Editor’s note: ISACA Now recently moderated a conversation among a trio of millennials to discuss topics including professional development, networking, certification and how their generation differs from others when it comes to career priorities and workplace dynamics. The following is the first installment of the two-part conversation – edited for length and clarity – between Ashley Spangler, CISA, CISM, CRISC, SunTrust Banks, Inc., AVP Information Security; Leigh Ann Montgomery, CISA, Solutions Architect; and Mick Gomm, CISA, GWEB, PMP, Sr. Information Security Engineer and Board Member, ISACA Utah Chapter.
ISACA Now: Why did you decide to pursue certification at a relatively young age?
AS: Both of my degrees are in accounting and information systems. The firm I started to work for was creating this information security and assurance services group. I originally applied for a financial audit position and was not picked. However, they liked my background in information systems so they were like ‘Hey, why don’t you come join our team?’ Of course, I was completely green and didn’t really know what I was getting into. When I first got there, they said ‘You need to start working on certifications.’ I met an individual through ISACA, which is how I got intertwined with being a volunteer board member for the Nashville location, and I just started to learn more about the different certifications which were available in the information security industry. … I didn’t like being the only person that didn’t have a certification and especially when my name and bio would be listed on a statement of qualifications for bidding on work. CISA was most prominent in the information security assurance world that I was in at that point, so I made that my target for my first certification. So, I really looked at it, one, as validation for myself and what I was doing, and secondly for helping our group’s chances of winning engagements.
LAM: I was mentored by the president at the time of the North Texas ISACA chapter … He invited me to a meeting and talked about the different certifications, and mentored me through taking the CISA certification. Through that process, I really got to know my internal audit team of my company at the time. I took the test both to grow my knowledge of that type of audit and really understand what the terms were, and how to best get the information and pull evidence. It helped me in my day-to-day job and definitely added an acronym after my name, and got me exposed to a lot of really great people and networking in the process.
MG: I started out in audit consulting, and kind of the baseline or the bar to working in that space is an audit certification, and CISA is the most recognizable and known. I think the IT audit and information security industries really just look for that, especially in the past few years. Having multiple certifications is almost a barrier to entry. That’s why I got my third certification, the CISA, because starting in consulting, they were like ‘Alright, the first thing you need to work on is getting your CISA.’ Certifications like CISA are important, but I also think the industry is headed toward requiring additional specialization in specific technologies and spaces.
ISACA Now: How does your certification help you most on a daily basis?
LAM: On a day-to-day basis, part of my job is to build security programs and security awareness programs for other companies, and I always try to do that with audit principles in mind. Make a program metrics-driven, and seeing how we can improve year over year and clearly think about how, from an auditor’s perspective, how I can make my suggestions for other companies with those basic audit recommendation principles in mind. So, I go back to what I learned during my CISA certification studying. A lot of the language that I use for these types of recommendations is very similar to what I learned, so it definitely helps me communicate not only with security professionals, but audit professionals, and executives from both of those sides.
AS: It seems like there are so many moving pieces and parts within our enterprise, constantly dealing with different lines of business and their needs. I think having the CISA, CRISC and the CISM may have been most helpful in giving me those multi-faceted knowledge bases which I can leverage to solve problems for the various lines of business and segments of our bank. Overall, from a career perspective it helps solidify the knowledge that I use in solving those problems. I think people see my work in combination with the certifications as a justification of my value that I bring to the table, especially being a millennial.
ISACA Now: Can you elaborate on that?
AS: I don’t know if you’ve ever heard this, but the way I’ve heard it and thought about it is a lot of Baby Boomers and Gen Xers, they kind of have a strange feeling regarding millennials and how we impact the workforce. We’re essentially change agents and we’re ambitious and we want to impact our organizations in a positive way, and ultimately some of us want to be able to change the world. We don’t necessarily climb that ‘career ladder’ that older employees or Gen Xers climb; we essentially just take the elevator. We don’t like the red tape. We don’t like the bureaucratic processes. We’re always looking for bigger and better ways to do things. In my situation, being as young as I am and having the certifications but not necessarily having extensive experience, it helps stabilize my footing when I’m interacting with more seasoned professionals.
LAM: I would absolutely agree with you, Ashley. Often I’m looked at as very young in the field and therefore very inexperienced. I think having the CISA and serving on my local ISACA board have really helped to get my name out there.
MG: I totally agree. When you meet face-to-face and people realize how young you are, they’re like ‘Oh, you’re not qualified.’ But when you have certifications, people pay attention more. You have more clout in those situations, especially when you’re interacting with other companies or vendors and you introduce yourself on a phone call, and somebody asks that question ‘What credentials do you have?’, it’s always nice to be able to respond that you have multiple certifications because people in the industry know what the certifications are and what they mean. I also think the industry is leaning toward the certifications being less book knowledge and more hands-on technical knowledge, which I think is really good.
AS: I can’t agree with you more about those times where, working in a larger organization, we have a little over 33,000 employees, and I speak with a lot of people on the phone, and when I meet them in person, they always say ‘Don’t take this wrong, but you sound so old’ or ‘I can’t believe how young you are.’ I’ve had that happen quite a bit.
LAM: My company works with many global organizations and currently we’re expanding into the Asia Pacific region. Especially with my age and length of experience, I find that when I speak to audit members or different security team members in that region about having CISA certification, they’re very impressed and willing to work with me when before they might not have been as willing. So, it definitely has helped me prove myself as a consultant trying to get into those types of deals. Despite any cultural differences, I have found that having a particular certification and serving on [an ISACA chapter board] has opened up a lot of communication with people who are very different from me. Being able to gain that common ground has been really interesting and has really opened a lot of doors.