The many applications of COBIT 5

As the world's leading framework for enterprise IT governance and management, ISACA's COBIT 5 represents a crucial investment for any business today.

With a comprehensive and rigorous syllabus, COBIT 5 training courses are essential for companies looking to make the most of the framework and use it to deliver the best outcomes possible for their organisational IT. However, with such a broad sweep of areas they cover, in which business aspects can COBIT 5 improve best practice?

Here we look at the main applications of COBIT 5 and how they provide reassurance across the entirety of your IT architecture.

Information security

The perennial rise of cyber attacks and related threats means information security is a top priority for any IT business leader.

COBIT 5 for Information Security is geared toward providing IT professionals, and other relevant stakeholders, the knowledge and expertise with which they can implement best practices in information security management. The course teaches users how to develop and maintain an information security program, and also how to manage an Information Security Management System (ISMS).

As with other COBIT 5 courses, there is a strong focus on continuous improvement, meaning you'll learn how to ensure your information security systems are always up to date.

Risk

While malicious cyber attacks are the main cause of concern for IT security professionals, there are a host of other IT risks that can wreak havoc on a business. COBIT 5 for Risk addresses this gap, ensuring businesses adopt an all-encompassing risk culture that covers all technological threats, not just those relating to security.

With this course, candidates can develop the skills and insights needed to implement, manage and improve an IT Risk Management program.

Assurance

A solid IT assurance program can help organisations of any size leverage their information and technology in the best way possible, instantly identifying risks and opportunities as they arise.

COBIT 5 for Assurance helps businesses leverage their COBIT 5 framework in the performance of a range of assurance tasks, such as planning and conducting reviews and developing an assurance roadmap. It is an incredibly valuable course to take, whether or not your organisation has already implemented COBIT 5.

Building a business case for IT governance

IT governance is one of the most talked about and debated issues in the business world today – and for good reason. 

As organisations place ever-increasing value on the importance of Information Technology, having a framework in place that aligns IT strategy with business strategy is becoming an essential part of achieving long-term success.

That's a big part of the reason why many businesses are investing in COBIT 5 training courses which equip employees with proven reference models and established methodologies for governing and managing enterprise IT.

Having an IT governance structure in place should be a priority for organisations of all sizes, in both the private and public sector. Despite this, some organisations are still struggling to convince stakeholders and key decision makers of the value of this investment.

So what can your organisation do to build a business case for better IT governance?

The first and most important step is to ensure that both the IT department and your internal managers are on board and convinced of just how valuable an IT governance structure can be. If either party acts independently or with different motives, it will be very difficult to convince the board of directors of the true importance of the initiative.

Next you need to begin looking at IT governance in tangible terms, in order to communicate its importance.

This doesn't necessarily mean breaking everything down into economic values or ROI figures, but it does mean demonstrating how an IT governance structure will benefit your organisation as a whole. 

Having a structured governance policy for IT and data leads to better strategic decision making, greater data ownership, improved accountability and transparency, and stronger data security – all key advantages that can improve the efficiency and cost-effectiveness of your business.

At the end of the day, the most important part of your IT governance business case is this: The value of information and technology is only going to increase over the next decade, and any organisation without a method of monitoring, assessing and evolving IT strategies and objectives is putting itself at risk.

Once you have communicated this to your key stakeholders, you should have no trouble getting them on board with future IT governance initiatives. 

New cyber security research centre established in Canberra

A new centre for cyber security research has opened in Australia’s capital city, and should raise awareness of the growing IT risks for Australian consumers and businesses alike.

Assistant Minister for Defence Stuart Robert announced on June 16 the launch of the Australian Centre for Cyber Security (ACCS), a new research arm of the University of New South Wales. Based at Canberra’s Australian Defence Force Academy (ADFA), the centre will bring together cyber security experts from government and some of the leading Australian researchers in the field.

Mr Robert explained that formal, academic research in the area was necessary given the increasing frequency and sophistication of cyber attacks.

“I am very encouraged to see academia engaging in research on cyber security issues and contributing to the wider efforts to protect Australia from cyber threats that pose a significant challenge to national security,” he stated.

“The centre’s research will cover issues such as cyber ethics, law and justice as well as those issues that affect the everyday lives of people and businesses, such as computer and network security.”

In total, the centre will focus on five broad areas of cyber security: computer and network security, risk management, international politics and ethics, law and big data analytics.

As business technologies become ever more sophisticated and complex, cyber criminals are upping their efforts to match. The foundation of the ACCS should shed more light on the prevalent risks and ultimately benefit industries across Australia.

