Globally, the adoption of risk management has been a slow process. What steps do you think companies should take to ensure faster adoption, given the almost constant threat environment enterprises face?
I have been in the IT business for the last 25 years and worked in various industries, from government, non-profit and construction, to leading a software company. ISACA’s State of Enterprise Risk Management Survey findings show that, unfortunately, only 29% of respondents are highly confident that their enterprise can predict the impact of vulnerabilities associated with emerging technologies. Some of the things have worked in the past, and the past is a good predictor of the future. For about 10 years we were talking about the cloud coming, and now it is here and we are even witnessing rapid adoption. That can serve as a prediction curve for other emerging technologies. The adoption of the cloud has become a prime source of risk for enterprises. A couple of years ago, people seldom talked about risk, only about cybersecurity and information security, and now the whole idea of clearly defining risk has become important.
Many times IT professionals do not understand the complexities of their own business. The vulnerabilities in the construction industry will be different from those in the manufacturing or finance industry. One size does not fit all, and it takes time to decode the type of risk. Setting expectations according to the industry and optimizing risk is the key to having meaningful and faster adoption of technologies and risk management.
Data privacy is now structured by compliances like GDPR and CCPA. What role does ISACA play in ensuring companies meet them?
In the last 12 months, privacy regulations have been developing uncharacteristically fast. Many organizations are confused and, in many cases, they are unable to adopt these policies and privacy programs. It is not just GDPR, but the CCPA law from California is going to become more impactful to companies in the US. Users are more likely to switch to product companies or competition if they believe another provider will handle their personal data in a better way, as they are becoming more educated about their data rights. Companies may actually lose money if they don’t restructure their data privacy and compliance programs.
ISACA is at the front end of this. We are providing our members and the global professional community with an array of knowledge resources on these topics. We share interactive training during our conferences. We are developing a whole discipline around data privacy because we believe it is here to stay and it is transformational.
In your opinion as a technology expert, how would you compare policies to technology tools for better security management?
It is like a chicken and egg situation. Is it policy or is it tools or both of them? The policies need to precede the selection of technology tools, in my opinion. It is like the old framework of people, profit and technology. They have to come in this order. People are crucial, but policies are quite essential. As IT executives, we need to understand and define the main processes for cybersecurity, governance, identity and access management, awareness and education, vulnerability management, and incident response. I would suggest that using tools that measure the maturity of an organization around policies is an important step, so that we can continuously communicate with our stakeholders and board effectively.
Change management is a big part of transformation. How does ISACA support companies in that aspect of moving to better security practices?
Change management is one of those things that everyone is using in a different context from each other, but it is about the mobilization of a security champion and making sure a company raises awareness around security and risk management.
Change management starts with a well-educated and trained workforce. ISACA provides certifications and also has Cybersecurity Nexus, or CSX. CSX provides hands-on, interactive courses and tools where people can learn how to combat different vulnerabilities and mitigate live cyber incidents. These are some of the educational materials we create on a regular basis, which have been instrumental in increasing the ability of cybersecurity professionals to be continuously prepared to fight vulnerabilities and cyber incidents.
As CTO in an organization like ISACA, what difference do you think you can make to the information systems’ security in companies?
I am responsible for protecting the enterprise of ISACA, to drive digital transformation and increase security at my own organization. However, I also provide inputs to the teams at ISACA based on my experience and my background to drive programs, training and learning opportunities that can be shared with a more massive membership base and help the organization to strengthen security worldwide. I have an internal as well as an external focus by working with our subject matter experts in developing frameworks.
We are working in the area of cybersecurity and new emerging technologies and looking at different drivers. For example, according to Gartner predictions, by 2025, 50% of people with a smartphone but without a bank account will be using mobile access to a currency account. Based on our expertise in protecting intellectual property, we are looking at blockchain and countering deep fake technology. With AI and ML, we are doubling down on standards and frameworks, and we believe regulations will be coming in those areas, for which we can be on the front lines.
Simona Rollinson, CTO at ISACA