Cloud Security Alliance Appoints Daniele Catteddu to CTO Post

As Its First Ever CTO, Catteddu to Spearhead Organization’s Global Technology Strategy and Roadmap Throughout Key Lines of Business

Seattle, WA – February 23, 2016 – The Cloud Security Alliance (CSA) today announced the appointment of Daniele Catteddu as its first ever Chief Technology Officer. In this role, he will be responsible for driving the development of CSA’s global technology strategy and roadmap throughout its lines of business including research, membership services, standards, education and products. Additionally, Catteddu will be charged with identifying technology trends, products, global policies and evolving social behavior and the impact of each in relation to CSA’s activities.

“Daniele is one of the industry’s foremost cloud security experts,” said Jim Reavis, CEO of the CSA. “I look forward to working with him in the CTO role as we grow CSA’s influence and continue our expansion into defining assurance for important next generation information technologies.”

Prior to this appointment, Catteddu served as Managing Director of CSA EMEA, where he is credited with establishing and elevating CSA’s presence in the region, making it a center of excellence in the eyes of both corporations and policy makers. Catteddu was also instrumental in the development of CSA’s Open Certification Framework, an industry initiative to allow global, accredited and trusted certification of cloud providers.

“I am very much looking forward to taking on the role of CTO for the CSA, where I will have the opportunity to combine my passion for technology with critical and creative thinking to help ensure that any technological advancement is in harmony with and in support of society,” said Catteddu. “I see a tremendous need to educate the market on the fundamental role that information security will play in our future and to provide each market stakeholder with the tools to approach the complexity of the information security issue. With ‘data as the new currency,’ providing a high level of info security and protecting people’s right to privacy has become equal to protecting their future investments.” In the year ahead, Catteddu plans to focus on advancing CSA’s Security, Trust and Assurance Registry (STAR) certification program, including the launch of STAR Continuous, the identification of new trends, especially those related to IoT security, and the creation of the Futures Advisory Committee.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

Newbies/Mid-Careerists: Jumpstart Your IT Audit Careers

In the two decades that I have been an IT Audit recruiter, the field has come a long way, and there is now much more recognition for the IT Audit profession. Going back to 1995, whenever I have spoken at an ISACA gathering I have asked how many attendees knew in college that they wanted to be an IT auditor. Just 10 years ago, no one ever raised their hand. About five years ago, hands started to go up. That IT Audit is now considered a viable career choice has been helped considerably by the steady increase in college curricula focused on IT risks and controls.

As an IT Audit recruiter I am often asked by individuals at various stages of their IT Audit journey—from college to mid-career—what they can do to jump-start their IT audit careers and stand out from the pack. Here are some suggestions.

IT Audit Internships for Newbies
Let us start with those still in college. I strongly recommend you get into a good internship program to gain experience and “try before you buy” to help you decide if IT audit is something you are truly interested in. A good place to look for these programs is with the Big 4 accounting firms, but also with Fortune 500 companies, more and more of which are developing audit internship opportunities.

ISACA Membership/CISA Highly Recommended
For those starting out or at mid-career looking to get into the IT audit field, my first suggestion: you need to become a member of ISACA. To get a foothold in the IT Audit world, ISACA can be invaluable, particularly for the networking opportunities an ISACA membership affords. Robust ISACA chapters can be found in most major cities.

You should approach every chapter meeting as a networking opportunity. Yes, those events are great for learning more about the profession through training and presentations, but networking is key for those looking to break into the IT audit field. Sit with people you do not know. Move around the room. Introduce yourself to the chapter president or vice president. Ask for 30 seconds to a minute to introduce yourself to the entire group and present your stump speech/elevator pitch to make everyone aware of who you are and that you are looking to get into the IT audit field. How many times will you need to introduce yourself and network your way to an opportunity? Maybe once, maybe one hundred times... but if you put in that level of effort to go beyond your comfort zone and market yourself, you will eventually win somebody over.

Next: it is critical that you sit for the CISA certification. It sends a clear message to prospective employers that you have mastered the IT Audit body of knowledge, but even more important, it shows you have taken initiative in your professional development. It demonstrates that you have bought into IT audit, which is something potential employers need to know, especially if they are going to take the risk of hiring someone who needs additional time and training to get up to speed. The CISA has gone from a “nice to have” to a “Why in the world do you not have your CISA?” CISA is a door opener if you have it and a door shutter if you do not... so dig into your wallet and pay for the exam. If you are serious about the IT Audit field, this is an investment that will definitely pay off.

As for other ISACA certifications, both the CISM and CRISC are continuing to gain recognition. Non-ISACA certifications I recommend include the CISSP from the International Information Systems Security Certification Consortium and the CIA from the Institute of Internal Auditors (IIA).

To sum up, with IT audit candidate scarcity as significant as it has been since the initial years of Sarbanes-Oxley compliance, demand for qualified IT audit professionals will likely continue to exceed supply for the foreseeable future. This creates opportunities for those looking to break into the field, and an ISACA membership and certification are the keys to doing just that.

Derek Duval is the owner of Duval Search Associates, which is devoted exclusively to enhancing the careers of IT audit, risk management, compliance, and advisory professionals.

Derek Duval, CPC
Duval Search Associates, LLC

[ISACA Now Blog]

Has David Chaum Saved The Internet?

As the Internet of Things continues its promising evolution, the world is becoming more engaged in the discussion of privacy issues versus issues of national security. At the center of this exchange is the burning question of whether we, as nations and communities, should sacrifice privacy for security.

Some governments think so, and have gone to great lengths to gather information from sources both inside and outside their borders, quite often acquiring the information of millions of persons in a quest to identify the specific actions of only a few individuals.

On the other side of the argument are those who believe that an individual’s right to privacy is sacrosanct; nothing can, nor should, supersede it, including a government’s desire to act in what it deems the interests of national security.

The actions of Edward Snowden put a spotlight on these conflicting perspectives, pointing out the various ‘back door’ entry points that enabled a government to examine the information of private citizens at any moment it deemed such an examination necessary. Today, we find governments and citizens across the world having conversations about the appropriate balance of privacy and security. Those discussions, as yet, have yielded little agreement, and few signs of potential resolution.

And now, the voice of someone new has joined that conversation: David Chaum.

David Chaum was the creator of the mix networks of the late 1970s. He has spent much of his career in encryption, ensuring that information stays the property of the individual, and no one else’s. In January at the Real World Crypto conference at Stanford University, he proposed a new way to ensure an individual’s online privacy, a model he calls PrivaTegrity.

His solution is somewhat counterintuitive. He proposes more ‘back doors’—nine of them, in fact. Simply put, Chaum’s PrivaTegrity model places nine servers in nine different nations. No single server can provide access to the information being transmitted, nor can any combination of the nine servers access the information—save all of them acting in unison. His rationale is simple: if nine governments or other entities can agree that something is undesirable—terrorist plots, human or drug trafficking, or similar endeavors—then that information should be accessed and acted upon.
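The “all nine acting in unison” property described above is the defining feature of an all-or-nothing (n-of-n) threshold scheme. The following is an added illustration written for this page, not code from the post and not Chaum’s actual PrivaTegrity/cMix protocol: it models the nine servers as holders of nine XOR shares of a message and shows why any eight of them learn nothing, while all nine together recover it. The message bytes, the share-splitting and the `missing_share_for` helper are constructed for the example.

```python
"""All-or-nothing (n-of-n) secret sharing as a simplified model of the
nine-server "act in unison" property.  Illustrative only; this is not the
mix-network construction PrivaTegrity actually uses."""
import secrets
from typing import List, Sequence

N_SERVERS = 9  # the nine servers in the text


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int = N_SERVERS) -> List[bytes]:
    """Split `secret` into n shares: n-1 uniformly random shares plus a last
    share chosen so that the XOR of all n shares equals the secret."""
    if n < 2:
        raise ValueError("need at least two share holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine(shares: Sequence[bytes]) -> bytes:
    """XOR a collection of shares together.  This yields the secret only when
    every one of the n shares is present; any strict subset yields a value that
    is itself uniformly random."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def missing_share_for(partial: Sequence[bytes], candidate: bytes) -> bytes:
    """Given n-1 shares, return the value the withheld share would have to
    take for `candidate` to be the secret.  Exactly one such value exists for
    every candidate of the right length, which is the perfect-secrecy argument:
    the n-1 holders cannot distinguish any candidate message from any other."""
    return xor_bytes(combine(partial), candidate)


if __name__ == "__main__":
    # Constructed sample message; the "alternative" is any other message of
    # the same length that the eight holders might equally suspect.
    message = b"meeting moved to 09:00"
    alternative = b"groceries: eggs, bread"

    shares = split(message)
    print("all nine servers cooperating:", combine(shares))

    eight = shares[1:]  # one server declines to cooperate
    print("eight servers only:", combine(eight).hex())
    # Both candidates are consistent with what the eight servers hold:
    for cand in (message, alternative):
        ninth = missing_share_for(eight, cand)
        print(cand, "is consistent with the eight shares if share #1 were",
              ninth.hex())
```

The usage block makes the point the text is arguing about: with eight of nine shares, the holders can reconstruct a plausible ninth share for any message of the same length, so nothing short of full agreement yields the plaintext. Real deployments would also need integrity protection on each share and a way to verify that the recovered value is genuine, which this toy omits.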

A critic of Chaum’s pointed out the central flaw in this, though. Why would criminals and terrorists use a construct that you have already publicly stated has the ability to be accessed through a back door, albeit a door with nine locks?

While Tor encrypts and bounces communications through a network of relay servers, preventing traffic analysis, Tor cannot—and does not—protect against traffic confirmation. Because of imperfections such as this, Tor and similar constructs are vulnerable to decryption efforts—but are they vulnerable enough, in the mind of a bad actor, to merit switching from that to Chaum’s PrivaTegrity model? PrivaTegrity may make privacy more difficult to pierce—but it can still be pierced.

To be blunt, the only reason for criminal or terrorist elements to use PrivaTegrity would be if they controlled all nine servers. It is difficult to imagine a scenario in which any one of nine criminal or terrorist enterprises would act against its own self-interest, so it would be extremely difficult to get all nine actors’ approval and lift the veil of privacy. This could prove appealing to such groups—and be a nightmare beyond imagination for law enforcement, cybersecurity and national security professionals.

So, I believe it is safe to say—no, David Chaum has not saved the Internet.

But perhaps he has pointed to a way forward. Plurilateral agreements require the approval of all entities involved before an action can be undertaken, and may be the nontechnological solution to the privacy versus security debate. This is not a new approach to issues that are borderless, global in scope, and with implications for nations and individuals the world over; a plurilateral agreement regarding the future development and usage of Antarctica was entered into force by a dozen nations in 1961. In the half-century since, the member nations have worked together to increase the number of nations in the Antarctic Treaty, as well as to set parameters for scientific research on that continent.

In this age of the Internet, privacy is disappearing—or perhaps we might soothe our souls by acknowledging that privacy is being redefined. Individuals are continuing to reveal more about themselves online. Governments are actively pursuing what they believe to be the best security interests of their respective nations. While many security-focused agencies around the world would be loath to have another similar agency in an outside nation sign off on their actions, the fact remains that it just might be the best way to ensure the privacy of the individual while still engaging in the pursuit and apprehension of criminals, terrorists and similar bad actors.

The Internet does not belong to an individual or a nation; it is among the few constructs in our world that can make that claim. Instead, it is a construct that deserves the responsible stewardship of both state actors and individuals. It is time that privacy be given the same status that other issues of global import have been given. It is time we work together to ensure that innocent, ordinary individuals the world over can communicate with one another—and only one another.

Matt Loeb, CGEIT, CAE
CEO, ISACA

[ISACA Now Blog]
