3 Important Takeaways from the RBI’s Cyber Security Framework in Banks

In June 2016, the Reserve Bank of India (RBI) sent an important circular, the Cyber Security Framework in Banks, to the CEOs of Indian banks. The document states that banks urgently need to put in place a robust cybersecurity and resilience framework and to ensure adequate cybersecurity preparedness on a continual basis. Issuing cybersecurity guidance is not new for the RBI, which issued a similar document in 2011. However, this particular document is timely and essential. Information technology (IT) is now part of banks’ operational strategies and essential for both banks and their customers. At the same time, as the RBI points out, the number, frequency and impact of cyber incidents on Indian banks have increased substantially. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets and preserving their own brand and reputation, since the industry will remain a top target of cybercriminals using increasingly sophisticated methods. It is therefore urgent that banks continue to improve their cyber defenses.

The RBI guidance consists of an introductory framework with overall guidance, plus three annexes:

  1. An indicative set of baseline cyber security and resilience requirements.
  2. Information on setting up and operationalising a cyber security operation centre (C-SOC).
  3. A template for reporting cyber incidents to the RBI.

Within the range of instructions and recommendations in the guidance, three things rise to the top as notable.

First, the guidance instructs banks to involve their boards of directors and other senior management in cybersecurity. Boards must approve their banks’ cybersecurity policies and strategies and, more generally, they need to be brought up to speed on potential cybersecurity impacts, including their banks’ preparedness, and the need to manage cyber risks. At the same time, the guidance notes that managing cyber risk requires awareness and commitment among staff at all levels. We agree wholeheartedly. Executives can no longer delegate the whole cybersecurity agenda to the IT division. Because the value of a bank’s brand can be directly affected by security incidents, security needs to become an integral part of the company strategy at the highest possible level, actionable at every branch and corporate site and supported by greater employee awareness. Through our recent book, Navigating the Digital Age, and our online community, SecurityRoundtable.org, Palo Alto Networks seeks to share best practices, use cases and expert advice to guide executives on managing cybersecurity risks.

Second, the guidance directs Indian banks to take a risk management approach to cybersecurity. RBI notes that the size, IT systems, technological complexity, stakeholders, and other factors vary from bank to bank, and thus banks must identify their own inherent risks and needed controls to adopt an appropriate cybersecurity approach. We agree. No “one size” cybersecurity solution will fit all banks. However, there are some best practices that will improve overall cybersecurity hygiene.

Third, the guidance emphasises prevention. For example, it says that banks should not allow unauthorised access to networks and databases, should take the necessary preventive and corrective measures, and should endeavor to stay ahead of the adversary. We agree. Given that banks everywhere are constantly under siege from cyber attackers, a prevention-minded philosophy of cybersecurity is needed. Detection and remediation after the fact are too little and far too late to properly protect the financial assets and information of banks’ clients. This is where the SOCs called for by the RBI will be extremely helpful. Per the guidance, a bank’s SOC should “keep itself regularly updated on the latest nature of emerging cyber threats” and be “well-prepared to face emerging cyber threats such as zero-day attacks”. However, SOCs are only part of the solution. Building cybersecurity into the overall network or enterprise architecture also contributes to a preventive posture. Palo Alto Networks is focused on preventing successful cyberattacks and can be part of such a layered defense approach.

The guidance’s baseline cybersecurity and resilience requirements are helpful. They include recommendations to meet many of the goals laid out above, such as a requirement to have advanced real-time threat defense and management. However, as RBI notes, the list is indicative and not exhaustive. As they seek to manage their ever-evolving risks, it is critical that banks retain the flexibility to ascertain and deploy the most advanced technologies and processes to ensure the best possible protection of client data and financial assets.

Today’s digital way of life puts immense pressure on the financial services industry. Individuals, institutions and governments demand an unprecedented level of access to their financial assets and information. Clients must trust that their financial assets and information are safe yet also readily available. This trust is best built and maintained with a breach prevention-based mindset for cybersecurity.


[Palo Alto Networks Research Center]

Mark Kaigwa: Mobility Has Massive Implications for Africa

ISACA Now recently talked with Mark Kaigwa, an African IT entrepreneur, about the future of IT in Africa. Kaigwa is a keynote speaker at the first-ever Africa CACS at the InterContinental Nairobi, Kenya, which takes place from Monday, 8 August to Tuesday, 9 August.

The following is a question-and-answer session with Kaigwa.

ISACA NOW:  It seems that the opportunities for IT in Africa are endless. Obviously, social media is huge. What other opportunities for IT in Africa do you see over the next 5–10 years?
KAIGWA:  I see mobility as one of the greatest epochs of Africa’s technological history. The last 7 years have witnessed nations shift from cyber cafés as the gateway to the Internet to the pockets of hundreds of millions on this continent. I believe that it is indeed something to marvel at.

