@ISACA Volume 9, 2 May 2018

Finding Zen While Telecommuting


By Bruce R. Wilkins

There are many reasons an enterprise may choose to have employees telecommute. These reasons range from reducing office space costs to boosting employee morale. As a security engineer, I am often asked how we, as a corporation, secure this activity while ensuring that our employees stay productive. As with most cybersecurity answers, I like to reply that it depends.

I like to divide the telecommuting situation into 2 main parts to be addressed: productivity and technology. Productivity is a management issue more than a security issue. The general rule of thumb is that employees will not have an epiphany because they are telecommuting. Employees with issues working while in the office will have the same issues when working remotely.

It is generally accepted that employees tend to perform better when they are directly supervised. Productivity is easily measured if the workflow has tasks that are measurable in terms of complexity and time to complete. Piece work is probably the easiest form of this type of workflow. An employee is trained how to do the work, and then a manager can evaluate how many tasks were accomplished in a given period of time. In most cases, it is not that easy. In service-oriented workflows, this model cannot achieve the same result. Typically, a baseline against which to compare employee performance has not been captured. How does one set a quantitative baseline in a service-oriented workflow for a given task? This would require that all tasks be time studied and the results normalized over a wide set of performers. Alternatively, how would supervision be accomplished if all managers telecommuted and the junior and midlevel personnel were in the office? I have seen this situation in practice, and, since in-office mentoring did not occur, people were just used as fingers on a keyboard, and this incurred a very high turnover rate.

Productivity issues and technology issues aside, telecommuting is here to stay. It has created the illusion of productivity across the organization. I have seen cases where downsizing the office space has incurred cost savings. However, this incurred a new cost. Employee morale suffered since employees had no permanent offices. You may even think remote work decreases the number of cars on the road, but this is only true if employees do not drive their children to school every day. Here are some guidelines that one should consider about telecommuting programs:

  1. There are many ways to configure technology to support telecommuting. Using Secure Sockets Layer (SSL)-enabled thin clients and zero clients tends to contain data leakage. These, complemented with monitoring software, will minimize the amount of data being moved outside the organization’s technology. In today’s environment, it is not unusual to see cloud-based office automation. In these cases, whether employees are telecommuting or in the office is moot.
  2. Ensure that the workforce understands what is required of them when they telecommute. The easiest way to do this is to have the employee tell you what is going to be accomplished during the telecommute period. This should be based on a telecommute plan that is approved by management. This is basically an attempt to make services conform to a piece work model. Although some employees who understand the work better than managers may use this to their advantage, it is something.
  3. Be careful when including any telecommuting commitment in legal documents such as labor or subcontracting agreements. This is a double-edged sword and can allow low performers to telecommute when known problems exist. As with any provision of a labor agreement, management would not have the flexibility that is required to affect productivity.
  4. No one should be guaranteed 100% telecommute. There are times when people are needed in the office. When people telecommute 100% of the time, their performance increases for a short time, then it begins to drop and finally stabilizes to a given level of performance.
  5. Senior people should have minimal telecommuting opportunities. These individuals are needed to manage the organization and mentor the various teams for which they are responsible.
  6. Keystroke counters and an employee’s presence on a messaging application do not indicate productivity.
  7. Telltale signs that remote employee productivity is diminishing are when an employee fires their childcare provider or the employee no longer takes any personal time or sick time.

Securing technology for telecommuting has matured to a point that an individual can work on tasks and never once download or print a given document from the corporate infrastructure. There are hundreds of products, such as zero clients and thin clients, that monitor data flows in software to establish and maintain the security posture of an organization’s telecommuting technology. These products, in addition to others, can be orchestrated to determine when an employee is doing something out of the ordinary. Alternatively, the traditional route with a secure thick client can be taken. This option is a little more expensive, but the risk is well understood by management.

While there are lots of articles arguing that employees like their situation when telecommuting, this is probably not a reflection of job satisfaction, but satisfaction that they do not have to experience the trials and tribulations of commuting. As far as distractions, social butterflies at work will find a way to socialize at home. I have spoken to human resources personnel who know that their corporate telecommute program is not working based on productivity complaints. Regardless of this fact, management teams direct that the program be allowed to continue. In the end, a telecommuting program may just be an employee morale program. Once you give something to people, it is very hard to take it away and maintain morale.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins has the opportunity to provide his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Becoming Risk-Aware in Light of Cybersecurity Resilience and Maturity


In today’s cybersecurity environment, measuring security coverage and utility is simply not enough. Even though cybersecurity is usually approached functionally, the challenges cybersecurity is presented with are vast and complex. Cybersecurity must consider business strategy planning and performance as capability. The capability of cybersecurity within an enterprise can be analyzed with consistent, comprehensive, systematic and holistic analysis of the operational efficiency of its actions, resilience of its people/processes/technology, maturity of its practices, its gaps and the total cost of ownership across the entire axis of risk. A new mindset and new tools must be used to approach cybersecurity in this manner.

