You are here :   Welcome » RSS -
Preview  Print...  Print this page...
Knowledge base

 1567749 visitors

 4 visitors online


site Link

Neuchâtel, Suisse


Genere YOUR Code


ISACA Now: Posts

RSS feed for the Posts list.

Why Problem-Solving Can Detract from Innovation  View ?


Luke WilliamsEditor’s note: Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, will give the closing keynote address at the GRC Conference 2018, to take place 13-15 August in Nashville, Tennessee, USA. Williams recently visited with ISACA Now to discuss how enterprises can spark more innovation, the concept of disruptive hypotheses and more. The following is a transcript of the interview, edited for length and clarity:

ISACA Now: How, if at all, is entrepreneurship different from it was 10 years ago?
In the past 10 years, the public perception of “entrepreneurship” has shifted toward “disruptive entrepreneurship,” which is about trying completely new products and business models that haven't been tried before. Instead of staying small, disruptive entrepreneurship is focused on high-growth businesses.

We often contrast small business entrepreneurs as sort of “incremental” entrepreneurs; they're incrementally improving business models that have already been established. So, someone who wants to open a shoe store might take their own incremental spin on it, but that's pretty much what it is. Disruptive entrepreneurship is a different form of entrepreneurship and it requires a completely different skill set. As a result, it requires a different approach to education.

Ten years ago, this approach was very much focused on the business plan: this long, elaborate document with all these sorts of financial projections. There was emphasis on getting the plan right. There was little emphasis on prototyping and experimenting. That has been a significant shift in the last 10 years. What we’re really educating entrepreneurs on today is far less about writing a business plan and far more about putting that focus, time, and energy into trying out your idea.

ISACA Now: What are some of the most common missteps made by people who are starting their first business?
I think the biggest misstep or mistake is that people are focused on finding problems to solve. We’re obsessed (in America in particular) with problem-solving. We almost use “problem-solving” as a label for thinking. The problem with problems is they’re seductively clear. They’re screaming for your attention, which typically means that problems are all that are getting anyone's attention.

The richest areas for innovation are found in the seemingly unbroken aspects of the situation you're focused on, precisely because nobody else is looking at these things. Because nothing appears to be wrong, or because it’s not broken enough to be really a problem, that doesn't mean that there’s not an opportunity there.

Often, an adequate idea blocks the emergence of a better idea. Because something is adequate, people don’t feel the need really to look at an alternative way of delivering their model. If it’s not broken, they don’t see the need to spend the time and attention to fix it.

ISACA Now: What type of management style most lends itself to fostering innovative thinking among employees?
What I’m going to talk about at the conference is the difference between sustaining leadership and disruptive leadership.

Sustaining leadership means incrementally improving what you’re currently doing. It’s all about maintaining the continuity of the current business.

Building options for the organization’s future is about managers introducing prolific discontinuity into the business – not waiting for disruption to happen, but rather being proactive. You've got to disrupt yourselves.

There are a lot of managers running around saying they value innovation. Where I find the disconnect most readily occurs is in the metrics; most managers find they’re rewarding the status quo, basically incentivizing people to keep the existing system of continuity. They have to fix that disconnect and figure out how to actually start rewarding effort rather than result.

ISACA Now: Which themes from Disrupt: Think the Unthinkable to Spark Transformation in Your Business tend to surprise people the most? What kind of feedback have you heard that are kind of new, a-ha moments for people?
There’s a tool called “disruptive hypothesis.” With a regular hypothesis, we make a reasonable prediction of what we can do, and then we test that prediction. An example: if your phone wasn't working, you would predict that the battery was flat, so you'd charge your phone. If your phone starts working, your hypothesis was correct; if it doesn't, you need to formulate another hypothesis.

That’s OK for sustaining leadership. If you want to start growing through innovation, you have to get out of the habit of making reasonable predictions and into the habit of making unreasonable provocations.

So, you might start thinking, “Well, why does a phone even need a battery?” The difference is profound. The point of a “disruptive hypothesis” is to give yourself deliberate permission to be wrong and try to create a new idea.

