37WCARS-K 2 M Loeb - RAWraw.rutgers.edu/docs/wcars/37wcars/Presentations/...Security Matters to Audit Security has become a board and executive level issue. Must ensure the enterprise’s

MattLoebISACACEO

September17,201637WCARS

Agenda

� ADisruptiveandChangingWorld� ImpactonAuditors� ImplicationsfortheFutureWorkforce

ADisruptedWorld

� Digitaldisruptionisalreadyhere� World’sbiggesttaxiservice…hasnotaxis(Uber)� Popular‘banks’…don’thavevaults(Venmo,M-Pesa)� Mostpopular‘hotelservice’…doesn’townahotel(AirBnB)

� Transitioningfrom‘valuechain’businessmodelstodigital‘ecosystems’

Source:PeterWeillandStephanieWoerner:ThrivinginanIncreasinglyDigitalEcosystem;MITSloanManagementReview,Summer2015

BusinessModelsfortheDigitalEconomy

Source:PeterWeillandStephanieWoerner:ThrivinginanIncreasinglyDigitalEcosystem;MITSloanManagementReview,Summer2015

Towards21,000,000,000+Devices

� Gartnerpredictsthatby2020,20.8billiondeviceswillbeinuseworldwide.Thisincludes:• Connectedvehicles

• IndustrialandconsumerIoT

• Mobiledevices

• Operationaltechnology(e.g.biomedicalandindustrialcontrolsystems)

Source:www.gartner.com/newsroom/id/3165317

IncreasingTechComplexity� Inadditiontothenumberofdevices,technologycomplexityisalsoincreasingwithintheinfrastructure

� Containers� Virtualization� Externalization(cloud)� Softwaredefinedinfrastructure

Source:Ruxit

ImpactonPractitioners� Relativetobusinessandtechnologypeers,auditorsneedtodomore toevaluaterisk…andtheyhavelesstime todoitin.

� Tworeasonsaredrivingtheseconstraints:• Differentialinriskvs.usagedecisionmaking

• Adoptiondynamics

Source:F.Schettini;KeyLessonsfromtheITAuditDirectorForums;June14,2016

DifferentialinRiskvs.UsageDecisionMaking

� Consideranautomobile…

Image:Source:commons.wikimedia.org/wiki/File:Citroen_concept_car_-_Flickr_-_Supermac1961.jpg

Answering“howdoIuseit?”:• Learnrulesoftheroad• Learntodrive• Understandvehiclemaintenancerequirements• Anythingelse?

Answering“isitsafe?”:• Learnrulesoftheroad• Learntodrive• Weather/trafficconditions• Seatbelts/safetyfeatures• Steeringanddrivecolumncondition• Route/stobetraveled• Tirecondition• Engineservicehistory• Roadmaintenance/condition


AdoptionDynamics

� Askyourself:whendoestheauditorlearnaboutusage?� Insomecases,itmayonlybeafterusageisalreadyprevalent:

• ShadowIT

• Auditcycleplanning(typicallyannually)

• “Discoverygap”fornewapplicationsandusage

•Individualuse•Usedinisolation•Limitedusescenarios

“Solo”phase

•Usagebroadens•Smallteams•Usageintegratesintobroaderworkflow

Smallteamphase •Smallteamsjoinforces

asusagegrows•Usageintegratesbetweenteamsandotherapps

Integration

•Usagebecomesenterprise-wide•Partofnormativeoperations

Standardization


TheImpact

• “…shorteneddeploymentlifecycle[s]willrequiremoreagileauditingtechniquessuchascontinuousauditingandauditautomation…Theprofessionmustbecometechnologicallyastute,notonlytounderstandit[technology]butalsothecapabilitytouseitinnovelmannerstosupporttheauditfunction aswellastheforesighttoproposenewtechnologyadvancementstosupporttheprofession.”

—ISACAFutureofITAuditReport

• Some“hardquestions”:� Isyourteam“technicallyastute”

enoughtofacewhat’scoming?

