IS Audit in Practice: Future Skills Needed in Audit, Cybersecurity, Privacy and Emerging Technology

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 November 2023

Jason¹ sat across the table with a worried look that was familiar to me after five years as his manager. It was performance review time and, as usual, Jason had had a good year. Positive input from clients and the good progress on technical services he was delivering had already been noted, but this was the career pathing discussion. Despite giving us an enjoyable opportunity to focus on Jason’s future, it was nerve-wracking, given how fast the work was changing. It was exciting to work in technology and imagine the future, but here we were, on the cusp of another transformation. Even though we had been through this before, Jason’s worry was growing. By the time we sat down, the words were flowing like a waterfall.

“I am worried about my future. I know I have great expertise on Waterfall, software development life cycle (SDLC) and even DevOps assessments. I often get feedback from clients and they are happy with what I am delivering.” Jason paused and then looked me straight in the eye. “But I cannot sleep at night. I feel I am getting stuck in a specialist corner because I know this work so well. Meanwhile, technology is moving ahead, and I do not know anything about it. I am too busy to learn, and I am not getting exposure to new ideas and areas that I might want to explore. I do not want to get stuck in a rut, or even worse, find myself out of a job without the skills I need.” Jason had a good point. He knew his role and, as usual, there was more work than people to do it. Like most of us, he had a family and outside activities. It was not as if he could spend his free time researching emerging trends and then not have a chance to apply his newly acquired knowledge on the job. And it did not seem fair that he needed to consider personal time to broaden his knowledge, but that is the way things were, given the ever-growing client demands.

When reading this scenario, one would think the performance review conversation was a recent one, but, in fact, it occurred almost 15 years ago. The reality of technology is that once it is mastered, there is something new replacing what was learned, which makes it hard to keep pace with changes. Today, with technology being so pervasive, there is no choice but to adopt a learning mentality, but no matter what one does, there is technology, front and center, changing daily—whether it is car care, healthcare or even the applications (apps) one uses to listen to music. Ultimately, it seems that once technology becomes familiar, things have changed. Again. Is there a way to make working in technology fields such as IT audit and risk management less stressful? The answer is yes.

As the speed of emerging technology accelerates, the skill sets for IT audit, cybersecurity and privacy become more important. Organizations and individuals want assurance that what they are using in their personal and work lives is reliable. If everything is technical and everything is changing, there needs to be a way to feel secure about apps, data sources and devices that connect us to our world. The work undertaken by ISACA professionals becomes critical as the world embraces technical innovation in almost every discipline and in every industry. That does not mean practitioners need to know it all. The skills tool kit already in place will serve us well, even as technology changes. We can learn on the job, and we can do more than become homework hounds.

Future Skilling IT Audit and First Line of Defense

The need to inspect and monitor technical advances has been the mission of auditors since the beginning of human invention. Although there are various approaches to auditing—from being part of the business team as a first line of defense (FLOD) inspector to practicing zero trust as a member of an external audit organization—the skills of successful IT auditors have remained intact based on core tenets that align with ISACA principles. The top three are:

  1. Framework knowledge
  2. Humble skepticism
  3. Agility

Why these three skills? One might say that anyone who is detail oriented can inspect for imperfections or errors. Yet successful auditing is based upon a foundation of consistency and transparent rules that guide the audit team and are understood by the organization. Framework consistency is the key skill that allows audit professionals to move easily from one industry to another while still maintaining core audit expertise.

With a solid methodology in hand, the successful auditor then employs the next key skill of humble skepticism to the work. This skill implies the obvious fact that an auditor cannot know the scope of work being audited and the operations of the team that performs the work, day after day. One must respect the business knowledge inherent in the operations team and be willing to ask probing questions, examine relevant records and observe work in progress. Teaming with the operations group to understand the work and to share findings as they are uncovered is important for accurate and useful final results. Skepticism is part of the job. After all, only factual evidence can support the audit report findings and substantiate the operations team’s good work. Aggressive skepticism will close doors to necessary information and observation by inhibiting collaboration during the audit process. Instead, working on an accurate outcome must involve everyone.