The implications are massive. You can no longer have an election without factoring in the broader thinking that goes into the mobile phones we know and love. This goes so far that in Kenya, where the inaugural Africa CACS will be held, serious conversations have revolved around whether mobile money and mobile phones should be used in the voting process. To illustrate, the total number of registered voters is estimated at 15 million, while there are 25 million mobile money users.

I think the layer above mobile is what excites me as we’re only beginning to see the possibilities. Look at how connected devices are entering various sectors, such as the education system, where Kenya recently piloted a program that will see 100,000 students explore learning aided by laptops.

For national security, there’s been a push in the private and public sectors. When it comes to traffic and mobility, Nairobi loses a colossal amount in traffic per day. An IBM study found it the 4th most-stressful city for drivers (after Mexico City, Shenzhen and Beijing). The yearlong study was on how drivers react and vehicles behave as they negotiate obstacles on Nairobi streets. The public sector has seen the deployment of a national police surveillance system powered by 4G technology from Safaricom. This included connecting 195 police posts and HD and Ultra-HD CCTV cameras monitoring traffic and security connecting to a national command and control room.

Kenya’s investor community is pushing boundaries in the Internet of Things (IoT) with organizations like BRCK educating customers and the market. There is also Product Health, an organization looking into supporting solar enterprises. I have great interest in the data we are generating and what that data means for consumers and companies.

At the same time I recognize the risks. To illustrate, in Kenya today you have people that fall within the cracks when it comes to complying with the checks and balances of traditional access to capital and loans. However, one peek at their mobile devices tells a much better story than any bank account ever could. Companies from Silicon Valley and Silicon Savannah are battling for the future of finance, especially for lending based on mobile data.

Organizations like Branch, Saida and Tala take information on Android phones and score them on virtual creditworthiness. Small factors such as how much airtime one uses, how many times one charges the phone each day and whether one gambles on sports betting web sites are included, in addition to one’s mobile money transactions. Tala claims to have over 10,000 data points to make a lending decision. No paperwork involved. M-KOPA pioneered this on a broader basis, pushing beyond access to mobile phones and consequently mobile money by exploring what happens when you build credit scoring based on purchasing power from micropayments.

Second to that, I’d say that chat apps and instant messaging applications also excite me. I’ve followed the growth of Ghanaian startup Beam and others using WhatsApp as an onboarding process. Remittances across the continent exceeded aid in 2012. Since the rise of cryptocurrencies there are myriad start-ups solving the payments space. Beam began this way but pivoted to a new and more interesting proposition.

It isn’t what gets the money into the country that matters, but where it goes and the certainty one has that it is buying what it was intended to buy. This means that if a person has sent $10,000 to family members to purchase a parcel of land, what else do they have but the family members’ word to go on when checking to see that this is what it was spent on?

ISACA NOW:  What are the challenges to Africa’s IT revolution? What solutions do you envision?
KAIGWA:  If we take the two above scenarios, they invariably bring security challenges. The issue of cybersecurity is one that has people divided.

The greatest of these is that on the connectivity front. I’m interested in seeing how the debate on net neutrality plays out on the continent, particularly after India’s decision on net neutrality; we have yet to see any clear reverberations on the continent.

The continent isn’t homogenous. There are 54 different negotiating tables for Facebook to sit with regulators. It is also worth noting that the way true regional lines get erased is when telcos are able to use their borderless technologies and economies of scale to facilitate entry for technology giants. The case in point is Airtel as a partner for Facebook’s Internet.org on the continent.

Mobility itself remains a challenge. Yes, one can engage and build with mobile in mind, but that is not the be-all and end-all of technology. Challenges and pain points in the user experience of unstructured supplementary service data (USSD) are an area that needs further thought. The need to go through menu after menu can prove taxing, especially given the number of timeouts. User experience on mobile (outside of apps) remains a challenge, considering that USSD does not grant uniformity. From an iPhone 6S Plus to a Nokia 3310 (were one to be revived and put back on a network), the interaction is virtually the same.

Regarding mobile money, the Brookings Institute noted that when South American countries were compared to African ones (especially those advanced in the penetration and use of mobile money), there were generally higher rates of formal bank account ownership among marginalized groups (i.e., women and low-income individuals) and higher rates of debit card, credit card use and Internet use for bill payments and purchases than the African countries. Conversely for Africans it remains primarily mobile driven. I’m exploring what this means when it comes to delivering a consistent and cyber-secure experience on mobile channels to customer segments not aware of risks and vulnerable to fraud.

