The Network: Mais Barouqa

Author: ISACA
Date Published: 1 May 2019

Mais Barouqa, CISA, CRISC, CGEIT, COBIT 5 Foundation GRCP, ISO 27000 LA, ITIL
Has more than six years of specialized experience in the realm of technology risk services inclusive of IT audits, IT risk assessments, post-implementation reviews, governance framework reviews, and compliance and controls assessments according to best practices. She has led multiple projects spanning a number of diversified industries across the Middle East region. Barouqa has been involved in providing IT control assurance and consulting services in numerous business environments. She has been involved in reviewing IT risk assessments through assessing vulnerabilities, threats and controls surrounding the IT environment; reviewing governance frameworks pertaining to the IT department with emphasis on strategic management, risk optimization, resource optimization and benefit realization, pre- and post-implementation reviews covering application; and security controls and data analytics using ACL to administer computer aided audit tests (CAAT).

What is the biggest security challenge that will be faced in 2019? How should it be addressed?

Data privacy. It should be addressed by:

  • Incorporating data privacy into the enterprise’s strategy
  • Properly translating data privacy into the governance framework
  • Understanding the types of data being processed
  • Establishing proper controls

What are your three goals for 2019?

  • Get more involved with the ISACA community.
  • Gain more experience in cybersecurity.
  • Try to help and guide as many young professionals as possible.

What industry-related sources (blogs, newsfeeds, etc.) do you read on a regular basis?

ISACA Journal, ISACA Now blog, and CIO magazine

How do you keep your own information safe? That is, what do you do or not do to protect your own data privacy?

I never share my data with untrusted parties and I always check if the website or organization I am dealing with has aligned itself with GDPR.

What is your number-one piece of advice for other audit, risk and assurance professionals as they build their careers?

Building a career in audit, risk and assurance can be challenging. Young professionals can start this journey by maintaining a process of continuous learning and developing as many skills as they can.

What is on your desk right now?

Two standards for information security, COBIT 5 and a calendar

What do you do when you are not at work?

I practice my favorite sport—swimming—and I enjoy reading and socializing.


What is it that drew you to the audit, risk and assurance profession? What keeps you in the profession?

Looking at the past 10 years, it is clear that what was threatening business continuity or existence previously might be considered obsolete now. Nevertheless, with each year, new threats that pose risk to organizations emerge. This dynamic atmosphere is what drew me to this profession.

In risk, audit and assurance, a professional has to remain aware of any new trends to properly adjust and react. This active role, in which no single day is the same, is very challenging at first. When I started, I was asked to conduct a full security audit on one of the leading financial institutions. I recall the complexity of the environment that was assessed. It was an overwhelming scenario in which I had to conduct a great deal of research and refer back to guidance from other enterprises such as ISACA. Nevertheless, once I finalized the assessment, I realized that the amount of experience and knowledge that I obtained in a very short period of time was incomparable with any other profession. That is why I remain in this profession, knowing that, with each new project, I will learn something different even at the level to which I have progressed.

 

How do you think the profession has changed and evolved? How have those changes impacted the audit and risk professional?

The changes surrounding the businesses, the introduction of the new technologies, the enforcement of new laws and regulations, and financial crises all play a role in changing and evolving this profession since, unlike any other profession, audit and risk works with several departments and units, where its operating landscape is mainly the whole organization.

Today, the profession has become more demanding in achieving efficiency due to the rapid changes of technology. Technological advancements have directly impacted the risk, audit and assurance practice since enterprises have realized the benefits of technological adoption. That means that today, professionals are required to have a solid background in systems, tools and analytical procedures. This has had an impact on the skill sets audit and risk professionals need and the methods of conducting the assessments.

 

What skills will be most important for audit, risk and assurance professionals to develop in the coming year(s), decade?

Taking into consideration the trends so far, I believe that the audit and risk professional should focus on obtaining key skills in two areas. The first is data and advanced analytical skills. We are living in a data-driven world where decisions being made at the C-suite level of organizations are based on data analytical reports. Concepts such as big data are echoing in all industries, where their implementation will help audit and risk professionals in establishing efficiency and covering broader areas. For example, analytics can be used to conduct credit risk decisions and detect fraudulent activities.

The second is cybersecurity knowledge. Cyberrisk is now ranked the fifth risk to be considered worldwide according to the recent risk landscape report issued by the World Economic Forum. Knowledge of and background in cyberattacks are now fundamental to any risk and audit profession in order to proactively control and reduce the risk associated with the cybersecurity and information security domains within the organization.

 

What do you think are the most effective ways to address the skills and gender gaps in the technology workspace?

There is no doubt that in the risk and audit profession and, certainly, in the technology space in general, a gender gap does exist since the technology sector has been dominated by males for quite some time. Nevertheless, I do feel that this gap has been reduced in the past few years. Especially of note is that more women are now in leadership positions in technology organizations. Still, though, more efforts should be put toward having a balanced representation of men and women at all levels of business.

From my point of view, in order to achieve that, two things should happen. More women should occupy leadership positions within the risk and audit profession, where those women will serve as important role models for younger generations of women risk and audit professionals to follow. And, we need more male advocates who work to empower women in organizations.

When it comes to the skill sets for both men and women, the continuous improvement of skills is mandatory to remain competitive in the current market and to meet the demands of what is coming next. This can be achieved in several ways. Professionals can take on the responsibility of continuing professional development by obtaining professional certifications such as the Certified Information Systems Auditor (CISA) or the Certified in Risk and Information Systems Control (CRISC), and also by attending webinars and conferences in order to exchange experiences and knowledge. An effective way to gain or improve a certain skill set is to remain engaged with other professionals in the same industry.

 

What do you see as the biggest risk factors being addressed effectively by audit, risk and assurance professionals?

From my point of view, it is the continuing advancement of technology, specifically security, risk.

Organizations continue to invest in complex IT systems and people continue to migrate their information into the cloud or other digital formats. As this process continues to grow, security risk scenarios keep evolving. Since the audit, risk and assurance profession works closely with all business units, the advancement of technology has an impact on requiring this profession to remain ahead when it comes to controlling security risk factors. We can see that information security audits, cybersecurity assessments and data privacy reviews are now in demand within the market as information has increased in its value and is considered an important asset to the organization.

If we look at the regulatory trends, we can see the emphasis on security risk. Deloitte conducted a study in December 2018, which named cybersecurity and privacy as two of the key regulatory trends that will affect enterprise compliance strategies. This means that the strategy guiding the risk, audit and assurance profession will be molded while having security at its core.

 

What was the most significant event or experience to date that has impacted the evolution of your career?

There are many experiences that shaped my professional career and each of them has its own positive impact. At this point, I cannot specify only one, but all of them have had one common theme, which is the two C’s: complexity and challenge.

Handling complex and challenging situations has provided me with opportunities to grow faster and learn more so that, in the next situation, I will have what I call a “skill shield.”