RSS - Isaca.org

ISACA Now: Posts


RSS feed for the Posts list.

The Gap Within the Skills Gap: What Does Cybersecurity Really Need?


Panashe Garande

I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skill gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice. But information security is a broad discipline, and I think we need to be more specific when we talk about a “skills gap.” I believe the genuine talent shortage is in hands-on areas, like application security and DevSecOps.

Last year, Forbes released an article stating that the cybersecurity skills gap is an “industry crisis.” As attacks get worse and more commonplace, it noted that companies need cybersecurity professionals more and more. But because of a perfect storm of scarce skills and high demand, security jobs come with a high salary, meaning that businesses not only struggle to find the right people, they have to pay top-dollar to get them.

All of that means that cyber-criminals are having a field day, as the article illustrates. Attackers take advantage of ill-prepared companies, knowing that they are likely to be successful. It’s clear that the industry does need to improve, for the sake of customers and businesses alike.

And to do that, we need good people, with the right skills. The industry has known for a while that those people are not easy to come by – there are simply not enough of them. There are a lot of reasons for that shortage, and it’s worth bearing in mind that it’s not the easiest industry to work in; the stress of the work means that mental health issues are rife.

Specific security
But I think that it’s not enough to say that we need to “fix the skills gap.” We need to delve deeper into where that gap actually is, how it comes about, and what we can do to fix it.

In my view, the really hard-to-find people are professionals with hands-on experience, who can competently throw themselves into application security and DevSecOps teams. As I wrote in my original LinkedIn post, these are areas where you may actually have to get your hands dirty, not just consult on what should be done.

From my experience in the cybersecurity recruitment industry, I think this gap exists because the most common route into technical AppSec is through a programming background. The job requires people with the right technical skills as well as a security-focused mindset, creating a hard-to-find niche. With hands-on roles, you need to be technically proficient as well as be able to understand and integrate security into the work. That’s not an easy thing to find.

A few industry insiders got in touch to give me their views on this problem. For Allan Degnan, DevSecOps/Security lead at Dixons Carphone, it remains about the people. By giving security staff opportunities to progress while remaining in a technical role, those talented people will be able to achieve the personal success that they want, while remaining in the technical positions that they enjoy and have trained for, rather than having to become managers.

Mario Platt, director of cyber security at Broadlight, told me that it’s about getting non-technical people comfortable with “actually touching tech” – and to do that, they need to be given the space to fail, he said.

What we don’t need are more consultants. Security consultants, of course, are valuable contributors to the cybersecurity world. But for now, we need to roll up our sleeves, and dig into addressing the skills gap in targeted fashion.

Category: Security
Published: 4/18/2019 2:55 PM

... / ... Read more

(17/04/2019 @ 19:00)

Why IT Teams Should Avoid Complacency


Ammett Williams

We are in 2019, and have all witnessed the effects of disruptive start-up companies, the growth and stability of the cloud market, the emergence of CI/CD practices and the simple need for agility. Inversely, there are organizations where none of what I mentioned is happening.

There are times when companies become good at what they do, and they become comfortable. With that comfort comes something that leaders and employees may choose to ignore. What is that? Well, to put it mildly, that thing would be the need for change. A provocative question to yourself would be: If I am doing my job properly and getting good results, do I need to change? Some may argue, “No,” and some may argue, “Yes.” From an IT point of view, the question becomes even more complex. This is especially the case when IT has taken on a supportive operational role within an organization, and by doing so, becomes expert at what it does, but finds that innovation is lost and resistance to change grows larger.

Enter the competitive threats. While your business was doing things right, the disruptor (which can be an existing competitor) was building solutions to solve customer issues, creating new products and services, and defining new ways of doing business to go to market. The result can be dramatic; your business suddenly gets a nudge, you have questions being asked by stakeholders, who all want to know:

  1. How does this impact us?
  2. What is next on our plate?
  3. What are we going to do now?
  4. Are we agile enough to deliver a solution in a short space of time?

At this point, all eyes turn to one of the major business enablers – none other than the IT department. Suddenly, IT goes from doing things right to not being agile enough to support strategy and innovation.

