@ISACA Volume 19, 21 September 2016

Risk of Cyber Austerity

By Jack Freund, Ph.D., CISA, CRISC, CISM

It is a universal truth that companies will never have enough money to pursue all of the strategies they would like. Understanding this is key to incorporating risk-based thinking in daily security tasks. Any time you have to shorten a list of things you care about down from everything to something less, you are employing a risk-based approach. For which employees should we be monitoring daily activities? Which systems should be patched first? From which systems should we be getting detailed logs? For each of the previous questions, “all of them” is the preferred answer, but that kind of absolutism is rarely practical.

This kind of reasoning is difficult enough in times of plenty, but when your company is going through cutbacks, it becomes critical. In times of austerity, you may find yourself contemplating cutting critical security services. Even security cannot avoid cutbacks when the belt tightening begins. So how do you decide what to reduce, what to delay and what to stop?

You can utilize this high-level process for triaging the risk associated with divesting from critical security processes and services:

  1. List your options—This is best done with a service catalog. If you do not have one, you should make one. Fundamentally, what are the things that the security team provides to the organization? The answer to this question will form the basis of the service catalog. A typical listing includes services such as monitoring, awareness, training, risk assessments and incident response. Depending on the size of the organization, it might be helpful to break these down into sub-services. Incident response, for instance, might break down into insiders and external.
  2. Monetize the options—Each of the items listed has people and technologies associated with them. Figure out what they are. (The finance department is a great help here.) Now the cost for the organization to provide these services is known.
  3. Assess risk—Determine the risk associated with these services in their current state. Consider the maturity of the services, how well staffed they are and the state of their technologies. As this is a financial exercise, it is necessary to use a quantitative risk model that reports risk in terms of frequency and magnitude of loss. This will establish the baseline (current state) associated with these services.
  4. Prioritize—Rank order the cuts necessary to meet the budgetary goals. Apply good management judgment about where to cut back, stop and delay. It is short and easy to write here, but this will be a very difficult undertaking.
  5. Assess residual risk—Perform a residual risk assessment on how much increased risk the organization will be shouldering by making these cuts.

Utilizing this process will give you sure footing when asserting to management that making the cuts necessary to achieve the budgetary goals will increase risk. Not only will you be able to say that, but you will also be able to articulate that the cuts will result in additional financial losses over an expected timeline. This incorporates security into the budgeting debate by measuring the impacts of cutbacks using the same scale the company is using elsewhere. For instance, if there is a decision to reduce overseas investments, somewhere there is a projection as to what that will cost in terms of money saved and future profits forsaken. Using this method will allow security to keep pace with those discussions by illustrating present-day savings and potential losses in the future.
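As an added illustration of steps 2 through 5 (this is not the author's model, and the service catalog, savings and loss figures are all constructed), the following Python ranks candidate cuts by their annual savings net of the expected loss they add, using loss frequency times loss magnitude as the risk measure, and projects both totals over a three-year horizon:

```python
"""Added illustration of steps 2-5 above (not the author's model; all figures are constructed).
Risk = loss event frequency x loss magnitude (annualized loss expectancy, ALE); each candidate
cut is assumed to scale one service's frequency and/or magnitude, independently of other cuts."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    loss_frequency: float  # expected loss events per year, current state (step 3)
    loss_magnitude: float  # expected loss per event, current state (step 3)

@dataclass(frozen=True)
class Cut:
    service: str
    savings: float           # annual people + technology cost avoided (step 2)
    frequency_factor: float  # multiplier on loss frequency once the cut is made
    magnitude_factor: float  # multiplier on loss magnitude once the cut is made

# Constructed service catalog (step 1) and the candidate cuts to be ranked (step 4).
CATALOG = [
    Service("monitoring", 2.0, 250_000),
    Service("awareness training", 4.0, 20_000),
    Service("risk assessments", 0.5, 400_000),
    Service("incident response", 3.0, 150_000),
]
CUTS = [
    Cut("monitoring", 300_000, 1.5, 1.0),          # drop a shift: more events go undetected
    Cut("awareness training", 150_000, 2.0, 1.0),  # stop the program: user-caused events double
    Cut("risk assessments", 100_000, 1.0, 1.5),    # fewer reviews: larger surprises
    Cut("incident response", 200_000, 1.0, 1.5),   # slower containment: larger losses
]

def cut_impact(catalog, cut):
    """Return (annual savings, added annual expected loss) for one cut: residual minus baseline ALE (step 5)."""
    svc = next(s for s in catalog if s.name == cut.service)
    baseline = svc.loss_frequency * svc.loss_magnitude
    residual = svc.loss_frequency * cut.frequency_factor * svc.loss_magnitude * cut.magnitude_factor
    return cut.savings, residual - baseline

def rank_cuts(catalog, cuts):
    """Order cuts by net annual benefit (savings minus added loss), best first; a negative net costs more than it saves."""
    return sorted(cuts, key=lambda c: cut_impact(catalog, c)[1] - c.savings)

def plan_to_target(catalog, cuts, target_savings, years=3):
    """Take best-ranked cuts until the savings target is met; return chosen cuts, annual totals and horizon totals."""
    chosen, savings, added = [], 0.0, 0.0
    for cut in rank_cuts(catalog, cuts):
        if savings >= target_savings:
            break
        s, a = cut_impact(catalog, cut)
        chosen.append(cut); savings += s; added += a
    return chosen, savings, added, savings * years, added * years
```

With a 450,000 savings target, the constructed data selects the awareness and monitoring cuts, saving 1,350,000 over three years against 990,000 of added expected loss; the incident response cut ranks last because its added loss exceeds its savings.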

Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, and 2016 inductee into the Cybersecurity Canon.


ISACA Certification and CPE Requirement



With the last quarter of the year approaching, individuals are encouraged to review their 2016 continuing professional education (CPE) record, update it with the CPE activities they have completed and make note of how many additional CPE hours are needed.

The CPE policy requires the attainment of CPE hours over an annual and 3-year certification period. Once certified, the individual is put on a 3-year CPE reporting cycle, and this 3-year cycle aligns with the calendar year. Certified individuals must comply with the following requirements to retain certification each year.

The Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) CPE policies require certified individuals to:

  1. Attain and report an annual minimum of 20 CPE hours. These hours must be related to the currency or advancement of the certified individual’s knowledge or ability to perform their certification-related tasks. The use of these hours toward meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  2. Attain and report a minimum of 120 CPE hours for a 3-year reporting period.

Details of an individual’s progress toward these requirements are kept in the certified individual’s record on the Manage My CPE page of the web site, in the MyCertifications area of the individual’s MyISACA page. Reviewing this information in September gives you ample time to schedule or plan your CPE activities for 2016 to ensure the requirement(s) are met before the end of this year.

ISACA membership provides many ways to assist certified individuals in earning CPE. For more information, visit the How to Report and Earn CPE page of the ISACA web site.


The Importance of Planning a Governance of Enterprise IT Implementation

By Peter Tessin, CISA, CRISC, CGEIT

Embarking on a governance of enterprise IT (GEIT) implementation can be intimidating. There is plenty of anecdotal evidence describing failed GEIT projects and the problems associated with GEIT implementations. In my experience, common elements in failed GEIT implementations include a failure to obtain key executive commitment and not performing adequate analyses of the enterprise prior to embarking on the GEIT implementation itself. Those are planning activities.

A GEIT implementation creates whole-scale changes across the enterprise, and this requires commitment from enterprise executives and the board of directors. Additionally, the environment must be ready for significant change. A GEIT implementation can be as significant, and disruptive, as a complete change in company culture. COBIT 5 Implementation discusses getting the environment ready and identifying the trigger points that prompt the need for a GEIT implementation.

There are several elements that are critical to a successful implementation. One of the most important elements is to have qualified personnel available to lead the implementation. There are many experienced professionals around the world who have the skills and experience to lead enterprises through this if the enterprises lack in-house expertise. Employing an experienced governance practitioner for the implementation can greatly assist in the planning of the project.

Determining how ready the enterprise is for change can provide valuable insight to the implementation team. Conducting a change readiness assessment can be a great early activity in planning the overall GEIT structure. The outcome of the assessment can guide the GEIT implementation team in designing what approach will best serve the enterprise.

Another very beneficial activity to support GEIT planning is a risk assessment. A comprehensive risk assessment can provide valuable insight into how the enterprise will make use of existing resources, acquire new resources, respond to opportunities and provide for security. All these elements can influence the design of a governance structure and should be considered part of the overall GEIT structure planning.

Once the GEIT implementation team has all the background information from risk assessments and change readiness testing, it can begin the process of analyzing and documenting the enterprise’s need for a new or changed governance structure and documenting the extent to which a governance structure already exists. The next planning step is to carefully analyze the stakeholder requirements and fully describe the desired state of the enterprise. These 2 analyses make up the analytical foundation of all implementation efforts that follow.

Read the full COBIT Focus article, “The Importance of Planning a Governance of Enterprise IT Implementation.”


Improving IT With a CGEIT Certification

Kevin Lyday, CGEIT, CEA, CIPP/G, CISSP, FAC-COR III, FAC-PPM IT III, Shares His Experience as a CGEIT

Kevin Lyday spends a great deal of his spare time doing hands-on work, especially home repair and improvement. Lyday’s interest in fixing things extends to his job as a senior advisor for IT governance at the US Centers for Disease Control and Prevention. “I think of myself as a fixer. I do this by applying sound principles, frameworks and processes via participation with stakeholders,” he says. “I like to see things succeed and be delivered as promised. When I can turn around a troubled activity, I find great satisfaction in knowing that the customer is getting what they paid for and that they trust us to do so again in the future.”

Lyday finds the lack of consistent IT project completion as approved to be a significant challenge in the IT community. “The number one reason for project failure is a lack of involvement by top management who do not perceive IT as their responsibility, even though they are the recipient of IT solutions,” he says. “Governance, by its very design, provides a structure by which all stakeholders from across all lines of business can become involved and accountable for the success of IT at both the local level and at the enterprise. Governance increases transparency and ensures a healthy level of scrutiny.”

Lyday believes that having the Certified in the Governance of Enterprise IT (CGEIT) certification has given him credibility among his colleagues. “After 9 years of consistent IT governance involvement and in conjunction with my CGEIT certification, I believe that I am viewed by my peers as highly knowledgeable about governance,” he says. “I have worked with many colleagues throughout the CDC to establish a project management framework and related governance processes. I serve on many governance committees at both the local and enterprise levels, and this is beginning to pay dividends as the US federal government, in both the executive and legislative branches, is implementing more and more stringent requirements related to the management of IT investments. We are well positioned to quickly comply with IT governance mandates.”

Lyday’s governance expertise has taught him that IT governance is about more than effectively using all resources; it is also about the successful delivery of value to business. “If IT is not perceived as a value added partner by business, that organization has problems,” he says. “To provide a real-world example, IT enables the CDC to respond to worldwide pandemics. We cannot afford to fail. For us, governance is not just about saving money, it is, in part, about saving lives.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.