An SVP of Enterprise Risk Management (ERM) at a highly influential financial services company recently told me that succeeding in ERM is all about “breaking down the silos.” It’s a good mantra – one that IT audit and GRC professionals should take to heart and execute on daily.
One increasingly effective way to do that is through expanded understanding of information and cyber security. Information security has become critical to understanding an enterprise, its risk and its processes. To add increased value now, IT audit and GRC professionals have to build solid information security skills. This is the golden ticket to short-term success and long-term career sustainability.
The director of IT SOX compliance for a global medical device company and I were talking about who she hires for her team. She views information security knowledge as part and parcel of the requisite qualifications. She noted that a lot of people coming from public accounting have reviewed change management from an IT controls perspective, but they don’t really understand the technical processes that underlie change management. Without the technical knowledge of how a network works and its security requirements, for instance, the auditor provides a review at a superficial level. Beyond that, without baseline level knowledge of information and cyber security, it is very hard to make the jump to applying what you know to an unknown system and applying critical thinking.
CAEs, IT audit directors and IT risk directors all are crying for talent that can demonstrate critical thinking skills, and a big picture understanding of how to align risk, enterprise strategy and appropriate controls. Critical thinking skills come from a combination of intellectual curiosity and knowledge. Innovation as well as nimble and proactive responses to dynamic business environments require more than rote practice. They require the ability to leverage knowledge and experience to develop pragmatic and, when necessary, creative solutions to risk and controls. Information security is a key domain area that supports critical thinking in IT audit and GRC.
The NA IT audit director at a global financial services company said he views information security skills as a core skill set that is necessary for being hired as a senior IT auditor – and even more so as an IT audit manager – on his team. To add value, he noted, IT auditors need to be able to challenge the configuration and the build of the information security environment (encryption, firewalls and so forth).
His strong statement was: “If an IT auditor doesn’t have information security knowledge and experience, they don’t even know how to ask about how the system was built. A key question they have to ask is ‘Are the in-built controls enough?’ If they have had only general controls experience, they will typically only ask ‘What is the control?’ and “Is the control being followed?’”
As an executive search provider to Fortune 500 companies in the IT audit and GRC space, we have seen an incredible uptick in the requirement for information and cyber security knowledge in candidates for IT audit and GRC roles. This year alone, a major FinTech company built out its “Second Line” IT risk, internal controls and compliance functions, doubling its existing resources in these areas due to risk and regulatory requirements. The CISO was clear: He wanted the new resources to have strong knowledge of information security, including cybersecurity, plus cloud, blockchain, operating system security, NIST, and COBIT 5.
The drivers contributing to the growing need for information security knowledge and skills (mounting external threats, emerging tech, outsourcing and third parties, new regulations such as GDPR) are increasing and will continue to do so.
Developing a solid understanding of information security fundamentals is vital as IT Audit and GRC professionals build out and enhance current skills in order to achieve near-term career goals. Information security skills and knowledge are absolutely critical for crafting sustainable, long-term career growth no matter which career path you chose: IT Audit, GRC, or security.
Start with small steps: reading, online coursework, setting up a tech sandbox in your basement, talking with your information security colleagues and sharing their passion. Participate as a guest resource within IT or information security. Volunteer or lobby to be the audit, risk or compliance representative on the corporate information security roundtable. Finally, consider a serious move: a security-focused certification or certificate.
In the words of Stephane Nappo, Global Head of Information Security for Société Générale International Banking & Financial Services: “A holistic vison can help to build the comprehensive approach we need nowadays … the real scope includes five main factors: cyber-threat, technology issues, business evolution, behavior gaps and legal compliance… Security basics (vulnerability management, access rights review, password policy, system hardening, vendor management, awareness, etc.) are often 20% of costs and 80% of risk coverage.”
The mission for IT audit and GRC professionals for 2019: Be part of that holistic vision. Firm up your information and cyber security skills. Break down those silos. Add value.
Editor’s note: Are you an auditor seeking to improve or demonstrate your cybersecurity knowledge? Take a look at ISACA’s brand-new Cybersecurity Audit Certificate here.