The benefits that can be realized from using third parties to support the delivery of products and services are always part of any good sales pitch by prospective vendors. Often these benefits include reductions in operational spend, scalability, improved delivery time, specialized capabilities, and the availability of proprietary tools or software, all of which equate to a competitive advantage for companies leveraging third-party relationships effectively.
Companies recognize and capitalize on these advantages: A study in 2017 of nearly 400 private and public companies reported that two-thirds of those companies have over 5,000 third-party relationships, according to a report released by the Audit Committee Leadership Network. This staggering statistic illustrates how deeply organizations have come to rely on third parties for everything from back-office activities (payroll, help desk, business continuity infrastructure, etc.) to customer-facing roles (call center, sales and distribution, marketing, etc.). But this heavy reliance also elevates third-party risk management from a “nice to have” capability to a business imperative.
Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.
However, it seems progress is being made on the cyber staffing shortfall, at least anecdotally. At the 10th Annual Billington Cybersecurity Summit conducted 4-5 September in Washington DC, the theme of cyber workforce development was discussed in several sessions. Specifically, a number of speakers employed at various US agencies commented on the progress the US government has made in using creative and innovative approaches to hiring individuals for cybersecurity roles.
Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind, a critical challenge considering the potential impact of a cyberattack on ICS and OT could result in the loss of lives and/or major environmental damage. These grave threats, of course, are in addition to the financial, reputational and compliance impacts of cyber incidents that affect all industries. Given the high stakes, it is time for the CISO to step up, learn about the unique characteristics of ICS and OT, and collaborate with the industrial control engineers, in order to take proper responsibility over ICS and OT cybersecurity.
All too often, IT and risk management professionals seem to be speaking a different language—that is, if they even speak at all. Bridging the Digital Risk Gap, the new report jointly authored by RIMS, the risk management society®, and ISACA, promotes understanding, collaboration and communication between these professionals to get the most out of their organizations’ technological investments.
Digital enterprise strategy and execution are emerging as essential horizontal competencies to support business objectives. No longer the sole purview of technical experts, cybersecurity risks and opportunities are now a core component of a business risk portfolio. Strong collaboration between IT and risk management professionals facilitates strategic alignment of resources and promotes the creation of value across an enterprise.
These days, just about every software platform or app available has some kind of cloud functionality. They might host your data in the cloud, give you cross-platform access to your account, or allow you to upload and download files anywhere. This is remarkably convenient, and a major breakthrough for productivity and communication in the workplace, but it also comes with its share of vulnerabilities. A security flaw could make your data available to someone with malicious intentions.
Cloud security is a complex topic that comprises many different considerations, including the physical integrity of the data center where your data is held and the coding of the software that allows you to access it. A trustworthy cloud developer should take precautions and improve cloud security the best it can—but how responsible should the developer be for ensuring the integrity of their system?
This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.
The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.
Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.
To volunteer to write a blog or suggest a topic send an email here.