If you’re in a brainstorm session and everyone’s nodding and going “Yeah! Great idea! We can implement that tomorrow!” it means it’s incremental; one of your competitors is already doing it or will be soon. A disruptive hypothesis is an intentionally unreasonable statement that gets everyone’s thinking flying in a different direction.

Another takeaway from the book, I talk about the “cult of personality” problem with innovation. It forms out of celebrity CEOs – Steve Jobs, Jeff Bezos, and Elon Musk – and reminds us that they’re role models of innovation. It’s all about their personalities, and it’s not productive. It’s not about actually creating new products and services. For all of us as innovators, our most important job is to educate and create more innovators. We need to treat innovation as a skill. This isn’t about asking them to change their personality.

I often use the metaphor of cooking; there’s cooking show on every channel. Weirdly, we have a problem teaching people to cook, because it’s nothing more than, “We show you how to take the ingredients and arrange them into a meal.” It’s the same with innovation. Those recipes are ideas, and those recipes (your ideas) make the ingredients (your resources) more valuable. The cooking metaphor is powerful for people because this isn’t about inventing anything new; it’s just rearranging things we already have.

Category: ISACA
Published: 7/13/2018 3:09 PM

... / ...

(12/07/2018 @ 19:56)

Transport Layer Security Bolsters Secure Remote Data Transmission  View ?


Paul PhillipsIt is an amazing time to be alive for many reasons, one of which is the ability to communicate almost seamlessly and securely with people from all over the world. Technology allows us to connect with individuals with whom we most likely never would have before.

Remote communication was the initial goal; however, as the internet evolved, so did the risk of sending and receiving unaltered accurate and complete data remotely. With the Transport Layer Security (TLS) technology protocol, secure remote communication and data transmission between businesses and individuals is possible.

The objective of TLS is to provide confidentiality and integrity of data between multiple applications based on a set of communication rules. However, this ability does not come without risk. The ultimate goal is the confidentiality, integrity and availability of data in transit. How do we ensure the data is only accessible to the authorized recipient and that it accurate, complete and available when needed? Message authentication, non-repudiation, and integrity checks are functions performed to achieve the overall goal. Because of the ever-present threat posed by individuals seeking to steal and/or modify messages in transit, the TLS protocol continues to evolve, which requires security professionals and developers to be informed on revisions and make necessary modifications to their infrastructure.

The foundation for the TLS protocol is based on the Public Key Infrastructure technology. This technology is used to create and manage both the public keys and digital certificates needed to ensure the privacy, authenticity and accessibility of transmitted information. This process is triggered by a function known as the handshake. This is the initial communication between the two parties, the client and the server. This is when the keys are initiated and the digital certificate is validated to allow for secure communication. There are challenges associated with this process, one of which is establishing trust in the certificate, and the other is relying on and communicating with a website that may not have been implemented, configured and properly patched, which could lead to all types of inefficiencies and vulnerabilities.

While the risks and challenges associated with this technology may be difficult, it is obviously much easier to address them internally within the enterprise as opposed to them existing externally, which is next to impossible to address. Therefore, enterprises should focus on how best to implement and properly maintain the technology and how it fits into the overall information security program, which starts with a look at the information security policy and procedures of the organization as well as the risk management process. The TLS protocol is an acceptable approach to implementing tools and techniques to mitigate the risk associated with data transmission. However, a holistic approach to information security that will include safeguards to protect data at rest should be taken.

Each tool, technique, and process should work cohesively to protect the enterprise’s information assets because there is no silver bullet. There is no one technology that will mitigate all risks and address all challenges. Therefore, it is a matter of choosing the best tool for the organization and ensuring there are trained individuals in place to install and maintain such complex tools.

Category: Security
Published: 7/12/2018 3:02 PM

... / ...

(11/07/2018 @ 00:01)

ISACA Awards: Celebrating 2018 Recipients and Looking Forward to 2019 Nominations  View ?


Rosemary AmatoRecognition of service and of outstanding achievements has long been an ISACA tradition, and it has been my pleasure to volunteer on the ISACA Awards Working Group, which was charged with enhancing the prestige and increasing global participation in the ISACA Awards Program. We have made great progress over the last couple of years in creating a peer recognition program, soliciting nominations from our membership and inviting distinguished colleagues to fairly peer-review the nominations, identifying the “best of the best” among a rather elite professional community.