This new mindset and new tools can be discovered by exploring ISACA’s new white paper, A Risk-Aware Path to Cybersecurity Resilience and Maturity. This white paper outlines acute business risk and practical cybersecurity challenges in enterprises. These challenges exist because capability gaps are not recognized, prioritized and resolved. Read this white paper to discover how to adapt your enterprise to a cybersecurity capability mindset and emphasize the importance of a culture of cybersecurity throughout your enterprise and board of directors.

You can access the complimentary ISACA white paper on the A Risk-Aware Path to Cybersecurity Resilience and Maturity page of the ISACA website.


Retailers, Tech Firms and Financial Services Providers: It Is Time to Shape the Future of Mobile Payments. Are You Ready?

By Gordon Tucker

It has been nearly a decade since Starbucks, one of the biggest mobile payments success stories to date, launched its application (app) and rewards program. And recent research by the Mobile Economic Forum found that one-fifth of global consumers have made a mobile payment in-store. Given the exponential growth in smart device innovation and adoption over the past decade and consumers’ inherent desire for convenience and speed when making a purchase, it is logical to think that the mobile channel would dominate as the avenue for payments by now. It is where we are headed, to be sure. But some formidable obstacles have been impeding the growth of the industry, including:

  • Persistent concerns about fraud, privacy and security—Even though most consumers are aware of “digital wallets”—apps on smartphones that store credit card information and facilitate mobile payments—many remain wary of the risk. Fraud has been a problem, with weak authentication practices and identity theft at the root of many incidents, including those involving well-known brands such as Apple Pay and Samsung Pay.
  • Consumer fears about how companies are collecting and using data, including purchasing history and even geolocation—How and if that sensitive information is being protected from hackers is yet another concern. Tokenization helps to secure valuable transaction data, but data stored in digital wallets or merchants’ payment systems may still be vulnerable. Also, new entrants to the market may lack the security sophistication needed to protect sensitive data from compromise.
  • Bad timing—When solutions such as Apple Pay, Google Wallet and Android Pay were being rolled out by mobile manufacturers and tech providers a few years ago, Europay, Mastercard and Visa (EMV) chip card technology was also hitting the market. Retailers were initially confused and frustrated about whether to adopt mobile payments or EMV chip card technology. Most prioritized the latter. Now, adoption of that technology is near-universal in retail, even though EMV chip card transactions are slower than mobile payments or even traditional credit card payments.
  • Lack of a consistent experience—Merchants of all types have been racing to launch their own digital wallets. But it is unlikely that many will achieve long-term success with their ventures because consumers are already overwhelmed by choice in the market. Plus, these offerings are diverse, which means the mobile payments experience for consumers also varies. That works against efforts by retailers and the mobile payments industry to engage consumers and convince them to pay with their smart devices at every opportunity. And there is another ingredient for mobile payments’ success that not all retailers can capture: A key reason that apps from brands such as Starbucks, Taco Bell and Dominos are so popular is that consumers do business with these retailers frequently—sometimes daily.
  • The fact that old habits die hard—One more dynamic that is working against mobile payment adoption is the simple fact that it is still easier and faster, in most cases, for consumers to pay for goods and services with cash, debit or credit cards. They are comfortable with these methods, so they are in no hurry to change. And many businesses that offer mobile payment options fail to do enough to incentivize consumers to make the switch. For example, they do not provide compelling rewards to customers who use their app frequently.

A Growing Swell of Expectations From Consumers

The picture is not all bleak. There are other strong trends in motion that will help to drive mobile payments innovation as well as consumer adoption and use of these solutions. Here are some of the dynamics to watch:

  • New shopping trends will help mobile payments grow—a lot. Showrooming—where consumers examine merchandise in a traditional brick-and-mortar retail store or another offline setting and then buy it online, sometimes at a lower price—is just one example. It is a retail experience that is made for mobile—and it is expanding as large e-commerce players such as Amazon and Microsoft get in the game. Retailers can use mobile payment apps to incentivize shoppers to buy items in the store by offering discounts, special rewards or free delivery.
  • Mobile shopping apps are becoming more experiential for consumers. The core purpose of a mobile payment service is to facilitate transactions, of course, but that is not enough to engage a consumer. Mobile shopping apps are evolving to help customers discover and research products before they are at the store and then help them locate those products while they are in the store. These apps can also store shoppers’ receipts, gift cards and shopping lists; present discounts and coupons; enable comparison shopping; make the checkout process simple and fast; and more. Look for customer loyalty programs to evolve, as well; for instance, using data insights, a retailer could offer individualized incentives to mobile shoppers and reward them for specific behaviors.
  • A friction-free experience is becoming an expectation, fast. Mobile payments success hinges on creating a simple, seamless, value-adding and branded customer experience. Leading players in the person-to-person (P2P) payments space are setting the standard for the frictionless consumer experience—and winning over mobile-minded millennials. Recent research from Bank of America found that 62% of millennials use a P2P service.

