What is the biggest security challenge that will be faced in 2016?
2016 will see a shift to focusing on the need to perform basic cyberhygiene practices.
What are your three goals for 2016?
Who are you following on Twitter?
A few security gurus and business continuity magnets
How has social media impacted you professionally?
Professional outlets such as LinkedIn have helped me:
What is your number-one piece of advice for other IS audit professionals?
Never stop upgrading and updating your knowledge and work to build a trusted partnership with all stakeholders involved.
What is your favorite benefit of your ISACA membership?
Easy access to peers on different topics. When traveling, I get in touch with local ISACA chapters and meet with them or attend their networking events as a speaker.
What do you do when you are not at work?
How do you think the role of the IS auditor is changing or has changed? What would be your best piece of advice for IS auditors as they plan their career path and look at the future of IS auditing?
In my opinion, the role of IS auditor has expanded as IS auditors are needed to be more involved in all the areas of the business, especially in project management. They should be involved in the projects to consider all the security aspects right from the start. However, the core roles of the IS auditor have not changed as such, since the IS auditor is expected to provide an objective insight into the risk and control processes in any organization. But with advancements in technologies and new, emerging threats, the IS auditor’s auditing methodologies have to be adjusted, taking into account regulatory obligations, outsourcing, new exploitation techniques and more, as these pose serious challenges for this critical role. My humble advice for IS auditors is to keep abreast of these developments, update their knowledge on a constant basis and be flexible to adapt to the new techniques of auditing.
How did you make the transition from IS auditor to your current role as senior operations manager of a certification body? What skills have helped you the most in this most recent role?
Well, in addition to my experience as an IS auditor, I am also an accredited lead auditor and trainer for many other management system standards, including Business Continuity Management System (BCMS), IT Service Management System (ITSMS), Quality Management System (QMS), Cloud Security Alliance (CSA) STAR, and EuroCloud Star (ECSA) Audit, with auditing experience of more than 20 years. As a senior manager of operations, my role has transformed from governance and compliance to the accreditation requirements as a technical reviewer/approver and mentor for other auditors in this field not only locally, but globally within my organization. My IS auditor experience has enabled me to understand and articulate the needs and expectations of an IS auditor, which has helped me assist and guide new IS auditors to increased levels of effectiveness.
How do you see the roles of IS audit, governance and compliance changing in the long term?
I, personally, feel this role will have more responsibilities and is going to become more accountable at the same time. Due to the rise of security incidents/breaches and cybercrime, this role is going to be of high importance. As companies embrace new technologies, IS auditors must strive to understand how new technological developments and trends impact their organizations and internal process-level controls. They need to understand the exposure to cyberthreats as well as impacts on the viability of the business model. From a technology point of view, the IS auditor must recognize that social, mobile, big data and cloud transitioned from buzzwords to the new normal with associated threats. They also need to enhance their understanding of threats associated with the use of mobile commerce to the risk of destructive malware and advanced persistent threat (APT) attacks, since these will form the risk landscape of 2016 and beyond. Similarly, an effective IS audit risk assessment must address new or changing compliance requirements and see their impact on the business as a whole.
How have the certifications you have attained advanced or enhanced your career? What certifications do you look for when recruiting new team members?
Certifications have definitely enhanced my career and provide the desired recognition at the global level. Having a certification shows a true commitment and dedication to your profession/occupation. In my organization, although all auditors have to be qualified based upon the Information Security Management System (ISMS) auditor criteria, the Certified Information Systems Auditor (CISA) certification is preferred for new hires, even if they are not yet ISMS-qualified (which, in most cases, is done on the job). We strongly encourage our ISMS auditors to acquire the CISA certification as soon as possible, and we completely fund the CISA training/exam process. Similarly, we also consider the Certified in Risk and Information Systems Control (CRISC) certification as a preferred certification during the hiring process.
What has been your biggest workplace or career challenge and how did you face it?
My biggest challenge has been the traveling involved in this job. I have traveled to 40 countries on five continents. Sometimes, due to the hectic schedule, I land back home on Saturdays and fly to the next destinations on Sundays. However, all that is done out of my passion for auditing and training. And I strongly believe that when you have motivation and passion, no hurdle or challenge can stop you.