Schaumburg, USA: Looking ahead to a new year offers a valuable opportunity for digital trust professionals to not only reassess the practices within their own function or organisation but also to examine how they can continue to grow in their roles. From this vantage point, ISACA experts recently highlighted their 2023 insights and recommendations for the privacy, cybersecurity, audit and risk fields.
Privacy
In this complex data privacy landscape, Dr Lisa McKee, PhD, Director of Governance, Risk, Compliance and Privacy at Hudl, and member of the ISACA Emerging Trends Working Group, recommends that professionals adopt zero trust privacy with data governance, as well as a ComPriSec approach—or the convergence of compliance, privacy and security—in the new year.
In her recent blog post, she highlights the important role of the privacy engineer but also emphasizes that in addition to having strong privacy professionals, consumers everywhere need to do their part and be mindful of the online presence they create.
“Privacy risk appetite is seldom discussed among boards and leaders. Privacy leaders should make sure their programs include a focus on privacy risk management programs, privacy risk appetite, privacy risk tolerance, privacy key performance indicators, privacy key risk indicators, privacy metrics and reporting. 2023 will heighten these needs as the compliance landscape continues to evolve,” says McKee.
Cybersecurity
In her blog post, Global CISO Samantha Hart emphasizes that a big part of looking ahead to the new year for cybersecurity professionals should involve preparations on both a professional and personal level that can help ensure they are set for success. This includes:
- Having a personal incident response plan that factors into your home life
- Going into the office to make connections with colleagues face-to-face
- Knowing your business
- Being flexible
- Embracing tech and tools but keeping people at the forefront
“Yes, we do need to fully understand our attack surface and ensure we have all of the controls in place to detect and respond—however, all the tools in the world won’t take the place of skilled and valued team members who will monitor and respond to the alerts with a human eye that knows what is benign and what is an attack,” says Hart.
Audit
The shifting technology environment, especially given the rise in cloud implementations accelerated by the pandemic, has recalibrated the business landscape.
“The biggest grievance for many core information security professionals has been that the IT audit community has failed to keep pace with this rapidly changing environment and has yet to completely upskill and adapt,” says Varun Prasad, Senior Manager (Cloud), Third Party Attestation, BDO USA.
“As we look to 2023, traditional audit approaches that were used to evaluate legacy IT environments will not make sense for the decoupled cloud native architecture of today’s world,” adds Prasad in his blog post.
Prasad explores some of the areas that auditors should focus on in the coming year to stay on top of their game, including understanding cloud native DevOps and cloud security posture management. He also points to the ability to evaluate privacy compliance and to understand vulnerability management, including the scope of each type of vulnerability scan.
Additionally, he emphasizes the importance for auditors to have strong soft skills in addition to technical ones—in particular, developing emotional intelligence to deal with pressures and avoid burnout.
Risk
Kerris Lee, ISACA Global Director of Enterprise Risk Management, suggests that risk management professionals turn their attention to some commonly forgotten action items that actually have a big impact, such as enhancing the risk identification and governance process.
“By eliminating risk duplicates and ensuring that risk management has a role in reviewing organisational policies, establishing review cycles of incident response plans and business continuity planning, as well as procurement and contract processes,” says Lee.
Additionally, he notes in his post that working to strike the right tone at the top with senior leadership around the role of enterprise risk management can go a long way in helping the rest of the organisation understand and value the function.
“While there are many areas for risk management professionals to focus on in our day-to-day operations, these are, in my experience, the ones that are often overlooked and that can hurt the organisation over time,” says Lee in his blog post.
“Assuming you are doing the big things well already, it is oftentimes the little things that can make a big difference,” adds Lee.