IS Audit in Practice: Building Digital Trust Through Advocacy

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 January 2023

In late 2022, the ISACA® New England (USA) Chapter president received an invite for Hill Day—an opportunity to join in a day of advocacy with other US chapters on Capitol Hill in Washington DC, USA. The topic was digital trust and the objective was for chapter participants to meet with their respective US congressional representatives to build the ISACA relationship, offer expertise as IS audit/risk professionals, and promote education support for information systems risk and audit-related programs.

To be honest, I did not realize the degree of engagement ISACA had in terms of advocating for our profession. After years of working at a local level for environmental causes, I know how powerful it is when people get involved. Here was an opportunity to make a difference in my own profession related to a topic that truly impacts everyone because technology plays a role in even the most basic activities of daily life and the most complex enterprise strategies. Hill Day not only offered an opportunity for advocacy, but also carried the promise of building relationships with state representatives as an ISACA-credentialed expert on the topics of risk, cybersecurity, privacy and resilience.

After accepting the invitation, I looked up digital trust to make sure I was not interpreting the concept based on my experience alone. The ISACA definition provides a holistic approach to technology and is significant for ISACA-certified professionals. Digital trust encompasses the disciplines ISACA promotes where we as professionals make a difference in our organizations, in learning institutions where we contribute thought leadership and the local community where our subject matter expertise provides meaningful information. It is encouraging to know that digital trust is not confined to cybersecurity or privacy but instead encompasses the key elements that are hallmarks of the ISACA disciplines, including:

  • Quality
  • Security and privacy
  • Transparency and honesty
  • Availability
  • Ethics and integrity
  • Resilience

For IS risk and audit professionals, digital trust is about the relationships that can be built by promoting a multidiscipline approach to risk assessments, controls testing and audit. The concept resonates with business objectives because it builds operational understanding and fosters client relationships through an ever-stronger enterprise reputation in an increasingly technological world. Most important, it puts technology center stage as an enabler instead of behind the computer room door, relegated to the roles of managing support systems and maintaining applications. This change in thinking means IS risk and audit professionals can and should take an integrated approach to the work, with full participation as business partners.

Capitol Hill and Digital Trust

The business advantages of a digital trust framework are many, but technology still feels foreign to many business operations teams, or it feels scary to organizations that dread attacks from cyber bad guys who seem undefeatable. Digital trust replaces fear and a sense of being chained to technology with educational awareness. It engages business professionals and students in a powerful way to start a paradigm shift that will add value to what they do. That is where Hill Day and the US Congress enter the picture.

It is exciting that ISACA has a government relations team advocating for ISACA members all over the world. As an accrediting institution, the value of ISACA’s certifications grows even stronger when government representatives are aware and understand that there is a population of ISACA-certified professionals present in their constituent bases. The start of Hill Day included an "Advocacy 101" overview by ISACA’s chief executive officer (CEO) and government affairs leadership team. Expectations were set for whom chapter members would meet, how to lead conversations and how to constructively follow up. Focusing on what the congressional representatives could do to support ISACA’s proposal for digital trust was critical, and to drive that point, retiring US Representative from the State of New York John Katko, a ranking member on the US House Committee on Homeland Security, addressed ISACA participants regarding the importance of cybersecurity awareness, the activities of the US Cybersecurity and Infrastructure Security Agency (CISA), and the challenge of building a collaborative mindshare founded on trust and knowledge. How does one establish that mindshare, especially in a US election year, in the fourth quarter when the 117th US Congress is winding down, on a subject that is not quite headline news? Key points for getting attention include:

  • The topic of discussion must matter to constituents in the US representatives’ and senators’ home states. As constituents from each representative’s home areas, ISACA chapter participants were the perfect messengers to highlight the relevance of digital trust.
  • The meeting can be effectively held with staffers instead of bigwigs. Staffers understand the details on behalf of the representatives and senators and are the behind-the-scenes workforce ready and able to bring attention to the cause.
  • The topic needs to have an "ask," namely a specific area in which the representative can help. An offer to support the representative is also good to help keep follow-up communication active after the initial meeting.

