ISACA’s 50th anniversary year is about simultaneously honoring our past while visualizing how our professional community will innovate the future. Last week’s experience at our North America CACS conference in Anaheim provided tremendous inspiration on both fronts.
I will pay homage to ISACA’s remarkable past later in this post, but I want to start by highlighting a member story that underscores why we have such a bright future. I had the privilege of helping to open the conference by sharing the stage with ISACA board chair Rob Clyde and Kelly Lin, an impressive young professional and board member of ISACA's Los Angeles Chapter. Kelly is a rising leader in the IT audit world and an example of how transformative ISACA can be in our members’ lives.
In the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.
On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VoIP-based call function.
The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from the logs. Device hacks that require no victim participation (not even tapping a weaponized hyperlink) are difficult to fend off and dramatically alter the game.
Lift and shift.
While this phrase is not new, it’s now said with regularity in relation to moving infrastructure to the cloud. Providers promise seamless transitions as if you were moving a server from one rack to another right next door. While moving to the cloud can put companies in a more secure position, proper care needs to be taken. Assuming everything is the same can be a fatal mistake, one that is happening on a regular basis.
No-brainers.
From a physical security perspective, moving infrastructure to the cloud will almost always be more secure. Large cloud providers place infrastructure in state-of-the-art data centers with top-of-the-line physical security measures. Organizations do not often have the budget, time, or expertise to build their own on-premises data centers to these specifications. I have seen the full spectrum of data centers over the years (umbrellas over server racks as a control to protect from a leaky roof, anyone?). Even the most advanced data centers we see on premises do not match those of the large cloud providers.
Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.
At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.
“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”