Entrants in the P2P space are also focusing on the back end, trying to simplify operations and bake in security wherever possible without undermining the consumer experience. Good infrastructure that supports a secure and seamless customer experience is essential to the future of mobile payments. In the coming months, the Protiviti blog will explore the topics that retailers, technology companies and financial services providers, specifically, should consider when developing their mobile payments strategy. These topics include operational effectiveness, risk and compliance issues, technology strategy, and security and data privacy. Each of the industries mentioned has an important role to play in helping to shape the evolution of the mobile payments industry. It will be through their collaboration, cooperation and innovation that the mobile payments experience can become what businesses and consumers alike envision it can—and should—be.

This article was originally published on The Protiviti View.

Read more on the KnowledgeLeader website.

Editor’s Note: © 2018 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Report of the Nominations Committee

By Greg Grocholski, CISA, Nominations Committee Chair

The charge of the ISACA Nominations Committee, as described in sections 4.5(c) and 6.01 of the ISACA bylaws, is to prepare a slate of candidates for the ISACA Board of Directors, consisting of a board chair, vice-chair, directors and 3 past board chairs. According to section 4.5(c), that slate is presented to the current board for approval during its regularly scheduled meeting immediately preceding the Annual General Meeting. Said process was followed, and the 2018-19 board slate was presented and approved by the ISACA Board of Directors on 20 April 2018.

The Nominations Committee is chaired by a past chair of ISACA, and its members include 2 additional past chairs and 4 other members with significant ISACA experience and diverse geographic representation.

The committee has an obligation to prepare the best possible slate of individuals who will work together as a team to lead the association. Its evaluation of candidates takes into account their intent to reflect the organization’s diversity in terms of geography, skills, experience and other relevant factors, while also balancing continuity and new viewpoints.

The selection process is managed with attention to detail. Deadlines are strictly adhered to, nominations are treated with unbiased consideration, candidates are interviewed, and strict confidentiality is maintained throughout the process. The Governance Committee (GC) provides oversight to the committee’s processes, and the committee reports to the Board of Directors and the membership of ISACA.

As chair of the committee, I affirm that the committee’s deliberations were carried out in accordance with the bylaws and good governance principles.

2017-18 Nominations Committee Members:

  • Greg Grocholski, CISA, USA (chair)
  • Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Australia (vice-chair)
  • Lilia Liu, CRISC, Panama
  • Tony Noble, CISA, Australia
  • Robert E Stroud, CRISC, CGEIT, USA
  • Marc Vael, CISA, CRISC, CISM, CGEIT, Brussels
  • Frank Yam, CISA, Hong Kong

The 2017-18 Nominations Committee is pleased to present the slate for the 2018-19 ISACA Board of Directors approved by the 2017-18 Board of Directors, to be installed at the Annual General Meeting on 9 June 2018.


Slate of 2018-19 Board of Directors


ISACA will hold its Annual General Meeting on 9 June 2018 in Chicago, Illinois, USA, where it will install the 2018-19 Board of Directors. In accordance with the association’s bylaws, the Nominations Committee submits the following slate for the 2018-19 Board of Directors:

  • Robert Clyde, CISM, chair
  • Brennan Baybeck, CISA, CRISC, CISM, CISSP, vice-chair
  • Tracey Dedrick, director
  • R. V. Raghu, CISA, CRISC, director
  • Gabriela Reynaga, CISA, CRISC, director
  • Gregory Touhill, CISM, CISSP, Brigadier General USAF (ret), director
  • Theodore Wolff, CISA, director
  • Tichaona Zororo, CISA, CRISC, CISM, CGEIT, CIA, CRMA, director
  • Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CPA, director, board chair (2017-18)
  • Chris Dimitriadis, CISA, CRISC, CISM, ISO 20000 LA, director, board chair (2015-2017)
  • Robert E Stroud, CRISC, CGEIT, director, board chair (2014-2015)
  • Matt Loeb, CGEIT, CAE, FASAE, CEO and director

The Annual General Meeting agenda will include the annual report, the treasurer’s report, the approval of the annual auditor and the installation of the 2018-19 board slate.

All ISACA members are invited to attend the Annual General Meeting of the Membership.