Technology has always been complex, and for each generation, it seems to move at accelerating speeds of execution. The third top skill, agility, is one that the auditor must have to manage the work and record results that benefit the organization and meet regulatory requirements. Today’s auditor must be willing to use in-line processes and take advantage of apps and tools that keep work moving. Equally important are understanding and using monitoring alerts and timely human intervention to uncover and substantiate findings. Does one need to read about every new tool available? No. Rather, willingness to use the tools, learn from coworkers, and ask questions about the tools under consideration are key. Participating in pilot programs when new tools are launched is always helpful, and remaining open to trying new ways of completing work is important to stay current with new processes and procedures.

Cybersecurity

Where there is opportunity, there is crime—one of the oldest professions known to humankind. Criminals are experts at what they do, but skilled cyberprofessionals have a very high catch rate in detecting and finding breaches and vulnerabilities despite the fast pace of cybercrimes and the seemingly endless number of cybercrime targets. Preventive technology lessens the burden when executed properly and upgraded on a timely basis. Still, machine learning (ML) will never replace the subject matter expertise of the cybersecurity professional, whether it is ethical hacking or cybercrime detection, recovery or remediation—or most important, becoming the subject matter expert that builds awareness within the organization. What are three critical skills for success in cybersecurity? The cybersecurity professional needs a strong technical background and needs to keep pace with the latest trends, regardless of the cybersecurity discipline chosen. Investigative skills are equally crucial, and are often best learned on the job or through an internship where practical knowledge of analyzing and uncovering criminal activity can be honed. The third key skill is a focus on results; an operations mentality that keeps searching until the security breach is discovered, the source is uncovered, and enough data are collected to secure prosecution of those committing the criminal acts.

Privacy

Whether managing through the General Data Protection Regulation (GDPR), respecting attorney-client privilege, or ensuring investment and financial confidentiality, staying abreast of privacy requirements while educating clients on maintaining their own privacy in a very public and social world is daunting. Privacy professionals will find that certification is a door opener to myriad careers across various industries. As with the disciplines of audit and cybersecurity, skill sets based on sound frameworks and technical knowledge are crucial. Yet privacy benefits from additional skills, given the unique complexities of managing today’s privacy environment. Three top skills to consider are:

  1. Regulatory research skills
  2. Strong organizing skills, with a penchant for detail
  3. Ability to manage change to pivot from one set of regulations to another based on the industry and client environment

Although audit disciplines find their foundation in a rules-based or regulatory framework, privacy has become specialized to a significant regulatory framework based on specific industry requirements that uniquely address the data in that environment. Understanding the nuances of the regulatory climate and knowing what specifically applies to the organization are important. Presenting facts in an organized manner builds clarity for others and helps ensure compliance.

Conclusion

So, where is Jason today? Did he get stuck in the same work? Did his skills become outdated? What about his personal life? Did he have to sacrifice his work-life balance just to keep current? The good news is that Jason found it easier than he thought to reinvent himself. He found networking with colleagues and others in the profession gave him a certain peace of mind. He learned what others were doing to manage and understand overwhelming technology so that it was not so overwhelming. He realized that he had the core skills to not only keep up with technology, but also add value to his profession. He got involved in his local ISACA chapter, a chapter that focused on professional and technical trends, while providing a fair share of family and networking opportunities for members. He also used his innate strengths as a collaborative individual focused on doing things right to build and maintain his base of supporters. He leveraged his interest in being informative and involved to build awareness with clients who, in turn, rewarded him with their trust and their business.

Endnotes

1 Jason’s story is a combination of several individuals and is not meant to represent any one person specifically.

CINDY BAXTER | CISA, ITIL FOUNDATION

Is executive assistant to the Massport Community Advisory Committee (MCAC). Baxter is pleased that technology has allowed her to reinvent her career and continue learning through all of it. She had the privilege of learning technology and managing Fortune 100 client relationships at AT&T. Baxter then applied her expertise as an IT operations director at Johnson & Johnson before moving to compliance and risk management roles at AIG and State Street Corporation. After a brief period of running her own consulting business, Baxter joined MCAC, which advocates on behalf of communities impacted by the US State of Massachusetts Port Authority aviation and port operations. She applies her expertise to website redesign, drafting vendor requests for proposals (RFPs), updating bylaws and providing regulatory support to the MCAC board. In her spare time, Baxter serves as compliance and operations officer for the ISACA® New England Chapter (Maine, Massachusetts, New Hampshire and Vermont, USA) and volunteers on the Nantucket Lightship.