In this interview we talk to Sailesh Halai – CISA, ISO 27001 CIS LA, MSc, BSc – an Information Security Officer at Redmayne-Bentley LLP, about his choice of career, challenges, opportunities and thoughts on the future of ISO27001.
Sailesh, welcome and thank you for participating in this interview. Tell us, how did you decide to embark on a career in information security?
I stated my career as a Visual FoxPro application developer. I was made redundant and stared working as a contractor. At one point, I had a call from an agency to start work the following Monday to assist in upgrading Microsoft Access Databases. No formal interview or background checks were carried out. Upon reaching the place of work, I was informed that I will be updating MS Access databases, some of them holding confidential information. The company I worked for was impressed with my skills and offered me a permanent post. I quickly realised that none of the employees had ever seen any sort of information security policy or those who had read the policy did not comply, saying that the policies were “show stoppers”.
This inspired me to progress my career towards information security which led me to join London Metropolitan University to do my MSc in Computer Systems Auditing. My final year dissertation was based on ‘Implementing SOX section 404 at (my place of work at the time)’. Upon achieving a distinction I was promoted to IT Auditor and Information Security Officer. This was the first step towards my IT audit career. Not stopping there, I went ahead and did my CISA and ISO27001 Lead Auditor training and am now CISA certified and hold a ISO27001 CIS Lead Auditor qualification.
What has been some of the biggest challenges you’ve experienced with improving information security or building an effective information security management system, and how were you able to overcome these?
The biggest challenge I faced was at one employer where I had to get management to buy in to implementing an Information Security Management System that would be in line with ISO27001 and at the same time meet the regulator’s information security requirements. Management were aware of the requirement of tighter information security requirements and wisely sought further expert guidance on implementation when they acquired new software .
To overcome these issues, I had to write new information security policies that the organisation was missing, meet with the compliance team, carry out a gap analysis with regards to existing IS policies and develop new IS policies.
Another more current challenge is the ever-changing landscape of information security, the need to improve controls and manage risks, while also meeting regulatory information security requirements.
What do you believe is the biggest and most important element of information security today, and why?
There is not one but many important elements of information security in today’s world. Privacy has been in the spotlight quite a bit lately. Recently, a Russian crime ring had amassed the largest known collection of stolen Internet credentials, including 1.2 billion usernames and passwords and more than 500 million email addresses. BYOD is another major element – employees that use their own devices to access corporate information. Their devices may be synchronised with a cloud product of their choice, thereby unknowingly uploading corporate confidential information to the cloud.
What personal attributes do you believe a Lead Auditor should possess?
- Comply with the Lead Auditor’s code of ethics
- Tackle critical issues during the time of audit
- Listen to the auditee
- Do not point out individual mistakes to the person concerned
- Maintain confidentiality
- Record accurate and factual details
- Maintain professional attitude
- Most of all, be qualified to carry out the task taken in hand.
What do you believe enables your company to achieve a successful audit?
I believe to achieve a successful audit the auditor or audit team should have an understanding of the auditable business and operations as well as any of its unique characteristics and business practices.
The team should thoroughly understand the scope and objective of the audit, and management should be confident that the auditor and the audit team are capable of conducting the audit. The audit team should be able to provide assurance that all appropriate risk areas will receive adequate consideration and that important aspects of the audit will not be omitted.
How important is having a formal qualification such as CISA and how has this helped you in the past?
CISA is a certification that validates one’s competency of computer systems audits. It does not offer one any additional knowledge or experience, but merely confirms that one has the knowledge and experience. CISA is not intended to grant a certificate to practice, but to certify that one is proficient in the practice. The lack of such a certification does not signify that one does not have the competency to which CISA attests.
By obtaining CISA certification, it has helped me in being invited for interviews with a number of companies, including the Big 4. It also increases the chance of getting shortlisted. It has helped me carry out audits to the highest standards by following ISACA’s code of ethics.
How do you believe ISO27001 will evolve in the future either in the UK and/ or globally?
Having an ISO27001 certification boosts the organisation’s prospects, providing confidence to customers and stakeholders about how the organisation manages its risks. It also helps ensure the organisation meets its legal obligations and complies with other regulations.
There are organisations that implement ISO27001 to a point where they are ready for certification but due to perceived ongoing expenses of maintaining ISO27001, these companies do not apply for certification. I believe that customers in the future will however be placing their confidence in those organisations that have ISO27001 certification when it comes to trusting them with their personal and confidential data, both in UK and globally. This will be the same for B2B and or B2C or organisations that outsource their IT to other service providers.
Do you have advice for other individuals wishing to enter the profession?
Be ready to interact with different types of companies, clients, and people. If you end up working with a multi-national company or one of the Big 4, be prepared to travel to other countries and to travel while working. In short, the ability to adapt to new environments is very important.
I would also advise individuals to be flexible, because the auditing industry is very demanding. Hard work and commitment will however reap excellent rewards. Flexibility is very important as there may be times where your job will require you to put your personal life on hold. If you are not willing to make sacrifices, then perhaps a career in auditing is not the perfect match for you.
You can find out more about our flexible and affordable ISO27001 solutions that are available in various formats, enabling you to achieve an improved level of security quickly, without having to appoint a consultant first.