The need for agility in a rapid, flexible, durable and secure manner can best be delivered by cloud services. Layers of bureaucratic decision, hours of provisioning and other complexities can be addressed with IaaS, PaaS and SaaS solutions, which support CI/CD pipelines. From a security point of view, a lot of effort is put into cloud security, with the provider getting its platform certified by world-recognized standards such as 27001, PCI-DSS, and HIPAA.

What that means for businesses is that, combined with the shared security model of the cloud, they will be able to securely and effectively safeguard data while meeting regulatory compliance and internal enterprise security requirements. Enterprise Architect and GEIT are the solutions that can be introduced or remodeled within your enterprise to create both systems and processes to deal with this type of scenario.

Category: COBIT-Governance of Enterprise IT
Published: 4/17/2019 3:20 PM

... / ... Read more

(16/04/2019 @ 19:56)

The Challenge of Assessing Security for Building Automation Systems


Mario Navarro Palos

Building automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.

BAS frequently encompass any electrical component or device that is used to control a building by managing security, safety and utility services, such as physical access, HVAC, heating, alarms, and lighting, among other electrical and mechanical controllers that automate the buildings.

These services are crucial to any organization; therefore, BAS should be considered, managed, and protected as part of the critical infrastructure, whereby security is an essential factor in the ongoing care and maintenance of these systems. Security-critical services like these demand the underlying control system be reliable and robust against security threats.

In order to identify the appropriate security controls for the protection of these critical systems, it is necessary to know the current status of the building automation infrastructure. Consequently, a security assessment will help any organization to accomplish this task and boost its risk management strategy. A tailored security assessment for BAS will significantly improve situational awareness by providing highly valuable insights and identifying threats and vulnerabilities that are usually off the organizations' radar.

An initial tailored approach should, at a minimum, include the evaluation, analysis, and review of the following security control groups:

Security architecture. An effective assessment must review and evaluate the architectural design of the automation control environment. Network segmentation and segregation, boundary protection controls, remote access, and firewall rules effectiveness, among other critical security controls, should be considered.

Policies, plans, procedures and baselines. Policies and procedures must be well-defined and documented. BAS systems need to be appropriately configured to maintain optimal operation by following a security strategy in a security plan with a strong foundation on documented configuration baselines. This security plan must be aligned with the enterprise architecture and the information security policy framework.

Systems and services acquisition. An adequate security assessment should cover the contracting and acquiring of automation control system components, software, and services from third parties. Since organizations must include security requirements as part of the acquisition process to ensure that the products and services received fit into the enterprise security program, assessment findings will identify existing gaps in BAS implementations, especially those associated with contracting third-party services.

Disaster recovery. The business continuity strategy should be reviewed to evaluate the effectiveness of the continuity of operation plans. Any security assessment should consider that a solid plan addresses roles and responsibilities, assigned personnel and their contact information, and detailed activities associated with responding and restoring system operations after a disruption or failure.

Other control groups such as account management, audit and accountability, configuration management, and maintenance, should be part of a more comprehensive assessment. Designing a security assessment that is too wide in scope involves the review and evaluation of tons of security controls. This approach will most likely overwhelm any team; more importantly, the resulting findings will not provide a resonant value to the different leadership levels of the organization.

Therefore, an effective strategy for designing and executing security assessments for BAS should be founded on a tailored plan of action that encompasses performance, availability, risk, operations, resources, systems communications, change management, components’ lifetimes, and location as key differentiators from traditional IT systems.

Editor’s note: Mario Navarro Palos will present further insights on this topic during his “Designing Security Assessments for Building Automation Systems” session at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.

Category: Audit-Assurance
Published: 4/16/2019 3:05 PM

... / ... Read more

(15/04/2019 @ 16:47)

Tips to Prepare for ISACA’s CRISC Exam


Adham Etoom

My motivation to pursue ISACA’s CRISC certification was to improve my skills, knowledge and understanding of enterprise and IT risk management.

The CRISC exam is the most rigorous assessment available to evaluate the risk management proficiency of IT professionals, and CRISC is among the leading GRC certifications, according to CIO magazine.

During my career, I have worked at different enterprises in IT/IS at various functional levels. I hold PMP and GCIH, which I consider to be significant factors in passing this exam.

