Alhaji Sherrif Issah on the Human Element, Business Continuity, and why GIS is the secret weapon for physical risk management.
In the rapidly evolving landscape of African corporate governance, the line between technical security and business survival has never been thinner. Yet, many organizations continue to treat information security as a siloed IT function, a miscalculation that leaves them vulnerable in an era of increasingly sophisticated AI-driven threats.
To better understand how we can bridge this gap, we sat down with Alhaji Sherrif Issah, a seasoned industry expert with experience in Governance, Risk, and Compliance. From the realities of human-centric security to the untapped potential of spatial data analysis in disaster recovery, Alhaji Sherrif offers a refreshingly practical perspective on what it actually takes to build a resilient, secure organization.
In this exclusive interview, we explore the myths holding businesses back, the essential soft skills required for the C-suite, and why the next five years will be the most disruptive and transformative period for GRC professionals across the continent.
Q&A with Alhaji Sherrif Issah
Q: As a frequent columnist and public speaker, you often translate complex security concepts for a broader audience. What is the security myth that you are currently trying to correct in the African corporate space?
A: The myth is related to the ownership of information security within an organization. Some people think the information security function within an organization is the ultimate owner of information security. Ensuring security of information within an organization is a shared responsibility across the business – from the security man at the entrance of the office gate, through to service providers, customers, staff, management, and the board of directors. Each of these stakeholders performs critical roles in ensuring adequate security of information. The information security function only provides the environment and mechanisms to support the process of securing information.
Q: How has your experience as a public speaker influenced the way you approach internal stakeholder management when implementing a new Risk or Compliance framework?
A: My experience has gravely influenced my approach and understanding of internal stakeholder management. I have come to realize that the identification of stakeholders (perceived and actual), clear and regular communication, and engagement help in ensuring involvement and commitment. Poor stakeholder engagement can lead to failure in achieving the objective of the project/program.
I have witnessed instances where stakeholders who were thought to be irrelevant to a project had to be relied on to support the project. In those instances, the stakeholders decided to show their importance by delaying project deliverables on the basis that they have no or limited knowledge of the project.
Q: You’ve spent over a decade in the industry. In your view, has the human element of security in the region kept pace with the rapid technological advancements we’ve seen in the last few years?
A: I will say the human element of security has not kept pace with recent technological advancements. Most breaches in the region have been successful due to human errors – from genuine mistakes, poor behavior, negligence, ignorance, to poor judgment. This can be attributed to a lack of consciousness, training, awareness, and poor security culture. Organizations need to fully understand their peculiar situations and employ effective approaches to mitigate this ubiquitous risk. It is the most valuable investment any organization can make to safeguard its information and information assets.
Q: How do you integrate BCMS into the daily operational heartbeat of a company?
A: The following are approaches I utilize to integrate a business continuity management system (BCMS) into organizations’ operational activities:
- Create awareness of the need to ensure continuous operations and the effect of not being prepared to address disruptions.
- Provide business continuity training for all relevant stakeholders.
- Institute adequate governance mechanisms to ensure effective continuity planning, testing, and monitoring.
- Institute a reward and punishment system to take care of compliance and deviations.
Q: Security projects are notorious for scope creep and budget overruns. How does your background in Project Management help you ensure that security implementations remain aligned with business objectives?
A: Scope variations on security projects, in some instances, help in achieving business objectives, especially when the initial scope had not been adequately defined. My background has helped me to ensure security projects always have clearly defined, documented, and agreed-upon scope, and procedures for varying the scope. This helps in easy realignment to support business objectives.
Q: With the increasing maturity of data protection laws across the continent, what do you see as the biggest challenge for organizations trying to balance cross-border data flows with strict local compliance?
A: The biggest challenge for organizations in this regard, I would say, is a lack of data protection expertise to navigate the compliance turbulence. Not having the right expertise can gravely affect organizations’ compliance obligations.
Q: You have a unique passion for Geographic Information Systems (GIS). How does spatial data analysis enhance an organization’s ability to manage physical security and critical infrastructure risks?
A: Spatial data analysis provides real-time insights into threat identification and the contiguity to assets. This provides insight to ensure timely intervention to safeguard assets located in hard-to-reach areas/facilities.
Q: In a disaster recovery scenario, how can GIS tools be used to provide real-time visibility that traditional IT monitoring tools might miss?
A: GIS tools provide a clear visual view of the situation, point out the exact location, show the extent of damage, and the affected assets. This enables responders to access real-time data to adequately salvage the situation.
Q: As a trainer, what is the one soft skill you believe technical security professionals must master if they ever hope to move into a C-Suite or Board-level role?
A: I think innovation skills are very crucial to help technical security professionals progress into leadership roles. Every organization needs leaders who think outside the box to provide solutions, add value, and drive organizational growth. With this skill, progression becomes very certain.
Q: Looking at the next five years, which emerging technology do you believe will have the most disruptive impact, either positive or negative, on the African GRC landscape?
A: I believe quantum computing will have the most disruptive impact on GRC in Africa. Just like any technology, the impact would be both positive and negative. It has the capability to easily compromise security controls and also improve cyber defense.