As an extra measure, businesses can take advantage of information security training courses to ensure their IT team is equipped with the latest skills and knowledge to deflect such threats.

“The cyber threat facing our nation comes from a wide range of sources, including individuals, issue-motivated groups, criminal syndicates and state-based actors,” Mr Robert concluded.

“We are lucky to have this centre located at ADFA where our future leaders will have access to state-of-the-art research on this significant issue.”

Deloitte report warns of “disruptive forces”

A new report from consulting firm Deloitte is reminding businesses of the constant growth in disruptive technological forces, prompting business leaders to shake up their IT governance strategies.

The Tech Trends 2014 report from Deloitte Australia draws attention to the rise of forces such as crowdsourcing, mobile, big data and cybersecurity, and how such disruptions are challenging chief information officers (CIOs). In fact, in order to adapt and continue to thrive in the midst of constantly changing technologies, Deloitte urges CIOs to think and act like venture capitalists in the management of their organisational IT.

"The digital disruption of business models, combined with a bewildering array of consumer technologies, is challenging the way CIOs plan and finance the information technology for their organisations," explained Robert Hillard, Deloitte's managing partner for the technology agenda. 

"Innovative CIOs are deploying venture capitalist (VC) strategies and tactics to manage their technology portfolios and these CIOs are elevating their own roles to that of a business partner and strategist."

So what are some examples of how CIOs are adapting venture capitalist strategies in their IT governance?

One such tactic is to emphasise investment, with CIOs increasingly acknowledging the need to "manage their own portfolios of IT investments more effectively by developing detailed investment strategies". Through such an approach, CIOs and their IT teams can make concrete the link between IT projects and the assets – such as hardware, software and delivery models – that will be needed to support them.

Another crucial strategy for CIOs to implement is building agility, taking a leaf out of the venture capitalist's book – often the experts of adapting to rapid change. CIOs need to learn to approach market, economic and other disruptions – such as technology – as "givens" and incorporate these into their IT governance.

"The traditional CIO role is about providing reliable cost-efficient technology to meet known business demands," concluded Mr Hillard.

"In a rapidly changing business world, those business needs cannot be predicted in advance. The most successful CIOs need to cover more eventualities with a portfolio, like a VC, rather than a small number of big bets."

3 steps to a smooth PRINCE2 implementation

First introduced to the business world more than two decades ago, PRINCE (Projects in Controlled Environments) has long been the undisputed standard in project management methodologies.

With PRINCE2 representing the latest iteration in this very successful formula, companies over the years have used it time and time again to establish best practices in project management. As a highly sophisticated and powerful tool, it makes sense to embed it into your organisation right from the get-go.

Taking the time to implement PRINCE2 correctly from the start will ensure your company begins on the front foot and can instantly reap the benefits. Here are three tips to keep in mind.

1. Remember – it's not set in stone

There is often a misjudged perception that PRINCE2 is highly inflexible and bureaucratic, offering a generic, one-size-fits-all solution regardless of user. 

This is simply not true – although PRINCE2 does prescribe processes and methodologies, remember that it is in fact a very flexible system that can adapt to your organisation's specific needs. Taking this open approach to implementation will help ensure you can leverage the most out of PRINCE2 and make it work for your organisation – not the other way round.

2. Assess your existing business processes

One of the benefits of PRINCE2's flexibility is that it can work with your organisation's existing processes, meaning you don't have to make any radical changes to accommodate it.

Take a look at the methodologies offered by PRINCE2 as well as your existing methods, and assess how you can seamlessly embed it to fit in with your way of doing things.

3. Get your staff trained up

Being a highly powerful and complex system, it's essential that your staff receives the right accredited training to make the most out of PRINCE2.

With a range of PRINCE2 training courses available today – whether provided in-house or at the facilitator's venue – your organisation can quickly equip its employees with the skills required to implement PRINCE2 and take its projects to the next level.

What is PRINCE2 and how can it help your organisation?

Are you a project management professional looking to expand your skillset and become a more effective leader?

Perhaps you are an aspiring project manager who wishes to gain a global qualification that will put you ahead of the pack when it comes to securing in-demand employment positions? 

Either way, you may want to consider investing in PRINCE2 certification.

What is PRINCE2? 

PRINCE2 is the second major version of the hugely popular project management methodology PRINCE, an acronym for PRojects IN Controlled Environments.

Some of the world's largest public and private sector organisations – including the UK and Australian governments – use PRINCE2 in order to ensure the successful management and completion of crucial business projects. 

