Senior IT Auditor, Fortune 500 global manufacturing organization: “I joined a Big 4 firm advisory practice out of college, did two years, and then moved over to IT Internal Audit a year ago. Information security is my next goal. When I look at information security job postings, they all seem more technical than my current skill set, which is heavily ITGC focused. What should I do to build skills that will be marketable to information security?”
IT Audit Director, large financial services company: “Can you please help us find a technical Senior IT Auditor with 3-5 years of experience who has application auditing skills at the level where they can do code review? Some programming skills would be very helpful. We also need mainframe, cyber security, cloud, IoT, and data analytics experience – from an audit project perspective. We need actual experience with IT operational audits – not just ITGC / SOX experience.”
CISO, global eCommerce company: “I’ve met a number of auditors lately (from audits that have hit us) who can’t understand why something is NOT a high risk. They are just following a checklist and it is really frustrating. Maybe that is something you call ‘mind-set’? These auditors just want to go through the motions, without really understanding either technology and/or the risk it really represents.”
These comments are real. More importantly, they are BIG signals that point to the critical career directions for IT audit professionals in 2017:
- Deeper technical skills;
- More knowledge of the business, especially IT;
- The move away from checklist thinking to a better understanding of risk.
IT audit functions are quickly becoming more focused on technical audits. There is a huge drive for the added value that can be gained from operational IT audits and advisory projects performed by IT internal auditors. Concurrently, information security, IT risk, and data analytics continue to grow, presenting more job opportunities for IT auditors, provided they are adequately technical and develop the thought process needed to join info sec and IT risk teams.
The CISO quoted above provided additional insight into the perspective that career-mobile IT audit professionals need to cultivate: “The advent of cloud computing and the concept of DevOps is challenging the controls that traditional IT auditors have grown comfortable with. For example, cloud represents a way to do infrastructure in a quick and non-structural way (think creating an entire data center by coding/scripting it), while DevOps breaks the segregation of duty model, which makes auditors uncomfortable. But what the auditor does not see is that DevOps is a way that we have developed to ensure we still have ‘control’ in an agile development cycle.”
Beyond mindset and a change in perspective, the problem for hiring managers and practitioners is that the on-the-job experience that many IT auditors have received is in the ITGC space. In the end, both sides of the equation depend on professionals gaining more technical skills.
For the IT auditors, staff through light manager, the task to immediately jump on is a skills gap assessment. What hot skills do you need to acquire to become more marketable internally and externally? If you are in IT internal audit, the annual plan is your guide. For a broader perspective, review professional journals and job descriptions; both will provide clues.
Next, create your road map to your next role. Are you looking to deepen your skills for a step-up promotion within your team, or are you looking to take your skills to an information security or IT risk team? Plot the timeline for skill attainment, which will come from a combination of hands-on work, internal/external training, post-grad coursework, or certification.
Todd Miller, who has led IT audit functions at two global Fortune 500 companies, suggests a 70-20-10 model: 70% on-the-job training; 20% mentoring; 10% formal classroom work.
Let’s start with on-the-job-training through project work.
Determine a technical area that interests you and is feasible within the scope of projects done within your department. Let’s say you want to become more fluent with networks and network security. Explain your plan to your manager and lobby to participate on the upcoming network audit.
Do your homework for the project so you can ramp up quickly and are able to build good rapport with the network team. Once you’ve done a project, and your skills and knowledge deepen, you might see if you can do a stint as a guest resource on a project for the network security team.
Ed Dudek, an IT audit manager at a Fortune 100 company who gained expertise in SAP by moving out of audit into an SAP team before moving back to audit, stresses the need for mentoring. To this end, you’ll want to foster dialogue with the network team members whom you have now met on that technical audit you just completed. Get to know team members over lunch or coffee. Ask interesting questions and share what you have been reading and learning. Your goal is to demonstrate intelligence, intellectual curiosity and readiness to learn.
Through this interaction, you’ll be able to identify people on the team who are knowledgeable and might be good mentors. By the same token, various team members will get to know you, and may be receptive to being mentors. Mentoring relationships are developed step-by-step. It takes time.
The goal with mentoring is also to eventually build such trust and mutual respect that the mentor becomes a sponsor. A sponsor will talk up your skills and interest. Through mentors and sponsors, you have the chance to be tapped for an internal opening when it comes along.
At some point in the process, you will need to add coursework, training, or certification to the mix – the final 10% of the 70-20-10 plan. If your employer will pay for training, communicate your plan to your manager and get buy-in. If your company will not pay for the training you want, determine a cost-effective way to get it on your own. It is your career in the end, and investing in your skills is one of the smartest things you can do to create long-term career sustainability.
To cement the concept that a focused action plan for technical skill development really works, here’s the story shared by the head of IT audit and data analytics for a global airline. He explained that he had developed a passion for data analytics when he was a senior IT auditor at a company running SAP. He joined the local ACL users group, studied on his own, and got a data analytics certification. He was then recruited by another company that wanted to build out a new data analytics function within audit.
Once on board, he took post-grad courses in data analytics at a local university to gain additional skills in Structured Query Language (SQL) and Statistical Analysis System (SAS). The build-out of the data analytics program at his company was successful, and this was the stepping stone to a data analytics management role with a Big 4 firm. From there, he was recruited to lead the IT audit function by his current employer.
As a recruiter and career coach, I see similar career planning and skill attainment in the candidates who land the best jobs. Your career is your opportunity to direct a mission-critical project and bring it to fruition.
Technical skill development is the best thing you can do for your career this year and for the foreseeable future. No time like the present: Develop your 70-20-10 plan, and start executing!
Candor McGaw, President and Chief Recruiting Officer, Candor McGaw Inc.
[ISACA Now Blog]