By Raoul Morales on May 31, 2022

A couple of weeks ago, I had the privilege of attending the ISACA conference in New Orleans. It was a special treat, since I (along with most of the world) had not been to a convention in 3 years due to a life-altering pandemic. It was quite refreshing to actually see people in person, listen to great speakers in person and share insight with colleagues in person. I couldn't attend all 80+ sessions but was able to catch about 18 of them.

The topics creating the most buzz were 3rd Party Risks, Ransomware, Automation, Data Privacy, Audits & Risk Management. Some are well known and maybe repeated too often. Some are continually being addressed improperly. Others may be completely new. I hope you find this insight useful.

HERE ARE THE TOP 5 TAKEAWAYS FROM ISACA 2022:

1. 97% of Firms are Negatively Impacted by 3rd Party Risk & Supply Chain Breaches.

In today’s climate, businesses know how important it is to protect their own digital footprint. The pandemic accelerated digital transformation, so bad actors across the globe know that your third parties and supply chain are the easiest way into your firm, and they want the path of least resistance. Cloud compromises jumped from 9% in 2018 to 20% in just one year. Third-Party Risk Management (TPRM) needs to be a dedicated business function. Some steps include:

1) Triage - prioritize Tier 1 vendors, then Tier 2, then Tier 3.
2) Monitor - regularly assess and monitor the effectiveness of risk mitigation and controls.
3) Optimize - coordinate with cybersecurity, operational resilience, ESG and ERM initiatives, then use the same frameworks for risk management and reporting.

2. Customer Personally Identifiable Information (PII) is the Most Common Type of Record that is Lost or Stolen.

All customers buy goods and services with the ‘hope and expectation’ that their PII will be held in the highest regard and utmost confidentiality. This data is held in shared drives, emails and numerous database tools, so it is no wonder this is the most common type of record that is lost. Data Privacy is enforced by the way information is managed, not by compliance, laws, regulations or standards. Assessing and treating Data Privacy risk has traditionally required segmented workflows due to disparate data repositories and a lack of data-mining capabilities. Here are 3 top recommendations for your firm:

1) Consolidate Data Privacy reporting.
2) Unify Data Privacy assessment workflows.
3) Use a single source for risk treatment.

3. Half of ALL Business Frauds in 2020 Stemmed from Internal Control Weaknesses.

The most common deficiencies include terminated employees still active in the network, lack of segregation of duties, lack of a critical application list, lack of a vendor risk assessment and vendor management program, and lack of penetration testing and internal vulnerability scanning. While Vertex11 is not surprised by this continual revelation, having proper Internal Controls is crucial to mitigating these risks and ensuring your company’s audit process is smooth. Some helpful tips include:

1) Audit your existing security.
2) Review existing controls.
3) Consult - build an improvement plan.
4) Role-based or attribute-based access control (RBAC/ABAC).
5) Segregation of duties (SoD) and audit reporting.
6) User provisioning.
7) Periodic review.
8) Documentation.

4. Persistent Ransomware Threats from Cybercriminal Groups are Rising Exponentially.

Roughly 40% of global organizations have no ransomware emergency plan in place or are unsure whether one exists. No wonder these threats are climbing fast. Establishing an Incident Response plan with an on-call Computer Security Incident Response Team ready for deployment is crucial. Conducting regular Table-Top Exercises is a must! Practicing periodically will reduce the impact of this threat and keep your IR team on guard.

5. Using Automation will Help Streamline Policy as Code (PaC).

The concept of storing policy documents as code, in a manner consistent with software development, and making policy decisions in an automated way is on the rise because of its efficiency. PaC can reduce uncertainty by making policy evaluations immutable, and the policy repository can be shared across teams. PaC improves speed by allowing teams to make changes with less human involvement, along with fewer manual reviews and approvals. Policies can be committed, tested and merged like any code, so you’ll be able to audit confidently. This history is shared across teams, making it a single source of truth!
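As an added illustration (not code from the post or from Vertex11), here is what takeaway 5 looks like when applied to the internal-control deficiencies from takeaway 3: each control is a pure, testable function over a snapshot of accounts and vendors, so the policy file can be committed, reviewed and merged like any other code. The role names, tier thresholds and sample records are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class User:
    name: str
    hr_status: str            # "active" or "terminated" according to HR
    account_enabled: bool     # what the directory currently says
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Vendor:
    name: str
    tier: int                 # 1 = most critical
    days_since_assessment: Optional[int]   # None = never assessed

# Role pairs one person must never hold together (constructed for the example).
SOD_CONFLICTS = [frozenset({"create_payment", "approve_payment"}),
                 frozenset({"create_vendor", "approve_payment"})]
# Maximum age of a vendor risk assessment per tier, in days (constructed).
ASSESSMENT_MAX_DAYS = {1: 90, 2: 180, 3: 365}

# Each policy is a pure function of the input snapshot, so the same commit of this
# file always yields the same decision for the same data (the "immutable" property).
def terminated_but_enabled(users: List[User]) -> List[str]:
    return [f"{u.name}: terminated in HR but account still enabled"
            for u in users if u.hr_status == "terminated" and u.account_enabled]

def segregation_of_duties(users: List[User]) -> List[str]:
    return [f"{u.name}: holds conflicting roles {sorted(c)}"
            for u in users for c in SOD_CONFLICTS if c <= u.roles]

def vendor_assessment_overdue(vendors: List[Vendor]) -> List[str]:
    return [f"{v.name}: tier {v.tier} assessment missing or older than "
            f"{ASSESSMENT_MAX_DAYS[v.tier]} days"
            for v in vendors
            if v.days_since_assessment is None
            or v.days_since_assessment > ASSESSMENT_MAX_DAYS[v.tier]]

def evaluate(users: List[User], vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Run every policy; a non-empty finding list is a control failure to report."""
    return {"terminated_but_enabled": terminated_but_enabled(users),
            "segregation_of_duties": segregation_of_duties(users),
            "vendor_assessment_overdue": vendor_assessment_overdue(vendors)}

# Constructed sample snapshot (not real data).
SAMPLE_USERS = [User("alice", "active", True, frozenset({"create_payment"})),
                User("bob", "terminated", True, frozenset({"read_reports"})),
                User("carol", "active", True, frozenset({"create_payment", "approve_payment"}))]
SAMPLE_VENDORS = [Vendor("payroll-saas", 1, 30), Vendor("office-supplies", 3, None),
                  Vendor("cloud-backup", 1, 120)]
REPORT = evaluate(SAMPLE_USERS, SAMPLE_VENDORS)   # findings for bob, carol and two vendors
```

Because the thresholds and conflict pairs live in the same file as the checks, a change to either shows up as a reviewable diff with its own test run rather than an edit to a document nobody re-reads.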