ISACA NOW:  Where are African enterprises at from a cybersecurity standpoint? Where are African citizens at, cybersecurity-wise? What are the challenges and solutions?
KAIGWA:  The biggest challenge here remains, as seen above, the tendency to categorize the continent as homogenous. As is becoming an adage now—Africa is not a country. The contradictions, challenges and comparisons between countries yield different results each time. One can, however, find parallels when looking at the four corners of the continent: Kenya for East Africa, Nigeria and/or Ghana for West Africa, Egypt for Northern Africa and South Africa for Southern Africa.

To illustrate, one of the continent’s main pan-African organizations, the African Union (AU) in 2014 adopted its Convention on Cybersecurity and Personal Data Protection. The Convention sought to improve how African states address cybercrime, data protection, e-commerce and cybersecurity. Presently, only 8 of the AU’s 54 members have signed the Convention, with none ratifying it. The solutions will take a country-by-country examination of common ground and political will to take action as the consequences will be felt by nation states and the current and next generation of Africans coming online.

ISACA NOW:  What will be the key takeaways from your address?
KAIGWA:  The key takeaways will be 3 provocations for Africa CACS based on looking at the continent and observing the rise in mobility, the opportunities and threats, and how stakeholders in the public and private sectors and the general public can compete or collaborate to Africa’s advantage and strengths.

My talk begins and spends time looking at what one of the more recent digital “arms race” developments looked like and what the consequences are for the ISACA fraternity and beyond.

Editor’s note:  The first-ever Africa CACS takes place 8 August to 9 August.

Mark Kaigwa, IT Entrepreneur, Nendo

[ISACA Now Blog]

Six Ways to Deliver Better Risk Assessment

Over time, the term risk assessment has become so commonplace that it has almost lost its meaning and is now much maligned.

Organizations run helter-skelter carrying out risk assessments that eventually become exercises in futility. One wonders why well-meaning managers, highly paid consultants and C-suite members with years of experience, access to plenty of research and the best intentions eventually end up with unusable outcomes.

Here are 6 key lessons from more than a decade of working with organizations across the board on risk assessments from various perspectives, including information security, application security, health and safety, and project management:

  1. Strategize:  The first step is to put in place a well-defined, clearly articulated strategy. It serves as a guidepost that can be revisited time and again, and as the buoy you cling to when the going gets rough. A clear strategy goes a long way toward ensuring successful risk assessments and driving outcomes.
  2. Keep it simple:  Simple is the friend of the wise. A simple risk assessment is aligned with strategy, has wide and deep buy-in, and keeps things practical; it delivers results easily and enables stakeholders to use them to manage risks effectively. Close alignment with the organization, its context and its culture, together with ease of use, helps ensure sustainable success.
  3. Buy-in, buy-in, buy-in:  Irrespective of the reason for the risk assessment, effectiveness is determined by how deeply the various stakeholders are involved, how much information is shared, and how the outcomes are perceived. Stakeholder buy-in shapes how the risk assessment is approached and how stakeholders get involved, and it is a surefire way to achieve success. Buy-in is easier said than done: it requires effective training and communication, transparency on all aspects of the risk assessment, a risk-aware organizational culture and, most importantly, visible management commitment.
  4. Perfect is the enemy of practical:  Aiming for perfection is desirable, but most organizations face day-to-day requirements, expected outcomes and constraints: limited time, the need to act on identified risks as you go along, the dynamic nature of risks, and the need to balance risks against costs. It is therefore imperative to focus on the practical. A practical risk assessment is repeatable, reliable and produces consistent results over time. Remember:  you want to be able to identify potential risks and take reasonable actions to mitigate them and to recover should they occur.
  5. Benchmark wisely:  A key piece of advice on risk assessments is to benchmark. Assessing the outcomes of your risk assessment against what your industry peers are doing can give your efforts a sense of stability and much-needed navigational support. But remember that your industry peers are as fickle as you are, and no one wants to share information that is less than stellar. Very often benchmarking data comes with small print, which simply means that the data is usable only under certain standard conditions and may otherwise be impractical, if not outright nonsensical.
  6. Modeling is best left to the ramp:  OK, I know your eyebrows might have merged with your hairline, but the point is this: unless models are chosen appropriately and customized to suit your organization’s needs and the purpose you have in mind, off-the-shelf models can actually make things more difficult. If you must choose a model, keep it simple (see point 2 above).

Combine the above in the right proportions and your risk assessment is guaranteed to deliver results and go a long way toward achieving organizational objectives and strategies, leading to effective risk management.

R.V. Raghu, Director, ISACA

[ISACA Now Blog]
