Thursday, June 23, 2016

What was your last team building event? Your next, and why?

It’s not an event but a process for working on interpersonal relations, with intended benefits such as improved performance, alignment and reduced ambiguity within a TEAM.  You can google the definitions, but the entire activity should be a cycle: planning, agreeing, participating and reflecting are all part of the experience.  Consider the problem-solving skill required just to gain agreement on the activity itself, i.e. there’s no “i” in team, whether the event focuses on results-based outcomes, simply promotes full engagement, or follows whatever the theme might be.  Feeling like you’re a member and helping to motivate each other is essential to driving downstream productivity, because feeling valued is second to none.
Activities deemed most effective by APA’s Psychologically Healthy Workplace Program:

  • Volunteering
  • Physical Activities
  • Field Trips
  • Professional Development Activities
  • Shared Meals

Points to consider: it's about problem-solving and communication, self-examination, underlying leadership (from the facilitator or host), a theme / goal, hopefully with some analytics, and feedback.

Constant improvement: The upshot is that everyone learns differently and each takeaway will be based on personal experience and self-discovery.  Answering the question WHY during the entire process / activity will allow each person to get the most out of the experience.  Oh, don't forget to celebrate!

Tuesday, June 21, 2016

Synopsis of IIA’s Managers Forum on IT Security

With good presenters and maybe over half of the 70+ registered in attendance, the focus centered on cyber security, CEO/executive concerns on the topic, and M&A exposures, i.e. breach trends and the related controls.

  • Culprits of cyber hacking include the Morpho group (no association with a nation state yet, but linked to 49 corporate data breaches / thefts in 2013, i.e. who knows how many more are under investigation and cannot be published yet) and pseudo-nation-state groups (operating in hostile countries with no evidence of government funding, and focused on avoiding R&D costs)
  • Many statistical studies and publications, including the Verizon security breach report, mention 2015 as the height of data breaches thus far: approx. 4000 incidents, 1854 of which occurred at for-profit organizations, and 736 million records exposed
  • Key points mentioned were the cyber-espionage uptick in manufacturing (#2 overall) and that 90% of incidents related to trade secrets, e.g. pharma manufacturing, newspaper/magazine paper mills with PHI data...
  • Companies conduct due diligence during M&A, including valuing trade secrets, market analysis of the brand and of course capability/viability, but a hidden danger is an unreported breach involving non-customer PI data, since public disclosure is not required
  • Additional considerations include determining security posture/risk and the effort needed to sustain your security requirements/controls, the ability/agility to actively react to log activity (i.e. proactive handling of threat vectors), and keeping an eye on data inventory and distribution/flow, including 3rd-party connections

Finally, when out with executives or senior leadership, have your elevator speech ready.  Know with confidence where your highest security risks / threats are; your capability and diligence to react/correct/recover (tools, processes, SMEs); your awareness strategy; and put in a healthy plug for budget to ensure delivery of your security goals.

On M&A, my personal take/experience is to try analyzing the “value” of the company data and analytics on the related exposure cost (due to non-compliance or lack of security controls), and have the value clause written into the contract.  If anything, it might be used to leverage the price/bid of the company being acquired!  Can you put an ROI on that math/benefit?

Monday, June 6, 2016

Cyber shift from banking to healthcare / education

Tripwire Inc. reports an increase in cyber attacks across generally all major sectors except banking and finance, citing 3 trends / examples:

  1. Anti-Phishing Report Group noted a 250% increase in phishing activity between 10/2015 and 3/2016, and nearly 300K unique phishing sites in Q1 of 2016 alone
  2. The UK’s Telegraph noted an approximately 80% drop in digital attacks
  3. University of Calgary reported a digital state of emergency when a malware infection resulted in shutting down the university’s infrastructure just as an international academic event was being hosted for over 8000 participants.  A similar event happened to MedStar, a healthcare provider.

So while banks are heavily investing in securing systems/infrastructure, cyber programs may be a step behind in general, or are not as mature for Internal Audit departments, for example.  A few industry comments on where to begin, summarized from a LinkedIn post:
Approach:

  • Continuous / non-static review; as important as the framework may be, the value of the output is key
  • Study the governance structure and IT framework, which will lead to a 2-4 year audit program/cycle

Major to-dos:

  • Map IT audit universe
  • Determine risk and gap assessment
  • Conduct risk assessment

Audit types listed: Operational, management, business risk, HR, financial, IT, incident, problem, backup, log, data center, outsourcing, application, 3rd-party management
And, prevalent topics offered: access control (on/off-boarding), change management, anti-malware.
We'll update as more weigh in on the IA topic...