 4 It is not exactly a standard, although it has the imprimatur of the US National Institute of Standards and Technology (NIST), in a publication called “Developing a Framework to Improve Critical Infrastructure Cybersecurity.” 5 In a very brief synopsis, in the Zero Trust Model, all networks—and, by extension, the information systems on the network—are untrusted. All resources are accessed securely regardless of location. Access to resources is based on a least-privilege strategy and access controls are strictly enforced. All network traffic is inspected and logged. 6

The architecture that can be built on the Zero Trust Model is based on a segmented network with all security-related controls established at a single point of entry and transfer. These controls constitute a unified threat management gateway. In practice, this gateway is a “next-generation firewall” (NGFW), sold by many equipment manufacturers. 7 By itself, NGFWs are necessary but insufficient for effective security. A secure architecture must be based on rigorous network segmentation such that a user authorized for one domain cannot traverse the network without returning to the access control mechanism. That mechanism must include what some have called “next-generation access” (NGA), with advanced functionality such as correlation of users and uses, machine learning to identify anomalies, and technical integration with the security features at the network level. 8 The complete implementation of the Zero Trust Model is being referred to as the Zero Trust Extended Ecosystem (ZTX). 9

Getting to Success
This is all wonderful in theory, but organizations are not about to re-architect their entire IT environment around an enhanced security. But they are migrating to multi-modal environments as a pathway that can lead to ZTX, if information security professionals exert their influence now. As increasing numbers of applications are being used as cloud-based services, organizations are realizing that they are dealing with too many clouds. They are seeking a “cloud of clouds,” one cloud to control them all. 10 And that is where the Zero Trust Model can be implemented.

Let me paint a word picture of what I believe is the future of information security. All uses of information are defined in domains, and all users are associated with one or more domains. All security controls are embedded in a central control point (the cloud of clouds). An authenticated user can proceed to a domain and do what he or she is authorized to do and nothing more. To do anything else, the user must return to the control point and be reauthenticated and reauthorized. All of these accesses are recorded and analyzed at the control point and any anomalies are reported.
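The central control point in that word picture, as an added illustration that is not code from this column or from any vendor: a toy control point in Python that authenticates a user for exactly one domain, refuses any use of that session outside its domain until the user returns to the control point and is reauthorized, records every access, and reports anomalies (a traversal attempt between domains, an authenticated user asking for a domain outside his or her authorizations, an unknown session token, repeated failed logins). The user names, passwords, domain names, the failed-login threshold and the anomaly rules are constructed assumptions for the demo.

```python
"""Toy Zero Trust control point (added example; names, rules and sample data are assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FAILED_LOGIN_THRESHOLD = 3  # assumption: this many failed logins for one user is an anomaly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is not the password itself (demo parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user: str
    domain: str  # a session is bound to exactly one domain


@dataclass
class ControlPoint:
    credentials: Dict[str, Tuple[bytes, bytes]]  # user -> (salt, PBKDF2 hash)
    authorizations: Dict[str, Set[str]]          # user -> domains the user may enter
    sessions: Dict[str, Session] = field(default_factory=dict)
    access_log: List[dict] = field(default_factory=list)   # every access, allowed or not
    anomalies: List[dict] = field(default_factory=list)    # what the control point reports

    def _log(self, event: str, user: str, domain: str, allowed: bool, detail: str = "") -> None:
        self.access_log.append({"event": event, "user": user, "domain": domain,
                                "allowed": allowed, "detail": detail})

    def _flag(self, kind: str, user: str, detail: str) -> None:
        self.anomalies.append({"kind": kind, "user": user, "detail": detail})

    def _verify(self, user: str, password: str) -> bool:
        if user not in self.credentials:
            return False
        salt, stored = self.credentials[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def enter(self, user: str, password: str, domain: str) -> Optional[str]:
        """Authenticate and authorize the user for one domain; return a session token or None."""
        if not self._verify(user, password):
            self._log("login", user, domain, False, "bad credentials")
            failures = sum(1 for e in self.access_log
                           if e["event"] == "login" and e["user"] == user and not e["allowed"])
            if failures >= FAILED_LOGIN_THRESHOLD:
                self._flag("repeated_failures", user, f"{failures} failed logins")
            return None
        if domain not in self.authorizations.get(user, set()):
            # Authenticated but not authorized: least privilege, strictly enforced.
            self._log("login", user, domain, False, "not authorized for domain")
            self._flag("unauthorized_domain", user, f"requested {domain}")
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, domain)
        self._log("login", user, domain, True)
        return token

    def access(self, token: str, domain: str, resource: str) -> bool:
        """Use a session inside its own domain; anything else must come back through enter()."""
        session = self.sessions.get(token)
        if session is None:
            self._log("access", "unknown", domain, False, "invalid token")
            self._flag("invalid_token", "unknown", f"access to {domain}/{resource}")
            return False
        if session.domain != domain:
            # Traversal to another segment without returning to the control point.
            self._log("access", session.user, domain, False, f"session bound to {session.domain}")
            self._flag("lateral_traversal", session.user,
                       f"{session.domain} -> {domain}/{resource}")
            return False
        self._log("access", session.user, domain, True, resource)
        return True


def build_demo_control_point() -> ControlPoint:
    """Constructed sample users, passwords and domain authorizations (assumed, not from the column)."""
    users = {"alice": ("correct horse", {"finance", "hr"}),
             "bob": ("battery staple", {"hr"})}
    creds, authz = {}, {}
    for name, (password, domains) in users.items():
        salt = secrets.token_bytes(16)
        creds[name] = (salt, hash_password(password, salt))
        authz[name] = domains
    return ControlPoint(creds, authz)
```

A walk-through with the demo users: alice enters the finance domain and works there; her finance session is refused in hr and the refusal is both logged and reported as a traversal anomaly; she gets into hr only by going back to enter() for a new session; bob, authorized for hr only, is refused finance even with the right password; three wrong passwords for bob trip the repeated-failures report. Every one of those events, allowed or not, is in access_log, which is the "recorded and analyzed at the control point" part of the picture.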

The roles of information security professionals will be transformed from passive policy making and active implementation to that of vendor management and security monitoring. One very positive sign that this transformation has begun is that many information security professionals are already involved in, and occasionally arbiters of, SaaS acquisition decisions.

I am not so naïve as to think that all this wonderfulness will arrive due to a sudden enlightenment in the executive ranks. To be sure, some of it will occur because of the persuasiveness of chief information security officers (CISOs). I think a lot more will happen because organizations will back into intolerable situations with uncontrolled acquisition and use of services, with only ZTX as a way out. And some will happen because, at long last, the zeitgeist is ready and willing to pay for secure computing. I am convinced that this is the way in which we information security professionals will succeed.

And then, when that happens, I will not be able to author this column because there will be nothing to write about. Nah. There will always be new challenges. Keep your seat belts fastened; it could be a bumpy flight.

Endnotes
1 Ross, S.; “Why We Failed,” ISACA Journal, vol. 5, 2018, https://www.isaca.org/archives
2 I realize that the dates of these eras are approximations. Mainframes did not disappear in 1985; in fact, they are not gone today. And the cloud did not suddenly spring into existence in 2015. The fact that boundaries are fuzzy does not mean that they do not exist. A highly unscientific search for the first mention of “the cloud” came up with “The Self-Governing Internet: Coordination by Design,” by S. Gillett and Mitchell Kapor (yes, the Mitch Kapor of Lotus) in January 1996 (http://ccs.mit.edu/papers/CCSWP197/CCSWP197.html).
3 Cytryn, A.; E. Beck; S. Ross; “Hackers, Snoopers, and Thieves: How to Handle the Latest Threats,” Journal of Corporate Accounting & Finance, June 2014, https://onlinelibrary.wiley.com/doi/abs/10.1002/jcaf.21972
4 Ross, S.; “Bear Acceptance,” ISACA Journal, vol. 4, 2014, https://www.isaca.org/archives
5 Forrester Research, “Developing a Framework to Improve Critical Infrastructure Cybersecurity,” USA, 2013, https://www.nist.gov/sites/default/files/documents/2017/06/05/040813_forrester_research.pdf
6 Ibid., p. 5
7 One such manufacturer has published a guide to implementing the Zero Trust Model with its products. Palo Alto Networks, “Designing A Zero Trust Network With Next-Generation Firewalls,” https://media.paloaltonetworks.com/documents/zero-trust-solution-brief.pdf
8 Cunningham, C.; “Beyond Zero Trust: Next-Generation Access,” ZDNet, 11 April 2018, https://www.zdnet.com/article/next-generation-access-and-zero-trust/
9 This term is espoused by Forrester Research. Cunningham, C.; S. Balarousas; B. Barringham; P. Dostie; “The Zero Trust eXtended (ZTX) Ecosystem,” Forrester, 19 January 2018, https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210
10 There are many references to a cloud of clouds in the literature. For an easy-to-read overview, see Alvarez, L.; “The Second Digital Revolution: A Cloud of Clouds,” ITProPortal, 15 January 2016, https://www.itproportal.com/2016/01/15/the-second-digital-revolution-a-cloud-of-clouds/.

IS AUDIT BASICS

Affect What Is Next Now

To celebrate its 15th birthday, LinkedIn asked its members to share what they wanted to be when they were 15. Now, I do not know about you, but an auditor was not on my list, nor did I, or any of my friends, take turns at playing auditor and auditee! And yet, we became IT auditors. How did this happen? I certainly do not believe (at least, not entirely) that life is what happens to you when you are busy making other plans. 1 We are where we are because of a series of conscious decisions. The question now becomes how do we make conscious decisions to create, grow, improve and add value to our lives, our enterprises and the profession?

At EuroCACS 2016 in Dublin, Ireland, the closing keynote speech was given by futurist Mark Stevenson. 2 It was described by a colleague sitting next to me as the best talk he had ever heard. The talk centered on eight principles that Stevenson derived from traveling and working with successful optimists. 3 That colleague, Martin Cullen, went on to read Stevenson’s book, so I tasked him to collaborate with me in reviewing the principles and their relevance to IT auditors.

Have an Unashamed Optimism of Ambition
Stevenson recommends not feeling embarrassed to say that things can be better. People should have no qualms about imagining an improved world and advocating for it, no matter how much derision they may receive at the hands of the cynical. 4

This is not about the next promotion. This is about seeing that things in audit are not as they should be and they could be better. Those who believe this is the case should advocate for it in their enterprise. And those who are not sure how things can be better can reach out to their peers in the ISACA® Online Forums. 5

Engage in Projects That Are Bigger Than You
Philosopher Daniel Dennett 6 says that an occupational hazard of his profession is being asked, “What is happiness?” The best definition he has come up with is to “find something more important than you are and dedicate your life to it.” 7

There are many issues directly related to the adoption of new and innovative technologies in the world today. Examples range from the erosion of privacy to the lack of female representation in the industry. ISACA is a leading advocate in these areas with the introduction of its privacy principles, 8 several documents around the EU General Data Protection Regulation (GDPR) 9 and its SheLeadsTech 10 program. Auditors who are passionate about these topics can do something about them by getting involved.

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA ® committees and is a current member of ISACA’s CGEIT ® Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA ® Review Manual for the 2016 job practices and was a subject matter expert for ISACA’s CISA ® and CRISC TM Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email ([email protected]), Twitter (@COOKEI), or on the Audit and Assurance Online Forum. Opinions expressed are his own and do not necessarily represent the views of An Post.

Martin Cullen, CISA, CGEIT, CRISC, COBIT Assessor and Implementer, ISO 27001 LA Is an experienced IT audit senior manager with more than 10 years of experience across different industries. His previous roles were of a technical nature and included IT software engineering, project management, business intelligence development and database administrator. He has previously presented at ISACA EuroCACS, ISACA Ireland Chapter events and in webinars. He is a Gold member of ISACA and is currently serving on the ISACA Ireland Chapter board as certification director.

ISACA is always looking for volunteers, 11 and any ISACA employee will agree that it is the volunteers who make the organization what it is.

Ideas Are for Sharing, Not Protecting Every new idea is, as Matt Ridley 12 suggests, the result of the joining together of two other ideas. Pragmatic optimists happily let their ideas meet and mingle with others. 13

Back in my very first column in this space, 14 I asked why, when we live in a world where it is very much a viable option to run a business using open-source software, we, as an ISACA community, do not develop open-source audit/assurance programs? To me, this is an idea waiting to meet someone else’s idea. Would it be possible, for example, to use GitHub 15 , Slack 16 or ISACA’s Online Forums. 17 I am not certain, but I believe it needs others’ ideas to help push it over the line.

I am also sure that everyone reading this column has ideas of their own. I would like to hear them. Only together can we truly move the IT audit profession forward.

Making Mistakes Is Okay, but Not Trying Is Irresponsible
As Ken Robinson pithily told the TED conference, 18 “Being wrong is not the same as being creative, but if you’re not prepared to do anything wrong you’ll never do anything original.” 19

We have all made mistakes during our careers and in audits. The key is to learn from them and not be afraid to try again. After every audit, each auditor should take some time to sit back and consider how it went. What went well? What mistakes were made? How could it be done better the next time? Audit-specific items should be documented and added to the audit file as there is every chance the auditor may be requested to audit this item again.

You Are Defined by What You Do, Not by What You Intend to Do
Pragmatic optimists are not interested in what others might do if they had more time or if their manager was more understanding or if they were the manager or if it was next week. People are what they do. That is it. Get on with it. 20

LinkedIn is full of conversations about the unimportance of certifications when compared to experience and, yes, there is no doubt that experience really counts. However, if people are defined by what they do, does not the fact that they have put in the effort to attain that certification say something about them? Lack of time is no excuse. Make time! Those who believe they have all the certifications they need can translate, write 21 or review items. 22 Exam Item Development Working Groups are composed based on geographical representation. Those who participate learn so much.

Be an Engineer
Engineers do not build bridges from a left-wing or right-wing perspective. They build bridges from an evidence-based perspective and, over time, bridge building gets better. Politicians make their decisions from an ideological perspective and, (in the opinion of many), over time, politics gets worse. No one should ignore politics, but those who choose engineering will do more. 23

This is key. Audit recommendations should be based on agreed criteria 24 and have the required evidence to back them up. If the evidence was obtained in an interview, it should be documented and the auditee sent a copy or a draft report produced in which the auditee is asked to confirm the auditor’s understanding.

As for politics, the auditor should remain sufficiently neutral to maintain independence while still being aware of how decisions are reached. That is, the auditor must understand who has the ability to make, ignore and overturn decisions; whether these are taken unilaterally or by consensus; and the degree to which they represent a compromise. Without such knowledge, the recommendations in the audit report may not be followed and the audit function could, consequentially, be discredited. 25

Be Prepared to Lose Nine Battles Out of 10
No one can win them all, but anyone is likely to win one battle out of 10. In “round two,” the auditor may win one battle out of nine and, by round three, one out of eight. By that time, the auditor will have created enough of a shift for the rest to follow. Those who worry about losing nine out of 10 will likely never enter the fray. It is useful to concentrate on winning the one. Overnight success is for the movies. 26

This is about winning the war, not the battle. All IT auditors have been here. They have identified a significant issue and, being conscientious and aware of the politics, they have reported the finding to management early only to be told at the exit interview that there is no issue or the issue has been resolved and should no longer be in the audit report.

My advice? If there is no compelling reason not to and it is possible to confirm that the risk has been addressed, the item should be removed. The auditor has done his or her job. The job is to help mitigate risk, not to have findings. Not only that, it has been accepted that the auditor’s recommended course of action was the correct one; this will work in his or her favor the next time a similar issue is found in another application. Furthermore, the auditor is building a relationship of trust with the auditee. This will be helpful the next time there is a finding that cannot be removed.

Kick Out Cynicism
Cynicism has become embedded in society and it is often seen as wisdom. Yet there is nothing wise or even likeable about cynicism. For the cynic, everything is just a little too hard to imagine or do. As such, cynicism is both a recipe and an excuse for laziness. Auditors should have no time for it. 27

It can be very easy to become cynical and even have a sense of futility when working as an IT auditor. This is especially the case when finding the same issues across different applications and nothing ever seems to change. I urge IT auditors to avoid this and try to think differently. Could the applications be audited horizontally? 28 Could the issues be tackled from another angle? Remember the culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities. 29 Peers in ISACA’s Online Forums 30 may be a good source of help in this area.

Conclusion
At the end of the day, if there is one guiding principle that encapsulates all these principles, it is, “Judge your worth not by what you own, but by what you create.” 31 ISACA is the vehicle that allows IT auditors to learn and create. When I was 15, I was torn between IT and journalism. ISACA has enabled me to do both. Along the way, I feel I have created, I have grown and I have improved. This, in turn, has brought value to my enterprise. As it approaches its 50th anniversary, ISACA can allow anyone reading this article to do more, too. Members can affect what is next, now. Pragmatic optimism tells us that the future is still a game worth playing and all players can make a difference. 32

Endnotes
1 Lennon, J.; Beautiful Boy (Darling Boy), USA, 1980
2 Stevenson, M.; “‘Reluctant Futurist’ Mark Stevenson Is an Author, Broadcaster and Expert on Global Trends and Innovation,” https://markstevenson.org/
3 Stevenson, M.; An Optimist’s Tour of the Future, Avery, USA, 2011, http://anoptimiststourofthefuture.com/
4 Stevenson, M.; “Eight Principles of Successful Optimists,” The Wall Street Journal, 20 March 2012, https://blogs.wsj.com/speakeasy/2012/03/20/eight-principles-of-successful-optimists/
5 ISACA Online Forums, Audit and Assurance, https://engage.isaca.org/communities/onlineforums
6 Encyclopaedia Britannica, Daniel C. Dennett, https://www.britannica.com/biography/Daniel-C-Dennett
7 Op cit Stevenson 2012
8 ISACA, Privacy Principles and Program Management Guide, USA, 2016, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ISACA-Privacy-Principles-and-Program-Management-Guide.aspx
9 ISACA, “General Data Protection Regulation (GDPR) Readiness, Assessment and Compliance,” https://www.isaca.org/info/gdpr/index.html
10 ISACA, SheLeadsTech, https://sheleadstech.isaca.org/
11 ISACA, Volunteer Opportunities, https://engage.isaca.org/volunteeropportunities/about
12 Ridley, M.; “When Ideas Have Sex,” TEDGlobal 2010, https://www.ted.com/talks/matt_ridley_when_ideas_have_sex
13 Op cit Stevenson 2012
14 Cooke, I.; “Audit Programs,” ISACA Journal, vol. 4, 2017, www.isaca.org/archives/
15 GitHub, https://github.com/
16 Slack, http://slack.com/
17 ISACA Online Forums, https://engage.isaca.org/communities/onlineforums
18 Robinson, K.; “Do Schools Kill Creativity?” TED2006, https://www.ted.com/talks/ken_robinson_says_schools_kill_creativity
19 Op cit Stevenson 2012
20 Ibid.
21 Op cit ISACA, Volunteer Opportunities
22 ISACA, Committees, Working Groups, Advisory Councils and Other Volunteering Opportunities, www.isaca.org/About-ISACA/Volunteering/Pages/Boards-and-Committees.aspx
23 Op cit Stevenson 2012
24 “Criteria” is defined as the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. ISACA, “ITAF: Information Technology Assurance Framework,” www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
25 Gelbstein, E.; “The Soft Skills Challenge, Part 2,” ISACA Journal, vol. 3, 2015, www.isaca.org/archives
26 Op cit Stevenson 2012
27 Ibid.
28 Cooke, I.; “Innovation in the IT Audit Process,” ISACA Journal, vol. 2, 2018, www.isaca.org/archives, figure 2
29 ISACA, COBIT® 5, USA, 2012, www.isaca.org/COBIT/pages/default.aspx
30 Op cit ISACA, Audit and Assurance
31 Op cit Stevenson 2012
32 Ibid.

THE PRACTICAL ASPECT

Why Worry About IoT?

A recent post on a neighborhood blog read:

“Our camera picked up a suspicious young male, approximately 17-24 years old, who approached the house, looked to the right of home, into the side door window, front door lock and into the camera before walking away quickly. Cannot be certain about his intentions, but wanted to make the neighborhood aware. My husband left message with the police department.”

So, the old door locks are not the same as today’s smart locks with sensors, cameras and Internet connectivity. These locks not only prevent physical intrusion, but also do reconnaissance, record evidence along with a time stamp, and alert the owner and others charged with security responsibilities to act promptly.

The Internet of Things (IoT) refers to physical objects that have embedded network and computing elements and communicate with other objects over a network. 1 It is a network of items—each embedded with sensors—that are connected to the Internet. 2 These objects or devices possess at least two attributes: Each has a unique identifier and the ability to share data and interact remotely over a network without human intervention. These devices communicate over the network via wireless protocols such as Bluetooth; they are not dumb, but rather “smart.” For example, the motion sensors embedded in the application (app) that supports the camera at the front door generated all images and alerted the device owner to the risk of an uninvited visitor.

The concept of IoT has become more real—more available—with the presence of the Internet combined with smart devices of recent origin. Over a relatively short period of time, smart devices have become smarter—that is, faster, with greater capacity to work with data, more processing capability and at a lower cost. And yet, what seemed like a wave of transformation enabled by IoT has lost some steam lately.

And yet, there is considerable optimism in what is anticipated in the world of IoT. According to a collaborative report on IoT in logistics, compared to 15 billion connected things in 2015, there will be 50 billion things connected to the Internet by 2020. 3 However, this represents only 3 percent of all connectable things, which continue to grow in number and sophistication over time. The proliferation of embedded sensor technology, wearables and apps has already caused incredible change in just a few short years. It can be concluded that “we are just beginning to connect everything unconnected.” 4

Vasant Raval, DBA, CISA, ACMA Is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include information security and corporate governance. He can be reached at [email protected].

Ranjit D. Thaker, CISA, MCSM Is the chief information officer for a leading time-critical, same-day air and ground transportation service provider. He has been in this role for more than 10 years. He has served in IT leadership positions in the specialty logistics industry for more than 25 years. He can be reached at [email protected].

10 ISACA JOURNAL VOL 6

Early evidence of the revival of IoT rests in the arrival of 5G. Citing MOBI, a Wall Street Journal article suggests that 5G could connect a trillion devices in the next decade.5

There are two distinct domains in which IoT has flourished. First, early adoption of the concept emerged in industrial or manufacturing settings, where the supply chain was made more efficient or effective, perhaps even addressing issues of safety in the workplace. The following examples of such applications are drawn from the transportation logistics industry:

• Tracking—Most used by parcel or delivery service providers to track shipments and keep customers up to date on the location of their shipment/estimated time of delivery
• Environmental parameter tracking—Used for sensitive cargo (e.g., specimens, organs, pharmaceuticals) to monitor temperature, humidity, speed, shock, etc.
• Vehicle maintenance and driver behavior—Used to optimize fuel efficiency, reduce breakdowns and monitor driver behavior (e.g., speeding, frequent braking, lane violations)
• Inventory management and operational optimization within warehouses
• Data analytics—Analytics based on data collected from IoT devices and their use in improved decision support

Industrial IoT (IIoT) was a logical extension within the organization. The insights generated from the supply chain are harnessed into IoT apps developed and embedded into the supply chain support platform. Information security and privacy issues in IIoT are more easily controlled because the applications are within the boundaries of the organization, and devices and software are probably screened prior to acquisition. And their scope is tightly perimeterized, although anchored on the Internet.

A later development pushed IoT applications into the consumer arena, which can be called Consumer IoT (CIoT). Because it involves reaching out to customers who may have varying security environments and perhaps a variety of different devices among them, achieving reasonable goals on the privacy and security fronts may be a challenge. The relative newness of integrating consumers into the IoT ecosystem adds a formidable dimension to the implementation of CIoT. It is challenging to understand the IoT footprint and control dimensions of each class of IoT device. Also, IoT devices and technology integrate with several private and public network segments with a combination of privileged and open access; hence, a traditional third-party risk management (TPRM) approach to controlling devices and software needs an IoT technology-specific control domain to mitigate the additional risk. The problem with these IoT devices is that they are made by consumer electronics companies. Unfortunately, consumer electronics products change often, adding to the risk scenarios. And even these organizations are themselves new to this level of computing and, therefore, vulnerable to making rookie errors in their firmware code.6

Perhaps there are IoT applications that cut across IIoT and CIoT. However, from an information security viewpoint, it is easier to see the challenges if such applications are identified using this binary classification. The former is mature, better controlled, better known to the organization and limited to the internal network(s). The latter is new, introduces more devices from more vendors (likely from the consumer electronics industry), and connects the external customer to the internal world or the internal employee to the outside world. Clearly, the IIoT ecosystem offers more comfort on the privacy and security front. CIoT is early in its development and, while popular and exciting to end users, needs more groundwork before an organization ventures into CIoT applications.

Essential Questions
Here are some essential questions that need to be addressed, among other things, to ensure that IoT is introduced to the organization with care and due

diligence. Some of these questions apply equally to just about any IT introduction, but are certainly worth repeating because of the fundamental nature of the question of technology adoption:

• Do you have a business case for the use of IoT? Technology is an enabler of value creation; its use just for the sake of using it could be valueless. It is important to ask first, "Does the organization have the potential to create value through the adoption of IoT?" The answer to this question may change over time; therefore, it is important to revisit the question at appropriate intervals. Leaving the question buried in the past could hurt the organization's competitiveness.

• Do you have a policy on the deployment of IoT? Do you have other policies that support the IoT initiative? Once it is determined that IoT adoption could potentially help create value, the development and use of a policy toward adoption of the technology should be considered. Without such a policy, a controlled and intentional introduction of IoT that meets the organization's policy criteria is not possible. Just like the rules in configuring a firewall, the first rule is to not allow anything in, then progressively modify the rules to admit only what is desired.

• What appear to be the weakest links in the defense-in-depth of the IoT ecosystem? Network privileges and access vulnerabilities are the most significant. Where to draw the line in terms of allowing a network to access IoT applications is crucial to stemming any compromise of security. Security management should be quite discerning about what is essential to provide and what is a luxury that causes more risk than benefit to the organization. Another weak link in the CIoT environment is smart consumer electronics and the difficulty of tracking their ability to provide things acceptable under the organization's policy. The extension of TPRM to the IoT ecosystem is easy to visualize but difficult to implement due to the diversity, vastness and constantly changing characteristics of the devices produced. It is doubtful whether one can rely on the device makers to provide adequate security in the product features. Finally, the consumers who get connected to the IoT may not be aware of the vulnerabilities that their use of the application would engender, and this could consciously or unconsciously enable a cyber compromise.

• How do you limit the seemingly pervasive IoT networks? First, a business case for each implementation must be made and, if this is done successfully, the minimum number of networks that should be allowed access to the IoT applications should be determined. Second, restricting scope and limiting risk is greatly affected by how well the perimeter of the network carrying the IoT traffic is controlled and how strong the access privileges to the network are. Sound security practices driven by a sound policy framework provide essential big steps toward secured IoT networks. Finally, user education is important, especially in CIoT environments where users may be remote from the risk; their awareness and cautious behavior are soft, but important, components of IoT security.

• How do you keep up with the continued development of the field (i.e., devices, device makers, software, firmware)? Should the organization trust smart devices its employees bring to work? As the Strava incident7 has taught us, any device capable of running software could become problematic if that software is transmitting intelligence about the enterprise's network. Employees could use their smartphones to run a seemingly innocent Internet speed test, for example, and end up sharing details about the internal network architecture that should be kept private.8 While service level agreements (SLAs) could help gain some assurance that devices engaged in IIoT are secure, it would be difficult to implement a similar mechanism on the CIoT side, for the consumer electronics device makers are too diverse and do not necessarily focus on serving organizations in a one-to-one relationship as third parties. Besides, the continuity of electronic device makers or their products may be uncertain.

There are few technology fronts where, upon adoption, one can choose to rest without periodic evaluation. It is necessary for organizations to constantly monitor changes in the domain space to determine if any action needs to be taken at their end. What might have been launched as a potential value could quickly dissipate or could result in greater risk than anticipated. To continue to leverage the organization's strategic and operational excellence, it is necessary to continuously be on the lookout for the edge of innovation in IoT.
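The two questions above, limiting which networks may reach the IoT applications and starting from a firewall posture that allows nothing in, can be made concrete as an allowlist with a default-deny fallback. The following Python is an added example written for this editorial pass; it is not code from the article or its authors. It assumes a hypothetical sensor VLAN, telemetry ingest host, time source and flow-record format, all chosen for illustration; it scores constructed flow records against the allowlist and renders the same policy as an nftables forward chain with policy drop.

```python
# Added example (not from the ISACA Journal article): a default-deny,
# allowlist-first policy for an IoT segment, checked against constructed
# flow records and rendered as an nftables ruleset. All addresses, names,
# ports and the flow-record format are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit permit; anything not matched by a Rule is dropped."""
    name: str
    src: str      # CIDR of the source segment
    dst: str      # CIDR (or /32 host) that segment may reach
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Assumed segments (hypothetical addressing, not from the article).
IOT_SENSORS = "10.50.0.0/24"     # cargo/vehicle sensors on their own VLAN
INGEST_HOST = "10.60.0.10/32"    # the IoT application that receives telemetry
NTP_HOST = "10.60.0.20/32"       # internal time source

# The minimum set of paths the business case justifies, and nothing else.
ALLOW: List[Rule] = [
    Rule("sensors-to-ingest-mqtt-tls", IOT_SENSORS, INGEST_HOST, "tcp", 8883),
    Rule("sensors-to-ntp", IOT_SENSORS, NTP_HOST, "udp", 123),
]


def match(flow: Flow, rules: List[Rule] = ALLOW) -> Optional[str]:
    """Return the name of the first permitting rule, or None (default deny)."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and flow.proto == r.proto and flow.dport == r.dport):
            return r.name
    return None


def parse_flow(line: str) -> Flow:
    """Parse a 'src dst proto dport' record (constructed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines: List[str], rules: List[Rule] = ALLOW) -> Tuple[List[str], List[str]]:
    """Split flow records into (permitted, denied), each tagged with the decision."""
    permitted, denied = [], []
    for line in lines:
        rule = match(parse_flow(line), rules)
        (permitted if rule else denied).append(f"{line} -> {rule or 'DROP (default)'}")
    return permitted, denied


def to_nftables(rules: List[Rule] = ALLOW) -> str:
    """Render the allowlist as an nftables forward chain whose policy is drop."""
    out = ["table inet iot_policy {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in rules:
        out.append(f"    ip saddr {r.src} ip daddr {r.dst} "
                   f"{r.proto} dport {r.dport} accept comment \"{r.name}\"")
    out += ["  }", "}"]
    return "\n".join(out)


# Constructed sample records (src dst proto dport), not real traffic.
SAMPLE_FLOWS = [
    "10.50.0.17 10.60.0.10 tcp 8883",   # telemetry to the IoT application
    "10.50.0.17 10.60.0.20 udp 123",    # time sync
    "10.50.0.17 10.10.5.5 tcp 445",     # sensor probing the corporate LAN
    "10.50.0.17 203.0.113.9 tcp 443",   # sensor calling an unlisted cloud host
    "10.10.5.5 10.50.0.17 tcp 22",      # corporate host reaching into the IoT VLAN
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_FLOWS)
    print("permitted:", *ok, sep="\n  ")
    print("denied:", *blocked, sep="\n  ")
    print(to_nftables())
```

Only the two justified paths survive; the sensor's attempt at SMB on the corporate LAN, its call to an unlisted Internet host and the corporate host's SSH into the sensor VLAN all fall through to the default drop. Adding a path means adding a Rule with a name that records why it exists, which is the progressive loosening the article describes.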

In as much as technology is an enabler, not taking advantage of it in a timely manner could, in fact, disable the enterprise. Today, it is not a choice to allow a technology to pass by without the organization conducting a thorough review regarding its potential role in value creation for the organization. A technology may get hot at times and cold during other times; however, keeping an eye on its edge is an important first step toward continuing to leverage the technology. Not all technologies may fit a larger, or any, role in an enterprise at any given time. However, scanning the environment to reflect on where it is today and what it can do for the enterprise is an opportunity that should not be sacrificed.

That is why business and IT leadership should worry about IoT.

Endnotes
1 ISACA, Internet of Things: Risk and Value Considerations, USA, 2015, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/internet-of-things-risk-and-value-considerations.aspx
2 IEEE, "Special Report: The Internet of Things," USA, 2014, http://theinstitute.ieee.org/static/special-report-the-internet-of-things
3 DHL and Cisco, Internet of Things in Logistics, USA, 2015, https://discover.dhl.com/content/dam/dhl/downloads/interim/full/dhl-trend-report-internet-of-things.pdf
4 Ibid., p. 26
5 Woo, S.; "Why Being First in 5G Matters," The Wall Street Journal, 12 September 2018, https://www.wsj.com/articles/why-being-first-in-5g-matters-1536804360
6 Jones, D.; "Does your Organization Need an IoT Policy?" Pluralsight, 30 January 2018, https://medium.com/pluralsight/does-your-organization-need-an-iot-policy-f09e3e3f967f
7 Romano, A.; "How a Fitness App Revealed Military Secrets—And the New Reality of Data Collection," Vox, 1 February 2018, https://www.vox.com/technology/2018/2/1/16945120/strava-data-tracking-privacy-military-bases
8 Op cit Jones


THE NETWORK
Building Tomorrow's Leaders Today

Glory Ninsiima, CISA, CompTIA Security+, ISO 27005, ISO 31000, ITIL Foundation, PRINCE2 Foundation
Is a certified risk manager and IT auditor with eight years of experience in information systems management and IT auditing, mainly in the banking industry. Currently, she is a senior IT auditor with the Central Bank of Uganda, where she participated in the implementation of IT systems that facilitated the transition from manual processing to automation of all government and nongovernment payments processed by the Central Bank of Uganda. Ninsiima serves as secretary of the ISACA Kampala (Uganda) Chapter and also as the representative of the African region on ISACA's International Chapter Liaison Working Group. She is also a member of the Institute of Internal Auditors.

Q: How do you think the role of IT auditor is changing or has changed?

A: In the past, the role of the IT auditor was to assess the technical environment and report on the control weaknesses. Today, the IT auditor is taking on an advisory role to management on IT-related issues. The IT auditor needs to be able to translate technical information into operations language that the business can understand and from which it can derive value. Management needs assurance that it is deriving value from IT investments, that the suggestions being made by the IT department are strategically driven and will deliver as promised and that the security posture of the organization is strong. It is the role of the IT auditor to review the governance of IT, IT risk and investment, and give feedback to management in the form of recommendations.

The IT auditor needs to look forward internally and externally and identify issues that could affect business performance, assess the control environment against these and advise management on the best way to avert future risk. Technology changes at a rapid pace and IT auditors need to adapt and think innovatively about how the organization can improve its control environment to guard against evolving threats. As the world moves toward artificial intelligence (AI), the role of the IT auditor leans into data analysis and forensics. The IT auditor also must evaluate risk from the perspective of achieving the organization's strategic objectives.

Q: What leadership skills do you feel are critical to be successful in the technology fields?

A: Patience and the ability to explain and elaborate the value of what practitioners are delivering, especially to a nontech-savvy audience. Soft skills go beyond any knowledge that one may have. Practitioners must also be competent and firm without being excessively aggressive, as this may overshadow or distract from a well-intentioned message.

Q: What is the best way for someone to develop those skills?

A: Develop and harness your emotional intelligence. Take up opportunities to lead that are not work related to help prepare for leadership roles. Get a mentor and request feedback from trusted colleagues. One should know their strengths and capitalize on them, for there lies one's ability to shine. Being competitive and comparing oneself with others only breeds frustration. Know what you are good at and do it. The rest falls in place.

Q: What advice do you have for IT audit professionals as they plan their career paths and look at the future of IT auditing?

A: It is important to network. Use social media to advance your career and put yourself out there. Facebook, Twitter and LinkedIn are great places to learn more about what is going on in the technology field, get to know the buzz in the profession, understand the latest trends and learn how other professionals are conducting themselves.

Great communicators capture an audience and easily get buy-in from board members and management. Polish communication and interpersonal skills, for these go beyond technical knowledge.

Find a mentor or make friends with someone you admire in the field and seek their guidance by asking them specific questions about their experience and advice.

Q: What do you think are the most effective ways to address the lack of women in the technology workspace?

A: The number of women who pursue computer science at the university level is typically lower than males and it drops as the students conclude university and choose career paths. This is not helped by the fact that there is a decline in the number of women pursuing science or computer-related courses. These facts make it difficult to have women role models in this industry.

Programs such as ISACA's SheLeadsTech are a great way to increase the representation of women in technology and encourage taking up leadership roles in this field. They give a sense of identity and security to the women in the field, they provide an opportunity to share challenges and inspire women to take up leadership roles and be good at them in a male-dominated field. Such programs also encourage women who have been in the field to stay longer. Support and encouragement from the women who have made it in this field gives witness to those starting out that it is possible to join this profession and make it; this reduces the attrition rate of women from the profession. As women, we need to rise up and boldly take on challenges that give us visibility. We must have a mind-set that believes we can. Mentorship programs are also great channels to increase the number of women in technology.

Earning certifications that will make one recognized at the international level goes a long way and gives one a competitive advantage to climb the career ladder. Also, organizations should consider having favorable maternity leave policies and gender balance recruitment programs as part of their organizational culture.

Women need to promote themselves and female colleagues in their work environments. Correcting the gender imbalance in the technology field is not an issue that will be solved overnight. It is a work in progress that calls for the input of organizations, women in the field, those intending to join, those exiting and the technology industry at large.

Q: What has been your biggest workplace or career challenge and how did you face it?

A: When I joined the audit profession, I soon found out that internal auditors are the least favorite people in an organization. I had to develop thick skin and realize that the work I do as an IS auditor adds value to the business, improves operations and helps the business see the value of a stronger control environment through implementation of recommended changes. All of that proved encouraging. As the years have progressed, I have found it to be a rewarding profession because one gets to know enterprise operations in its entirety and, therefore, has an edge over the rest in managing operations or during an interview. An auditor can easily work in any field they have audited.

1 What is the biggest security challenge that will be faced in 2019?
Data leakage will continue to be the biggest security challenge faced as digitalization increases every day.

2 What are your three goals for 2019?
• Take a long overdue vacation
• Change the work environment
• Spend more time with family

3 What is your favorite blog?
ISACA's Nexus, Bright Talk and Gartner. I also enjoy health-related blogs.

4 What is on your desk right now?
The organization I work for enforces a clear desk policy, so currently there is a cup of warm water, a glass of passionfruit juice, a notebook to keep track of today's assignments and a desktop computer on which I am typing this.

5 Who are you following on Twitter?
I mostly follow cyber-related tweets and ISACA international news.

6 How has social media impacted you professionally?
Social media has helped increase my professional network and keep abreast of the latest news in technology.

7 What is your number-one piece of advice for other IT audit professionals, especially women?
Be bold. Do not wait for the perfect moment; that moment is now. Use the resources at your disposal to get to the next level.

8 What do you do when you are not at work?
I enjoy reading inspirational stories, fine dining and spending time with family and friends.

FEATURE
Future-Proofing a Career in Cybersecurity

The Skills Gap
Help wanted! Millions of security professionals needed to help fill critical roles required to protect the world's infrastructure, data and people—apply now!

Security professionals are in high demand, but the challenge is that there are not enough qualified employees to fill open enterprise requisitions. For confirmation, it is worth taking a look at ISACA's report State of Cybersecurity 2018.1 Part 1 of the report outlines workforce development and mentions that 59 percent of the respondents to the survey upon which the report is based have open, unfilled security positions. Years of costly incidents and breaches have led to chief executive officers (CEOs) worrying about security threats. PricewaterhouseCoopers' 2018 report Threats: What Keeps CEOs Up at Night Differs by Region2 highlights that executives are concerned about cybersecurity threats—a concern that was ranked number 10 in 2017, but has risen to number four in 2018. Cybersecurity is now a top executive topic and one that has the board of directors paying attention, too.

Though there is seemingly no end in sight for enterprise anxiety over security issues, there is no guarantee employees will have perpetual job security and be immune to changes in the industry that disrupt human . Security professionals need to evolve and enhance their careers to better position themselves for continued employment because technology and automation will be a priority for security leaders playing catch-up to the adversary.

Whether candidates are new to the security field or have some tenure, it is imperative that they not rest on their laurels and keep advancing the career skills that employers are seeking.

Technical Skills—Taking Initiative and Learning Something New
Security practitioners have plenty of opportunity to learn new skills, in many cases at low to no cost. Employers will likely allocate some budget to obtaining new skills, but, regardless, practitioners need to invest in themselves and assume the employer will not. Technology moves too quickly to sit back and get comfortable.

Employees should be dabbling in new technology to at least understand the basics. Years ago, building a lab would have required expensive hardware and licenses. Today, there is a plethora of opportunity to build a lab in the cloud at minimal cost. This is a fantastic way to build something, break something, build it back again and then share the experience with others. It is a great story to tell. There is significant value in explaining this in a technical interview or, as an experienced hire, being able to convey to a potential team the ability to "walk the talk." In many cases, this may be enough to land the next internal or external position.

Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
Serves as a director of technical alliances with business development solution integration responsibility for enterprise customers. Previously, he spent nearly two decades leading cybersecurity and technology in financial services and was the head of cybersecurity for 12 years. Saurbaugh is faculty with IANS Research and strategically advises Fortune clients on cybersecurity. Involved from the onset with Security Current when it launched, Saurbaugh served as the research director, leading a number of strategic projects for global security vendors and CISOs. Saurbaugh is also a mentor with cybersecurity accelerators MACH37 and Queen City Fintech, and he owns a security consulting LLC where he conducts independent advisory and risk assessment engagements. Saurbaugh has served in various curriculum advisory committee roles for higher education.

The list of new technologies continues to grow, but there are a few that stand out in the short term, despite the list's ongoing expansion. Following are a few growing areas where practitioners can and should devote some time to help ensure that they are in a better position to land that next role:

• Python
• PowerShell
• Amazon Web Services (AWS)
• Microsoft Azure
• Docker
• Analysis and incident response
• Application security
• Kubernetes
• Threat intelligence
• Threat hunting
• Forensics
• Malware analysis
• Penetration testing
• Data science fundamentals

While this is not an exhaustive list, Coursera,3 edX,4 LinkedIn,5 Udacity6 and Udemy7 offer various technology courses for free or at low cost. Also, Microsoft offers training on Azure,8 and Amazon offers training on AWS.9

When embarking on a course, it may become apparent quickly that it is not the right path. It is okay to fail fast. Practitioners' curiosity and interest in trying something new, especially in the security field, should be an expectation and something employers seek. Determining that the technology is not interesting or it is too much of a struggle to grasp the basics is fine, but it is important to move on and try something else as opposed to remaining comfortable.

Ultimately, technical skills will more than likely win the job for the candidate. This can be hard, especially for experienced candidates who have progressed up the management ranks. It is all the more reason for managers who are not doing the day-to-day hands-on work to do their best to keep their skill set up as much as possible.

Soft Skills Matter
Conversely, employees who have fewer years of experience, but aspire to a higher-level position should be working on attributes that will set them apart. Soft skills do matter. It is very easy to overlook soft skills in the security and technology field.

Soft skills are personal attributes that support interaction with other people. It is much different from the solitude that often comes with technology work and extended computer time with the screen and keyboard providing bidirectional communication.

It is no secret that businesses rely on technology, making cybersecurity a key area of focus for businesses eager to protect systems and data. Soft skills are required to obtain buy-in from the business. Many technologists excel in technology due to requirements for system security, uptime and functionality, and may not have essential soft skills.

What soft skills and personal attributes are influential in career growth? Many of these are no surprise, but they are sometimes given less focus:

• Communication (written, verbal)
• Team orientation
• Organization
• Project management skills
• Service orientation
• Business finance comprehension
• Business acumen
• Emotional intelligence
• Empathy
• Listening
• Personability
• Negotiation

Soft skills translate into professionalism, too. In other words, career advancement often depends on professional growth and dropping bad habits that hold people back. Being someone who others want to work with can be a significant career advantage. Managers can always train skill, but ridding employees of a bad attitude is a completely different challenge and one that many are not willing to fight long term. It goes without saying in information security, but for the sake of full inclusion, it is important to stress the need to be true and genuine and hold a high degree of integrity.

The Importance of a Professional Network
Building a strong professional network is essential. Employees who spend too much time isolated from others in their industry are likely to find it difficult to pivot to the next organization when they want to make a change. This is not to say loyalty and dedication to one's organization is a negative, but time does need to be made for connecting with others.

Some may find this rather obvious and are well on their way to establishing a strong professional network. Surprisingly, though, it is easy for some to stay within their comfort zone and not engage with others. The challenge is that when these individuals are seeking their next position, they may have trouble finding a role they desire. Many positions are not posted externally and sometimes, before they are even posted, up-and-coming opportunities may be known to peers. Those who are connected may stand a better chance of getting an earlier opportunity to demonstrate that they are the better candidate.

Obviously, social networking is a great place to get started. Professionals do not have to be the most acclaimed user of Twitter or LinkedIn, but they are advised to have some sort of presence (at least on LinkedIn). In addition, conferences are a great place to meet new people and start to forge new relationships. It may be uncomfortable for those who are not overly social, but there is a need to start making connections one by one. There is no shortage of low- to no-cost conferences to meet new people in the local area. Many global events can be attended online.10

Conferences need speakers. Consideration should be given to submitting to the call for papers (CFP). Speaking at conferences is a great way to improve one's personal brand. Done well, it is a way to start being identified as a leader in a particular discipline. However, speakers must beware because the security industry will scrutinize the content, so speakers need to be prepared to deliver highly informative presentations.

Give Time to Help Others
Those who have learned a lot should share their knowledge. What does this do for a career? For starters, it helps promote a personal brand and recognition in the industry. In addition, it increases education on the topic among technical and nontechnical people. This is a common outcome of conference talks and individual blog posts. The security industry thrives when practitioners and managers share what they have learned, both good and bad, in their day-to-day activities.

It is great when security knowledge reaches a technical audience, but what about nontechnical people? The average person who has a smartphone and/or a computer uses most of the same applications as the rest of the world when it comes to office work and social media. Volunteering some time to help educate nontechnical people on how to better secure their data and the systems they use can go a long way toward expanding one's technical reach in the world. It also helps practitioners work on communication skills. Acronyms do not work well with laymen or the business. This is a chance to home in on enhancing communication skills to get the point across.

This activity makes for a great conversation with current and potential future employers. It is a blend of so many useful traits that employers seek: technical prowess, soft skills, contributions to the profession and initiative, to name a few. Furthermore, it is not uncommon for employers to have a volunteer program initiative for the workforce in which professionals can contribute and help increase knowledge, skills and abilities among those involved.

For more experienced professionals, mentoring junior employees can be a rewarding experience. Granted, a lot of this will be done within the organization itself, but it is not to say that it cannot be done outside the corporate environment, too. If someone reaches out and shows genuine interest in learning from experience, it is a good time to lend a hand. At the same time, mentoring should not be overly draining, so managing the time allocated is important.

Additional Options and Resources
Certifications have been sought by practitioners for years and still hold a place for many in the industry.

18 ISACA JOURNAL VOL 6

Their value varies, based generally on the enterprise hiring. If an organization requires certifications, then there is value in holding one or more. Some organizations do not care and are more interested in job skills than in whether candidates have initials after their name. But, in general, certifications carry merit.

For newer employees in the field, they are certainly worth looking into and obtaining. Credentials from CompTIA, ISACA®, (ISC)² and SANS, along with vendor-specific certifications, offer the opportunity to indicate to employers that a certain level of mastery has been achieved. Additionally, and this goes for experienced employees, it also shows some dedication to the field and career. After all, unless an employer is requiring a certification, a lot of this is based on initiative and exemplifies dedication to and passion for one’s career path.

A respected personal development resource, regardless of the employee’s career focus, is StrengthsFinder,[11] which helps people identify their strengths vs. calling attention to weaknesses. The idea is to continually capitalize on strengths to be more successful. Too often, weaknesses are the focus, which can drag people down. However, by leveraging strengths, people tend to excel and are happier in the process.

Those who wish to remain informed on what is going on in the industry job market should check out CyberSeek,[12] which is a culmination of career path information for employers, employees, educators and students.

The National Initiative for Cybersecurity Education (NICE),[13] offered by the US National Institute of Standards and Technology (NIST), focuses on education, training and workforce development. The framework on which the initiative is based[14] outlines knowledge, skills and abilities that are needed to perform tasks in a role.

Conclusion

Careers are what people make of them. There are no guarantees. It is in a person’s best interest to continue to evolve and not sit back and wait for something to happen. The security field needs all kinds of people with diverse backgrounds and experiences. As mentioned earlier, technical skills tend to capture the most attention, but there is a need for well-rounded individuals. When faced with a choice, it is preferable to err on the side of learning more on security technology, but still putting some effort into soft skills as time allows.

The job market continues to look promising for quite some time, but it is unlikely to last forever. In the meantime, putting in the extra effort to learn a new technology, enhance soft skills and build a professional network while giving back in the process is likely to result in the phrase, “you are hired!”

Endnotes
1 ISACA®, State of Cybersecurity 2018, https://cybersecurity.isaca.org/state-of-cybersecurity
2 PricewaterhouseCoopers, Threats: What Keeps CEOs Up at Night Differs by Region, 2018, www.pwc.com/gx/en/ceo-agenda/ceosurvey/2018/gx/business-threats.html
3 Coursera, www.coursera.org/
4 edX, www.edx.org/
5 LinkedIn, www.linkedin.com/
6 Udacity, www.udacity.com/
7 Udemy, www.udemy.com/
8 Microsoft, “Get Hands-on With Cloud Technologies From Microsoft,” https://www.microsoft.com/handsonlabs
9 AWS, “Welcome to AWS Training and Certification,” https://aws.amazon.com/training/
10 InfoSec Conferences, “The Community’s Official Cybersecurity Conferences Directory for 2018,” https://infosec-conferences.com/
11 Rath, T.; Discover Your CliftonStrengths, Gallup Press, USA, 2007
12 CyberSeek, www.cyberseek.org/
13 National Institute of Standards and Technology, “National Initiative for Cybersecurity Education (NICE),” USA, https://www.nist.gov/itl/applied-cybersecurity/nice
14 National Institute of Standards and Technology, “NICE Cybersecurity Workforce Framework,” USA, https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework


Is Artificial Intelligence a Career Path for You?

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP
Is a senior consultant at Coalfire-Federal with more than 19 years of experience in IT security and privacy. Wlosinski has been a speaker on a variety of IT security and privacy topics at US government and professional conferences and meetings, and he has written numerous articles for magazines and newspapers.

Is the world changing too fast? Can society continue to do the best it can? The population is currently more than 7.6 billion.[1] The amount of data accumulated is predicted to exceed 44 zettabytes (or 44 trillion gigabytes) by 2020, with a growth rate of 1.7 megabytes per second for every human being.[2] The number and types of data-gathering devices, sensors and mechanisms are growing to feed the need to obtain, process and manage the data. So how can an individual help?

What has been happening in industries where artificial intelligence (AI) is used is examined herein. Also reviewed are the AI software industry requirements, the skill sets and job requirements for AI, the marketplace and job options available for entering the field of AI, and the earning potential.

AI Definition

First, it is important to know the definition of AI. There are many, including:
• “The study and design of intelligent agents, where an intelligent agent is a system that perceives its environment and takes actions which maximizes its chances of success.”[3]
• “Simply put, artificial intelligence is a sub-field of computer science. Its goal is to enable the development of computers that are able to do things normally done by people—in particular, things associated with people acting intelligently.”[4]
• “The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.”[5]
• “The ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings. The term is frequently applied to the project of developing systems endowed with the intellectual processes characteristic of humans, such as the ability to reason, discover meaning, generalize, or learn from past experience.”[6]

These sample definitions show how diverse and evolved AI is. Here, the definition from a worldly and job requirement perspective (and not necessarily robotics) is examined.

AI Usage

AI can be used for many purposes, including answering questions, searching documents, performing language translations, improving marketing efforts, monitoring information security and being a home assistant. Figure 1 contains examples currently in place.[7]

Figure 1
Answer questions (i.e., chatbots, virtual agents):
• New York City (New York, USA) built a system to answer questions and complaints about city services.
• Surrey, British Columbia (Canada) developed an application (app) to address 65 percent of questions that may be on city websites.
• An instant messaging application has been programmed to provide text and emoji responses.
• ordering (e.g., Dominos, 1-800-Flowers).
• TV remote controls can retrieve information about requested programming (e.g., types of programs or particular programs or movies).
• (banks, securities, insurance) and accounting.
• Healthbots walk users through symptoms to diagnose the likelihood of a particular illness.
• Some organizations use AI to provide personalized fund management advice.
Search documents:
• A chatbot lawyer app helps refugees determine which application to use.
• One US state government is using AI to help citizens search documents on more than 1 million pages while saving tens of thousands of US dollars that would have otherwise been spent in upgrades.
• Turnitin searches massive databases of reference material and foreign language sources to check for plagiarism.
• Amazon searches through its inventory to provide recommendations based on relevance to previous user purchases or searches.
• Based on searches of existing media, some apps can recognize faces in photographs and newsfeeds.
Route requests:
• An insurance company uses a chatbot to answer questions about its plan and payments and
• A telecommunications provider uses AI to search documents to aid call center agents in responding to inquiries.
Perform real-time translations:
• The PyeongChang Winter Olympics used AI software to respond to questions in 14 languages.
• Some apps perform text-to-speech (TTS) and speech-to-text (STT) to power voice-based search.
Draft documents:
• Japan’s Ministry for Economy, Trade and Industry has a system to help parliament member
• Newsrooms use AI to mine data, create text for data sets and write stories.
Audit:
• Auditors can analyze large amounts of data to detect anomalies (e.g., fraud).
• Auditors can use AI to search documents and databases to extract relevant information for review.
Information security:
• Software vendors are developing AI tools that can monitor trends and activities on the network and perform data forensics.
• AI can provide security intelligence solutions for detecting, monitoring and managing information security threats and risk factors.
Mobile phone assistant:
• Siri and Google Now perform Internet searches, set reminders and integrate with users’ calendars.
• Alexa creates to-do lists, orders items online, sets reminders and answers questions via Internet searches.
• Echo Dot smart speakers integrate Alexa to answer natural language questions, play music, order pizza, hail an Uber car and integrate smart home devices.

These examples show that the AI industry started some time ago. Some readers may be thinking that it left them behind. Part of the reason for this

feeling may be that AI is technical in nature and requires expertise from people who are analytically inclined. Those in the auditing and fraud detection fields can see that the world has changed/evolved from reviewing and cross-checking simple lists and databases and searching large amounts of data to data accumulation, information extraction and personal assistance (at home, at work, in transit and elsewhere). AI can be used as a tool to search for problems, crimes, anomalies and potential solutions in the mountains of data that are continually growing. So, AI may be a possible new tool for many people’s work belts. What follows is an overview of the technology and insight into the required skills for this new era of discovery.

AI Technology

AI technology can mean many things, but it can be broken down into the following:
• Machine learning (ML)—“Machine learning is an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. Machine learning focuses on the development of computer programs that can access data and use it (to) learn for themselves.”[8]
• Deep learning (DL)—“Deep Learning is a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.”[9]
• Natural language processing (NLP)—“Natural language processing (NLP) is a branch of artificial intelligence that helps computers understand, interpret and manipulate human language. NLP draws from many disciplines, including computer science and computational linguistics, in its pursuit to fill the gap between human communication and computer understanding.”[10]
• Virtual agents (chatbots or virtual assistants)—“A Virtual Agent is a computer generated, animated, artificial intelligence virtual character...that serves as an online customer service representative. It leads an intelligent conversation with users, responds to their questions and performs adequate non-verbal behavior.”[11]
• Speech recognition—The capability of an electronic device to understand spoken words
• Hardware with AI—Contains custom/specialized AI computer chips
• Decision management—Rules-based automation (if-then logic)

Figure 2 describes the capabilities of AI technology and includes organizations that support this field of expertise.[12, 13]

Figure 2—AI Technology Capabilities
Technology | Capabilities | Sample Organizations
Machine learning | Includes processing algorithms, using development tools, programming application programming interfaces (APIs) and model deployment | Amazon, Google, Microsoft
Deep learning platforms | | Deep Instinct, Fluid AI, MathWorks, Ersatz Labs, Sentient Technologies, Peltarion and Saffron Technology
Natural language processing | Speech and writing; used extensively in service, support and transactions with customers but has potential to improve organizations’ internal processes | Amazon’s Alexa, Apple’s Siri, Microsoft’s Cortana, Google Assistant
Natural language generation | Turns all types of data into human-readable text | Automated Insights, Lucidworks, Attivio, SAS, Narrative Science, Digital Reasoning, Yseop, Cambridge Semantics
Virtual agents and chatbots | Can respond to questions and perform nonverbal behaviors 24/7 (medical and | Creative Virtual, eGain, IntelliResponse, nextIT, Nuance, Anboto, IBM Watson, Genesis, Inbenta’s Veronica, x.ai, mezi, Abe, Sense.ly, Joy, Ross
Speech recognition | Recognizes and analyzes spoken language words and phrases and converts them into data | Nuance Communications, OpenText, Verint Systems, NICE
Hardware with integrated AI | Goes far beyond consumer apps such as generating entertainment and bringing about the next level of gaming; used to propel deep learning | Google, IBM, Intel, Nvidia, Alluviate, Cray
Decision management | Manages interaction with employees, customers and suppliers; makes it possible to make better choices, increasing agility, consistency and precision | SAS, Scorto, Actico, BigML, Bosch Software Innovations, Clario Analytics, Code Effects Software, EigenDog, Experian Decision Analytics

Requirements

Those who want to enter this career field need to learn some things. Here is a short list of prerequisites for learning AI:
• Strong grasp of mathematics (i.e., linear algebra, calculus, probability and statistics, multivariate calculus, graph theory, matrices, and optimization methods)
• Strong experience with programming languages (e.g., C, C++, Java, Python, R) and frameworks (e.g., TensorFlow and scikit-learn)
• Understanding of the basic concept of automation and how it relates to computer science
• Understanding of AI principles and techniques
• Ability to write algorithms for finding patterns and learning
• Strong data analytics skills
• Strong will to learn machine learning languages

One may notice that accounting, auditing and conducting assessments are not on the list. This is because AI is a different profession, but one that can be used to aid accountants and auditors. There are many possibilities for AI to assist those who are confronted with large amounts of data to analyze. AI can make a job in the audit field easier by taking over the tedious work of looking for fraud, crime and supporting information. Auditors should reach out to the AI staff in their organization to identify investigative tools and techniques to help them in their job.

Training and Education

AI training is widely available. The training can be obtained online[14] or formally:
• Free online—Udacity[15] and Coursera[16] are two companies among many[17, 18] that provide online AI training.
• College and university education—AI training is available in 26 countries[19] and there are more than 25 colleges[20] that provide training.
• AI certification—Even certification in AI is available.[21] Microsoft,[22] Columbia University (New York, New York, USA), Stanford University (California, USA) and Global Machine Learning provide certifications in AI.

The availability of so many avenues to learn AI has not only helped this field of expertise to grow, but has also led society to an era of better focused and available healthcare, quicker service (e.g., chatbots), better crime-fighting tools (e.g., traffic surveillance, fraud detection), and a better understanding of existing data.

Some of the skills that can be gained from AI training include:
• Domain knowledge—Research or business related
• Visualization—Seeing the story in the data
• Data governance—General oversight, including ethics and security
• Engineering—Understanding the hardware, software and storage capabilities available and how to utilize them
• Management/curation—Sourcing, cleaning and manipulating the information
• Analytical approaches (data analytics)—Applying various levels of precision for the solution
• Machine learning—Teaching computers to recognize patterns
• Probabilities and applied statistics
• Algorithms and advanced modeling
• Applicable AI-related programming language
• Natural language processing
• Computer vision
• Robotics

AI Marketplace

With the increase in population and data-gathering comes big data and data analytics. These two topics are propelling the world into a more manageable place and one where unseen information is now visible. The top industries that are using and accelerating the fruits of AI are Internet of Things (IoT) devices, robotics, social media and e-commerce. There are many organizations (some more well known than others) that gather and analyze the data of many diverse areas of interest. Many are listed on the Datamation[23] and Forbes[24] websites, to name only two sources. Areas of new growth include microfinance, social justice and medical diagnosis. These organizations use AI to make their business grow and be more effective. Other AI-vested enterprises and job opportunities can be found by searching the Internet.

Position Descriptions

Here are some sample AI position descriptions that will help in understanding the AI career field. The descriptions, which will vary by organization, include:
• ML (or software) engineer—Runs the operations of an ML project and is responsible for managing the infrastructure and data pipelines needed to bring the code to production
• AI programmer—Develops algorithms and operating software that can be used for robots, AI programs or other AI applications
• Business intelligence developer—Responsibilities include designing, developing and maintaining business intelligence solutions; crafting and executing queries; and presenting information (e.g., reports and presentations)
• Research scientist/applied research scientist—Builds on leads/ideas from data scientists or experiments with new approaches
• Data scientist—Tackles discrete problems using preexisting data to validate models
• Research engineer—“Responsible for performing and analyzing research across various disciplines, working with engineers to conduct complex engineering testing and analyses, designing and implementing new standards, protocols, processes and equipment and providing technical reports and presentations to assist in planning and direction. Research engineers may also be responsible for developing prototypes, as well as researching and developing new technologies and materials for use in the creation or improvement of products and services.”[25]
• Solutions architect—Organizes the development effort and is responsible for the project vision/solution and its execution
• Senior product manager—Responsibilities include developing product requirements and road maps; leading product managers and coordinating with engineering, marketing and other teams; and incorporating feedback and input from customers, partners and in-house teams on product strategy and finding ways to expand product market reach

Salaries

Salaries for people who obtain a master’s degree in AI are high. More than 8,000 AI positions were posted on LinkedIn[26] in May 2018. Figure 3 contains average AI-related salaries for positions described, as obtained from Indeed[27] and Payscale.[28]

Figure 3—Sample AI Jobs and Salaries
Job | Average Annual Salary (US Dollars) | Payscale (US Dollars)
Machine learning (ML) engineer | $135,353 |
Software engineer | $89,495 | $100,057
Senior software engineer/developer/programmer | $110,000-$127,689 |
Business intelligence (BI) developer | $95,013 |
Research scientist | $77,698 | $110,110
Data scientist | $116,000 |
Research engineer | $86,906 |
Solutions architect | $100,639 | $132,453
Senior product manager | $169,489 |

Conclusion

It is clear that AI is an established industry. Many organizations are using it, the technology exists, there are many ways to obtain training, and there are professional associations,[29, 30, 31] magazines,[32] competitions and books[33, 34, 35] that support AI.

So, those who are analytical, have an understanding of business, are technically inclined, and love to do

research and explore data should consider a career in AI. The benefits include a high salary, a challenging career and knowing that one’s efforts will help not only one’s enterprise, but everyone affected by it.

This information helps illustrate the benefits, not just for individuals, but for the future (e.g., healthcare, human and crop genetics, fraud detection, criminal investigations, forecasting, pharmaceuticals, medical science, teaching, customs monitoring, identity authentication, and space and earth science).

Parents, teachers, speakers or leaders may want to talk to their children, students, audiences and colleagues about what the future can hold for them and how they can make an impact on the future of society.

Endnotes
1 Worldometers, www.worldometers.info/world-population/#pastfuture
2 Newgenapps, “Big Data Statistics and Predictions on the Future of Big Data,” 25 January 2018, https://www.newgenapps.com/blog/big-data-statistics-predictions-on-the-future-of-big-data
3 ScienceDaily, “Artificial Intelligence,” https://www.sciencedaily.com/terms/artificial_intelligence.htm
4 Hammond, K.; “What Is Artificial Intelligence?” Computerworld, 10 April 2015, https://www.computerworld.com/article/2906336/emerging-technology/what-is-artificial-intelligence.html
5 English Oxford Living Dictionaries, Artificial Intelligence, https://en.oxforddictionaries.com/definition/artificial_intelligence
6 Encyclopedia Britannica, Artificial Intelligence, 21 June 2018, https://www.britannica.com/technology/artificial-intelligence
7 Yao, M.; “14 Ways Machine Learning Can Boost Your Marketing,” TOPBOTS, 28 February 2018, https://www.topbots.com/14-ways-machine-learning-can-boost-marketing/
8 Expert System, “What Is Machine Learning? A Definition,” www.expertsystem.com/machine-learning-definition/
9 Brownlee, J.; “What Is Deep Learning?” Machine Learning Mastery, 16 August 2016, https://machinelearningmastery.com/what-is-deep-learning/
10 SAS, “Natural Language Processing,” https://www.sas.com/en_us/insights/analytics/what-is-natural-language-processing-nlp.html
11 Chatbots.org, “Virtual Agent,” https://www.chatbots.org/virtual_agent/
12 PAT Research, “Top 15 Artificial Intelligence Platforms,” https://www.predictiveanalyticstoday.com/artificial-intelligence-platforms/
13 Op cit Yao
14 Quora, “What Is the Best Online Course to Learn AI?” https://www.quora.com/What-is-the-best-online-course-to-learn-AI
15 Udacity, “Intro to Artificial Intelligence,” https://www.udacity.com/course/intro-to-artificial-intelligence--cs271
16 Coursera, https://www.coursera.org/courses?languages=en&query=artificial+intelligence
17 Class Central, “Free Online Courses in Artificial Intelligence,” https://www.class-central.com/subject/ai
18 Marr, B.; “The 6 Best Free Online Artificial Intelligence Courses For 2018,” Forbes, 16 April 2018, https://www.forbes.com/sites/bernardmarr/2018/04/16/the-6-best-free-online-artificial-intelligence-courses-for-2018/#1a056c9e59d7
19 AI International, Universities With AI Programs, www.aiinternational.org/universities.html
20 Successful Student, “25 Best Artificial Intelligence Colleges,” https://successfulstudent.org/best-artificial-intelligence-colleges/
21 Sinha, S.; “What Are the Best Artificial Intelligence Certifications?” Quora, https://www.quora.com/What-are-the-best-artificial-Intelligence-certifications
22 The Microsoft AI training certification program covers topics such as Python, mathematics, ethics, data analysis, Azure machine learning, computer vision, natural language processing and speech recognition. For more information, see https://academy.microsoft.com/en-us/professional-program/tracks/artificial-intelligence/.
23 Datamation, “Big Data Companies,” https://www.datamation.com/big-data/big-data-companies.html
24 Columbus, L.; “The Best Big Data Companies And CEOs To Work For In 2017 Based On Glassdoor,” Forbes, 20 May 2017, https://www.forbes.com/sites/louiscolumbus/2017/05/20/the-best-big-data-companies-and-ceos-to-work-for-in-2017-based-on-glassdoor/#44e7b966326e
25 Monster, Research Engineer Jobs, https://www.monster.com/jobs/q-research-engineer-jobs.aspx?jobid=198547688
26 LinkedIn, https://www.linkedin.com/jobs/artificial-intelligence-jobs
27 Indeed, “Ms in Artificial Intelligence Salaries in the United States,” https://www.indeed.com/salaries/Ms-in-Artificial-Intelligence-Salaries
28 PayScale, “Average Salary for Skill: Artificial Intelligence (AI),” https://www.payscale.com/research/US/Skill=Artificial_Intelligence_(AI)/Salary
29 Association for the Advancement of Artificial Intelligence (AAAI), https://www.aaai.org/
30 European Association for Artificial Intelligence (EurAI), https://www.eurai.org/
31 AI Societies, www.aiinternational.org/societies.html
32 AI Magazine, www.aaai.org/Magazine/magazine.php
33 Baiju, N. T.; “20 Free Books to Get Started With Artificial Intelligence,” Big Data Made Simple, 2 April 2018, http://bigdata-madesimple.com/20-free-books-to-get-started-with-artificial-intelligence/
34 Chase, C.; “The Best Books on Artificial Intelligence,” Five Books, https://fivebooks.com/best-books/artificial-intelligence/
35 Amazon.com, “Artificial Intelligence,” https://www.amazon.com/Artificial-Intelligence/b?ie=UTF8&node=491300


Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team

Broadly put, it is widely accepted in today’s corporate world that diverse organizations are preferable to their homogenous counterparts. Empirical research reveals that diversity yields myriad advantages, including increased productivity, enhanced problem-solving and heightened levels of employee engagement, among other benefits.

The value of diversity in the context of IT audit teams is worth discussing and a number of practical strategies for creating and maintaining a diverse and inclusive IT audit team as part of an organization’s overall diversity program are offered.

Many countries are experiencing demographic shifts. For example, by 2055, the United States will not be comprised of a single racial or ethnic majority.[1] Millennials are now the largest generational cohort in the US, having surpassed baby boomers, and they are unapologetically challenging the status quo in the workplace.[2] Women are the primary wage earners in approximately 40 percent of all households with children.[3] Simultaneously, there is an increase in demand for individuals with skill sets in information security. The cybersecurity market is “expected to grow from (US) $75 billion in 2015 to $170 billion by 2020,” which is a threefold increase.[4] Further, by 2019, the number of information security/cybersecurity job openings is expected to rise to 6 million.[5] “There are one million unfilled security jobs worldwide,” out of which “more than 209,000” are in the United States.[6] Unfortunately, there is a shortage of skilled candidates to fill these jobs.

To some, these demographic realities, coupled with the inexorable shifts in the job market toward an information worker-driven economy, are unsettling and rattle long-held notions about the very nature of society. In the alternative view, these seismic shifts can be viewed as evidence that the increasing importance of workplace diversity cannot be denied.

What Is Diversity?

Asking 10 people to define “diversity” is likely to generate a wide range of definitions. To some,

Julie Balderas is a master’s student in actuarial science, studying the mathematical applications behind risk and insurance at Georgia State University (USA). In 2017, Balderas worked for RELX Group in IT security auditing, assisting with internal information security auditing of various LexisNexis applications.

Asim Fareeduddin, CISA, CISM, CIPP, CPA, is vice president, IT security and regulatory controls assurance for RELX Group. He has more than 17 years of experience in privacy, security and audit. Prior to RELX Group, Fareeduddin worked in big four IT audit/security. He also serves as the program coordinator for the LexisNexis Risk Solutions African Ancestry Network (AAN) ERG (Alpharetta, Georgia, USA chapter). He can be reached at Asim.Fareeduddin@.com.

Femi Richards, CCEP, CIPP, is the vice president, compliance assessment and programs at RELX Group. He is responsible for ensuring that RELX maintains a world-class compliance program. In 2010, he was recognized by Savoy Magazine as one of the “Top 100 Most Influential Blacks in Corporate America.” Before joining RELX, he was a senior associate with Holland & Knight LLP, where he practiced in the corporate diversity counseling, education policy and government relations practice groups.

“diversity” is defined narrowly in terms of race, gender, age or those attributes that fairly easily lend themselves to visual inspection. To others, their definition may depend on whether the attributes in question are afforded legal protection under federal and/or state laws such as Title VII of the US Civil Rights Act of 1964, the Americans with Disabilities Act, the United Kingdom employment equality law, or the Employment Equality Directive and Racial Equality Directive in the European Union—core antidiscrimination statutes that make it unlawful to discriminate against individuals on the basis of sex, race, national origin, color, religion and physical disabilities.[7] Yet others may choose to adopt a broader, more nuanced view that encompasses an expansive range of characteristics that include the aforementioned differentiators, but also embraces such traits as cognitive style, years of service, education, personality, parental status, geographic location and organizational function. Ideally, a comprehensive definition of “diversity” is a relatively fluid concept that reflects a combination of both external and internal elements (figure 1).

In the corporate world, the manner in which “diversity” is defined is important in establishing the context in which individual differences are recognized and celebrated. Moreover, it is critical for the definition to be broad enough that all employees can visualize themselves within the framework of the definition. For example, if the corporate definition is overly narrow and primarily speaks in terms of “advancing historically underrepresented minorities,” it is conceivable that some white males may feel excluded and undervalued by the organization rather than seeing themselves as key contributors to establishing an engaged and inclusive work environment. Diversity, within the specific context of an IT audit team, might pivot on the desire to embrace team members with different educational and professional backgrounds, not limited to experience in IT alone. Given the shortage of experienced candidates and the strong demand for IT audit skill sets, it is important for hiring managers to think “outside the box” and seek out candidates who may not come from traditional IT backgrounds, from both an educational and a professional experience perspective.

The Benefits of a Diverse IT Audit Team

Broadly stated, diverse teams afford underrepresented groups the ability to connect with their peers and colleagues on a level that is comfortable and inclusive. However, this is not the only driver behind the decision of many organizations to expand the makeup and composition of their organizations. An enterprise could simply be motivated by a desire to maximize the effectiveness of its professionals in pursuit of the organization’s strategic business objectives. For example, having a diverse IT audit team could help an organization achieve a competitive advantage because professionals with varied backgrounds can contribute

Ruwel Sarmad Is an IT security and regulatory controls auditor at RELX Group. She is responsible for performing internal security assessments of RELX Group products and services and the underlying technology that supports them. Sarmad can be reached at [email protected].

Jack Wall Is an IT security and regulatory controls auditor at RELX Group. Wall joined RELX Group after starting his career with a CPA firm in the Atlanta (Georgia, USA) area. During his career, Wall has engaged in Sarbanes-Oxley-related internal control assessments and advisory, SOC1 and SOC2 reporting and internal security and privacy assessments. During his time as a graduate student, Wall served as president of the ISACA ® Student Chapter at Georgia State University.

ISACA JOURNAL VOL 6 29 Figur e 1—D imensions of Div ersity

Primar y Dimensions (inner cor e): Secondar y Dimensions (outer cor e): Permanent and beyond an Subject t o e volution over time, less individual’s contr ol. visible, and disclosur e t o others is mor e of a choice. Work Style Education

Appearance Religion Physical Ability Age

Socioeconomic Parental/Family Status Race Sex ual Status Orienta tion

Political Geogr aphic Persuasion Location Ethnicity Gender

Job Communication Classification Style

Veteran’s Status

innovative thoughts and ideas and a “variety of team by bringing in a rich skill set from their various solutions on how to achieve a common goal.” 8 professional backgrounds. For example, a recent new hire with work experience in quality assurance (qA) at Strong interpersonal skills are critical attributes for a global technology enterprise in India was able to a person to excel in the IT audit arena. For example, use his prior experience to document the qA controls within RELX Group, the information security within the audit work papers and assist his assurance team is composed of IT auditors who not colleagues on any qA-related questions. In addition, a only possess considerable technical knowledge of senior IT auditor on the team leveraged his prior operating systems, platforms and security controls, experience working for a US senator, where he served but who also feel comfortable interacting with as a correspondent, event planner, researcher/writer senior business leaders, mentoring students or and manager of large projects. His experience volunteering in the community. By focusing on enhanced the team’s ability to multitask efficiently leveraging each employee’s unique skills, the and communicate with stakeholders across different productivity and performance of the entire team is business areas via email, phone and in-person enhanced. The experienced employees on the team meetings. These examples demonstrate how serve as coaches to the campus hires, which allows candidates with diverse professional backgrounds them to develop and demonstrate their leadership can be an asset for an IT audit organization seeking skills. The junior employees also contribute to the to achieve a higher level of performance.

A diverse IT audit team can bring together employees with different thought processes and backgrounds. This enables a single scenario or situation to be examined from multiple perspectives so all possible outcomes can be evaluated. When seeking to build or augment an IT audit team, hiring managers should ensure the candidate talent pool has individuals with diverse professional backgrounds. By adhering to a more traditional homogenous candidate pool, a hiring manager may overlook and discount some of the more critical skill sets that are required for an IT auditor. Also, by not contemplating diversity, hiring managers run the risk of creating a team in which employees possess not only similar technical perspectives, but also similar aspirations regarding career progression. In other words, a homogenous IT audit team is likely to engage in similar problem-solving modes of thinking and may heighten the risk of increased employee attrition rates if employees choose to leave the organization after reaching an arbitrary ceiling based on similar goals. The IT audit field has numerous job opportunities for qualified candidates, and there is considerable mobility available for both lateral and vertical career growth.

Organizations should challenge their employees to broaden their skill sets by encouraging them to work on special projects outside their comfort zone in addition to their regular assignments so they can continue to develop relevant and transferable skills. For example, an IT auditor who would usually work on information security control audits can also assist with performing periodic risk assessments to gain more experience in a different, but adjacent, field.

Creativity and Innovation

Viewing diversity through the prism of immigration reveals that the inclusion of skilled immigrants in the workforce results in an appreciable boost to innovation that can be empirically measured. Data from the United States can be used as one example. The US National Bureau of Economic Research finds that an increase of just 1.3 percentage points in the workforce population of immigrant college graduates results in roughly a 20 percent increase in the share of patenting per capita.[9] It is common to perceive any influx of skilled immigrants as unassailable evidence of the dearth of native innovation. However, one should proceed cautiously when concluding that this increase in diversity automatically crowds out native-born persons from high-skilled occupations. To the contrary, non-native workers simply buttress and sustain the creativity and growth of organizations and have a positive influence on the global economy.

Common debates also exist as to whether the presence of gender diversity in top-level management truly aids the prosperity of firms. Simply put, it does. Based on a 2015 study by McKinsey & Company, “companies in the top quartile for gender diversity are 15 percent more likely to have financial returns above their respective national industry medians.”[10] Furthermore, results from The Journal of Business Ethics’ study of gender diversity in top management teams indicate that gender diversity positively correlates with enhanced capability and innovation.[11] Although the data are clear, it is intuitive that there is much to be gained by being exposed to diverse perspectives and experiences when trying to tackle complex issues and challenges. For example, if a city is thinking of building a new subway system, it would be advantageous to bring civil engineers, environmental scientists, politicians and other relevant stakeholders to the table. The rationale for bringing together disparate groups is that there is value in hearing from and understanding a multitude of views before embarking on such an ambitious, complex project. Indeed, it would seem odd to convene a subway system implementation team composed solely of rail vehicle engineers, for example, when so many other constituent groups have a vested interest in the efficacy of the group and the decisions that are made. Similarly, in the corporate C-suite, it would make sense to leverage

the abilities of both men and women (and other available diverse employee resources) to ensure that problem-solving efforts draw from the collective wisdom of the team in a way that leads to the best possible result. Moreover, in the information security context, the Arizona (USA) governor’s office recently sought to leverage the strength of a diverse team to solve complex cybersecurity challenges when it announced the creation of the Arizona Cybersecurity Team (ACT). The team consists of 19 state officials with backgrounds in homeland security, infrastructure, academia, the private sector and more.[12]

To be sure, innovation is a social process that is amplified when different backgrounds interact. The strength of diversity in its myriad forms is that by harnessing the heterogeneity associated with individual experiences and knowledge, organizations can naturally stimulate the work environment in a manner that fosters innovation.

Expansion of the Talent Pool and Assistance With Recruitment

Global unemployment rates have steadily improved since 2000 and, as a result, the hunt for qualified, available talent is fierce.[13] Employers who choose to rely on the same tried-and-true recruitment strategies that were effective when there was a surplus of labor may find themselves unable to fill critical positions. Data breaches have become inevitable over time, and with the “wide skills gap for cybersecurity jobs,”[14] there is a dire need to fill these cybersecurity job positions.

It is no revelation that cyberthreats are evolving as quickly as the media through which they act. In recent years, cyberattacks have been launched against both the public and private sectors by a variety of actors. State-sponsored attacks, including Korean ransomware attacks against healthcare providers and Russian meddling in US democratic processes, have occurred. Criminals have penetrated the credit juggernaut Equifax. Social hacktivist groups such as Anonymous have released sensitive information pertaining to prominent government officials and corporate executives. The list goes on, but the point is clear: There are a multitude of faces and intents acting in the threat universe, and those faces are daily becoming more varied. This begs the question: Why would forward-thinking organizations fail to expand their information security and IT audit talent pools to include experiences, backgrounds and cultures that can help them cast a broader net across the array of motives, modes and origins behind these attacks?

To this point, former US Deputy Chief Information Security Officer, Mischel Kwon, asserts, “In cybersecurity, I always take the view that our adversaries don’t fit into one demographic, therefore, why should we? When security professionals have a broader lens through which to look at security, we’ll be able to provide better answers and support in protecting our systems.”[15]

Kwon has also strongly advocated for greater female involvement in the field of cybersecurity. According to an (ISC)2 study, women represent nearly 50 percent of IT users, but only 11 percent of the global cybersecurity workforce. Regardless of where the blame may lie for the latter figure, one organization in particular, Girl Scouts of America, has taken action. In a move to get more females involved in cybersecurity, the organization has focused on offering a curriculum and certification to educate young girls about cybercrime, network security and computing basics.[16]

While it is understandable that employers will continue to focus primarily on the applicable skill sets, education and professional experience of the candidates they are recruiting, it is important not to overlook potential candidates who may emanate from nontraditional educational and/or professional

backgrounds. For example, it may be natural for a hiring manager to seek out candidates from his or her university or individuals who share similar interests or hobbies. However, this method, if followed consistently, is likely to result in a recruitment strategy that does not add sufficient richness to an organization’s talent pool. A more thoughtful strategy may involve seeking candidates who are a departure from the standard recruit, but who still possess the necessary skills and experience and complement the organization’s culture. In this regard, the US military has been successful in trumpeting the numerous benefits and incentives to organizations that commit to hiring veterans.[17]

Reduced Turnover

Enterprises have come to understand that an engaged workforce is one in which the employees feel a sense of comfort and belonging. If employees believe the organization values their contribution to the enterprise, they are more likely to be productive and loyal. However, an aesthetically pleasing office or gourmet coffee in the break room may not be sufficient to keep employees wedded to the organization if they feel marginalized and alone. Humans are social beings by nature who tend to associate with others who have similar interests, backgrounds and culture. By working hard to increase the representation of diverse groups through targeted recruiting efforts and, equally important, implementing a diversity retention strategy that contemplates everything from mentorship opportunities to the adequacy of compensation to the reputation of the organization in the community, it is possible to send an unambiguous signal to existing employees that the organization’s commitment to diversity and inclusion is more than mere lip service.

There are various professional organizations that focus on information security, IT governance and IT auditing that could be resources for new employees entering the field of information security. ISACA®, the Institute of Internal Auditors (IIA) and the International Association of Privacy Professionals (IAPP) are a few examples of organizations that lead in their respective fields. Employers should support and encourage their employees to attend training/conferences hosted by such organizations so that those employees can gain cutting-edge industry knowledge and incorporate it into their daily job activities. In addition, attendees can network with other experienced professionals at these events to learn and benefit from their experiences. The organization’s support of employee involvement in professional organizations will make employees feel valued, which will help to increase retention.

Conversely, organizations must be careful to not push employees into closed circles, as it may limit the full capacity of exposure to career growth opportunities. Organizations must instead balance the representation of all employees to avoid creating artificial subcategories that subvert the minority’s and the majority’s contribution to the pool of knowledge. An example is affinity groups and the reality that many of these efforts are not properly funded and are managed only in the spare time of a willing leader.[18] This can lead to well-intentioned, but ineffective, support groups that, if improperly managed, may divert attention away from overall assimilation and toward division and seclusion. Inevitably, the summation of all minorities is evolving to be the majority. However, the responsibility to assimilate should not be placed solely on these “outside groups.” Instead, organizations must push for the “inside groups” to also reach outside their comfort zone and enter the normality of diversification. The key to reducing turnover is not simply recruiting for diversity, but to acknowledge that inclusion is key and reaching out should come about from all sides.

Improved Customer Service

This is an area in which changing demographics will have a major impact. For example, the United States is expected to grow to a population of 417 million by 2060, with undeniable growth in the number of what are now considered minorities. Moreover, by 2060, nearly 20 percent of the country’s population will be born outside the United States.[19] If these predictions come to pass, businesses must also adapt to the changing composition of their customer base. Organizations that have staff representatives who can speak a multitude of languages, understand various cultural nuances and mirror the communities in which the business resides will be competitively well positioned to serve, satisfy and retain customers.

Strategies to Build and Retain a Diverse and Inclusive IT Audit Team

Successfully building and retaining a diverse and inclusive IT audit team requires tackling the issue as a business problem, not a human resource (HR) issue. Much as an organization would tackle any business issue, such as building a new product or system, it must have a clear, documented go-to-market strategy (with buy-in from the appropriate stakeholders) including the following areas:
• Development of a diversity vision and strategy (tone at the top)
• Targeted recruitment and relationship building
• Investment in employee development and training
• Mentoring
• Use of metrics to track success

A diversity vision and strategy should come from the top down and should be viewed as a business issue owned by the C-suite. To work effectively, the vision and strategy must be adopted at all levels of management. Formal goals should be set, and managers should be held accountable for these goals just as they would for revenue and sales targets. A good starting point for carrying out senior management’s vision is the use of employee resource groups (ERGs), also known as affinity groups. ERGs can partner with different areas of the business, including HR and talent development, to execute a clear strategy to fruition.

The chief complaint from hiring managers is that they would hire someone from a certain background, but they were not presented with any candidates with that background. The easiest solution to this complaint is to target groups and universities where diverse candidates can be identified. Much like a sales pipeline for selling products/services, building these relationships can take time to see the end result. Because of this time-intensive nature, an efficient way to implement such an initiative is to start small. A good start is to build a relationship with an organization or school and ultimately create a repeatable process that can be leveraged across multiple organizations. This is where ERGs can play a key role. It also helps to develop the ERG members’ soft skills, which will play a significant part in on-campus recruiting, guest lecturing/presentations, interviewing candidates and mentoring, to name just a few areas.

Once diverse candidates are hired, it is important to ensure that these employees are retained and feel welcome in the organization. ERGs can be used to assign mentors to candidates to help them navigate the enterprise and its culture. Employees with mentors are less likely to leave the organization and can use the mentor as a support system as they grow through their career. Along with mentorship, it is important to invest in specialized training and development for new employees so they feel constantly challenged and experience growth in the environment. Organizations should prioritize the professional development of different groups through their internal ERGs.

Predefined steps on the career ladder also assist in retention so that employees have an idea of potential opportunities and specific milestones to achieve those opportunities. Without this infrastructure in place, diverse candidates are more likely to leave the organization, as they may feel that nobody in the organization “looks like them” or cares for their well-being and success.

The old adage “what gets measured, gets done” is as true in the diversity context as it is with any important business-focused initiative. The success or failure of a diversity and inclusion program cannot be effectively quantified without metrics in

place. Goals and objectives should be set up as part of the overall organizational strategy and must be measured at least quarterly, much like financial performance indicators. By assessing metrics on a quarterly basis, senior management will have current information with which to assess the effectiveness of the strategy and make any changes or tweaks along the way. To effect change, these goals and measurements should be part of a manager’s annual performance review.

Conclusion

Diversity is more than compliance with laws and rules. It is more than a mere empirical exercise of counting people and assigning them to discrete boxes on a spreadsheet. It is even more than just “doing the right thing.” Diversity in the enterprise context should be about creating an environment in which all people feel included, valued and free to achieve the best of which they are capable. A diverse IT audit team brings together different minds and perspectives to facilitate innovation, solve problems and advance learning—all of which, if harnessed properly, are likely to have a positive impact on audit quality and overall team performance.

Endnotes

1 Cohn, D.; A. Caumont; “10 Demographic Trends That Are Shaping the U.S. and the World,” Pew Research Center, 31 March 2016, www.pewresearch.org/fact-tank/2016/03/31/10-demographic-trends-that-are-shaping-the-u-s-and-the-world/
2 Ibid.
3 Egan, M.; “Still Missing: Female Business Leaders,” CNN Money, http://money.cnn.com/2015/03/24/investing/female-ceo-pipeline-leadership/
4 Morgan, S.; “Cybersecurity Market Reaches $75 Billion in 2015; Expected to Reach $170 Billion by 2020,” Forbes, 20 December 2015, https://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#392c483830d6
5 Morgan, S.; “One Million Cybersecurity Job Openings in 2016,” Forbes, 2 January 2016, https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#449738e827ea
6 Cisco, “Mitigating the Cybersecurity Skills Shortage,” 2015, https://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf
7 Civil Rights Act of 1964, section 7, 42 U.S.C. section 2000e et seq., USA, 1964 and Americans with Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328, USA, 1990
8 Johnson, R.; “What Are the Advantages of a Diverse Workforce?” Chron, http://smallbusiness.chron.com/advantages-diverse-workforce-18780.html
9 Hunt, J.; M. Gauthier-Loiselle; “How Much Does Immigration Boost Innovation?” National Bureau of Economic Research, USA, September 2008, www.nber.org/papers/w14312.pdf
10 Hunt, V.; D. Layton; S. Prince; “Why Diversity Matters,” McKinsey & Company, January 2015, www.mckinsey.com/business-functions/organization/our-insights/why-diversity-matters
11 Ruiz-Jiménez, J. M.; M. Del Mar Fuentes-Fuentes; “Knowledge Combination Capability and Innovation: The Effects of Gender Diversity on Top Management Teams in Technology-Based Firms,” The Journal of Business Ethics, May 2016, vol. 135, no. 3, p. 503-505, https://link.springer.com/article/10.1007/s10551-014-2462-7
12 Office of the Governor Doug Ducey, “Governor Ducey Announces Appointments to Arizona Cybersecurity Team,” USA, 7 March 2018, https://azgovernor.gov/governor/news/2018/03/governor-ducey-announces-appointments-arizona-cybersecurity-team

13 International Labour Organization, “Unemployment, Total (% of Total Labor Force) (Modeled ILO Estimate),” The World Bank, November 2017, https://data.worldbank.org/indicator/SL.UEM.TOTL.ZS
14 Kauflin, J.; “The Fast-Growing Job With a Huge Skills Gap: Cyber Security,” Forbes, 16 March 2017, https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#2fc802975163
15 Siwicki, B.; “Why Diverse Cybersecurity Teams Are Better at Understanding Threats, Patient Needs,” Healthcare IT News, 28 September 2017, www.healthcareitnews.com/news/why-diverse-cybersecurity-teams-are-better-understanding-threats-patient-needs
16 Girl Scouts, “Palo Alto Networks and Girl Scouts of the USA Announce Collaboration for First-Ever National Cybersecurity Badges,” 13 June 2017, https://www.girlscouts.org/en/press-room/press-room/news-releases/2017/palo-alto-networks-girl-scouts-collaborate-cybersecurity-badges.html
17 Riggins, N.; “15 Benefits of Hiring Military Veterans,” Small Business Trends, 2 November 2017, https://smallbiztrends.com/2017/03/benefits-of-hiring-veterans.html
18 Wittenberg-Cox, A.; “Deloitte’s Radical Attempt to Reframe Diversity,” Harvard Business Review, 3 August 2017, https://hbr.org/2017/08/deloittes-radical-attempt-to-reframe-diversity
19 Colby, S. L.; J. M. Ortman; “Projections of the Size and Composition of the U.S. Population: 2014 to 2060,” US Census Bureau, March 2015, https://www.census.gov/content/dam/Census/library/publications/2015/demo/p25-1143.pdf


Growing a Cybersecurity Career Five Questions for the Next Job Interview

Philip Casesa is the director of product development at Focal Point Data Risk, bringing years of insights from roles in cybersecurity, software development and consulting. Prior to Focal Point, he spent 11 years as the director of IT/service operations for (ISC)2, leading and growing a team of enterprise architecture, applications, operations, security and web staff. At Focal Point, Casesa is focused on translating his experience into new offerings from Focal Point Academy, a leading provider of hands-on cybersecurity training, working with its elite team of educators to pioneer new models for building world-class enterprise cybersecurity organizations.

Those who have owned a house plant have probably noticed that no matter where the plant is placed, it grows toward the strongest source of light—a phenomenon called “phototropism.” Tropisms are defined as any growth in response to an environmental stimulus. They are found in nature in various forms, such as gravitropism (downward growth), hydrotropism (growth toward a water source) and aphototropism (growth away from a light source). Outside of the plant kingdom, the principles behind tropisms occur in places such as the economy, family life and the workplace.

Cybersecurity or IT professionals should seek out career opportunities that offer the right sorts of stimuli to enable their own growth. A positive corporate culture is one such stimulus. A well-rounded workforce development program is another. However, negative stimuli can be present as well, trapping employees in situations that stifle growth, push coworkers away and drain the team of talent.

So, how do job candidates evaluate whether an organization has the right set of stimuli for their own development? There are a few critical questions to ask. How the employer answers should provide the insight needed to determine whether the job will support personal and professional goals or the organization has already put a ceiling on growth potential.

Those who lead a cybersecurity team may find these questions helpful in evaluating the opportunities their program provides their team members.

Question 1: What Is the Multiyear Growth Plan for Someone in the Position?

This is the answer candidates want to hear: Knowledge, skills and abilities (KSAs) are clearly defined for this role and there are expectations for growth. There is a clear plan for the professional development and career progression of someone in this position.

The term “KSAs” is most frequently used in the military, but the concept is universal. KSAs should serve as the baseline requirements for each position on the team. Organizations need defined KSAs to successfully map out how that role fits into the business and evolves over time.

Without KSAs, it is hard to set a structured plan for professional growth. KSAs can answer the questions, “What must candidates know and be able to do to be successful in this role?” and “What knowledge and skills must candidates learn to be

ISACA JOURNAL VOL 6 37

ready for their next role?” Some see KSAs as restrictive or rigid, but they can be very empowering. Knowing exactly what must be delivered to move to the next level makes it much easier to seize the opportunity and move forward. In interviews, candidates should ask pointed questions about the specific skill sets and knowledge expected of the role and how they will evolve over time. If the interviewer can answer these questions, it shows that they have a plan for employees’ growth, goals to be achieved and opportunities for advancement.

To get started, the candidate should ask questions such as: What are the expectations for the growth of someone in this role? How will the skills of someone in this role evolve? How will career progression be measured? A careful examination of the job description may also be helpful. If only responsibilities or experience requirements are listed in the description, rather than the specific skills, it could be an indicator that KSAs are not in place for this position and the employee may be stuck carrying out the same tasks indefinitely, rather than advancing in his/her career.

Question 2: How Long Has the Interviewer Been With the Team? What Is Their Career Story?

This is the answer candidates want to hear: Team leadership is homegrown. Managers started their careers in the organization and worked their way up. Senior positions are rarely given to outside hires.

Panel interviews, in particular, provide a unique opportunity to quickly evaluate the amount of homegrown leadership on the team. A round-robin response from the interviewers can paint a picture of an organization that develops loyal, talented employees or it can describe an organization in which top talent flees at the first opportunity. Follow-up questions to learn more about the interviewers’ career journeys and experience at the organization can give additional insights into team structure and dynamics.

What is really important to uncover is if the team’s leaders and managers grew into their roles. If they have climbed a ladder into increasingly more skilled positions, that is a good indicator that there is a workforce development program in place. They are building a pipeline of skilled cybertalent, and new employees will be expected to develop new skills and advance within the enterprise. However, if it sounds like most of the team members are recent additions (especially those in leadership), the turnover rate for the team may be high, training may be limited and senior roles may be given to outside hires.

Listening to what the interviewers say about their experience at the organization can provide information that may not be available from their website, social media or Glassdoor. Questions that may help elicit this information focus on how long the interviewers have been with this organization, their background and how they got to their current position, and what made them decide to join the organization.

Question 3: What Approach Is Used to Build a Diverse, Well-Rounded Team?

This is the answer candidates want to hear: This enterprise is actively working to build a diverse team, looking for people with a variety of backgrounds, educations, skill sets and experiences. Diversity is important to this team and at this organization.

Enterprises that embrace diversity seek out a variety of backgrounds, skill sets, perspectives, experiences and ideas—all things cybersecurity needs. As an industry, and largely out of necessity, cybersecurity scores good marks for diversity of professional background: Many cybersecurity professionals come from backgrounds outside of the expected fields of information systems, computer science, etc. Today’s cyber leaders are just as likely to come from accounting, IT or the military. But, in other ways, diversity is severely lacking in cybersecurity. For instance, women make up only 11 percent of the global cyberworkforce. 1

Diversity is an interesting example of two types of tropisms. An organization that builds diverse teams is more likely to encourage the free collaboration

and sharing of ideas, which puts employees in an ideal position to learn new skills from their peer group and bring new ideas to the team (horizontal knowledge sharing, as opposed to vertical knowledge sharing). 2 This results in upward growth as a professional. And when an organization embraces diversity, it also inspires employees to grow roots and build their career there.

Successful cybersecurity teams require unparalleled problem solving, lots of creativity and seamless teamwork. Diversity should be the engine that drives these outcomes. An organization that recognizes diversity as both the right thing to do and a way to improve security outcomes is also likely to be an organization with a robust program for developing diverse talent internally.

Candidates should ask questions about the composition of the team, the team members’ backgrounds and what key team members bring to the table. Candidates should also ask pointed questions about the diversity programs at the organization. What initiatives does the organization have that encourage diverse hiring? Are there groups or programs that support diversity in the workplace? The types of programs the organization has in place are obvious indicators that it seeks out and supports diversity.

Question 4: What Is the Strategy for Filling Openings on the Team? Is It to Train Up Existing Team Members or Look for an Outside Hire?

This is the answer candidates want to hear: Existing team members are offered new opportunities first. The plan for filling skills gaps on the team is to train up existing team members to equip them with these skills.

The global cybersecurity talent shortage has been well documented, and regulations, threats and technologies are constantly evolving. Most organizations have a few skills gaps on their cybersecurity team. How an organization handles this challenge can reveal a lot about its workforce development program.

Despite the shortage, some organizations still look for outside hires to fill gaps on their teams. Finding the right person can take months, if it happens at all, leaving the team with a significant gap in skills and the organization vulnerable. On the other hand, other organizations see a skills gap as a growth opportunity for an existing team member. These organizations have programs in place for ongoing and targeted skills development, constantly elevating employees to fill gaps and training up less experienced hires to fill open positions. This creates upward momentum for the whole team and a culture of shared goals, success and loyalty.

Finding out how the organization addresses these issues takes a little sleuthing. The job description for the open position should have some indicators of whether the organization is recruiting to fill a very specific gap. While the opportunity may be great now, it could mean the person hired will be stuck in that position for a while. During the interview, candidates should ask questions about how the organization tackles regulatory changes, new technologies, and new threats or risk. Does it rush to find someone new or will it start training team members on how to address these?

Question 5: What Is the Training Program for the Team?

This is the answer candidates want to hear: There is an established training program for team members at every level. Employees are given training opportunities, and there is an expectation that they will develop new skill sets.

This is a direct, obvious question, but it is one the candidate should save for last. The problem with a simple question about training is that every interviewer is ready for it. Interviewers know that training is important to most professionals, so they have a canned response ready—a response that may or may not be an accurate reflection of the training program in place.

So, candidates should ask questions that require specific answers. Ask the interviewers how the training is facilitated. Is it done in-house? Do employees attend external trainings? Is it online or in-person? How is training selected? Do employees have to find and choose the training they want? Are employees given a budget to self-select training or does the organization provide guidance? Is there a certain training provider the organization uses? Is training individual or team-based? Diving deep into how the organization’s training program works will provide a more realistic picture of what it is actually doing when it comes to professional development. Candidates should want to see that the organization is making an investment in training and sees value in training the team as a whole. A budget is allotted to training and time is set aside for employees to develop new skills. The key is to go beyond the usual “Are there training opportunities?” questions and get into specifics.

Taking the Next Step

Many prepare for interviews by trying to anticipate the questions they might get asked. While this is important, preparing questions for the interviewer is equally important, especially regarding opportunities for professional development. The answers to these questions will help job seekers determine if a team is the right fit and potentially help them take a step forward in their career path. These questions will help job seekers find an organization that:

• Has a plan in mind for employees. They have set goals, a defined career path and clear opportunities for growth.
• Wants employees to succeed. Their team members have been able to grow successful careers and new hires are given opportunities to do the same.
• Welcomes diversity. They are open to new ideas and different perspectives and realize that new and different solutions can be the answer to long-standing challenges.
• Helps employees grow their skills. Instead of looking to outside help for new challenges, opportunities are given to existing employees to learn by doing.
• Guides employees in their career. They see the importance of a good training program and help employees choose the courses they need to grow the career they want.

Look for an organization that provides the stimuli that helps employees grow, encourages them to put down roots, and expands their skill sets and knowledge. Then, new hires will experience what it is like to be a part of an organization and a team that wants to see team members succeed because they know that professional growth is critical to the success of the organization. Not only will employees find their work more fulfilling, but they will be excited about their future and the opportunities it holds.

Endnotes
1 Frost & Sullivan, The 2017 Global Information Security Workforce Study: Women in Cybersecurity, 2017, https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf
2 Rock, D.; H. Grant; “Why Diverse Teams Are Smarter,” Harvard Business Review, 4 November 2016, https://hbr.org/2016/11/why-diverse-teams-are-smarter?

FEATURE

Defining the Chief Digital Officer Using COBIT 5

The digital revolution’s pace is rapidly increasing, causing numerous disruptions and transformation in more and more industries. A key sign of its growing importance is the rise of a new kind of executive: the chief digital officer (CDO). 1

Discussions around C-level roles are not new. In fact, there is quite a contentious issue around the CDO and the chief information officer (CIO) and plenty of diverging references on both roles. 2 However, some contend that the CDO can be considered the ultimate realization of a type of CIO—more connected to business, more innovative and able to build relationships across all levels and functions of the organization.

It is still not clear what CDOs are expected to achieve, what their responsibilities are and how they can collaborate with their CIOs. 3 The current lack of clear responsibilities of the CDO role and profile also creates some space for eventual conflicts with the CIO when they coexist. Clarifying the two is urgent and required to prevent future problems from occurring.

The responsibilities of the CDO role in the enterprise context can be identified and correlated with the CIO’s responsibilities using the Responsible, Accountable, Consulted and Informed (RACI) matrix from COBIT® 5. COBIT 5 provides benefit in this context because it is the only governance framework based in international governance standards (International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] ISO/IEC 38500) and it draws a clear divide between governance and management.

Context

The digital world is changing rapidly and profoundly. Now more than ever, digital transformation (DT) plays a critical role in corporate strategy. DT encompasses a wide range of tasks and activities that are complex, cross-functional and interdependent, making it increasingly difficult for the CIO. 4

João Catarino Is finishing a master’s degree based on the topic of digital transformation. Catarino cowrote an article regarding research of governance frameworks for digital transformation in the public sector.

Isabel Rosa, Ph.D. Is a national expert in the area of electronic public procurement in the European Commission and has 30 years of experience in information systems. She was the chief information officer of several public entities in Portugal and Macau (China). In Portugal, she was also the deputy secretary general and chairman of the ICT Committee of the Ministry of Public Works, Transports and Communications. She was a researcher of governance frameworks for digital transformation in the public sector in the field of a doctoral program in engineering and management.

Miguel Mira da Silva, Ph.D. Is an associate professor of information systems at the Instituto Superior Técnico in the University of Lisbon (Portugal) and research group leader at INOV INESC Inovação.

Because organizations need to assign and spread managerial responsibilities adequately across top managers to ensure successful DT, a new generation of C-suite executives has emerged, including the CDO. Researchers suggest the CDO and the CIO not only collaborate closely, but also have a symbiotic and interdependent relationship. 5

However, the ambiguity and contention that surrounds the definition of the CDO’s role persist. In particular, there is controversy between the CDO and CIO roles, which leads to internal difficulties in the organization, with an obvious impact on its ability to adapt to an increasingly unpredictable and demanding world.

Analyzing the differences between these two roles based on COBIT 5 draws a new vision of the responsibilities assigned to each role. The evaluation conducted through a user opinion study not only provided a positive evaluation of the proposal, but also resulted in valuable input for further work.

Research shows that the CDO’s primary responsibilities are those related to ensuring value optimization and stakeholder communication.

CIO vs. CDO

In the mid to late 1990s, the CIO was a senior executive who was able to understand new technologies and how to apply them to the business strategy. They were the link that intermediated the relationship between business leaders and the IT department. 6

Meanwhile, a phenomenon was emerging: globalization. IT managers were faced with new challenges and, though IT had become better aligned with the business, IT executives needed to conduct rigorous analyses of return on investment (ROI) and make complex decisions. Moreover, significant technology expenditures needed to be justified. Naturally, not all CIOs were at ease with this challenge; the IT function demanded a leader who was able to understand the increased complexity of business and how to interact with the IT strategy, business strategy, risk management and finance. 7

At this point, the future of CIOs began to be questioned. “CIOs who do great things in leading IT soon gain extra responsibilities. By helping business leaders to improve their businesses, the CIO becomes an obvious candidate to fill any open role that involves technology, process, or strong governance.” 8 However, many new challenges, such as brand synergy, were new for the CIO.

Consequently, a growing number of organizations have introduced an additional position into their managerial grid—the CDO. An initial conceptualization of the CDO’s position suggests that its primary responsibilities are the strategic and communication aspects of DT, and, if the CDO and CIO positions coexist, the CDO should closely collaborate with the CIO. The CIO, in turn, deals with the technical aspects of DT. This means that, although the roles/responsibilities of the CDO and CIO are different, their relationship can be symbiotic and interdependent. 9

Researchers identified four distinct CDO role types (digital innovator, advocate, evangelist and coordinator) and assessed the implications for the CIO role in the context of DT. In this research, the four distinct CDO role types are primarily determined by the CIO’s role orientation and the perceived implications of digitalization. 10

Proposal

Now that DT is sure to reach every organization, it is important to note that governance is essential for successful DT. 11 To differentiate between management and governance, one researcher associates governance to the context of change or transformation. Thus, governance guides developments that lead to a new (or partly new) organization that needs to be managed. 12

A set of responsibilities is proposed for the emerging CDO role for the governance of DT and an adjustment of the CIO’s responsibilities in the new context. This proposal is based on two fundamental principles: simplicity and ease of use. Hence, it is relevant to use well-known and extensively accepted frameworks. This is made possible by using the RACI matrix from COBIT 5.

To identify the responsibilities of the CDO and CIO within the enterprise context, the RACI matrix is used. COBIT 5 already identifies responsibilities for the CIO in its 37 processes. COBIT 5 describes the responsibilities associated to the key practices that make up each process as a RACI matrix.

The COBIT 5 framework can be considered to be in line with the governance of DT since COBIT 5 was designed for IT governance with a specific goal of aligning IT with the business and, subsequently, to generate value to the organization. Moreover, COBIT 5 makes a very pragmatic distinction between governance processes and management processes—a positive aspect in change/transformation and, more specifically, in DT.

Considering the concept of the CDO as the manager of digital transformation enables a conclusion that this role should be grounded in governance principles. Governance provides direction. Management provides operations. This leads to a vision of the role of CDO as a bridge between IT and the business (figure 1).

Figure 1—The CDO as the Bridge Between IT and Business (diagram labels: Governance, CDO, Digital Transformation, Business, IT, COO, CIO, Management)

As explained, the CIO’s responsibilities are reassessed should the role of the CDO be introduced in the organizational context.

Given the premise that derives from the concept of governance as the functional area that manages change and transformation, and considering that the CDO’s role is, by definition, DT management, only the governance processes under the COBIT 5 framework have been studied: EDM01 Ensure Governance Framework Setting and Maintenance, EDM02 Ensure Benefits Delivery, EDM03 Ensure Risk Optimization, EDM04 Ensure Resource Optimization, and EDM05 Ensure Stakeholder Transparency.

With the introduction of the new CDO role, the new proposed distribution is shown in figure 2.

This proposal is based on the following basic vectors:
• The CDO is responsible for the governance processes.
• The responsibilities of EDM04 are shared by the CDO and the CIO due to the direct link with the infrastructure management responsibilities of the CIO.
• Both roles are responsible for evaluating the benefits since this activity requires both perspectives, from the business and deep IT knowledge.
• Both roles share the responsibility of evaluating and monitoring risk management, owing to the wide scope of the source of risk.
• Although the CIO is no longer responsible in all remaining activities, the CIO should be consulted except for directing and monitoring the stakeholders’ communication. This is for two reasons: This is a CDO core activity, and the CIO should not duplicate efforts, instead concentrating on his or her core activities.

This proposal gives the CDO stronger responsibility on the three processes EDM01, EDM02 and EDM05. It further grants shared responsibility with the CIO on the remaining two processes: EDM03 and EDM04.

Evaluation

Given the controversy of this topic, the assessment of the proposal was gathered via a user opinion study. 13 Not only was it important to obtain a proposal assessment, it was also critical to understand how the community closest to the topic sees the CDO and the CIO roles.

Fifteen people replied to the questionnaire, all senior professionals in their line of work, with an average career span of approximately 22 years. As for geographic diversity, 13 of the respondents are Portuguese, one is Brazilian and one is Dutch. It should be added that in the Portuguese group, three respondents work abroad in several countries at the same time. The organization types of the respondent group are also mixed: Five are in public service and 10 are in private institutions. In terms of area of job functions, the respondents include four chief executive officers (CEOs), three digital professionals, three academicians and five working in information and communication technology (ICT).

The questionnaire was designed to be self-explanatory and contained five sections: the respondent’s characteristics, views on the topic, general proposal assessment, detailed proposal assessment, and identification of three functions and three characteristics associated with the CDO and CIO.

The questionnaire had three types of questions: multiple choice, open ended and scaled (graded on a scale from 1 to 10, in which 1 = Completely disagree and 10 = Completely agree). This last group contains the most relevant component of the proposal assessment: the responsibilities assigned to each role (figure 3).

The analysis of the results shows some interesting conclusions.

Figure 3—Section of the Assessment on Each Role’s Responsibilities

Governance Processes                                         | CDO | Evaluation (1-10) | CIO | Evaluation (1-10)
EDM01: Ensure Governance Framework Setting and Maintenance   |     |                   |     |
  Evaluate the governance system                             | R   |                   | C   |
  Direct the governance system                               | R   |                   | C   |
  Monitor the governance system                              | R   |                   | C   |
EDM02: Ensure Benefits Delivery                              |     |                   |     |
  Evaluate value optimization                                | R   |                   | R   |
  Direct value optimization                                  | R   |                   | C   |
  Monitor value optimization                                 | R   |                   | C   |
EDM03: Ensure Risk Optimization                              |     |                   |     |
  Evaluate risk management                                   | R   |                   | R   |
  Direct risk management                                     | R   |                   | C   |
  Monitor risk management                                    | R   |                   | R   |
EDM04: Ensure Resource Optimization                          |     |                   |     |
  Evaluate resource management                               | R   |                   | R   |
  Direct resource management                                 | R   |                   | R   |
  Monitor resource management                                | R   |                   | R   |
EDM05: Ensure Stakeholder Transparency                       |     |                   |     |
  Evaluate stakeholder reporting requirements                | R   |                   | C   |
  Direct stakeholder communication and reporting             | R   |                   | I   |
  Monitor stakeholder communication                          | R   |                   | I   |

Digital professionals are, in general, more supportive of the proposal, while those more connected to ICT are, in general, less supportive. The reason for this is the growing controversy that the role of the CDO is a threat to that of the CIO and the sense of rivalry between these two roles that transpires from the media.

In one of the questions, respondents were asked to list three characteristics for each profile. Although they are described differently, there is a convergence of opinions from which the following stand out:
• CDO profile—Business-oriented, leadership skills, visionary, higher risk profile, strategic thinking, strong relationship builder, problem-solving attitude, reward assessment capabilities, innate design/lean thinking
• CIO profile—IT-oriented, focused, detail-oriented, results-oriented, collaborative, tech savvy, business supporter, ability to execute on change, ability to translate strategy into execution, technical leadership

This shows how these two roles require substantially different characteristics.

Regarding the functions exercised by the CDO and the CIO, one of the questions was to list the main three functions. The following are worth noting:
• CDO functions—Define the digital strategy/vision, align/converge the digital strategy with the corporate strategy, create a digital culture in the enterprise, disrupt, transform to digital, change management
• CIO functions—Implement IT projects, build IT strategy, change management, establish a technologic landscape that incorporates future business needs with less impact, ensure time to market, ensure an adequate IT governance framework

Figures 4 and 5 show the assessment average scores obtained for the CDO and the CIO, respectively.

The results in figure 6 show a higher agreement on the responsibilities of the CDO in the processes regarding value optimization, stakeholders’ communication and the governance system, in line with the previously stated conclusions about the CDO’s primary focus on strategic and communication aspects. 14

In short, the results of the questionnaire show that the COBIT 5 RACI matrix can be a very important tool in defining/redefining both roles in the organizational context of DT. Indeed, its formulation can lead to a rethinking of the current situation. What is clear from figures 4 and 5 is that the agreement on the CIO’s responsibilities is lower when the responsibility shifts from R (responsible) to C (consulted) or I (informed). In the case of the CDO, which is responsible (R) for all processes, the clear disagreement falls on the EDM04 process. Interestingly, though, this process was proposed with shared responsibility by the CIO, and it was precisely in this process that the CIO achieved the most in-sync answers.

Despite all the controversy that the proposal assessment raises, it is rather positive overall.

Conclusion

Clear roles at the C-level are essential to boost the enterprise’s capabilities in times of disruption.

Figure 4—Average Evaluation of CDO Responsibilities (CDO Average Score, scale 0-10)

Monitor value optimization – R: 9.64
Evaluate value optimization – R: 9.45
Direct value optimization – R: 9.36
Direct stakeholder communication and reporting – R: 9.00
Monitor stakeholder communication – R: 8.91
Evaluate stakeholder reporting requirements – R: 8.82
Evaluate the governance system – R: 8.27
Monitor the governance system – R: 8.18
Direct the governance system – R: 8.18
Evaluate risk management – R: 8.09
Monitor risk management – R: 7.18
Direct risk management – R: 7.18
Monitor resource management – R: 5.91
Evaluate resource management – R: 5.73
Direct resource management – R: 5.55

Figure 5—Average Evaluation of CIO Responsibilities (CIO Average Score, scale 0-10)

Monitor resource management – R: 9.36
Evaluate resource management – R: 9.36
Direct resource management – R: 9.36
Monitor risk management – R: 8.73
Evaluate value optimization – R: 8.09
Evaluate risk management – R: 8.09
Evaluate the governance system – C: 7.55
Monitor the governance system – C: 7.27
Direct the governance system – C: 7.27
Monitor stakeholder communication – I: 6.82
Direct stakeholder communication and reporting – I: 6.82
Direct risk management – C: 6.64
Evaluate stakeholder reporting requirements – C: 6.45
Direct value optimization – C: 6.36
Monitor value optimization – C: 6.18

Figure 6—Average Evaluation Results by Governance Process for the CIO and CDO (Average Score by Governance Process, scale 0-10)

Governance Process                                          | CIO  | CDO  | Global
EDM01: Ensure Governance Framework Setting and Maintenance  | 7.36 | 8.21 | 7.79
EDM02: Ensure Benefits Delivery                             | 6.88 | 9.48 | 8.18
EDM03: Ensure Risk Optimization                             | 7.82 | 7.48 | 7.65
EDM04: Ensure Resource Optimization                         | 9.36 | 5.73 | 7.55
EDM05: Ensure Stakeholder Transparency                      | 6.70 | 8.51 | 7.80

The research described here, particularly the responses of practitioners who participated in the proposal assessment, shows that using the RACI matrix to define the CDO’s and the CIO’s responsibilities is quite feasible and, above all, very useful to clarify the boundaries between the two roles. The overall scores for both proposals were very positive: 7.62 for the CIO and 7.96 for the CDO, on a scale of 1-10 points.

This study focused solely on the CDO and CIO responsibilities in the context of the COBIT 5 governance processes. The first major proposal evaluation findings were that most people find it very difficult to clearly distinguish between governance and management.

This difficulty implies that their functions/activities, objectives and required skills are not evident. It is, therefore, more difficult to understand the reason for the predominant connection between the CDO and the governance processes and the CIO and the management processes.

On the other hand, the responses to the study showed that it was easier to understand the connection between governance and transformation.

It was also clear that although the management processes were not the subject of this study, they should also be reviewed. Though the predominance of responsibilities of the CIO role at this level is more predictable, this is not to say that in some processes responsibilities could not be shared, in particular: APO02 Manage Strategy, APO04 Manage Innovation and APO08 Manage Relationships.

It is important to stress that this study is still taking its very first steps, and it takes more than qualitative studies to consolidate the findings on this topic. It will be useful to understand these findings if frameworks of digital enterprise governance emerge and determine how both roles will be addressed by the community of practitioners.

Authors’ Note

Opinions expressed in this article are the authors’ own and do not necessarily represent the views of any entity.

Endnotes
1 Friedrich, R.; P. Peladeau; K. Mueller; “Adapt, Disrupt, Transform, Disappear: The 2015 Chief Digital Officer Study,” Strategy&, 13 December 2015, https://www.strategyand.pwc.com/reports/chief-digital-officer-study
2 Rickards, T.; K. Smaje; V. Sohoni; “‘Transformer in Chief’: The New Chief Digital Officer,” McKinsey & Company, September 2015, https://www.mckinsey.com/business-functions/organization/our-insights/transformer-in-chief-the-new-chief-digital-officer
3 Horlacher, A.; T. Hess; “What Does a Chief Digital Officer Do? Managerial Tasks and Roles of a New C-Level Position in the Context of Digital Transformation,” Proceedings of the 49th Hawaii International Conference on System Sciences (HICSS), 2016, https://ieeexplore.ieee.org/document/7427821/
4 Ibid.
5 Ibid.
6 Groysberg, B.; L. K. Kelly; B. MacDonald, “The New Path to the C-Suite,” Harvard Business Review, March 2011, https://hbr.org/2011/03/the-new-path-to-the-c-suite
7 Ibid.
8 Westerman, G.; “Should your CIO Be Chief Digital Officer?” Harvard Business Review, 2 August 2013, https://hbr.org/2013/08/should-your-cio-be-chief-digit
9 Op cit Horlacher and Hess
10 Haffke, I.; B. Kalgovas; A. Benlian; “The Role of the CIO and the CDO in an Organization’s Digital Transformation,” 37th International Conference on Information Systems, Dublin, Ireland, 2016, https://www.researchgate.net/publication/311653140_The_Role_of_the_CIO_and_the_CDO_in_an_Organization’s_Digital_Transformation
11 CapGemini Consulting, “Governance: A Central Component of Successful Digital Transformation,” 2012, https://www.capgemini.com/wp-content/uploads/2017/07/Governance__A_Central_Component_of_Successful_Digital_Transformation.pdf
12 Hoogervorst, J.; “On the Realization of Strategic Success—A Paradigm Shift Needed: Enterprise Governance and Enterprise Engineering as Essential Concepts,” 2012, www.ciaonetwork.org/uploads/eewc2012/industry_track/Jan%20Hoogervorst%20-%20On%20the%20Realization%20of%20Strategic%20Success.pdf
13 Pries-Heje, J.; R. Baskerville; J. Venable; “Strategies for Design Science Research Evaluation,” European Conference on Information Systems, 2008, https://pdfs.semanticscholar.org/e203/0059956910d434e634e43271543dbc98da28.pdf
14 Op cit Horlacher and Hess

FEATURE

A Heightened Sense of Awareness
What the Internal Auditor Should Know About Information Security Awareness Training

According to the US National Institute of Standards and Technology (NIST), each individual in an organization who owns, uses, relies on, or manages information and information systems must fully understand his or her specific security responsibilities. 1

One of the most important tools an organization has (or should have) to reach that state of readiness is an information security awareness training program.

Even though internal auditors may not be performing an audit of the security awareness training program specifically, they should be familiar with the elements of a good awareness program regardless of the business area at which they are looking. If there are issues in a security-related area, awareness training may be one place they can look to provide recommendations.

The key characteristics of an information security awareness training program that an internal auditor should be aware of include the extent to which the program is supported by management, the content of the training itself, how that training is delivered and how the organization measures success for the program.

Management Support

A successful information security awareness training program must have the support of senior management for the obvious reason that it requires the commitment of resources (money and employee hours). Beyond that, senior management must see to it that:
• The program content and delivery are well suited to the needs of the organization.
• The training is understood and retained well enough to influence employee behavior.
• The organization receives value from the program in terms of mitigating security risk.

Finally, and perhaps most important, senior management should reinforce the awareness training by setting a good top-down example in their behaviors and attitudes. “The critical success factor [for an information security awareness program] is

Wade Cassels, CISA, CFE, CIA, CRMA Is a senior IT auditor at Nielsen. He supports Nielsen’s IT general controls external audit engagement and the audit reporting and communications functions for Nielsen Internal Audit.

Kevin Alvero, CFE Is senior vice president of internal audit at Nielsen. He leads Nielsen’s global internal quality audit program and its industry standards compliance initiatives, spanning the company’s television, digital, and consumer products and services.

Randy Pierson, CISA Is a senior IT auditor at Nielsen and has worked in the media and entertainment industry since 2011. Before joining Nielsen, he worked as an auditor with Ernst & young, where he served organizations across the media industry, including television, Internet and mobile audience research. Pierson also served as compliance officer for the digital media company Pixalate.

ISACA JOURNAL VOL 6 49 or third party) can cater to that risk. The internal auditor should also be aware if his or her IN THE CAT-AND-MOUSE GAME OF organization is practicing sound vendor risk management practices. As one author noted, PROTECTING ORGANIzATIONAL ASSETS, “Companies must perform [due diligence] on any SECURITy THREATS ARE CONSTANTLy organization they consider to provide outsourced 3 EVOLVING, SO SECURITy AWARENESS online training to employees.” TRAINING IS NEVER DONE. From a content perspective, good training should consist of real-world examples that are relatable to the trainees’ everyday work. It should also include how well top management acts as role models for real-world case studies that help to reinforce the its employees,” writes V. J. Srinvas in a recent reality that security breaches do happen and ISACA Now blog post. “Their actions will influence demonstrate how the organization can be and enhance policy compliance and awareness impacted. levels among employees.” 2 Finally, awareness training must be compliant with Content any relevant standards or regulations (such as the US Federal Information Security Management Act The most important aspect of good security [FISMA]), based on the organization’s geography, awareness training content is making sure it is industry type, etc. customized to the audience based on their job area, role and user level. It would not be productive, in fact, it would be counterproductive, to teach general Format/Delivery staff about security threats and policies/processes In the cat-and-mouse game of protecting that are specific to technical users, such as organizational assets, security threats are constantly programmers or personnel who maintain system evolving, so security awareness training is never architecture. In addition to the obvious benefit of done. It should be performed on a routine basis and aiding retention, keeping training at an appropriate updated regularly. 
Generally, trainees are better able technical level also helps to ensure that knowledge to understand and retain smaller amounts of of more complex and technical security processes information presented in regular increments. is limited in its exposure to those who need to know. However, it is important to provide all trainees The training should also come from a variety of enough visibility to understand how their everyday different delivery methods. An article published by roles fit into the big picture of the organization’s the SANS Institute says, overall security risk management. All users should One of the best ways to make sure understand, for example, not just that they are company employees will not make costly required to update their password(s) regularly, but errors in regard to information security is to they should also be able to articulate how password institute company-wide security-awareness protocols help protect them and the organization. training initiatives that include, but are not limited to classroom style training sessions, Even though security awareness training is often security awareness website(s), helpful hints provided by a third-party vendor, it is important that via e-mail, or even posters. These methods multiple areas of the organization contribute to the can help ensure employees have a solid development of the training content to ensure that understanding of company security policy, the content is well suited to the organization’s procedure and best practices. 4 needs and the risk environment in which it operates. 
Input related to content should not only come from In-person classroom training, which may be the places such as security, IT, information security and most resource intensive and, therefore, the least legal, but also from operational leaders who can frequent, can be complemented by more frequent provide insight into how general users interact with online training (modules or live virtual sessions) and security risk/threats in the course of their day-to-day by even more frequent email or newsletter duties so that the training provider (whether internal

50 ISACA JOURNAL VOL 6 communications. Using these different types of For example, if having an awareness program is a delivery methods in concert allows organizations to matter of compliance, then avoiding the costs of Enjoying control costs, disseminate information with agility noncompliance (i.e., fines, reputational damage) this article? and achieve understanding by different types of obviously contributes to ROI. Meanwhile, if the learners. Incorporating user communities also gives estimated financial impact of an event (e.g., a • Read Firmware employees access to support for questions or particular information security breach) is known Security Risks issues as they arise. based on the organization’s risk assessment and Mitigation . process, then a change in the organization’s level of www.isaca.org/ Regardless of the delivery type, there should be some susceptibility (i.e., likelihood), which can be firmware interactive element to the training. Interactivity helps measured, can provide management with an idea of • Learn more to ensure participation and promote retention. Online the return they are getting from awareness training. about, discuss modules may have pop-up quizzes or other checks and collaborate for understanding, for example. In live classroom or The key is having the measurements in place on on audit and live virtual training, attendees should have the which to base ROI calculations prior to implementing assurance in opportunity to ask questions. the training. As one expert notes, “If you have a ISACA’s Online concrete (or at least evidence-based) way to track Forums. susceptibility, measuring ROI is simple.” 5 Measurement https://engage A good security awareness program must have .isaca.org/online metrics that help management make informed forums judgments about its effectiveness. Generally, these metrics fall into three main categories: A GOOD SECURITy

• Participation —Are the right people receiving the AWARENESS PROGRAM training when needed? This is the easiest part of MUST HAVE METRICS THAT the program to measure and, although participation alone is not sufficient to judge HELP MANAGEMENT MAKE success, it is, nevertheless, important to track. INFORMED JUDGMENTS • Retention —Are trainees understanding the ABOUT ITS material that is being taught? Not only is this important to capture on a session-by-session EFFECTIVENESS. basis, but tracking this information over time will help management and vendors make incremental improvements to the content and structure of the awareness training program. Maturity

• Compliance —Are employees carrying the In 2016, SANS introduced the Security Awareness knowledge forward into their roles? There are a Maturity Model ( figure 1 ). The internal auditor number of ways organizations can measure if should understand where on the spectrum his or awareness training is affecting employee behavior, her organization falls, but, perhaps more important, including incident tracking and review, penetration the internal auditor should determine whether or not testing (i.e., hacking, phishing, social engineering), a maturity model is being utilized by management and internal audits of adherence to policies such as to guide the content, frequency, delivery and data retention, password and off-boarding measurement of the security awareness training 6 protocols. program over time. Per the SANS website, the spectrum of maturity levels are defined as follows:

However, using these measurements to make an • Nonexistent —Program does not exist. Employees assessment about the value of the training program have no idea that they are a target, that their to the organization—its return on investment (ROI)— actions have a direct impact on the security of can be one of the more challenging aspects of the organization, do not know or understand managing the program. For the internal auditor, who organization policies, and easily fall victim to is conditioned to think of risk in terms of likelihood attacks. and impact, it is helpful to consider whether the training program is mitigating either, or both.

Figure 1—Security Awareness Maturity Model (stages, from lowest to highest: Nonexistent; Compliance Focused; Promoting Awareness and Behavior Change; Long-Term Sustainment and Culture Change; Metrics Framework)

Source: SANS, “Defining the Security Awareness Maturity Model,” Security Awareness blog, 8 March 2016, https://www.sans.org/security-awareness-training/blog/defining-security-awareness-maturity-model. Reprinted with permission.

• Compliance focused—Program is designed primarily to meet specific compliance or audit requirements. Training is limited to annual or ad hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.
• Promoting awareness and behavior change—Program identifies the training topics that have the greatest impact in supporting the organization’s mission and focuses on those key topics. Program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavior change at work, home and while traveling. As a result, people understand and follow organization policies and actively recognize, prevent and report incidents. Behavior can begin to be changed in as early as several weeks, depending on the behavior being targeted.
• Long-term sustainment and culture change—Program has the processes, resources and leadership support in place for a long-term life cycle, including, at a minimum, an annual review and update of the program. As a result, the program is an established part of the organization’s culture and is current and engaging. It takes a minimum of 3-5 years to effectively change culture.
• Metrics framework—Program has a robust metrics framework to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. This stage does not imply metrics are not part of every stage (they are). This stage reinforces that to truly have a mature program, it must have metrics to demonstrate success.

Conclusion

For an organization’s employees to react appropriately to the security threats they encounter and to avoid unknowingly becoming a security threat themselves, they must receive regular, relevant and engaging information security awareness training. That is why the internal auditor should be able to recognize and articulate the elements (or missing elements, as the case may be) of an effective security awareness training program that delivers value to the organization.

Endnotes

1 Klein, P.; P. Toth; A Role-Based Model for Federal Information Technology/Cybersecurity Training, 2013, https://csrc.nist.gov/csrc/media/publications/sp/800-16/rev-1/draft/documents/draft_sp800_16_rev1_2nd-draft.pdf
2 Srinivas, V. J.; “How to Make Information Security Awareness Relevant,” ISACA Now blog, www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=711
3 Kroll, K.; “Kicking the Tires on Third-Party Online Training Offerings,” Compliance Week, 9 September 2014, https://www.complianceweek.com/news/news-article/kicking-the-tires-on-third-party-online-training-offerings#.WyQGkjQvzIU
4 Brodie, C.; The Importance of Security Awareness Training, SANS, 2008, https://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013
5 Dowd, J.; “How to Calculate ROI for Security Awareness Training,” The PhishLabs Blog, 22 November 2016, https://info.phishlabs.com/blog/how-to-calculate-roi-for-security-awareness-training
6 SANS, “Defining the Security Awareness Maturity Model,” 8 March 2016, https://www.sans.org/security-awareness-training/blog/defining-security-awareness-maturity-model
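The Measurement section above lists three metric categories (participation, retention, compliance) and frames ROI as a known event impact scaled by a measured change in susceptibility. The following is an added example, not code from the article or its authors, that computes those metrics over constructed training and phishing-simulation records; the impact, likelihood and program-cost figures are assumptions.

```python
"""Awareness program metrics: participation, retention, compliance (behavior)
and a susceptibility-based ROI estimate. Added example; every record below is
constructed sample data and the money figures are assumptions."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrainingRecord:
    user: str
    role: str                    # job area the content was targeted at
    completed: bool
    quiz_score: Optional[float]  # fraction correct on the check for understanding


@dataclass
class PhishSimResult:
    user: str
    period: str      # "before" or "after" the training cycle
    clicked: bool    # followed the simulated phishing link
    reported: bool   # reported the message to security


# Constructed sample data: six users across two job areas.
RECORDS = [
    TrainingRecord("alice", "general", True, 0.90),
    TrainingRecord("bob", "general", True, 0.60),
    TrainingRecord("carol", "general", False, None),
    TrainingRecord("dave", "developer", True, 0.85),
    TrainingRecord("erin", "developer", True, 0.95),
    TrainingRecord("frank", "developer", False, None),
]

PHISH_RESULTS = [
    PhishSimResult("alice", "before", True, False),
    PhishSimResult("bob", "before", True, False),
    PhishSimResult("carol", "before", True, False),
    PhishSimResult("dave", "before", False, True),
    PhishSimResult("erin", "before", False, False),
    PhishSimResult("frank", "before", True, False),
    PhishSimResult("alice", "after", False, True),
    PhishSimResult("bob", "after", True, False),
    PhishSimResult("carol", "after", True, False),
    PhishSimResult("dave", "after", False, True),
    PhishSimResult("erin", "after", False, True),
    PhishSimResult("frank", "after", False, False),
]


def participation(records, required_roles):
    """Participation: share of users in each required role who completed training."""
    totals, done = defaultdict(int), defaultdict(int)
    for r in records:
        if r.role in required_roles:
            totals[r.role] += 1
            done[r.role] += int(r.completed)
    # A role with nobody enrolled reports 0.0 so the gap stays visible.
    return {role: done[role] / totals[role] if totals[role] else 0.0 for role in required_roles}


def retention(records, pass_mark=0.8):
    """Retention: share of completers whose check-for-understanding score met the pass mark."""
    scored = [r.quiz_score for r in records if r.completed and r.quiz_score is not None]
    return sum(s >= pass_mark for s in scored) / len(scored) if scored else 0.0


def susceptibility(results, period):
    """Compliance/behavior: click rate in the phishing simulation for one period."""
    rows = [x for x in results if x.period == period]
    return sum(x.clicked for x in rows) / len(rows) if rows else 0.0


def awareness_roi(impact, annual_likelihood_before, sus_before, sus_after, program_cost):
    """ROI as the article frames it: the event's impact is known from the risk
    assessment, and the measured change in susceptibility scales its likelihood."""
    if sus_before == 0:
        raise ValueError("no baseline susceptibility measured before training")
    likelihood_after = annual_likelihood_before * (sus_after / sus_before)
    benefit = impact * annual_likelihood_before - impact * likelihood_after  # drop in ALE
    return (benefit - program_cost) / program_cost


def program_report(records=RECORDS, results=PHISH_RESULTS):
    """Assemble the three metric categories plus ROI (impact and cost are assumed)."""
    before, after = susceptibility(results, "before"), susceptibility(results, "after")
    return {
        "participation": participation(records, {"general", "developer"}),
        "retention": retention(records),
        "click_rate_before": before,
        "click_rate_after": after,
        # Assumed figures: 200,000 impact, 30% annual likelihood, 15,000 program cost.
        "roi": awareness_roi(200_000, 0.30, before, after, 15_000),
    }
```

With the sample data the click rate halves after training, so the annualized loss expectancy halves and the assumed program cost is recovered once over (ROI of 1.0); the baseline measurement taken before training is what makes that calculation possible.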


TOOLS

Skill Acquisition in a Rapidly Evolving Workplace

Robin Lyons, CISA, CIA Is a technical research manager in ISACA’s Knowledge and Research department. In that role, she contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. She partners with Learning Solutions as a subject matter expert on audit and CSX-related projects. She also writes audit programs, narratives and blogs, as well as leads projects when any of these functions are co-sourced with external resources. Prior to joining ISACA®, Lyons was a Payment Card Industry (PCI) subject matter expert for a Fortune 200 corporation and the internal audit director for an institution of higher education.

The cybersecurity skills gap has been on the surface of employers’ awareness for several years. The ability to meet security objectives given the skills gap is compounded by the moving target created by evolution in the workplace. While factors such as age or gender definitely contribute to the changing workplace, it is the rapid pace of evolution related to new technology that captures the attention of technologists looking to future proof their careers. As organizations adopt new technologies, a gap is created between the new skills required of security personnel and IT audit staff and the skills these practitioners hold.

In ISACA’s State of Cybersecurity 2018: Workforce Development1 survey, respondents indicated that the greatest hiring demand is expected at the technical security level for individual contributors, not the management or executive level2 (figure 1). Of those responding, 77 percent indicated increased staffing needed at this level compared to 76 percent reporting no additional staffing required at the executive or C-suite level.

One of the key enterprise takeaways cited by the report is that “the increasing need for skilled security personnel validates investment in existing staff, including education, training, skill development and certification, particularly in technically relevant areas.”3 In looking to the future, a potential bottleneck in upward mobility may exist for those entering the field now. This could be attributable to increased competition for those higher-level positions as a larger group of practitioners seeks that next career progression. Also, trends toward automation may play a role in that potential bottleneck.4 So, those practitioners looking to future proof their careers may explore the following options.

Figure 1—Hiring Demand Organizational Level

In 2018, for which of these levels do you see the hiring demand increasing, decreasing or remaining the same?

Level                                           Increased staff needed   No change in staff needed   Decreased staff needed
Individual contributor, technical security      77%                      21%                         2%
Individual contributor, nontechnical security   46%                      50%                         4%
Security manager                                39%                      58%                         3%
Senior manager or director of security          26%                      70%                         4%
Executive or C-suite security (e.g., CISO)      21%                      76%                         3%

Balance Interpersonal Skills With Technical Skills

If technologists include acquisition or enhancement of interpersonal skills as part of their career planning, inclusion is more likely to be incidental rather than a skill set that is intentionally developed. After all, people tend to believe that they work collaboratively with others. Given workforce diversity in age, gender, national origin, technical background and other factors, collaboration is indeed a critical interpersonal skill; however, it is not the only interpersonal skill required to future proof a career in technology. Balancing interpersonal skills with their technical skills will serve technologists in their current roles and continue to serve them as their careers progress.

Key Skill Acquisition

Although the greatest hiring demands are at the executive or C-suite level now, practitioners who aspire to positions at those levels should develop public speaking skills. At the executive level and beyond, speaking at board meetings and to internal and external audiences is expected. Public speaking skills can be learned through any number of groups dedicated to that skill and honed by volunteering to speak at meetings of professional associations such as ISACA®.

Strategically Develop Skills That Can Be Objectively Demonstrated

Given the rapid pace at which new technologies are adopted, it is impractical to be an expert in all things IT. As a result, the technologist benefits from taking a tactical approach to skill development. In their current positions, technologists should ensure alignment of technical skills with their organizations’ strategic objectives. For example, if an organization has adopted a hybrid cloud strategy, a technologist should have a solid understanding of capabilities and challenges of public cloud vs. on-premise cloud solutions. Enhancing knowledge through selected readings or online tutorials may be ways to develop skills for these scenarios. Depending on the technologist’s role, that may be sufficient.

Should the technologist want to be viewed as a subject matter expert by the organization, however, objective demonstration of skills may be a better path to take. Objectively demonstrating a skill can be achieved through practical work experience in the subject area. Alternatively, objective demonstration of skills can be shown through certifications; a certification demonstrates a skill set whereas a one-off course demonstrates proficiency. Practitioners should ensure that the certifications pursued are recognized and appreciated in their industries as well as by their organizations.

Having identified ways to develop skills in an evolving workplace, practitioners should leverage their organizations’ existing platforms to document their skills. It is not uncommon for organizations’ human resources departments to maintain profiles of their employees. The purpose of these platforms is to be informed as employees develop educationally by attaining degrees or expand their skills through new certifications. The idea is that as new internal opportunities requiring these degrees or skills arise, employees will be considered for those new opportunities.

Key Skill Acquisition

Ensure that skills can be objectively demonstrated.

Build and Maintain Partnerships Around Emerging Technologies

Leveraging participation in professional organizations and e-publications from groups that report on emerging technologies are ways for practitioners to learn about new technologies. Awareness of new technologies is critical as it allows practitioners to consider if there is a suitable fit for the technology in their organizations. If so, the practitioner has lead time to consider any challenges should the technology be considered and develop possible solutions to those challenges. Similar to monitoring emerging technologies, practitioners should develop a way to monitor pending compliance requirements. Developing an understanding of those requirements enables the technologist to analyze how existing technology and new technology can support new compliance requirements.

Key Skill Acquisition

Have a plan to ensure awareness of new technologies as they emerge.

Conclusion

The rapid pace of change in the workplace makes this an exciting time to be an IT practitioner. The need to acquire new skills at a fast pace adds an element of challenge to the excitement. Armed with a tactical plan to align skill development with their organization’s strategic objectives, to remain cognizant of the importance of interpersonal skills, and to leverage internal and external professional relationships to monitor emerging technologies, practitioners can meet the challenge of developing skills that keep pace in rapidly changing environments.

Endnotes

1 ISACA®, State of Cybersecurity 2018: Workforce Development, USA, 2018, https://cybersecurity.isaca.org/state-of-cybersecurity
2 Ibid., p. 10
3 Ibid., p. 11
4 Ibid., p. 10

CROSSWORD PUZZLE

by Myles Mellor www.themecrosswords.com

Across

1. Model that replaced the centralized (mainframe) model
6. Customer care system, abbr.
8. Institute that monitors standards and technology, abbr.
9. The N in NGFW
10. ______ware, unnecessarily added software
12. Meeting lists
13. Jotted down
16. German software company
18. Oversimplifies, 2 words
20. Tech experts
21. Back when
22. Sectioned
24. Tear into pieces (2 words)
25. Historical period
27. ______source
28. Formal and explicit approval
33. Video device, for short
34. Credit card company
35. Security model in which all resources of a network are accessed securely. 2 words
38. Core belief
39. Unit of force
40. Outlook recommended by futurist Mark Stevenson

Down

1. The D in DoS attacks
2. Organized sets of principles
3. Complaints
4. Magnate
5. Forum activities
6. The Internet of remote servers used for storage, 2 words
7. School near Harvard, abbr.
11. Changed to survive in different conditions
14. One who plots bad stuff
15. Extremely popular
17. Goal
18. Statistic
19. Presides over a debate
22. Sleeps at the switch, perhaps
23. One thousand dollars, in slang
24. Computer memory
26. What Blackberry started as
29. IBM products
30. States
31. Do not waste
32. Numerical piece of data, abbr.
36. Brazilian city
37. Einstein’s birthplace
38. Moral strength in Confucianism

Answers on page 58

CPE QUIZ #181

Take the quiz online.

https://bit.ly/2IDVeUM

Based on Volume 4, 2018—Economics of Technology Value—1 Hour of CISA/CRISC/CISM/CGEIT Continuing Professional Education (CPE) Credit

TRUE/FALSE

PEARCE ARTICLE

1. ISACA’s IT portfolio management paradigm focuses on return on investment, but does not consider the mix of types of technology in which investment may be made.
2. One method users may find helpful to visualize IT investment variability and the risk of failure is the Monte Carlo simulation.
3. The IT investments known as “cash cows” are those that provide higher returns than they should for the risk they bear.

TAMMINEEDI ARTICLE

4. According to COBIT® 5 for Risk, key performance indicators (KPIs) are metrics capable of showing that the enterprise is, or has a high probability of being, subject to a risk that exceeds the defined risk appetite.
5. In the three-lines-of-defense model, the second line of defense is an independent corporate risk function.
6. In developing a risk register, many inputs need to be considered, including corporate objectives and policies defined by senior management and authoritative sources and standards.

BRUNSWICK ARTICLE

7. A robust and well-designed managed file transfer (MFT) program and integrated platform can be useful to any organization involved in data movement, which makes it especially helpful for enterprises that must comply with the EU’s General Data Protection Regulation (GDPR).
8. Organizations may not have to exert quite as much effort as expected to remain compliant with GDPR because only a few selected actions taken on data are technically considered “processing” and, therefore, subject to its regulations.
9. GDPR’s Article 30 specifies that records of processing activities must be maintained, noting specifically the type of data processed, but not the purpose for which the data are used.

ZONGO ARTICLE

10. Blockchains are distributed across many participants in the network, but this decentralized approach is backed up by use of a centralized repository.
11. Regulators are beginning to address the lack of global laws to govern digital currencies and initial coin offerings (ICOs). This is a difficult task because ICOs can attract participants from around the world, raising the possibility of possible conflicts of laws across jurisdictions.
12. Because ICOs lack historical performance data or credible cash-flow predictions, investors will find it difficult to benchmark ICO valuations.
13. Blockchain is just one of many recent examples of an emerging technology. While many organizations feel pressured to stay ahead of technological advances, they need not feel quite so driven because research reported in the Harvard Business Review indicates that organizations that neglect digital innovation show no effects on their revenues and earnings.

HO ARTICLE

14. Placing cybersecurity within information security, organizationally speaking, can help eliminate duplication of activities, whereas structuring them as equal counterparts may result in overlap of responsibilities.
15. The key to making the lines-of-defense model effective is to ensure that the lines remain truly separate, not sharing reports or results between or among them.

SERRES ARTICLE

16. The knowledge, skill and experience of the information security staff are the primary factors on which organizations base their security technology acquisitions.
17. Risk management must be embedded in cybersecurity decisions to ensure that risk, rather than solely technological criteria, guides those decisions.

ONAL ARTICLE

18. The use of the word “holistic” in the article’s definition of the term “data governance” makes it clear that data governance applies to all data within the organization, including data originating from outside sources.
19. Solvency II and International Financial Reporting Standards (IFRS) are data-focused regulations that apply only to the insurance industry.
20. The Capital Markets Board of Turkey’s Communiqués on Information Systems Management and Independent Audit requires certification of compliance with International Organization for Standardization (ISO) standards.

CPE QUIZ #181 THE ANSWER FORM

Based on Volume 4, 2018

TRUE OR FALSE

Please confirm with other designation-granting professional bodies for their CPE qualification acceptance criteria. Quizzes may be submitted for grading only by current Journal subscribers. An electronic version of the quiz is available at www.isaca.org/cpequiz; it is graded online and is available to all interested parties. If choosing to submit using this print copy, please email, fax or mail your answers for grading. Return your answers and contact information to ISACA Support or by fax to +1.847.253.1755. If you prefer to mail your quiz, in the US, send your CPE Quiz along with a stamped, self-addressed envelope, to ISACA International Headquarters, 1700 E. Golf Rd., Suite 400, Schaumburg, IL 60173 USA. Outside the US, ISACA will pay the postage to return your graded quiz. You need only to include an envelope with your address. You will be responsible for submitting your credit hours at year-end for CPE credits. A passing score of 75 percent will earn one hour of CISA, CRISC, CISM or CGEIT CPE credit.

Answers: Crossword by Myles Mellor

See page 56 for the puzzle.

Across: 1 DISTRIBUTED; 6 CRM; 8 NIST; 9 NEXT; 10 BLOAT; 12 AGENDAS; 13 NOTED; 16 SAP; 18 DUMBSDOWN; 20 IT; 21 AGO; 22 SEGMENTED; 24 RIPUP; 25 ERA; 27 OPEN; 28 IMPRIMATUR; 33 CAM; 34 VISA; 35 ZEROTRUST; 38 TENET; 39 ERG; 40 OPTIMISM

Down: 1 DENIAL (the remaining down answers are not legible in the source grid)


STANDARDS, GUIDELINES, TOOLS AND TECHNIQUES

ISACA Member and Certification Holder Compliance

The specialized nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing. They report and inform:

• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IS Audit and Assurance Standards

The standards are divided into three categories:

• General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.

General
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-Up Activities

IS Audit and Assurance Guidelines

The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):

• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-Up Activities

IS Audit and Assurance Tools and Techniques

These documents provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programs, reference books and the COBIT® 5 family of products. Tools and techniques are listed under www.isaca.org/itaf.

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Please note that the guidelines are effective 1 September 2014.

Prior to issuing any new standard or guideline, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director, Content Strategy, via email ([email protected]); fax (+1.847.253.1755) or postal mail (ISACA International Headquarters, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at www.isaca.org/standards.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IS environment.

ISACA JOURNAL VOL 6

ISACA® Journal, formerly Information Systems Control Journal, is published by the Information Systems Audit and Control Association® (ISACA®), a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of the Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2018 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC) (www.copyright.com), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1944-1967), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

ISSN 1944-1967

Subscription Rates:
US: one year (6 issues) $80
All international orders: one year (6 issues) $95
Remittance must be made in US funds.

ADVERTISERS/WEBSITES
SCCE www.EuropeanComplianceEthicsInstitute.org

Leaders and Supporters

Editor: Jennifer Hajigeorgiou, [email protected]
Managing Editor: Maurita Jasper
Assistant Editor: Safia Kazi
Contributing Editors: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Ian Cooke, CISA, CRISC, CGEIT, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt; Robin Lyons, CISA, CIA; Vasant Raval, DBA, CISA; Steven J. Ross, CISA, CBCP, CISSP
Advertising: [email protected]
Media Relations: [email protected]

Reviewers: Matt Altman, CISA, CRISC, CISM, CGEIT; Sanjiv Agarwala, CISA, CISM, CGEIT, CISSP, ITIL, MBCI; Vikrant Arora, CISM, CISSP; Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP; Brian Barnier, CRISC, CGEIT; Ronald Bas, CISSP; Pascal A. Bizarro, CISA; Jerome Capirossi, CISA; Anand Choksi, CISA, CCSK, CISSP, PMP; Joyce Chua, CISA, CISM, PMP, ITILv3; Ashwin K. Chaudary, CISA, CRISC, CISM, CGEIT; Burhan Cimen, CISA, COBIT Foundation, ISO 27001 LA, ITIL, PRINCE2; Ken Doughty, CISA, CRISC, CBCP; Nikesh L. Dubey, CISA, CRISC, CISM, CISSP; Robert Findlay; John Flowers, CISA, CRISC; Jack Freund, Ph.D., CISA, CRISC, CISM, CIPP, CISSP, PMP; Sailesh Gadia, CISA; Amgad Gamal, CISA, COBIT Foundation, CEH, CHFI, CISSP, ECSA, ISO 2000 LA/LP, ISO 27000 LA, MCDBA, MCITP, MCP, MCSE, MCT, PRINCE2; Robin Generous, CISA, CPA; Tushar Gokhale, CISA, CISM, CISSP, ISO 27001 LA; Tanja Grivicic; Manish Gupta, Ph.D., CISA, CRISC, CISM, CISSP; Mike Hansen, CISA, CFE; Jeffrey Hare, CISA, CPA, CIA; Sherry G. Holland; Jocelyn Howard, CISA, CISMP, CISSP; Francisco Igual, CISA, CGEIT, CISSP; Jennifer Inserro, CISA, CISSP; Khawaja Faisal Javed, CISA, CRISC, CBCP, ISMS LA; Mohammed J. Khan, CISA, CRISC, CIPM; Farzan Kolini, GIAC; Shruti Kulkarni, CISA, CRISC, CCSK, ITIL; Bhanu Kumar; Hiu Sing (Vincent) Lam, CISA, CPIT(BA), ITIL, PMP; Edward A. Lane, CISA, CCP, PMP; Romulo Lomparte, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation, CRMA, IATCA, IRCA, ISO 27002, PMP; Larry Marks, CISA, CRISC, CGEIT; Tamer Marzouk, CISA, ABCP, CBAP; Krysten McCabe, CISA; Brian McLaughlin, CISA, CRISC, CISM, CIA, CISSP, CPA; Brian McSweeney; Irina Medvinskaya, CISM, CGEIT, FINRA, Series 99; Mike Michlowski, CISA, CRISC, CISM, CGEIT, CCSP, CFE, CIA, CIPM, CIPP/G, CIPP/US, CIPT, CISSP, CRMA; David Earl Mills, CISA, CRISC, CGEIT, MCSE; Robert Moeller, CISA, CISSP, CPA, CSQE; David Moffatt, CISA, PCI-P; Ramu Muthiah, CISM, CRVPM, GSLC, ITIL, PMP; Ezekiel Demetrio J. Navarro, CPA, CISA, CRISC, CISM, CGEIT, CISSP; Jonathan Neel, CISA; Jacky Y. K. Ng, EngD, CISM, COBIT Assessor, CEng, CMgr, ISO/IEC 27001 LA, MCMI, MIET; Nnamdi Nwosu, CISA, CRISC, CISM, CGEIT, PfMP, PMP; Ganiyu Babatunde Oladimeji, CISA, CRISC, CISM; Anas Olateju Oyewole, CISA, CRISC, CISM, CISSP, CSOE, ITIL; David Paula, CISA, CRISC, CISSP, PMP; Pak Lok Poon, Ph.D., CISA, CSQA, MIEEE; John Pouey, CISA, CRISC, CISM, CIA; Steve Primost, CISM; Parvathi Ramesh, CISA, CA; Antonio Ramos Garcia, CISA, CRISC, CISM, CDPP, ITIL; Sheri L. Rawlings, CGEIT; Ron Roy, CISA, CRP; Louisa Saunier, CISSP, PMP, Six Sigma Green Belt; Daniel Schindler, CISA, CIA; Sandeep Sharma, CISA, BEPM, CQI, EFQM, IRCA, ISO 27000 LA, ITIL, MCP(BI), MLE, MSP, OSCJP, PRINCE2; Catherine Stevens, ITIL; Johannes Tekle, CISA, CFSA, CIA; Nancy Thompson, CISA, CISM, CGEIT, PMP; Smita Totade, Ph.D., CISA, CRISC, CISM, CGEIT; Jose Urbaez, CISA, CRISC, CISM, CGEIT, CSXF, ITIL; Ilija Vadjon, CISA; Sadir Vanderloot Sr., CISA, CISM, CCNA, CCSA, NCSA; Rajat Ravinder Varuni, CEH, DOP, DVA, GPEN, SAA, SAP, SCS, SOA; Varun Vohra, CISA, CISM; Manoj Wadhwa, CISA, CISM, CISSP, ISO 27000, SABSA; Kevin Wegryn, PMP, Security+, PfMP; Tashi Williamson; Ellis Wong, CISA, CRISC, CFE, CISSP

ISACA Board of Directors (2018-2019)

Chair: Rob Clyde, CISM
Vice-chair: Brennan Baybeck, CISA, CRISC, CISM, CISSP
Director: Tracey Dedrick
Director: Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP
Director: R. V. Raghu, CISA, CRISC
Director: Gabriela Reynaga, CISA, CRISC, COBIT Foundation, GRCP
Director: Gregory Touhill, CISM, CISSP, Brigadier General United States Air Force (ret.)
Director: Theodore Wolff, CISA
Director: Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT Assessor, CIA, CRMA
Director and Chief Executive Officer: Matthew S. Loeb, CGEIT, CAE, FASAE
Director and ISACA Board Chair 2017-2018: Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA
Director and ISACA Board Chair 2015-2017: Chris Dimitriadis, Ph.D., CISA, CRISC, CISM
Director and ISACA Board Chair 2014-2015: Robert E Stroud, CRISC, CGEIT (1963-2018)

ISACA is deeply saddened by the passing of Robert E Stroud on Monday, 3 September 2018.

ISACA BOOKSTORE RESOURCES FOR YOUR PROFESSIONAL DEVELOPMENT

CISA, CRISC, CISM and CGEIT Review Manuals Are Available as eBooks! Get the training you need. Prepare to obtain your CISA, CRISC, CISM or CGEIT certification and be recognized among the world’s most-qualified information systems professionals. ISACA’s Online Review Courses provide internet accessible, on-demand instruction and are ideal for preparing you and fellow audit, assurance, control, security and cybersecurity professionals for ISACA’s certification exams.

VISIT ISACA.ORG/EXAMONLINEREVIEW TO LEARN MORE.

BROWSE A VARIETY OF PUBLICATIONS FEATURING THE LATEST RESEARCH AND EXPERT THINKING ON STANDARDS, BEST PRACTICES, EMERGING TRENDS AND MORE AT ISACA.ORG/BOOKSTORE

FEATURED PUBLICATIONS

CISA® Review Manual, 26th Edition

The CISA Review Manual 26th Edition is a comprehensive reference guide designed to help individuals prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor. The manual has been revised according to the 2016 CISA Job Practice and represents the most current, comprehensive, peer-reviewed IS audit, assurance, security and control resource available worldwide.

The 26th edition is organized to assist candidates in understanding essential concepts and studying the following job practice areas:
• The Process of Auditing Information Systems
• Governance and Management of IT
• Information Systems Acquisition, Development and Implementation
• Information Systems Operations, Maintenance and Service Management
• Protection of Information Assets

The CISA Review Manual 26th Edition features an easy-to-navigate format. Each of the five chapters has been divided into two sections for focused study. Section one of each chapter contains the definitions and objectives for the five areas, as well as the corresponding tasks performed by IS auditors and knowledge statements (required to plan, manage and perform IS audits) that are tested on the exam. It also includes:
• A map of the relationship of each task to the knowledge statements
• A reference guide for the knowledge statements, including the relevant concepts and explanations
• References to specific content in section two for each knowledge statement
• Self-assessment questions and explanations of the answers
• Suggested resources for further study

Print Product Code: CRM26ED
eBook Product Code: EPUB_CRM26ED
Member Price: $105.00
Non-member Price: $135.00
Print book available in Chinese, French, Italian, Japanese and Spanish.

CISA® Review Questions, Answers & Explanations Manual, 11th Edition

CISA Review Questions, Answers & Explanations Manual 11th Edition consists of 1,000 multiple-choice study questions that have previously appeared in the CISA Review Questions, Answers & Explanations Manual 2015 and the CISA Review Questions, Answers & Explanations Manual 2015 Supplement. The manual has been updated according to the newly revised 2016 Job Practice.

Many questions have been revised or completely rewritten to be more representative of the CISA exam question format and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items but are intended to provide CISA candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

To assist candidates in maximizing study efforts, questions are presented in the following two ways:
• Sorted by job practice area—Questions, answers and explanations are sorted by the CISA job practice areas. This allows the CISA candidate to refer to questions that focus on a particular area as well as to evaluate comprehension of the topics covered within each practice area.
• Scrambled as a sample 150-question exam—150 of the 1,000 questions included in the manual are selected to represent a full-length CISA exam, with questions chosen in the same percentages as the current CISA job practice areas. Candidates are urged to use this sample test to simulate an actual exam and to determine their strengths and weaknesses in order to identify areas that require further study. Answer sheets and an answer/reference key for the sample exam are also included. All sample test questions have been cross-referenced to the questions sorted by practice area, making it convenient for the user to refer back to the explanations of the correct answers.

Print Product Code: QAE11ED
Member Price: $120.00
Non-member Price: $156.00
Print book available in Chinese, Italian, Japanese, Spanish and Turkish.

ORDER ONLINE AT WWW.ISACA.ORG/BOOKSTORE

CISA® Review Questions, Answers & Explanations Database—12 Month Subscription

The CISA Review Questions, Answers & Explanations Database is a comprehensive 1,000-question pool of items that contains the questions from the CISA Review Questions, Answers & Explanations Manual 11th Edition. Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. The database is available via the web, allowing CISA candidates to log in at home, at work or anywhere they have Internet connectivity.

Database Product Code: XMXCA15-12M
Member Price: $185.00
Non-member Price: $225.00
MAC and Windows compatible.

CRISC™ Review Questions, Answers & Explanations Manual, 5th Edition

The CRISC Review Questions, Answers & Explanations Manual, 5th Edition has been expanded and updated to include even more practice questions. This study aid is designed to familiarize candidates with the question types and topics featured in the CRISC exam with the use of 550 questions.

Many questions have been revised or completely rewritten to be more representative of the current CRISC exam question format, and/or to provide further clarity or explanation of the correct answer. These questions are not actual exam items, but are intended to provide CRISC candidates with an understanding of the type and structure of questions and content that have previously appeared on the exam.

Print Product Code: CRQ5ED
Member Price: $72.00
Non-member Price: $96.00
Print book available in Chinese and Spanish.

CRISC™ Review Manual, 6th Edition

Updated with additional questions!

The CRISC Review Manual, 6th Edition is a comprehensive reference guide designed to help individuals prepare for the CRISC exam and understand IT-related business risk management roles and responsibilities. The manual has been enhanced over the past editions and represents the most current, comprehensive, peer-reviewed IT-related business risk management resource available worldwide.

The 6th edition manual is organized to assist candidates in understanding essential concepts and studying the following job practice areas:
• IT Risk Identification
• IT Risk Assessment
• Risk Response and Mitigation
• Risk and Control Monitoring and Reporting

The CRISC Review Manual 6th Edition offers an easy-to-navigate format. Each of the book’s four chapters has been divided into two sections for focused study. Section one of each chapter contains:
• Definitions and objectives for the four areas
• Task and knowledge statements
• Self-assessment questions, answers and explanations
• Suggested resources for further study

Print Product Code: CRR6ED
eBook Product Code: EPUB_CRR6ED
Member Price: $105.00
Non-member Price: $135.00
Print book available in Chinese, Japanese and Spanish.

CRISC™ Review Questions, Answers & Explanations Database—12 Month Subscription

The CRISC Practice Question Database is a comprehensive 550-question pool of items that contains the questions from the CRISC Review Questions, Answers & Explanations Manual 5th Edition. Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CRISC candidates to identify their strengths and weaknesses and focus their study efforts accordingly. The database is available via the web, allowing CRISC candidates to log in at home, at work or anywhere they have Internet connectivity.

Database Product Code: XMXCR14M-12M
Member Price: $185.00
Non-member Price: $225.00
MAC and Windows compatible.

CISM® Review Manual, 15th Edition

Updated with additional questions!

The CISM® Review Manual, 15th Edition is designed to help you prepare for the CISM® exam. This comprehensive, easy-to-navigate manual is organized into chapters that correspond to the four job practice areas covered in the CISM exam. The Manual is primarily designed as a tool for exam prep, but can also be useful as a reference manual for information security managers.

New to the 15th Edition:
• In Practice Questions help you explore the concepts in the CISM Review Manual in your own practice.
• Knowledge Checks are designed to help reinforce important concepts from the Review Manual to further enhance your learning.
• Case Studies provide real-world scenarios to help you gain a practical perspective on the Review Manual content and how it relates to the CISM’s practice.
• Comprehensive Index has been updated to make navigating the Review Manual easier and more intuitive.

The CISM Review Manual 15th Edition maintains features from previous editions including:
• Task and knowledge statements
• Self-assessment questions
• Suggested resources for further reading
• Glossary

Print Product Code: CM15ED
eBook Product Code: EPUB_CM15ED
Member: US $105.00
Non-member: US $135.00
Print product available in: Chinese, Japanese and Spanish.

CISM® Review Questions, Answers & Explanations Manual, 9th Edition

The CISM® Review Questions, Answers & Explanations Manual, 9th Edition consists of 1,000 multiple-choice study questions, answers and explanations, which are organized according to the CISM job practice domains.

The questions, answers and explanations are intended to introduce the CISM candidate to the types of questions that appear on the CISM exam. This publication is ideal to use in conjunction with the CISM Review Manual 15th Edition.

To help exam candidates maximize—and customize—their study efforts, questions are presented in the following two ways:
• Sorted by job practice area
• Scrambled as a sample exam

Product Code: CQA9ED
Member: US $120.00
Non-member: US $156.00
Print product available in: Chinese, Japanese and Spanish.

CISM® Review Questions, Answers & Explanations Database—12-Month Subscription

The CISM® Review Questions, Answers & Explanations Database is a comprehensive 1,000-question pool of items that contains the questions from the CISM Review Questions, Answers & Explanations Manual 9th Edition.

The database is available via the web, allowing our CISM candidates to log in at home, at work or anywhere they have Internet connectivity.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally, questions generated during a study session are sorted based on previous scoring history, allowing CISM candidates to identify their strengths and weaknesses and focus their study efforts accordingly.

Product Code: XMXCM15-12M
Member: US $185.00
Non-member: US $225.00
MAC and Windows compatible.

CYBERSECURITY NEXUS

21ST CENTURY CYBERSECURITY TRAINING IS HERE

LEARN, PRACTICE AND PROVE YOUR SKILLS ONLINE WITH THE CYBERSECURITY NEXUS™ (CSX) VIRTUAL CYBER ACADEMY.

The demand for professionals with technical cybersecurity skills is at an all-time high. Get the training you need, when and where you need it, with ISACA®'s Cybersecurity Nexus™ (CSX) Virtual Cyber Academy:

• Anytime, anywhere online access

• Real-world training in a live, dynamic network environment

• Comprehensive courses, hands-on practice labs, real-time assessment, and credentialing opportunities

• Learning solutions for every experience level

• Individual instructional courses and practice labs available, or save more with a full one-year subscription

TO GET STARTED, VISIT ISACA.ORG/CSX-VIRTUAL-CYBER-ACADEMY/OVERVIEW

ISACA®, the Cybersecurity Nexus™ (CSX) Mark, and ISACA’s Cybersecurity Nexus™ (CSX) products, certifications, and services are not affiliated with CSX Corporation or its subsidiaries, including CSX Transportation, Inc.

© 2018 ISACA. All rights reserved. 1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA

ISACA CERTIFIED MEANS QUALIFIED. DISTINGUISH YOURSELF WITH GLOBALLY RECOGNIZED CERTIFICATIONS

SEE WHAT’S NEXT, NOW

Information systems and technology are constantly evolving. But your way to get ahead in audit, security, cybersecurity, risk, privacy and governance remains the same: ISACA®’s globally recognized certifications. These credentials are designed for forward-thinking professionals across a variety of industries. ISACA certifications are not just any certifications, they are the ones that can get you ahead!

REGISTER NOW FOR A 2018 EXAM Choose your certification and exam prep that best suits your needs—get started today!

www.isaca.org/GetCertified-Jv6