One of the factors behind the success and popularity of PRINCE2 is its comprehensive and collaborative development process. Over the years, the PRINCE methodology has been updated and driven through practical utilisation and regular reviews with project management specialists.

Today, PRINCE2 is built largely around the rule of seven – seven key principles, seven themes and seven processes. Together, these 21 elements come together to construct a comprehensive and proven methodology to successful project management. 

Due to the thorough and detailed nature of PRINCE2, any project manager looking to become familiar with this methodology will want to consider in-person training courses. 

What options are available for people looking to learn PRINCE2?

A number of PRINCE2 training courses are available for those looking to develop experience and understanding in the theory of project management.

For interested parties with limited time to invest in this certification, two or three day foundation courses can provide a solid basis in PRINCE2. They are perfect for those looking to utilise and capitalise on this methodology, but who are not necessarily aiming to develop professional level knowledge.

More in-depth, five day practitioner programs are also available, offering project management professionals a comprehensive education and certification in the world-leading PRINCE2 project management methodology.

Regardless of which course you choose, it's impossible to overstate the benefit of having access to a knowledgeable tutor with proven, hands-on experience in utilising PRINCE2.

Why you need to take a SABSA course

Of the numerous information security frameworks that training is offered for today, SABSA (Sherwood Applied Business Security Architecture) is one of the most beneficial to learn.

As the world's most sophisticated and widely implemented security architecture framework, developing a strong grasp of SABSA is a massive boost to any IT worker's career – and not just for those in the security field. Gaining an accredited SABSA qualification can certainly boost your professional credentials and open up other career opportunities in future.

Within the top-to-bottom framework of SABSA, you'll learn how to design, implement and manage security in a range of business models. People in a diverse range of IT roles can stand to benefit from a course – so what are some of the top learning outcomes on offer for specific individuals?

Security professionals

Obviously the main target audience for SABSA courses, this training will provide aspiring security experts with the fundamentals of the world's leading open security architecture framework. It will equip these professionals with the skills they need to gain a greater understanding of the business and apply the most appropriate security measures.

Security professionals will learn how to collaborate with key business stakeholders, gain their support and really stamp their authority in determining the security needs of any business.

Enterprise architects

For more generalist enterprise architects, SABSA training allows them to explore a range of modelling techniques that can help them integrate security with any enterprise architecture.

Architects can obtain a greater understanding of the frameworks and standards involved in implementing security into their business's system.

Compliance and governance professionals

In an era of increasingly tight and constantly shifting business regulations, the areas of audit and compliance are growing in focus.

Those in IT compliance and governance would do well to obtain a SABSA certification, which allows them to convey to stakeholders that IT, security and risk management are being handled appropriately.

Executives have wrong perception of cyber threats, survey finds

As the business world shifts and evolves at breakneck pace, organisations are constantly facing new sources of risk. Whether it's corruption, fraud or other forms of corporate crime such as cyber attacks, the board in particular needs to develop strategies to combat these emerging threats.

Cybercrime is one of the fastest growing risks to businesses today – but are executives around the world suitably concerned by it? As a recent global survey from EY found, the answer may be no.

According to the consulting firm's 13th Global Fraud Survey, entitled 'Overcoming compliance fatigue: reinforcing the commitment to ethical growth', many executives around the world recognise that threats such as fraud, bribery and cybercrime are increasing, yet do not treat them as sources of concern. While the majority believed cybercrime is emerging on a "significant scale", nearly half (48 per cent) said it represents "a very or fairly low risk to their business".

The survey involved in-depth interviews with almost 3,000 business leaders from 59 countries; around half (48 per cent) identified hackers as the biggest cybercrime concern. However, a worryingly high proportion of executives do not appreciate the true extent of such threats and underestimate the risk they present.

Brian Loughman, EY Americas leader of fraud investigation and dispute services (FIDS), said that company boards simply need to assume a greater role in understanding the scale of these threats and suitably monitoring them.

"Cybercrime and other emerging threats are becoming more prevalent, and with the US Securities and Exchange Commission increasingly focusing on cyber risks as they relate to the integrity of financial statements, boards and audit committees need to be vigilant in monitoring these risks," he stated.

It is therefore essential that those at the head of an organisation appreciate that cybercrime is now a rampant business threat, and one that will only grow in future. Taking steps such as offering information security training for staff is one of the most effective ways to protect your business from these risks, today and tomorrow.

Dell highlights the high costs of IT security breaches

A recent survey from computing giant Dell has demonstrated the skyrocketing financial costs of IT security breaches – and pointed out that many organisations still aren't doing enough to protect themselves from this threat.

