How to Properly Review and Act Upon SOC Reports

There continues to be a great deal of confusion over the new service organization reporting structure and which reports are the best to obtain. The basic intentions of the reports are as follows:

SOC 1 – Related to Internal Control over Financial Reporting
SOC 2 – Related to testing over the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy
SOC 3 – A simplified report on the same principles in SOC 2 and available for public use

In this article, we won’t go into the details of what report you need to obtain. Here, we’ll help answer the question of what you should be doing once you get the report in your hands. Properly reviewing these reports is an essential part of the vendor management and risk management functions, and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.

Obtaining the correct report
When obtaining the report, make sure it is the correct one. There are vendors that issue anywhere from one to sometimes more than 30 reports for different areas of their business. To increase the efficiency and effectiveness of your review, ensure you have the correct one. If you are reviewing card issuance procedures, the item processing report will not suffice.

Time period of report
The time period of the report should be reviewed to ensure it covers the needs of the user. Reporting periods vary and often don’t cover full calendar years (e.g. a reporting period of October 1, 2016 – September 30, 2017). Make sure the time period meets your needs. If there is a gap between the report and the time period you require for your review, you can obtain what is called a bridge letter (and you should seriously investigate why the gap exists). Ineffective controls at a key service provider could have serious consequences on your own control environment.
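The coverage check described above (required review window versus report period, with a bridge letter closing any gap) is the kind of thing worth automating once you track more than a handful of vendors. The following is an added example, not code from the article or its author; the dates, the vendor list and the function names are constructed for illustration, and periods are given as ISO strings so the result can be compared directly.

```python
from datetime import date, timedelta

def _parse(period):
    """Turn an ('YYYY-MM-DD', 'YYYY-MM-DD') pair into date objects."""
    start, end = period
    return date.fromisoformat(start), date.fromisoformat(end)

def uncovered_days(required_period, covered_periods):
    """Return the sub-ranges of the required window (inclusive, ISO strings)
    not covered by any period in covered_periods.

    covered_periods may mix SOC report periods and bridge-letter periods;
    overlapping or out-of-order periods are handled."""
    req_start, req_end = _parse(required_period)
    # Clip every covering period to the required window and sort by start date.
    periods = sorted(
        (max(s, req_start), min(e, req_end))
        for s, e in map(_parse, covered_periods)
        if e >= req_start and s <= req_end
    )
    gaps = []
    cursor = req_start          # first day not yet shown to be covered
    for s, e in periods:
        if s > cursor:          # a hole before this period starts
            gaps.append((cursor, s - timedelta(days=1)))
        if e >= cursor:         # advance past the end of this period
            cursor = e + timedelta(days=1)
    if cursor <= req_end:       # tail of the window after the last period
        gaps.append((cursor, req_end))
    return [(g.isoformat(), h.isoformat()) for g, h in gaps]

def review_period_coverage(required_period, reports, bridge_letters=()):
    """Summarise whether the reports plus bridge letters on hand cover the
    period under review, and where a (further) bridge letter is needed."""
    gaps = uncovered_days(required_period, list(reports) + list(bridge_letters))
    return {"covered": not gaps, "gaps": gaps, "needs_bridge_letter": bool(gaps)}

if __name__ == "__main__":
    # Constructed scenario: calendar-year 2017 review, SOC report on an
    # Oct–Sep cycle, and a bridge letter that only starts in November.
    result = review_period_coverage(
        ("2017-01-01", "2017-12-31"),
        reports=[("2016-10-01", "2017-09-30")],
        bridge_letters=[("2017-11-01", "2017-12-31")],
    )
    print(result)
```

The function is deliberately agnostic about what closes a gap: a second report, a bridge letter, or nothing at all. Anything left in `gaps` is a period for which you have no assurance over the vendor's controls and should be recorded as such in your vendor file.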

Management’s opinion on the operating effectiveness of the controls
Like the service auditor, management also opines on the operating effectiveness of controls. Apply the same considerations to management’s opinion as you did to the auditor’s opinion. If the two opinions differ, investigate why.

Inclusion of control environment in reports
An aspect of reports that may not have been included in the past is a description of the service organization’s control environment. This description can provide valuable insights and should be reviewed if present.

Control exceptions
Each report contains a section listing the controls tested and the results of that testing. Any exceptions noted should be investigated for possible impacts on your process. This especially holds true for controls being relied upon.

Vendors that have mature risk management and internal control functions have few exceptions in these reports. If you are seeing a high number, your level of caution should be raised.

User control considerations
Most reports contain a section listing controls that should be in place at the user (your) organization. These sections are typically called User Control Considerations, Complementary User Entity Controls or Description of Client Considerations. These are controls the service organization is assuming you have in place. They may not all be applicable to your business, but this section provides some great insight and may point out gaps in your control structure. Each user control consideration should be reviewed and addressed as applicable.

Subservice providers
Your service providers may be outsourcing part of the service they provide you. This could include hosting, helpdesk and other essential functions. The report you are reviewing should list what activities are outsourced. The term used in the report is most typically “subservice provider.” You should determine if you rely on that subservice and if you need to obtain a report from the subservice provider or perform any other sort of investigative activities. Remember, you are only as strong as your weakest link.

Controls relied upon and reports relied upon
As mentioned before, it is a good idea to keep a running list of the reports and controls you rely upon at each service organization. This will increase the efficiency and effectiveness of your review and will help you manage your risk.

Performing your reviews with the proper amount of rigor will ensure you are practicing proper risk management. It is a best practice to create an internal checklist for reviewing the reports to ensure all areas are covered.

We hear stories every week regarding vendor weaknesses resulting in control breakdowns and, in some cases, data breaches. Establishing a proper vendor management program is essential to guard against these threats.

Shane O’Donnell, CISA, CPA, CCSFP, Principal, Chief Audit Executive, The Mako Group

[ISACA Now Blog]

What We Learned From This Month’s European GISWS Report

What is the GISWS?

Since its first release in 2004, the biennial (ISC)²® Global Information Security Workforce Study (GISWS) has been gauging the opinions of information security professionals; and in turn, providing detailed insights into the important trends and opportunities within this increasingly crucial profession.

This year, the study conducted its largest-ever global survey of cybersecurity professionals, with over 19,000 individuals taking part (3,694 of whom hailed from Europe), allowing it to build an even clearer and more complete profile of the information security workforce, with a stronger understanding of areas and issues such as pay scales, skills gaps, training requirements, corporate hiring practices, security budgets and career progression. Additionally, the study explored corporate attitudes towards information security, presenting a useful and reflective reference for governments, corporations, hiring managers, and information security professionals themselves.

The latest release from GISWS and what this means in Europe

This month sees the third release of data from the Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk, which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates; and offers up a deeper exploration of the growing cybersecurity skills gap.

The report revealed a number of interesting findings, including a predicted cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, resulting in European organisations planning the fastest rate of cybersecurity hiring in the world: 38% of surveyed hiring managers in the region admit they intend to grow their workforce by at least 15% in the coming year. This is despite the fact that two-thirds of organisations have also stated that they currently have too few cybersecurity workers.

While there are strong recruitment targets, a shortage of talent and disincentives to invest in training are contributing to this skills shortage, with 70% of employers around the globe already looking to increase the size of their cybersecurity staff this year.

This demand is set against a broad range of security concerns which continue to develop at pace, with the threat of data exposure clearly identified as today’s top security concern amongst professionals around the world. Concern over data exposure reflects the advent of new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation to be in force by May 2018.

This month’s report illustrates a revolving door of scarce, highly paid workers amidst a non-existent unemployment rate of just 1% in Europe. While organisations struggle to retain their staff – 21% of the global workforce stated they had left their jobs in the past year – they are also facing high salary costs, with 33% of the workforce in Europe, in particular, making over $100,000 USD / EUR €95,000 / GBP £78,000 per year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?” states the report.

Recruitment and professional development strategies must change

The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements.

Recommendations by this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above.

As the fastest growing demographic, millennials will be critical to filling this employment gap, but the attitudes must change in order to entice valuable candidates. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience – 93% of respondents indicated that this is an important factor when making their hiring decisions.

Yet, employers could be doing much more to attract and retain younger people. The study found that millennials value organisation training as well as mentorship and leadership programmes. As a demographic that holds personal development in such high regard, businesses need to be catering to these needs to attract vital young talent.

Undoubtedly, there is a real mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skills sets may not be keeping pace with requirements. Currently, the top two skills workers are prioritising include cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills respectively.

Improving gender diversity

In addition to the widening skills gap, diversity within the workforce remains low. The study also revealed that women form just 7% of the workforce in Europe, a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with male professionals in Europe earning £9,100 more on average than their female counterparts. This is despite Europe’s female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions. In the UK for example, 50% of female cybersecurity professionals hold postgraduate degrees, compared to just 37% of men, with 64% of women in managerial positions compared to 57% of men.

A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote such a profession to women. The lack of women also creates a self-perpetuating cycle with few established female role models to encourage the new generation.

But there are clear steps that can be taken to attract more women into cyber, and at the same time address the growing need for more staff. Much like with millennials, employers need to create inclusive work places that support and value women, via sponsorship and mentorship programmes that tie to the success and satisfaction of women at all levels. Equally as important, organisations must end pay inequity, and also draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of females.

Fundamentally, this is no longer just an issue of increasing workforce diversity, but an issue of economic and national security. The cybersecurity skills gap is growing wider every time the workforce is surveyed, and governments across the world are recognising that cyberattacks are critical national vulnerabilities. Attracting more millennials and women into the industry would not only significantly help reduce this shortfall in skills, but by diversifying the workforce, it will provide the necessary basis for a safer world, especially in today’s increasingly plugged-in society.

The full report can be downloaded here: http://iamcybersafe.org/GISWS/

[(ISC)² Blog]

Faces of ISACA: Michael Thiessmeier, Senior Manager, Technology & Security Risk Management, Oportun

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight risk management professional and ISO delegate Michael Thiessmeier.

Perhaps owing to his military background, Michael Thiessmeier believes that knowing how to perform the duties of both his supervisors and subordinates is the best way to ensure success. He has put in the time to make sure that’s the case.

Thiessmeier has more than 20 certificates and certifications, including ISACA’s COBIT Foundation certificate.

“Think about it this way,” Thiessmeier said. “One person might go watch soccer on Sundays. I might sit on that same couch preparing for a certification exam and feel the same kind of joy and excitement if I pass that the other person feels when their home team scores a goal.”

Thiessmeier joined ISACA in 2012 when professors in Germany – where he was born and spent seven years performing military service – encouraged him to seek out professional organizations.

“I spent years looking for options and evaluating my career path,” Thiessmeier said. “Finally, I determined that ISACA was best aligned with the direction that my career was taking.”

His current role is Senior Manager, Technology & Security Risk Management, with Oportun in Redwood City, California, USA. He is especially interested in how trends like machine learning necessitate automating controls testing.

“Being situated at the intersect of fin-tech and financial services allows me to work on things that have not been done before,” Thiessmeier said. “There truly is no cookie-cutter approach to our industry, and that’s where the research I am doing with ISACA and other organizations turns out to be very helpful.”

Thiessmeier also is heavily involved with ISO as a delegate expert for ISACA, a relationship that came about when he saw an opening on the ISO liaison committee posted on ISACA’s website. He is active in the Security Controls and Services, and Identity Management and Privacy Technologies working groups, and recently was elected as project co-editor for the ISO standard pertaining to application security validation and verification.

Some of Thiessmeier’s career highlights include working on the largest gaming console launch in history – he was manager of consumer services technology with Sony PlayStation during the PS4 launch – while at the same time participating in a major customer relationship management (CRM) implementation that automated consumer service processes.

“During that time I was not only allowed to lead several teams of incredibly smart and caring individuals, but also designed and ran the ‘war room’ used to manage that console launch,” he said. “Thanks to everyone involved, the launch was a great success and beat our expectations.”

Going forward, Thiessmeier intends to learn more about penetration testing. Fitting his overarching approach, that objective isn’t for personal gain as much as to continue deepening his broad-based reservoir of knowledge.

“I do not plan on being a penetration tester at this point in my career, but I want to make sure that I am in the best position to empower them in their day-to-day duties,” he said.

Aside from his traditional career interests, Thiessmeier volunteers for Team Rubicon, an organization that provides disaster response and veteran integration services.

“The moment you see a community that went through a horrible disaster pull together and come out of it closer than ever – no words can describe that,” Thiessmeier said.

[ISACA Now Blog]

Traps Sniffs Out Ursnif Banking Trojan

Ursnif (a.k.a Gozi), the well-known banking Trojan, continues to target millions of users all around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like Ursnif, specifically targeting Japan and several European nations. With its malware analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.

How Does It Work?

Ursnif has used two primary delivery methods: malspam and exploit kits.

Most recently, Ursnif has been using malspam – emails containing malicious attachments – to target users in Japan. The attachment contains a JavaScript downloader that downloads Ursnif from a remote site and executes it on the user’s machine. Other Ursnif malspam attacks have involved password-protected Office document attachments, a technique that minimizes detection by automated analysis tools. The body of the email contains a password to access the attachment, increasing the appearance of the email’s legitimacy. When the victim opens the attachment, his or her system is infected, communication with a command-and-control server is established, and commands from the C2 server, such as installing additional threats, are sent periodically.

Ursnif has also been delivered via RIG exploit kits. When a victim visits a compromised website, he or she is redirected to the RIG landing page, from which the exploit profiles the victim’s system to determine which attack will work best, delivers the attack to compromise the victim’s browser, and delivers the malicious payload onto the victim’s machine.

In both instances, the malicious payload can detect malware analysis tools and check for virtualization. If it determines itself to be in an analysis environment, the payload will avoid conducting malicious activity, making it challenging to detect.
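The two delivery paths described above, a script attachment that downloads the payload and a password-protected Office document whose password is supplied in the email body, both leave traces that a mail-gateway triage rule can key on before the payload ever runs. The following is an added example written for this page, not Unit 42 or Palo Alto Networks code; the message format, the attachment extensions it treats as scripts and the sample messages are constructed assumptions. The one format fact it relies on is that a plain OOXML document is a zip archive (starts with "PK"), whereas a password-protected one is wrapped in an OLE compound file, so a .docx whose bytes carry the OLE signature is encrypted.

```python
import os

# Container signatures. A normal .docx/.xlsx is a zip; a password-protected
# OOXML file is an OLE compound file holding the encrypted package.
ZIP_MAGIC = b"PK\x03\x04"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Assumed policy values for this example: script types that can act as a
# downloader, and OOXML extensions whose container we can sanity-check.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def triage_message(msg):
    """msg: {'subject': str, 'body': str, 'attachments': [(filename, bytes), ...]}.
    Returns a list of (severity, reason) findings, highest severity first."""
    findings = []
    body_mentions_password = "password" in msg["body"].lower()
    for name, data in msg["attachments"]:
        ext = os.path.splitext(name.lower())[1]
        if ext in SCRIPT_EXTENSIONS:
            findings.append(("high", f"script attachment {name!r} (downloader pattern)"))
        elif ext in OOXML_EXTENSIONS and data.startswith(OLE_CFB_MAGIC):
            # Encrypted document: automated analysis cannot open it without the
            # password, and a password in the body is the classic pairing.
            if body_mentions_password:
                findings.append(("high", f"password-protected document {name!r} with password in body"))
            else:
                findings.append(("medium", f"password-protected document {name!r}"))
        elif ext in OOXML_EXTENSIONS and not data.startswith(ZIP_MAGIC):
            findings.append(("medium", f"{name!r} does not match its extension's container format"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    # Constructed sample messages (not real captures).
    samples = [
        {"subject": "Invoice", "body": "The password for the attachment is 1234.",
         "attachments": [("invoice.docx", OLE_CFB_MAGIC + b"\x00" * 16)]},
        {"subject": "Scan", "body": "", "attachments": [("scan_001.js", b"var a = 1;")]},
        {"subject": "Notes", "body": "See attached.",
         "attachments": [("notes.docx", ZIP_MAGIC + b"\x00" * 16)]},
    ]
    for m in samples:
        print(m["subject"], triage_message(m))
```

The rule is intentionally coarse: it does not try to open the document or run the script, it only flags the combination of traits that the text describes so a human or a sandbox with the supplied password can look at the message. Legitimate encrypted documents do exist, which is why the encrypted-document finding is only "high" when the body also hands over the password.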

Why Is It Unique?

Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.

How Do You Stop It?

Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that blocks threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.

Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine if the macros are malicious or not. If a macro is malicious, it is prevented from executing. If unknown, the file containing the macro is examined by local analysis via machine learning. In this process, Traps examines various file characteristics to determine if the macro is malicious or benign. Using threat intelligence available from WildFire, a machine learning model is trained to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare metal analysis for full hardware execution, to identify even the most evasive threats, like Ursnif.

To prevent exploits, Traps takes a unique approach, focusing on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits with its Exploit Kit Fingerprinting Protection Exploitation Prevention Module.

By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.

Learn more about Traps’ multi-method approach to malware and exploit prevention.

[Palo Alto Networks Research Center]

The Cybersecurity Canon: Cybersecurity for Business Executives Toward an Era When Everything Is Connected

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary. This is noteworthy as the first cybersecurity book written in Japanese to target government leaders and C-suites to convince them that cybersecurity is a business management issue, not just a technical one. It is also the first Japanese book about cybersecurity to be translated into English.

The authors aim to share with domestic and global audiences what a Japanese company thinks about cybersecurity and what kinds of cybersecurity professionals the company has, because such openness is the only way to obtain feedback from global audiences, build confidence and enhance the company’s cybersecurity capabilities. This is unusual in Japanese business practice, which discourages companies from doing things differently from other companies or breaking with tradition.

The book has three key messages: first, we need to reposition cybersecurity from a technical issue to a business management challenge, as cybersecurity requires a whole-company approach to protect trust. Second, cybersecurity is about everything, and cybersecurity professionals are diverse. Third, the industry needs to work together on cybersecurity, not just leave it to the government and tech companies to solve these issues. These may not sound new to non-Japanese governments and companies. Yet, they show the strong will of Japanese business people to break the silence and reach out to global thought leaders to collaborate on cybersecurity.

Review. This is an epoch-making book in two ways: it is the first one written in Japanese to target government leaders and C-suites to convince them that cybersecurity is not just a technical issue but one of business management; and it is the first Japanese cybersecurity book to be translated into English to reach out to global experts and show Japanese businesspeople are ready for international collaboration. Before this book, cybersecurity books in Japanese had been either technical or national security-focused.

The authors belong to the NTT Cybersecurity Study Group, which consists of Senior Managers from NTT Group companies, including public advocacy personnel. NTT is one of the biggest telecom companies in the world, one of only four such companies globally with annual returns over US$100 billion. The Study Group aims to serve as an information hub for the NTT Group to enhance internal cybersecurity capabilities. Members regularly meet to discuss cybersecurity challenges and share their updates with other Group companies.

The Study Group decided to share what a Japanese company thinks about cybersecurity, as well as information about the kinds of cybersecurity professionals they have, with domestic and global audiences in order to obtain feedback from global audiences, build confidence, and enhance the company’s technical and non-technical cybersecurity capabilities. This is unusual in Japanese business practice, which encourages companies to avoid doing something different from others and from tradition.

When I first found this book, I was pleasantly surprised by the authors’ willingness to change the Japanese mindset, to be open in terms of how their company and cybersecurity professionals think about cybersecurity, and to be game-changing in creating social capital such as trust and norms. Japanese businesses tend to evaluate employees by giving demerit scores. When a new employee starts working for a company, he or she has a full score. As long as the employee performs in line with his or her predecessor, this score remains intact. However, if the employee decides to challenge the company’s traditional approach and try something new, but fails to achieve visible positive results, the score is reduced. Courage is rarely appreciated. This culture discourages employees from testing new approaches and encourages them to stay in a safe zone.

I was also amazed that this book came out two months before the Japanese government issued the Cybersecurity Guidelines for Business Leadership Ver. 1.0 to urge Japanese executives to invest more in cybersecurity as part of their business strategy. Traditionally, Japanese companies have not been proactive about informing the government about what Japan should do, unlike American companies.

The book has three key messages. First, we need to reposition cybersecurity from merely a technical issue to an important business management challenge, as cybersecurity requires a whole-company approach to protect trust. The authors point out that cybersecurity cannot be left solely to several experts because this does not allow an organization to take cybersecurity measures to meet organization-wide needs. Every employee uses information and communications technology these days. Cybersecurity is needed for everybody, yet resources are not limitless. The whole-company approach is crucial to decide how to optimize and prioritize the allocation of limited budgets and manpower.

Second, cybersecurity is about everything, and cybersecurity professionals are diverse. There is a wide variety of cybersecurity skillsets, such as knowledge about cyberattacks and defenses, risk analysis and business strategy, and education and training. Chapter 2 introduces 14 cybersecurity professionals, both Japanese and American, from different parts of NTT Group: white hat hackers, consultants, security operations center personnel, and others from financial security, internal defense, managed security service, hardware security, and encryption.

This is probably the first time any Japanese end-user company has revealed a list of their cybersecurity talent to third parties. Because hackers, even white hats, do not necessarily have a positive image in Japan due to the scarce information available about them, this book must have been encouraging to white hat hackers in Japan.

The examples also would have been useful for other end-user companies to learn what kinds of cybersecurity skillsets and professionals exist. NTT is one of three companies (in addition to Hitachi and NEC) that launched the Industrial Cross-Sectoral Committee for Cybersecurity Human Resources Development in June, 2015, to create an ecosystem between schools, universities, companies and the government to educate, recruit, hire and retain cybersecurity professionals.

Third, the authors argue that the industry needs to work together on cybersecurity and should not just leave issues to the government and tech companies to solve. These points may not sound new to non-Japanese governments and companies, yet they show the strong willingness of Japanese businesspeople to break the silence and reach out to global experts to collaborate on cybersecurity.

The authors use Chapter 3 to show how determined they are to be a game changer in the 21st century, in which cyberattackers tend to have the upper hand over defenders. The authors recognize the importance of a multi-stakeholder approach and public-private partnerships, and they have faith in end-user companies to play proactive roles in cybersecurity to change the game. End-user companies fight cyberattacks on a daily basis and own their defense strategy.

Chapter 3 also introduces examples of U.S. cybersecurity efforts, including the White House’s Summit on Cybersecurity and Consumer Protection in February 2015, and Information Sharing and Analysis Centers (ISACs). This aims to help Japanese readers learn lessons from the U.S. about how ISACs’ cyberthreat intelligence sharing helps the critical infrastructure sector and how U.S. leadership is committed to being involved in cybersecurity discussions and sharing personal experiences.

Conclusion. The message about cybersecurity as a business management issue is not new. Global experts, especially Americans, are already familiar with ISACs and the NIST Framework, as mentioned in the closing chapter. Why, then, did the authors translate the book into English and post the translation for free on the NTT Group website?

They did it because this book is not just about cybersecurity for leaders. It is also about public advocacy, which the Japanese do not usually practice in the global community. The authors are aware that the cybersecurity described in this book is not perfect, but they are willing to take any feedback, because openness is the only way to break the current wall and grow out of it.

English speakers will find the book demonstrates how Japanese companies are developing a foundation for global collaboration. After reading how cybersecurity professionals in Japan struggle with, and try to overcome, various challenges, global experts will see how they can work with Japan more closely.

[Palo Alto Networks Research Center]
