This week I am attending the Information Systems Audit and Control Association (ISACA) World Congress in Washington, DC.
This is the first such event for the ISACA and they have tried for a different approach – no ‘death by powerpoint’ and most sessions featuring a lot of interactivity between delegates and featured speakers. Here is my take on the first day.
The opening session featured Jim Murphy, a former US Air Force Fighter pilot and currently running his own consulting firm, Afterburner. These guys do a great presentation, applying some of the principles they learned in the military to help businesses learn to execute ‘flawlessly’. I can even forgive them for their over the top ‘Gung Ho’ style.
For many years I have been concerned that modern organisations do not focus enough on ‘execution’ as a critical discipline. Everybody wants to do strategy and leave execution for somebody else – a great way to avoid accountability!
This is especially a risk for BC and DR programs, where you may only get the one chance to execute properly. As Murphy says, in the Air Force you “train for the real deal everyday”.
One of the keys to his model of ‘flawless execution’ is promoting the benefits of robust debriefing. This will not be news to those with a background in the military or emergency services – but it will be a new concept for most corporates. This model of debriefing captures lessons learned and uses them to improve future performance. The keys are a rankless and nameless approach to the debrief, where it is ok (in fact required) that you critique a more senior colleague if they have put the mission at risk. A far cry from many corporate ‘post implementation reviews’ that are often conducted to cover up.
A number of useful ideas here to help build resilience, I bought Murphy’s book and will review it in a couple of weeks.
After Murphy’s session I was looking for something more low key and found it in a panel session of Chief Information Security Officers. The discussion here covered a much wider range of topics than would be expected – including discussion around Prensky’s concept of Digital Natives and Digital Immigrants.
This session produced one of the quotes of the day for me – “criminals do not read your compliance statement” – highlighting the illusion of control that comes from compliance oriented approaches to security, equally applicable to risk and BC.
My third session took the format of an interview with the VP, National Security Policy from Verizon Communications. He was speaking about sectoral approaches to protection and resilience – similar to the Trusted Information Sharing Network in Australia.
The key message for building resilience from this session: first you have to know yourself. Understand your organisation, your real capabilities, and the extent and location of your critical assets. Having robust infrastructure was suggested as a second order of priority.
There was a suggestion that perhaps Al-Qaeda presented a more resilient operating model than most corporates, but my guess is that will not gain a lot of traction in the Board Room.
The last two sessions covered the impacts of Cloud Computing and Social Media on information security. You really cannot have any kind of technology related event these days without discussing these two issues – and they are even more important as they start to apply pressure to audit and control environments. The cloud session was a panel discussion with plenty of questions from the audience, while the Social Media session took the format of a group discussion – with a few slides to set the scene.
Sometimes we tend to overlook the fact that technology keeps changing and IT and Info Security professionals have continued to adapt to these new demands.
- It was the end of life as we knew it when people started to put PCs into the office, initially without the support or assistance of Corporate IT (which was more likely to be known as Data Processing in those days)
- In many organisations a non-responsive IT organisation is driving the business to Software as a Service and other cloud offerings.
- I well remember the impact when we introduced email and then later wanted to connect to the internet.
- The end of the world for Info Sec and control of our networks
- At the beginning we could only have a stand-alone PC in the corner with a modem for internet – it was totally unacceptable to have the corporate network exposed to the internet.
Hopefully the learning and sharing encouraged by the format of this conference will help with this adaptive process in the current generation of IT professionals.