ISACA Annual General Meeting to Take Place in Chicago


The ISACA Annual General Meeting (AGM) takes place to install the Board of Directors. Those who attend this meeting will also be able to review fiscal information from the past year. Attendees will have the opportunity to receive ISACA’s annual report, which will be posted on the ISACA website after the meeting. The AGM will take place on 9 June 2018 at the Langham Hotel, 330 N. Wabash Avenue in Chicago (Illinois, USA). This 1-hour meeting will take place from 8AM to 9AM CDT (UTC -5 hours) in the Chelsea Ballroom located on the 2nd floor of the Langham Hotel.

To register to attend the meeting and to ensure we have adequate seating, please email your name and member number to agm@isaca.org. Travel expenses to/from the Annual General Meeting are the responsibility of the individual. To learn more about the meeting, visit the ISACA Annual General Meeting page of the ISACA website.


2018 ISACA Award Recipients


Congratulations to the 2018 ISACA award recipients! ISACA is proud to recognize the outstanding achievements of our individual contributors, chapters and certification exam takers who offer thought leadership, volunteer service and professional achievements that advance ISACA’s purpose and promise.

Recipients of ISACA’s Global Achievement Awards, our highest honors, will be recognized during EuroCACS in May 2018. Chapter officers will accept their awards for individual chapter leadership, innovative chapter programs and the best chapters worldwide at an awards banquet during the Global Leadership Summit in October 2018. Certification Exam Top Scores will be presented at EuroCACS and CSX Europe this year. ISACA looks forward to celebrating with you at these global events.

Some award recipient highlights include:

  • Ahmet Efe, Ph.D., CISA, CRISC, PMP, recipient of the ISACA Michael Cangemi Best Book/Author Award, which recognizes an individual or coauthors for major contributions to ISACA publications in the field of IS audit, control, risk, governance and/or security. Efe received this honor for his article, “A Model Proposal for Organizational Prudence and Wisdom Within Governance of Business and Enterprise IT,” published in COBIT Focus, 6 March 2017.
  • Christian Palomino, CISA, CISM, CGEIT, recipient of the ISACA Eugene M. Frank Award for Meritorious Performance, which recognizes an individual whose long-standing service in multiple roles, including key volunteer leadership positions, has contributed to ISACA’s global success. Palomino has received this honor for contributions to ISACA’s certifications with long-standing service and leadership roles in exam development, job practice analysis and translation support.
  • Mark Thomas, CRISC, CGEIT, recipient of the ISACA John Kuyers Award for Best Speaker, which recognizes an individual for outstanding speaking achievements at an ISACA-sponsored event. Thomas received this honor for contributions to ISACA’s continuing education efforts by delivering outstanding presentations at ISACA events.
  • Jack Freund, Ph.D., CISA, CRISC, CISM, recipient of the ISACA John W. Lainhart IV Common Body of Knowledge Award, which recognizes an individual for major contributions to the development and enhancement of the common body of knowledge used by the ISACA community. Freund received this honor for contributions in developing the Certified in Risk and Information Systems Control (CRISC) certification and for ensuring the integrity and quality of the CRISC certification exam content.
  • Nikesh Dubey, CISA, CRISC, CISM, CCISO, CISSP, recipient of the ISACA Harold Weiss Award for Outstanding Achievement, which recognizes an individual for sustained contributions to the advancement of the governance of enterprise IT (GEIT). Dubey received this honor for sustained contributions to the IT governance, risk and compliance community through innovative concepts, tireless drive, leadership and passion.
  • Gail Coury, CISA, CISM, CISSP, recipient of the ISACA Chair’s Award, which recognizes an individual who has made an exceptional impact on ISACA or the business technology profession. This award is presented at the discretion of the ISACA chair. Coury received this honor for inspirational leadership and dedication to advancing women in technology and for supporting the formation of ISACA’s philanthropic strategy and activities.

Earlier this year, ISACA solicited nominations from its members to acknowledge colleagues who have shown outstanding leadership and dedication to ISACA and to the information systems governance, security, audit and assurance professions. Those nominations were vetted via a peer-review process, and recipients were recommended to the ISACA Board of Directors for final approval. Special thanks to the ISACA Corporate Awards Working Group and the ISACA Journal Article Review Team who reviewed the nominations. It was a challenging decision as so many dedicated volunteers serve ISACA in so many capacities, and ISACA received many worthy nominations.

To learn more about ISACA awards, our outstanding recipients, the 2018 chapter awards recipients and certification exam high scorers, visit the ISACA Awards page of the ISACA website.

The 2019 award nomination cycle will open in June. Nomination forms and more details will be posted online. This peer-recognition program relies on the ISACA membership to identify outstanding candidates and select distinguished recipients each year. Join us in acknowledging the efforts of our volunteers and industry specialists.