1 Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA
2 AGENDA IT s Changing Landscape ISACA s Response Vision and Mission COBIT 5 Strategy 2022 Questions and Discussion
3 PACE OF CHANGE OF DIGITAL INFRASTRUCTURE DIGITAL POWER Computing X Communication X Storage X Content Moore s law Fiber law Disk law Community law Doubles every 18 months X Doubles every 9 months X Doubles every 12 months X 2n, where n is number of people Source: John Seely Brown
4 WORLDWIDE IT SPENDING FORECAST (BILLIONS OF US DOLLARS) 2012 Spending 2012 Growth 2013 Spending 2013 Growth 2014 Spending 2014 Growth Devices % % % Data Center Systems % % % Enterprise Software % % % IT Services % % % Telecom Services 1, % 1, % 1, % Overall IT 3, % 3, % 3, % Source: Gartner (January 2013)
5 OTHER GARTNER PREDICTIONS Technology spend outside IT will become almost 90% by end of the decade. 4.4M IT jobs globally will be created to support Big Data. $34B of IT spending in 2013 In 2016 > 1.6B smart mobile devices will be purchased globally. Security investments will increase by 56% in five years. Driver: Regulatory compliance
6 WHAT DOES IT MEAN? Information systems environments are continuing to increase in complexity and impact, bringing unprecedented value opportunities along with significant risk. This requires: Active governance and management of information Advanced auditing and security approaches
7 EXAMPLE Securing and auditing the cloud requires good understanding of: Technologies (web services, virtualization) Related control frameworks Business requirements (linking IT with the business) Legal requirements (data transfer, retention, protection) Contractual agreements (e.g., impeding factors from moving to other providers) Source: ISACA Cloud Computing Management Audit/Assurance Program
8 ISACA THEN AND NOW THEN EDPAA IT auditors CISA IS Auditing Standards COBIT 7,504 members (y-e 1992) NOW ISACA and risk managers, privacy officers, compliance professionals, information security experts, IT control and IT governance professionals and CISM, CGEIT and CRISC and IS Control Standards COBIT 5 110,388 members (y-e 2012)
9 KEY ACCOMPLISHMENTS IN 2013 The association reached 100,000 full year dues paying members The 100,000 th CISA was awarded We successfully opened our 200 th chapter Achieved an 83% retention rate on a global basis Our CRISC certification won an award for the best professional certification from SC Magazine
10 VISION AND MISSION
11 VISION AND MISSION ISACA s vision (to aspire to as an organization) Trust in, and value from, information systems ISACA s mission (to guide decision making and investments) For professionals and organizations be the leading global provider of knowledge, certifications, community, advocacy and education on information systems, assurance and security, enterprise governance of IT, and IT-related risk and compliance
12 IT VALUE FACTORS Alignment IT and business processes Organization structure Organization strategy which responds to Business Requirements drive the investment in Integration Enterprise architecture Business architecture Process design Organization design Performance metrics IT Processes to deliver Enterprise Information IT Resources that are used by
13 VALUE DEFINED (VAL IT) IT is not an end to itself but a means of enabling business outcomes. IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change. Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money. The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.
14 TRUST DEFINED Definition 1: Trust is the ability to predict what a system will do in various situations. Definition 2: Trust is using an information system without having full knowledge about it. Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase). Trust that: Private and sensitive information will remain confidential. Process integrity is maintained. Essential business processes are available or recoverable. Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).
15 TRUST AND VALUE RELATIONSHIP TRUST ASSURANCE VALUE Trust creates the opportunity for Value. Value is based on an expectation of Trust. Assurance binds Trust and Value together.
16 Governance Audit/Assurance Information systems are integral enablers that: Achieve an organization s strategy and business objectives Provide the confidentiality, integrity, availability and reliability of information assets Ensure compliance with applicable laws and regulations Info Security Their criticality brings to the enterprise unprecedented potential for both value creation and risk (creating the need for trust). Risk Management
17 COBIT 5
18 Evolution of Scope COBIT 5: GOVERNANCE OF ENTERPRISE IT Governance of Enterprise IT (GEIT) IT Governance Management Val IT 2.0 (2008) Control Audit Risk IT (2009) COBIT 1 COBIT 2 COBIT 3 COBIT 4.0/4.1 COBIT / ISACA. Used by permission.
19 COBIT 5: PRODUCT FAMILY 2012 ISACA. Used by permission.
20 COBIT 5: OVERVIEW COBIT 5 brings together the five principles... that allow the enterprise to build an effective governance and management framework... based on a holistic set of seven enablers... that optimises the information and technology investment and use for the benefit of stakeholders.
