ISACA January 2017 – Audit Committee

ISACA started this year with an evening meeting at Estancia La Jolla Hotel & Spa. As a first-time attendee at one of their evening meetings, I was pleasantly surprised to see such a large attendance. The scrumptious food and complimentary drinks were sufficient to nurture a networking environment among the attendees.

The official theme of the panel discussion was Audit Committee Areas of Focus 2017. Current IT trends and risks were shared, giving the audience an insight into the board room. The moderator, Bill Bonney, was able to ask the questions that seemed to be the most holistically penetrating. The panelists included Vickie Miller, Jeff Miller, and John Lefter.

Here are some of the thoughts that stuck with me:

  • Project managers need to be valued more, as they are the ones who help cross the finish line. In one example, a project was only finished a year after its deadline, and the company was losing around $600,000 per month!
  • Risk comes in many different forms. Lefter mentioned the difficult task of conveying the same message about values across the various departments at Sharp. For example, the clinical side defined risk as the risk of infection, while the business side defined it in terms of market share.
  • “The devil is in the details.” That’s the simple way of putting what J. Miller answered when asked about business growth vs. risk. He encouraged organizations to address acquisition questions like, “Will there be multiple accounts payable or will they be rolled into one?” That methodology, he said, lessens the risk. Just because something makes sense strategically doesn’t mean that it does practically.
  • Organic growth… everyone wants to be part of the “new” thing, i.e. the latest automation, AI, going to the cloud. But it’s pulling people away from what’s driving the revenue. How to maintain the old line of business while moving to the new things is a key question, V. Miller advised.
  • Interestingly enough, with all these recent breaches and failures in security, it has not become easier for security folks to get a larger budget. Most Boards seem to have adopted the view of, “If we pay you enough, you can make all problems vanish.” This is highly inaccurate, as the fanciest tools cannot eliminate the basic vulnerability (the users). After the Target breach, civil suits against the Target board members were filed by the shareholders. This incident has made other Boards anxious and actively looking into what their personal liability is. Most Boards are not filled with tech-savvy members; in fact, less than 50% of the average Board is aware.
  • A CISO needs to be technically correct and be able to communicate effectively with the C-suite and the Board. Apparently the average CISO in a company lasts less than 3 years!

P.S. Out of the more than 5 filled tables, with more than 5 people at each, I was the only student. Help me change that number – reach out if you’re interested in coming to the next meeting!