Earlier this year, Dell surveyed more than 1,400 IT decision makers around the world – including 60 in Australia – from organisations with at least 500 employees or end users. It revealed that although security breaches place a staggering cost burden of AUD$27.5 billion per year on US organisations alone, there is still a high proportion of firms around the world that aren't factoring in the IT security risks from "unknown threats".

This new wave of threats stems from the rapid rise of new business technologies, including mobility, bring your own device (BYOD) policies, cloud computing and increasingly prevalent internet usage. Threats are also coming from internal sources, both accidental and malicious.

While Dell found that almost three-quarters of global organisations said they suffered from a security breach within the last year, fewer than one in five said they consider predicting and detecting these risks a top priority for security. Of particular worry is the finding that only around a third (37 per cent) of respondents felt these unknown threats would be a major security concern over the next five years.

Despite this apparent apathy towards one of the biggest risks to business, it appears that organisations are at least recognising the importance of appropriately training staff to meet these challenges. In fact, the survey revealed that two-thirds (67 per cent) of respondents said they increased funds for information security training and education over the last 12 months, while half stated that "security training for both new and current employees is a priority".

As the risks and consequences of IT security breaches become more widely publicised through such studies, it is likely that companies will increase their security investment, with accredited staff training among the wisest steps to take.

The growing threat of cybercrime in Australia

New research suggests that incidents of economic crime – including cybercrime – are on the rise in Australia, highlighting the need to invest in information security training for your IT team.

Consulting group PwC recently released the Australian edition of its '2014 Global Economic Crime Survey', which drew attention to the rising number of professional misdemeanours such as procurement fraud and cybercrime. Of particular concern was that criminals are increasingly using IT as an avenue through which to attack businesses.

And if figures published by PwC are to believed, being the victim of a corporate cyber attack can be costly indeed.

In the 2014 edition of the survey, cybercrime was identified as the second biggest economic crime threat around the world, behind asset misappropriation in first place and ahead of procurement fraud. According to PwC, one in 10 organisations in Australia suffered losses of more than AUD$1 million from cybercrime within the last two years.

Over two-fifths (43 per cent) of respondents said that if they were the victim of a cyber attack, the theft or loss of personally identifiable information would be their main concern.

The rise of economic crime, whether of a cyber nature or otherwise, does not appear to be abating any time soon. PwC revealed that well over half (57 per cent) of Australian businesses experienced economic crime at some point in the last 24 months – an increase from the 45 per cent recorded in the 2012 survey.

Richard Bergman, a partner at PwC, said it was encouraging to see the entire organisation – not just the IT department – taking cybercrime seriously.

"Cybercrime is not just an IT issue. Recent high profile data breaches such as the US Target breach have increased the level of awareness and concern among senior management and the board," he said.

"Information is valuable and attackers are determined to get it. Many of the attacks we've recently investigated have targeted merger and acquisition information, and what surprises many organisations is how long attackers are inside their networks before the attack occurs."

Big data driving a big push towards security

One of the most revolutionary trends to hit the IT sphere in recent times, big data is radically transforming the way organisations are handling their information. The use of powerful analytics tools simply means that no data set is too large, and the ability to quickly and accurately extract meaningful insights from large reams of data is no longer a pipe dream.

However, Gartner warns the explosion in big data analytics does raise a very important issue – namely, the importance of maintaining IT security in this large-scale data framework.

In anticipation of its Security & Risk Management Summit, the technology research firm warned that chief information security officers (CISOs) around the world need to ensure they have measures in place to protect data that is constantly "expanding in volume, variety and velocity". This is important to keep in mind because Gartner predicts that by 2016 more than 80 per cent of organisations will still lack consolidated data security policies.

Brian Lowans, principal research analyst at Gartner, said that the nature of big data sets – which are often broken up and dispersed across silos – is a major worry.

"The advent of big data and cloud storage environments is transforming the way in which data is stored, accessed and processed, and CISOs need to develop a data-centric security approach," he asserted.

"Unfortunately this is not common practice today, and its planning is critical to avoid uncoordinated data security policies and management."

Some of the potential consequences of failing to have stringent data security policies include noncompliance, security breaches and financial liabilities, Gartner stressed.

As a result, Mr Lowans said that collaboration across the organisation is going to be key, in addition to ensuring security staff take advantage of appropriate IT security training.

"Business stakeholders may not be accustomed to having strong relations with security teams, and CISOs will need to build partnerships with them to develop new management structures for data security accountability and to identify cross-functional training needs," he concluded.