21 COBIT 5: THE FRAMEWORK In other words Creates optimal value by balancing benefits, risk and resources Enables information and related technology to be governed and managed in a holistic manner Offers generic, useful principles and enablers
22 COBIT 5 PRINCIPLES 2012 ISACA. Used by permission.
23 COBIT 5 ENABLERS 2012 ISACA. Used by permission.
24 COBIT 5 ENABLING PROCESSES 2012 ISACA. Used by permission.
25 OTHER COBIT 5 RESOURCES Vendor Management Using COBIT 5 Configuration Management Using COBIT 5 Securing Mobile Devices Using COBIT 5 Transforming Cybersecurity Using COBIT 5 COBIT Process Assessment Model: Using COBIT 5 COBIT 5: Enabling Information (Just Released) Risk Scenarios Using COBIT 5 for Risk (February 2014) Controls and Assurance in the Cloud Using COBIT 5 (April 2014) IT Control Objectives for Sarbanes- Oxley (update, June 2014) Advanced Persistent Threats: How to Manage Risk in Your Business
26 STRATEGY 2022
27 STRATEGIC ASPIRATION By 2022, ISACA will be the foremost global organization on the topic of trust in and value from information and information systems, providing distinctive relevant knowledge and services to help stakeholders enhance the governance and management of information and information systems Horizon 1 Horizon 2 Horizon 3
28 20-PLUS INITIATIVES 1. Expanding products for current constituents 2. Creating new products for new constituents 3. Targeting industries and building enterprise relationships 4. Strengthening the operating mode
29 STAKEHOLDERS AND ENABLERS Individual Enterprise (both private and public sector entities including commercial organizations, government entities, academic institutions, professional not-for-profits, etc.) Member Credential Holder Non-member Consumer Advocate Consumers ISACA s individual stakeholders will be drawn from the population of those with professional focus in areas of information and practices related to IT/IS governance, management, security, assurance or risk for expediency, ISACA terms these individuals information trust/value professionals]. Whether these individuals will be members, credential holders, non-member consumers or not interested in ISACA depends on their perception of ISACA s value proposition for them and the degree to which they find ISACA s areas of focus relevant. Advocate in this context refers to the internal enterprise influencer who represents the conduit for ISACA to reach the enterprise (e.g., the CIO who advocates adoption of COBIT for his/her organization). Stakeholders and Enablers
30 ISACA S LINES OF BUSINESS Credentialing and Career Management Knowledge Relations Stakeholders identified Needs outlined Contribution defined Proposed products listed
31 SUPPORTING GOALS ENTERPRISE GOALS STRATEGY MAP By 2022, ISACA will be the foremost global organization on the topic of trust in and value from information and information systems, providing distinctive relevant knowledge and services to help stakeholders enhance the governance and management of information and information systems. Serve our stakeholders and be at the forefront of our professional space Enable the organization and be operationally excellent E-1 Be the preferred organization for information trust/value professionals and enterprises by continuously meeting their needs E-2 Enhance the global relevance, position and reputation of ISACA and its stakeholders through our thought leadership and advocacy E-3 Align enablers with ISACA s mission and vision to support realization of strategic goals and delivery of benefits E-4 Optimize our resources and their use LOB: Credentialing & Career Management, Knowledge, Relations C-1 Provide stakeholders with distinguishing credentials K-1 Advance the professional knowledge and competencies of individuals by developing and providing highly valued knowledge products and services and engaging education R-1 Be the preferred global membership organization and community C-2 Advocate for and increase professional value of credentials and credential holders C-3 Be the leading career resource K-2 Enhance ability of enterprises to address information trust/value needs and meet market demands by developing and providing frameworks and related knowledge and educational products R-2 Increase ISACA s global relevance and position C-4 Provide usable and relevant professional ethics, standards and guidelines, professional tools and techniques K-3 Expand available knowledge resources by increasing knowledge contributions from individuals and enterprises R-3 Better enable ISACA chapters to serve members and new stakeholders and create awareness of ISACA products and services Principles, policies, processes, structure, culture, ethics, behavior E-3.1 Maintain a realistic, relevant, forward-pushing strategy E-3.2 Actively scan for drivers of future change and trends, and determine ISACA s response to them E-3.3 Encourage a stakeholderfocused, innovative culture and behaviors E-3.4 Inspire stakeholder loyalty and enhance our brand identity with appropriate product, marketing and communication strategies E-3.5 Maintain an appropriate organizational structure which enables execution of our strategy E-3.6 Ensure good corporate governance principles, policies & practices, and support an ethical culture and behaviors E-3.7 Embed effective enterprise risk management in execution of activities and our strategy Resources and their use E-4.1 Utilize effective and efficient processes which optimize use of our resources E-4.2 Ensure we have sufficient human resources with the competencies, skills and motivation to deliver on ISACA s strategy E-4.3 Ensure the financial resources to sustain core business and seize strategic opportunity E-4.4 Obtain the information necessary to enable strategic decision-making and execution E-4.5 Align and leverage IT to enable achievement of business objectives and our strategy 2012 ISACA. Used by permission.
