Five Questions With...
Justin Greis, CISA, CISM, CGEIT, CRISC, CISSP,
CIPP, PMP, ITIL, GIAC/GSEC
Justin Greis is a senior manager in the advisory practice of Ernst
& Young. He specializes in IT risk and assurance by helping his
clients manage risk and improve business performance from
their IT investments. Greis has more than 10 years of executive
and entrepreneurial leadership experience in IT. He currently also
serves as professor of information systems at Indiana University’s
Kelley School of Business (USA). In 2010, he was selected as one
of nine global winners of the Ernst & Young Chairman’s Values
Award, the firm’s highest honor, for his outstanding commitment
to the firm’s values and its people.
Q What do you see as the importance and role of values in business?
A Values are the very core of who we are. Without shared values, a business will never
be able to articulate its beliefs and demonstrate
what makes it different from the next company.
We have been witness to countless examples of
fraud and inappropriate behavior by business
leaders because the ideals for which their
companies stood were not truly ingrained into the
culture. However, values are just words on a page
without the actions to demonstrate that we live
what we believe; it is the action and behaviors that
strengthen the values for which we stand.
In professional services, much of what we do
can be copied or replicated by our competition.
We manufacture with our minds, and in the age
of information mobility, intellectual capital can
leave your company with every employee. So,
what makes us as individuals and businesses
unique? What differentiates one company from the
next? Simply said: It is our values. They create a
common bond between our employees and keep
our client relationships strong. I believe that the
values we instill in our people give us a tangible
competitive advantage in the market and make our
companies feel like families.
Q What do you see as the biggest risks being addressed by IT governance and risk
professionals? How can businesses protect
themselves?
A I believe the biggest risk we encounter today has to do with information proliferation and
accountability. The features and functionality we
build into our advanced information systems to
promote integration and interoperability can be
turned against us and can introduce risk that must
be managed. At E&Y, we call this “the challenge
of building trust through information security in
a borderless world.” Perhaps the most important
lesson to keep in mind is that there is no silver
bullet, no one tool to manage and control all
the IT risks that borderless technologies such as
mobile computing, social networking and cloud
computing cause. The connectivity and complexity
we have built into our systems must be mirrored
in the effectiveness of the controls that we design
for them. Information security professionals have
preached “defense in depth” for years; it is this
concept that should be applied in a company’s
layered control environment.
But technical controls and automated
processes are just one part of the solution;
accountability is critical to any controlled
environment. It is not sufficient to implement a
solution for data protection, application portfolio
management or change control, and hope that it
works. Functional owners must be empowered to