#IamISACA: Defining Our Success Metrics

#IamISACA: Defining Our Success Metrics
Author: Glenda Suarez Cabrera, CISA, CISSP, CISM, Director IT Quality, Risk, Compliance (QRC) & Security at Pitcher
Date Published: 13 May 2020

Do you believe that where we come from helps us shape our own success? Personally, I do. Actually, I think this has a great deal of impact on what we are able to achieve in life. As a child, I used to believe that people born in richer countries had a competitive advantage over people born in less privileged places; that people belonging to more prosperous families had better life prospects, and so on. Hence, I used to think that my future outlook did not look very promising. Being born in Cuba, in a stagnated economy and in the heart of a humble family, did not meet my criteria at the time for becoming a “successful” person. Through my adolescence and adulthood, I experienced a series of events that proved that where we come from does help us shape our success, but not because of our country, ethnicity, social status, race or gender, but because of the principles we adopt, the values that we set for ourselves and the way that we defend these principles and values. Most importantly, our success depends on our metrics of success, on what we believe is important to us, and not on what has been prescribed.

As a result, today I consider myself to be successful according to my own metrics. At my age of 28, I have lived in four different countries (including Netherlands, where I currently live), speak five languages, have traveled across all continents meeting beautiful people and their cultures, and I am able to support my family back at home. Just as important, I find my work to be fascinating.

After a couple years as a business/operational and IT auditor, I became an information risk manager. I believe that my genuine determination to help others to strive for the best and my self-expectation to be someone people can trust and rely on is what has made me a risk manager. And why information risk in particular? Well, that’s an interesting story.

Glenda Suarez Cabrera

For someone who studied economics and business administration, information and technology could not have been more outside my comfort zone. At the start of my career, I was advised to purely focus on business/operational audit because it would make more sense and because I would probably have more chances of being successful, but this didn’t feel totally right. I had a natural interest in both business and technology, but more importantly, I wanted to find out how much value we can add when we have knowledge of the two. I believed that the world was changing (and clearly still is). In fact, it is now moving faster than ever, and it is no longer news that companies are embracing digitalization fiercely. Consequently, the exposure to information risks is increasing dramatically, and so is the need for a professional opinion on what this means for businesses.

I was surprised by how the majority of my network were people with incredible knowledge and expertise, but an important gap existed – people from the business audit and risk community usually do not feel comfortable speaking about information risks and making recommendations in this area. Similarly, people in the IT audit and risk domain tend to have less understanding on how business operations work, and therefore, it is usually hard to translate observations or indicators of IT risks into direct business outcomes. As a result, this became a motivation for me to constantly bounce between business engagements and IT engagements. Even though this was not a “normal” practice, I received the support of my mentor, for whom I am still very grateful today. The combination of both fields worked very well, at least based on my own metrics. I was bringing more in-depth analysis into finance and commercial risks related to the use of tools and information processing technologies, while at the same time, bringing finance knowledge to better estimate the business impact of underperforming IT projects.

Today, as an information risk manager, I continue to strive to understand how we, as risk experts, can bring the best value to our businesses. Regulatory authorities increasingly expect that businesses are able to justify their digital transformations. In particular, they expect senior management and board members to be well aware of the information risk implications of technology decisions. So, more than ever, there is a need for business leaders to have a solid understanding of both business and information risks in order to make and justify critical decisions. The current COVID-19 crisis is a clear example where knowledge of the requirements for the continuity of business operations and the assessments of new risks introduced by new technology and new ways of working become essential for sound decision-making.

All of this said, I would like to call on our community to strive for continuously educating ourselves on topics that are outside of our expertise and comfort, but that are of significant impact. Show interest in what other colleagues do, and understand their perception of risks and risk appetite. Let’s take courses, join workshops, and participate in projects and events that do not necessarily add more lines to our CV, but do add more to our understanding of the business, the people in it, and its environment from different angles. Based on a wider spectrum of information and the enrichment of our perceptions, we will be able to formulate our own best opinion, and define our own metrics of what is better or worse for the business, and for our own success in the process.