32 FIRST IN FOCUS Execution: What will ISACA provide to meet stakeholder needs? What are our first-in-focus S22 solutions? To address immediate market-driven stakeholder needs: Offerings on cybersecurity and privacy To address emerging needs: Approach for ISACA s response to megatrends For the future: Strategy for COBIT Maximize its value potential; undertake process of positioning COBIT s relevancy in broader business sense; continue visionary approach to defining and pursuing COBIT-related knowledge development, business/it integration
33 VOLUNTEER BODIES Emerging Business and Technology Committee Cybersecurity TF Privacy TF COBIT Growth Strategy TF M&A TF Assurance TF
All available Global Online MBA routes have a set of core modules required to be completed in order to achieve an MBA. Those modules are: Management and Organizational Change (P.4) Leading Strategic Decision
National Spatial Data Infrastructure Strategic Plan 2014 2016 Federal Geographic Data Committee December 2013 Federal Geographic Data Committee Federal Geographic Data Committee, Reston, Virginia: 2013
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n G o v e r n a n c e a n d I n t e r n a l C o n t r o l C O S O I N T H E C Y B E R A G
WHITE PAPER Cybersecurity in Modern Critical Infrastructure Environments SECURE-ICS Be in Control Securing Industrial Automation & Control Systems This document is part of CGI s SECURE-ICS family of cyber
Qatar National Cyber Security Strategy MAY 2014 i ii TABLE OF CONTENTS FOREWORD... v EXECUTIVE SUMMARY... vi 1. INTRODUCTION...1 2. THE IMPORTANCE OF CYBER SECURITY TO QATAR...3 2.1 Threats... 3 2.2 Challenges...
Adopted: April 8, 2013 Updated: January 31, 2015 Eligibility Procedures and Accreditation Standards for Accounting Accreditation Engagement Innovation Impact AACSB International The Association to Advance
CYBERSECURITY WORKFORCE DEVELOPMENT MATRIX RESOURCE GUIDE October 2011 CIO.GOV Workforce Development Matrix Resource Guide 1 Table of Contents Introduction & Purpose... 2 The Workforce Development Matrix
110101001101101101010011000 11011010100110110101001100 11011010011011010100110000 10100110110101001100010010 Protecting Information The Role of Community Colleges in Cybersecurity Education A Report from
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
Transforming the Way Government Builds Solutions > ACT-IAC Institute for Innovation 2013 American)Council)for)Technology Industry)Advisory)Council:)) The American Council for Technology (ACT) is a non-profit
Managed Hosting: Best Practices to Support Education Strategy in the Career College Sector Online learning is playing a critical role in the delivery of Teaching and Learning and the overall experience
Connecting Health and Care for the Nation A Shared Nationwide Interoperability Roadmap DRAFT Version 1.0 Table of Contents Letter from the National Coordinator... 4 Questions on the Roadmap... 6 Executive
WHITE PAPER IT Governance and the Emergence of Cloud Computing May 2011 IT governance and the emergence of cloud computing: using project and portfolio management to make effective cloud decisions Steven
manufacturing service small business nonprofit government education health care Baldrige Excellence Builder Key questions for improving your organization s performance Improve Your Performance The Baldrige
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
Internet Society 2010 2012 Business Plan Board of Trustees 2010-2012 Business Plan Table of Contents I. Executive Summary 4 Plan Overview 4 2010 Strategic Investment Areas 5 Financial Overview 6 II. Three-Year
2 SECOND EDITION IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity.
ICANN Draft Five Year Strategic Plan (FY16 FY20) For best results, download this document and view it outside of your browser with Adobe Reader version 9 or higher. Introduction The core value of ICANN
Practice Guide Reliance by Internal Audit on Other Assurance Providers DECEMBER 2011 Table of Contents Executive Summary... 1 Introduction... 1 Principles for Relying on the Work of Internal or External
Inspiring leaders to improve children s lives Schools and academies Diploma of School Business Management Professional development Diploma of School Business Management Contents Introduction 1 1 Aims of
TAKING OUR PLACE: U NIV ERSITY O F MAN ITOBA 2 0 1 5-2 020 STRATEGIC PLAN TABLE OF CONTENTS Message from the President...3 Introduction... 4 Planning Context....5 Consultations: What We Heard....7 Acknowledgement...
Foreword FOREWORD I am pleased to present government s IM/IT Enablers Strategy for Citizens @ the Centre: B.C. Government 2.0. For the first time, we are laying out a vision and an action plan for a corporate
J U L Y 2 0 1 2 OpenText Enterprise Information Management CIOs are under siege Do more with less is no longer an ideal, it s a mandate. With growing volumes and a host of information formats to manage
Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach
Dr. Stephen C. Schoonover is the president of Schoonover Associates, Inc., a management consulting firm that specializes in leadership and executive development, organizational effectiveness, change initiatives,
the Future series Predictions and insights The spotlight is now on tax Never before has tax been more important to governments, taxpayers and other stakeholders. Tax forms the basis for public spending,
The International Journal of Digital Accounting Research Vol. 7, N. 13-14, 2007, pp. 71-120 ISSN: 1577-8517 Exploring Information Technology Governance (ITG) in Developing Countries: An Empirical Study
A framework for Responsibly Mobile kpmg.com 2 A framework for Responsibly Mobile A framework for Responsibly Mobile 1 Contents 02 Introduction 03 Common Challenges and Risk Considerations 04 Defining the