Our 2018 class of recipients lived up to that reputation, and we celebrated their accomplishments during the awards presentation at EuroCACS in Edinburgh, Scotland in May. Terry Grafenstine, 2017-18 ISACA board chair, presented each recipient with his or her award after the audience viewed a short video on the importance of recognition activities and how we can inspire future generations.



Recipients celebrate on stage and with their families and colleagues.

Jack Freund, recipient of the ISACA John W. Lainhart IV Common Body of Knowledge Award, brought his wife and 10-year-old daughter (and possible future ISACA member if her lawyer/racecar driver/veterinarian career falls through) to celebrate with him. Jack has been instrumental in developing the CRISC certification and maintaining the quality of the exam content.

Upon learning of his award selection, Mark Thomas, a top-rated speaker at many ISACA meetings and recipient of the ISACA John Kuyers Award for Best Speaker, said, “I am honored to receive this award, and appreciate all that ISACA does for our professional community.” This is a common remark from our humble honorees, who dedicate so much of their time, energy, expertise and passion toward advancing ISACA’s purpose and promise.

2018 ISACA Global Achievement Recipients pose with 2017-18 ISACA Chair Terry Grafenstine.

CISM and CRISC Exam Top Scorers pose with 2017-18 ISACA Board Chair Terry Grafenstine.

We are inspired by Gail Coury, recipient of the ISACA Chair’s Award for her dedication to advancing women in technology and supporting ISACA’s philanthropic initiatives, and Nikesh Dubey, an active author and reviewer for the ISACA Journal. We appreciate the knowledge shared by Ahmet Efe in his outstanding articles about COBIT, and we value the leadership Christian Palomino has provided in the CGEIT and CISM working groups. Additionally, our Certification Exam Top Scorers outdid themselves with seven honorees this year for our five certifications: CISA (tie), CISM, CRISC, CGEIT and CSX Practitioner (tie).

To meet these outstanding ISACA contributors during the awards presentation was truly my honor, and now I’m eager to help select the 2019 award recipients. But the Awards Working Group and I can’t do it without your help!

The 2019 ISACA Awards call for nominations is now open, and I ask each ISACA member to think about the incredible articles and speakers you have learned from and the volunteer leaders you have met throughout your ISACA journey. ISACA needs you to nominate them so we can publicly recognize their contributions. Our Global Achievement Awards and our Chapter Awards nominations close 15 August and will be presented in 2019.

To learn more about the ISACA Awards Program and to submit a nomination, visit our webpage.

To learn more about the 2018 ISACA Award recipients, download the 2018 Awards Booklet.

Category: ISACA
Published: 7/10/2018 2:59 PM

... / ...

(06/07/2018 @ 17:58)

CISM Top Scorer Provides Exam Insights  View ?


Alexey BaksalyarLast year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.

Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.

In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.

If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.

I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.

Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.

I used the following study materials:

The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.

This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.

Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:

  • Go through the study materials one more time. You may spend several additional weeks, but it can have a good effect.
  • Try to answer problem questions again (Q&A Database provides this function) and make sure the underlying concepts and knowledge statements are clear to you.
  • Make several attempts to pass a full CISM exam (150 questions) to determine if you need to adjust the time needed for answering the questions. Test yourself in conditions as close to the real certification exam as possible. It will help you to avoid time issues during the exam.

After the exam preparation, you should have a strong understating of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don’t have enough experience, you may contact other professionals and experts in your organization or in your professional community.

Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management, contained in CISM Review Manual.

During the exam:

  • Try to not spend additional time on problem questions where the answer is not clear until you have completed the ones with which you are more confident.
  • Bookmark problem questions so you can quickly return to them later to review you answers.
  • If you have additional time after answering all the questions, review bookmarked questions and check your answers.

After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.

I hope some of these tips are helpful on your path toward certification. Good luck!

Category: Certification
Published: 7/9/2018 3:12 PM

... / ...

(03/07/2018 @ 19:12)

Last import : 16/07/2018 @ 19:22