Despite the fact that my preparation time for the CRISC exam was relatively short, I strongly believe in proper planning, execution and monitoring to succeed in any endeavor, no matter the amount of time you have. I am delighted to share with you some tips and advice on how I prepared for the exam:

  • Do your own research about the certification that you are interested in. One of the best starting points is to check the ISACA website; all information that you need should be available there. Then, speak with your trainer, or others who are being certified, and ask for some assistance.
  • To get all ISACA benefits and discounts on certification exams, including CRISC, become a member.
  • Start with the official CRISC study materials (Review Manual, Questions, Answers and Explanations), and make sure to get the latest editions. Reading the review manual at least twice cover-to-cover was a great help for me, as well as practicing QAEs as much as possible before the exam. It is important to grasp the underlying logic behind all concepts across all domains.
  • For more understanding and practice, enroll in a CRISC training course, or you can choose to self-study.
  • Continuously evaluate your understanding level, and challenge yourself with questions to bridge any knowledge gaps and weaknesses. Remember: practice makes perfect!
  • Don’t stop researching and reading while you study from various sources. Risk management is full of abstract concepts. I found these resources valuable for preparation: The Risk IT Framework, Measuring and Managing Information Risk: A FAIR Approach, and other ISACA publications.
  • Go to the exam with a reasonable confidence level and an understanding of the risk management process cycle. Remember: confidence can make or break any exam!

CRISC is an important journey in my professional life, and I appreciate it much more than before having gone through the process. I posted more tips here after I passed the exam.

I wish you much luck with your CRISC journey!

Category: Certification
Published: 4/12/2019 2:59 PM

... / ... Read more

(11/04/2019 @ 20:24)

ISACA Celebrates Volunteer Participation


Melissa Swartz

It’s my favorite week of the year at ISACA – Volunteer Appreciation Week. It is a time when we all reflect on the important and impactful contributions members of our professional community have selflessly made to advance our organization and our industry. It is also a time to invite those who have not yet joined our volunteer corps to participate in ways that align with their interests and availability.

In this, ISACA’s 50th year, we acknowledge all the volunteer leaders who have established and run the organization as national and then international leaders, expanding our business lines and knowledge base, and responding to an ever-changing landscape of technology and technology governance. Have you visited ISACA’s 50th anniversary webpage? The volunteer 50th Anniversary Advisory Panel and ISACA’s Strategic Communications team have created an array of resources to celebrate the anniversary and invite you to get involved, too.

Did you know that nearly 3,000 chapter leaders serve members locally by organizing networking and professional development activities? Or that in 2018 nearly 1,300 volunteer roles were filled in international working groups and task forces, and by independent contributors?

Without the time and expertise shared by these dedicated volunteers, game-changing ISACA products and initiatives such as our certifications and conferences, the CSX platform, COBIT 2019, the Awards Program, SheLeadsTech, and so much more would not have been possible in the past 50 years. ISACA hears the needs of the membership, engages diverse thought leaders, and creates solutions to help bring these services to fruition.

Why do our volunteers do it? So often we hear that ISACA has helped people advance along their own career path, and they want to return the favor and help someone else. That altruistic attitude, passion for their profession, and interest in service not only exemplifies ISACA’s values but also helps to fulfill our purpose and promise. Of course, there are intangible benefits, too – things like developing leadership skills, expanding your global network, continuing your education and, of course, obtaining some free CPEs, which are all excellent benefits. Whatever drives you to give back, we welcome your participation and will help you achieve your goals.

Over the years, the volunteer program has evolved with the organization. We know that personal and professional commitments make time a scarce resource, so ISACA’s flexible engagement model seeks to align with your interests and availability. We heard that volunteers wanted shorter time commitments, more targeted and impactful contributions, and a way to track their participation. Therefore, ISACA is thrilled to launch a new volunteer engagement portal through Engage, which also houses our online discussion forums and other networking tools. Log in, update your volunteer profile, and check out the volunteer opportunities that need your help!

As Dr. Martin Luther King, Jr. said, “Everybody can be great because everybody can serve.” We thank and appreciate our great volunteers of the past and present and invite everyone to continue to serve ISACA as we look to the future. Happy ISACA Volunteer Appreciation Week!

Editor’s note: To learn more about volunteering at ISACA, log into Engage. To help ISACA recognize outstanding volunteer leaders in international and chapter roles, submit an ISACA Award nomination by 15 August.

Category: ISACA
Published: 4/11/2019 3:01 PM

... / ... Read more

(10/04/2019 @ 22:55)

Last updated: 19/04/2019 @ 05:15