� Areyoustayingontopofthenewestadvancementsintechnology?

� Areyourauditingtechniquesagile,continuous,andautomated?


TopTechnologyChallenges:YoYTrends

Source:Protiviti andISACAjointITauditsurvey,“AGlobalLookatITAuditBestPractices”

TheRoadAhead


DigitalSolutionsBringDigitalConcerns

� Increasedsystemscomplexityandrisk� GreaterBoard-levelinvolvementinIToperations,strategy,etc.� Fastercyclesofinnovation� RobustROIontechnologyinvestmentsexpected

� IncreasedandmoreprominentrolesforITRisk,Audit,andGovernance,aswellasCyberSecurity

HolisticPerspective

• Rapidchangeisthenorm:organizationsmustevolvetheirpolicies,processes,people

• Agileandflexibleistheorderoftheday

• Technologyexpandingandmaturing• NewdevelopmentslikeIoT,mobile,cloud,changebusinessesandcanbenefitauditors

• What’syourplan toleveragethem?

• ChangesneedtobeassessedmorebroadlythanjustIT

• Doyouhaveaprocesstoidentifynewrisks?• Toupgradeagingtechnology?• Topreventsecurityandprivacybreakdowns?• Havingaplanmeansaddressingthesequestionsheadon.


BestPractices:Actions� Keepbusinessinformedaboutemergingriskandperspectivesinstrategy

� Auditmustalwaysaskandanswer:Arewemakingprogress?Arewedoingwhatweneedtodotogetwherewewanttogo?

� Answeringmeansbothan“elevatorpitch”andsystemicmetrics

� CommunicatewithmanagementandtheauditcommitteeregularlytoemphasizetheimportanceofconductinganITriskassessment

� ConsiderlinkingyourITauditriskassessmentwiththeERMcatalogtoshowtheintegrationbetweenthetwo

� EnsurethatITandcybersecurityrisksareunderstoodandmonitoredasstrategic-levelrisks,whenwarranted,andasamatterfortheboardofdirectorsandauditcommitteetomonitorregularly


BigData,Analytics,andVisualization:PotentialImpacttoITAudit� OrganizationalimpactIftheorganizationisusingbigdatatodrivedecisionmaking,ITAuditshouldaudithowbigdataismanaged.

� DataintegrityIftheorganizationreliesheavilyonbigdata,ITAuditshouldauditdataintegrity.

� ITauditexecutionITAuditcanusebigdatatoperforminternalauditsinnewways.

� VisualizationNewwaysoflookingatdatacanopenupopportunitiesforauditors


BigData,Analytics,andVisualization:ActionItems� “Checkingthebox”isnotDataAnalytics

� Theorganizationmusthaveastrategytomanagethedatalifecycle– creation,integrity,normalization,destruction,etc.

� It’saprocess,notaproject� Don’tstopexpandingthescopeofdataanalytics.Startsmallandbuild.

� Visualization=opportunity� Investigatefreeorlow-costdatavisualizationtoolstofindvalue,proveworth.


CloudandShadowIT:KeyCloudRisks


CloudandShadowIT:MainConcerns

� ShadowIT� CloudServiceProviderOperations� PoorDueDiligenceandDecisionMaking� PoorVendorManagement� MultipleJurisdictions=MultipleRegulations� PoorGovernanceoverCloud� LegacyApplicationsarenotCloudReady� ROIErodesbyUnexpectedExpenses


AuditingCyberSecurity:WhyCyberSecurityMatterstoAudit� Securityhasbecomeaboardandexecutivelevelissue.

� Mustensuretheenterprise’scybersecurityprogramisdefensibleincourt.

� ITandITSecurityhavetechnicalexperience,butauditunderstandsthatallriskisbusinessrisk.

� Thereisalotofinformationoncybersecurity.Butthereisnotanequivalentamountofinformationonhowauditshouldaddresseffortstodealwithcybersecurityrisk.