The Hill Day ask was to support technical education and the US National Defense Authorization Act (NDAA) for fiscal year 2023, when an annual review of funding and target areas for the NDAA is on the voting agenda. The annual bill authorizes US Department of Defense (DoD) spending levels and sets overarching military policy to equip, supply and train US troops and provide for military families.1 Both the US House of Representatives (House) and the US Senate propose annual funding recommendations and then arrive at a compromise upon which the US Congress agrees for the following year’s funding levels in specific categories, including technology and cybersecurity. The 2023 House version of the funding proposal includes specific areas of interest to ISACA, namely funding for technical education and funding support for veterans. Growing skills through formal programs in hopes of increasing the talent pool of qualified professionals would institutionalize consistent learning for the profession and assist in standard and repeatable digital trust attributes.

Meeting With Congressional Representatives

It is easy to think of US senators and US House representatives as driven by special interests or swept up in dealing with global calamities based on the soundbites in the media. Those big interest events always seem to overshadow life in the communities that each US Congressmember represents. Hill Day was a good reminder that whether priorities are global in nature, such as the economy and climate, or specifically local to a representative’s district, work must aim to improve life in each representative’s home region. The meetings held with staffers and US Congress members focused on what digital trust means for local businesses, how it can improve consumer experiences in a complex technical world, and how education and awareness can accelerate positive change through technology, from receiving care at the doctor’s office to scanning purchases in a checkout line. The ISACA New England (USA) Chapter (my local chapter) did not meet with the elected officials on Hill Day; instead, chapter members met with the representatives’ technology staffers whose backgrounds on technology and cybersecurity enabled the conversations. Our ISACA Global sponsors had set expectations that we might not be meeting with US senators and representatives directly, so the chapter team was prepared with more detailed questions and requests for support on technical education, which the topic-focused staffers were able to address. Each meeting included targeted leave-behind materials that opened the door for future discussions and invitations for the representatives to attend local ISACA chapter meetings.

The benefit for chapter members to build relationships with specific staffers whose roles are in technology promised to make follow-ups meaningful and on target with local needs. Meeting with technically fluent staffers also provided a direct relationship for chapter members to become involved as subject matter experts and to support legislation that helps the profession. Even better than getting legislation passed into law, the relationships initiated on Hill Day allow ISACA members to work with their legislative teams to operationalize existing regulatory frameworks and to take advantage of government support that extends beyond the walls of each person’s enterprise environment.

The People Network Matters

The kickoff of networking with US congressional staffers and elected officials is a significant area of opportunity that ISACA introduced on Hill Day. The chance to meet with other chapters from around the United States was a very important advantage for attendees. It allowed members to look outside their local and enterprise environments to see other viewpoints on digital trust and other key areas that are important to ISACA members. In the emerging post-pandemic world, it was a good reminder of the value ISACA professionals bring to each other, whether it is from coast to coast in the United States—as was the case on Hill Day—or from around the world, through sharing common themes and concerns. In a fast-paced world with careers that never stand still, it is comforting to fraternize with like-minded individuals and share experiences and consider future partnerships.

What You Can Do

Even though the pace of work, home and play does not seem to slow down, we are part of a larger community of IS professionals with common understandings and similar goals. Digital trust brings our work center stage in the enterprise and community landscapes, and that can be a differentiator for us. We can make it global, or we can focus on our own backyards. Regardless, there are some points to consider:

  • It is important to vote for candidates who resonate with your priorities. Legislative support and government funding stem from representation that advocates for digital trust (and other causes that are important to voters) because representatives know that is what constituents want.
  • Consider how you use your ISACA membership. Might more involvement in your local chapter open networking opportunities for you? Could you benefit from a Hill Day experience that gets you in touch with your local government officials? The local chapter volunteers make a dramatic difference in ISACA’s reputation and recognition to benefit all of us.
  • Leverage the ISACA experience with your priorities for work and volunteering. Are there themes among the different areas in which you are involved? Can ISACA contribute to what is important to you either through a meaningful network, a meaningful event, or support of a cause that matters to what you do? If so, the possibilities are as close as an email to your local chapter or an inquiry made to ISACA’s Engage page.

Who knew so much was possible and that there is so much opportunity for involvement, advocacy and change? It is all a great opportunity to get involved.

Editor’s Note

To learn more about and become involved in ISACA’s global government relations initiatives, please go to https://www.isaca.org/why-isaca/about-us/advocacy.

Endnotes

1 United States Committee on Armed Services, "Reed and Inhofe File Fiscal Year 2023 National Defense Authorization Act," USA, 18 July 2022, https://www.armed-services.senate.gov

CINDY BAXTER | CISA, ITIL FOUNDATION

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a business and help her clients worry less, because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.