Lucio Augusto Molina Focazzio, CISA, CRISC, CISM, COBIT Assessor and Trainer, ITIL
Is a systems engineer who specializes in systems auditing. He has broad experience with national and multinational companies. He is a COBIT Certified Assessor and has implemented and evaluated IT governance using COBIT. He has presented COBIT 5 Foundation, Implementation and Assessor courses in Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Mexico, Panama, Peru and Venezuela. Molina served as an ISACA and IT Governance Institute international vice president and as a member of the IT Governance Committee, the CISA Test Enhancement Subcommittee, the Finance Committee and the Membership Board. He won the John Kuyers Best Speaker/Conference Award in 2004.
What is the biggest security challenge that will be faced in 2018? How should it be addressed?
Identifying, containing and responding to targeted information attacks, especially phishing and ransomware. To respond, increase management awareness, strengthen regulations, train company personnel on information security, and strengthen the IT security infrastructure with predictive tools and artificial intelligence.
What are your three goals for 2018?
What is your favorite blog?
ITInsecurity (insecurityit.blogspot)
What is on your desk right now?
How has social media impacted you professionally?
Social media is an excellent way to share knowledge and sell services. I take advantage of social media to know people around the world with similar interests. I can increase my knowledge and sometimes I can help people by answering different kinds of concerns about the profession.
What is your number-one piece of advice for other IS audit professionals?
To study, learn, and practice, practice, practice continuously. Our profession is like the medical profession; everything is continually changing and must keep up with the change.
What is your favorite benefit of your ISACA membership?
To access to the knowledge base to learn, and the ISACA Journal
What do you do when you are not at work?
I walk and play with my Catahoula leopard dog.
How do you think the role of the IS audit professional is changing or has changed?
Over time, the role of the IS audit professional has been changing due to advances in technology and the sophistication of risk and controls.
From evaluating controls around the computer, the IS audit professional went on to evaluate the computer itself. Now, as technology evolves, audits are focused on evaluating computational environments such as the cloud; artificial intelligence; and specialized topics related to cybersecurity and information security, including the evaluation of third parties within audit scope.
This evolution has resulted in the IS audit professional knowing and specializing in industry standards (e.g., International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] 27001 and ISO/IEC 22301), good practices (ITIL), and reference frameworks such as COBIT 5 and The Open Group Architecture Framework (TOGAF), as well as specializing in computational tools.
What leadership skills do you feel are critical for professionals to be successful in the field of IS audit?
They should be advisors to the executive level, providing critical thinking and analysis. In addition to their skills that detect and identify risk, IS audit professionals should be able to motivate their clients to improve their culture through controls. They should be good communicators, able to write effective audit reports and “sell” them. They must also have the ability to analyze and solve problems to make recommendations that provide value to the organization, remembering the need to reinvent and innovate themselves continuously.
What is the best way for someone to develop those skills?
Being a leader is not giving orders; it is teaching by example. Leaders always do more than what is asked of them and they guide their subordinates toward success. Leadership is learned through practice; having a coach makes it much better. Attitude is also very important. Leaders must be able to detect weaknesses and strengths in their team, to overcome the weaknesses and take advantage of the strengths.
What advice do you have for IS audit professionals as they plan their career paths and look at the future of information security?
In this digital world, modern IS audit professionals have the evaluation of cybersecurity and information security among their main activities. To do this, they must strengthen their knowledge on the subject; they must know the information security standards and the risk and vulnerabilities of the information and the platforms on which the information resides. Using this knowledge in the development of audits will allow them to apply global knowledge about the security risk of business information and, at the same time, a more detailed knowledge of the areas related to information security. I would advise IS audit professionals to earn the Certified Information Systems Auditor (CISA) certification because it is globally recognized. It is also highly desirable for IS audit professionals who wish to function at a management level to earn the Certified Information Security Manager (CISM) credential. Those who prefer a more technical perspective should pursue the Certified Information Systems Security Professional (CISSP) credential.
How have the certifications you have attained advanced or enhanced your career? What certifications do you look for when recruiting new members of your team?
My ISACA certifications have changed my life. They opened a very wide professional field to me. As soon as I earned my Certified Information Systems Auditor (CISA), I was promoted in the organization where I worked. When I added the CISM and the Certified in Risk and Information Systems Control (CRISC) certifications, I was able to be more competitive in the field of consulting because organizations look for certified professionals. Certifications show that the person has the experience and knowledge required to perform the needed function. Private companies and the government usually give additional points in their competitive bids and tenders when the team vying for the assignment has international certifications. In the environment I work, ISACA certifications are highly desired, so I always hope that the resources I hire have earned one or more of the ISACA professional certifications and that they are also certified in COBIT 5, preferably as implementers or assessors.
How do you see the roles of IS audit, governance and compliance changing in the long term?
Every day, new regulations appear that force organizations to evaluate their risk and improve their controls. Additionally, IT governance in organizations is increasingly in demand. Therefore, I think that the role of the IS auditor related to governance and compliance will be increasingly important, and IS auditors should evolve toward expanding their audit spectrum by supporting their organizations in achieving implementation and maintenance of IT governance and complying with local laws and regulations as well as those of other countries (such as the US Sarbanes-Oxley Act [SOX]).
What has been your biggest workplace or career challenge and how did you face it?
My work life has been full of challenges, but I think one of the most difficult was when a consulting company asked me to join its team of professionals to help Ecopetrol, the largest oil company in Colombia, comply with SOX, supported by COBIT. This is work that should be done in a short period of time. Thanks to the support of top management and the excellent teams from both Ecopetrol and the consulting company, we achieved the goal. My role was serving as the COBIT expert and my mission was to help Ecopetrol understand the benefits of applying COBIT and how to integrate it with other international practices and standards to comply with SOX.
I had to work with different areas of the company to improve their knowledge about the use and application of COBIT. I held talks at all levels on COBIT, trained the staff on COBIT, and coached the team on the integration of COBIT with other international standards and practices.