Last Friday I had the pleasure of attending the 2007 ISACA conference which focused on
Given that one of the major areas the government is currently investing heavily in is the IT sector, ISACA Malta President Alan Alden and the Malta ISACA team correctly focused the conference on the major areas of upcoming development with regard to IT infrastructures and project management. In an attempt to increase general awareness of the need for information security and IT governance, the topics emphasized the need for properly structured planning before any major project is embarked on. The speakers were carefully chosen to relate past experiences and, more importantly, success stories, which were intended to serve as examples for us to follow when taking strategic IT-based decisions.
The first half of the conference talked about the use of COBIT and PRINCE2 as frameworks to support the planning and workflow of projects. It went on to show how COBIT has been accepted as the chosen best practice for IT governance --- a term which seems to be increasingly seeping into today's business jargon. As the conference progressed, all speakers seemed to stress that every IT project needs to follow a management methodology to ensure that IT systems support the business objectives and goals. Sour the interaction between the two and projects will fail due to the eventual lack of accountability.
The second half of the conference split the audience into two streams: the IT Assurance and Compliance Stream and the IT Security and Risk Stream. The security and risk stream topics continued to show how IT security goes hand in hand with IT governance (assurance and compliance). I attended the latter, the topics being:
1. IT Security and Risk
2. Future Perspectives on IT Risk
3. Measuring IT Security
4. Managing Risks in the Credit Card Industry
Of particular interest to me were the last two topics. Security metrics are often not understood by business people, and Mr Jakub Syta did a fine job of explaining a methodology for successfully getting the message through. No rocket science involved --- in fact it's rather straightforward, following a few simple steps:
1. Identify the interested parties
2. Get their expectations
3. Measure using KISS and CORREcT methods
Interested parties would include people like the Chief Technical Officer and a company's board. Getting their expectations means knowing which goals the company or business wants to achieve; with the help of COBIT as a framework, these can be easily identified. KISS stands for "keep it simple, stupid": there is no need to complicate things more than they might already be. The CORREcT method stands for Complete, Objective, Reliable, Rapid, Easy to understand and Compact. Qualitative versus quantitative metrics were also explained. Qualitative metrics would include monitoring incidents and policy deviations, whilst quantitative techniques would include successful adherence to business continuity programmes, the number of vulnerabilities found and the security cost incurred per project.
The final topic talked about the techniques the bad guys use to steal credit card information. Supplemented with information from past online hacks, Mr Jani Kallio talked of how important it is for businesses to adhere to security standards in such a rapidly evolving environment. There was mention of skimming and of how fraudsters obtain credit card information and sell it on the black market. Furthermore, in response to these techniques, he showed what is being done to prevent this type of fraud.
Overall I think that through activities like these, user awareness of current security issues is certainly raised by more than a couple of bars. The people attending this conference ranged from security professionals to CEOs, CIOs and financial auditors alike --- therefore the exposure was well targeted. Through these efforts, in line with our cause of increasing user security awareness, we hope that from a project management point of view security is thought of from inception --- as we tend to agree that, coupled with good communication channels, security is a process (certainly not a goal) worthy of its due attention.