� Withinthenextfewyears,externalauditingfirmsmaycountcybersecuritycontrolsas“inscope”aspartoffinancialaudits.

� Theproblemisnotalackofexpertise;itisalackofdialogue.


AuditingCyberSecurity:ActionItems� Ensurecybersecurityriskisintegratedformallyintotheauditplan.

� Leverageapplicablenationalcybersecurityframeworks(suchasNISTintheU.S.)toincreasedefensibilityandefficiency.

� Identifyandactonopportunitiestoimprovetheorganization’sabilitytoidentify,assess,andmitigatecybersecurityrisktoacceptablelevels.

� Recognizethatcybersecurityriskisnotonlyexternal;assessandmitigatepotentialthreatsthatcouldresultfromtheactionsofanemployeeorbusinesspartner.


TalentAcquisitionandRetention:InternalAuditIncreasingExpectations

Source:PwC’s18thAnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:InternalAuditIncreasingExpectations

Source:PwC’s18thAnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:Modern-DayChallengesinRecruiting� Riseofthecontingentworkforce,growthoffreelanceeconomyAsmorepeopleseekflexibleworkopportunities,theyareturningtopart-timepositionsandfreelancework.

� TechnologicaladvancementsPeoplewanttowork,accessandshareinformationthewaytheylive—constantlyconnectedwithanybody,anytime,andanywhere.

� Multi-generationalworkforceFourgenerationscomprisetoday’sworkforce;eachonebringsuniqueperspectives,attitudesandcommunicationandworkingstyles.

Source:PwC’s18th AnnualGlobalCEOSurvey(2015)

TalentAcquisitionandRetention:ActionItems� Usethemostmoderntechniques.

Ifanorganizationisusingoutdatedtechniques,andnotbecomingautomated,itwilllosemillennialsanddigitalnativesquickly.

� Buildanexperiencethatmatchesthetypeoftalentyouaretryingtoattract.

� Speaktheirlanguage.

� Sellwhatthebusinesshasratherthanonlythejobitself.

� Givethemmorethanjust“gruntwork”;focusonwhatmotivatesthem.

� Givethemexperiencesoutsideoftheoffice.

� Giveunexpected,surpriserecognition

� Offerflexibleworkarrangements


FutureofWork� Thecoming“newnormal”:

• “On-demand”economyaschiefdriverofglobaleconomy

• “Mobile-first”workforcesutilizingSMACtechnologiestomaximizetheirorganizations’effortsasdigitalleaderswillbestandard,acrossallindustries,atalllevels

• Robustandcontinualupskillingandreskilling,withlearningdeliveredfromformal,informalsources

Source:2016,Volume2,McKinseyQuarterly:DigitalStrategy:TheEconomicsofDisruption;LearningattheSpeedofBusiness

DigitalNatives:TheDriversofTomorrow’sDigitalEcosystemsAreAlreadyArriving� Digitalcompaniesthrivingasdriversofdigitalecosystemsarealready hiringdigitalnativesandcreatingdigitalworkplaces

� Fordigitalnatives:� Theworldison-demand,flexible,andborderless� Personal/organizationalinterfacesareexpectedtobedigital—liketherestoftheirworld

Source:2016EMC2 WhitePaper:CompetingforDigitalCustomers:WhyCompaniesMustEmbraceDigitalTransformationNow

FutureofLearning� Corporatelearningexpectedtochangedramaticallyinfuture� Increasingpresenceofdigitalnativesintheworkforcewillbeaprimarydriverofthesechanges

� TheNewNormal:Contentinthecloud,accessedbymobiledevicesemployingmultiplelearningenvironments,andoftengenerated,sharedandcuratedbytheusercommunityitself


NextGen LearningEnvironments:LearningattheSpeedofBusiness


Documents

37WCARS-K 2 M Loeb - RAWraw.rutgers.edu/docs/wcars/37wcars/Presentations/...Security Matters to Audit Security has become a board and executive level issue. Must ensure the enterprise’s