William R. Stanek
William R. Stanek (www.williamstanek.com) is a leading technology expert, an award-winning author and an instructional trainer. As the author of more than 100 books, his practical advice has helped millions of readers all over the world. His books include Exchange Server 2010 Administrator’s Pocket Consultant, Windows PowerShell 2.0 Administrator’s Pocket Consultant and Windows Server 2008 Inside Out. In addition to his IT-related works, Stanek is an accomplished fiction writer of comic books, graphic novels and children’s books.
Stanek recently rediscovered his love of the great outdoors. When he’s not writing, teaching or making presentations, he can be found hiking, biking, backpacking, traveling and/or trekking in search of adventure.
Follow Stanek on Twitter at twitter.com/WilliamStanek.
How do you think the role of the IT auditor/ professional is changing or has changed? What would be your best piece of advice for IT auditors as they plan their career path and look at the future of IT auditing?
Anyone working as an IT auditor/IT security professional today had best be ready for a ride. Change is happening in the industry and more changes are inevitable. Government regulation and compliance requirements are increasing and likely will continue to do so. Continued reform and revisions to existing guidance that more closely approximate reality must come, and the professionals working in IT security and auditing should be the driving forces behind these changes (rather than waiting for change to happen). IT security is an ongoing, continuous concern; IT security policies and IT auditing practices need to be ongoing and continuous as well.
In the US, government agencies (and some other organizations) use Federal Information Security Management Act (FISMA) guidance to aid in their security practices and help establish baseline guidance. Widespread reform of FISMA is needed to close the gap between what is perceived and what is real. Certification and accreditation are parts of a larger whole and must be seen as such. Achieving compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls is a start, but compliance must be backed by enforcement and penalties for lack of enforcement, as well as by expanded guidance beyond the minimum requirements provided in NIST SP 800-53.
Recent revisions to key NIST documents, including SP 800-53 and 800-37, provide starting points for needed change. Many more changes are needed and must occur to complete the needed reforms.
How do you see the role of governance of IT changing in the next five years?
In the past, change in security standards and practices happened rather slowly. Well, it is catch-up time, and over the next five years, the role of IT governance will grow markedly as organizations large and small increasingly adopt IT governance, risk and compliance guidelines to keep pace with the rapid changes in the real world.
This whole notion of governance of IT is expanding and only will continue to do so. IT must support and enable an organization’s strategies and objectives. Otherwise, IT is an impediment to the organization’s success.
ISO/IEC 38500, Corporate governance of information technology, provides good guidance on better aligning IT with organizational decisions, but a standard is only a starting point. Beyond such, standards are recognized frameworks that are continuing to evolve and change as our understanding of what IT governance, risk and compliance must entail evolves and changes.
IT governance frameworks such as COBIT® and Val IT™ provide the strategic concepts and tactical principles, and operational frameworks such as Microsoft Operations Framework (MOF) and IT Infrastructure Library (ITIL) define best practices for IT service management and support in operational environments. All of these policies and guidelines are meaningless if they are not current with the times and actual needs—and this is why the role of IT governance must expand and adapt, becoming more proactive and responsive.
How do you see information management practices in business changing in the short and long term? What are the biggest concerns with cloud computing, and how do you see them being addressed?
Information management practices increasingly must focus on data governance. Proper data governance helps an organization better manage, protect and use the intellectual property and other data in its possession. In the short term, an increasing focus on data governance likely will require ongoing changes to information management policies, and those ongoing changes must then be implemented in increasingly wider scope while ensuring that privacy, confidentiality and compliance needs are met. In the long term, fully aligned data governance, risk management and compliance objectives must become a core focus and a way of doing business.
Increasing adoption of cloud computing will make this increasing focus on data governance a challenge, and a balance will need to be found between the way data are governed internally and externally. Successful IT organizations will identify, analyze and evaluate the risks of outsourcing infrastructure/services and storing data in the cloud and then implement policies to mitigate, remedy and monitor those risks. My biggest concern is that a strong balance between transferred risk management and internal risk management will need to be found. Some risk management tasks may be best performed by cloud service providers themselves and others by internal teams. If the proper balance is not found and maintained with excellent oversight, the organization may put itself and its future at risk.
How do you balance your careers as an IT professional and fiction writer? Do you use your experiences as an IT professional when writing fiction? How do the two careers converge?
I work hard every day to balance my careers as both an IT professional and a fiction writer. Working in IT, especially with my focus on new and emerging technologies, gives me excellent insights into the ways complex processes and environments should be managed. Writing a work of fiction, such as my latest release, Rise of the Fallen (Ruin Mist: Dawn of the Ages, Book 1), is itself a complex process that requires excellent management to carry the project through to completion. My many years of managing and writing about complex systems as an IT professional have made it easier for me to write about complex worlds and societies in my fiction. My experiences as an IT professional also enable me to work comfortably in every aspect of the writing and production processes. So, not only did I write the Bugville Critters picture books for children, I also rendered and finalized the art and did the layout. For my upcoming comic books, including Betrayal (A Daughter of Kings, Comic #1), and the related graphic novels, I wrote the scripts, rendered and finalized the art, and lettered the works in their entirety. The result, I think, is a tighter, more cohesive product.
The IT and fiction careers converge in many other ways as well. For example, I developed the digital production processes used by my fiction publisher at a time when most other publishers were nondigital, and I continue to evolve these processes. These digital processes allow the publisher to more easily produce my work in the many forms and formats needed in this increasingly complex digital age.
From time to time, I also sneak technology into my writing. For example, Pieces of the Puzzle is, on the surface, a thriller about agent Scott Evers who is forced to go rogue to clear his name. Rippling under the surface is the story of the machines that control the world’s financial networks and the cautionary tale of how tampering with those machines propels the world into financial chaos.
What has been your biggest workplace challenge, and how did you face it?
My biggest workplace challenge has always been one of reversing negative perceptions about IT. It seems every time a company I work or consult for gets new managers outside of IT, the new managers come in with a negative perception of IT. They seem to think IT exists only to put up roadblocks and hinder progress, when this is not true in a well-run IT organization. Great IT organizations are the beating heart of any business, and like any well-oiled engine, IT should be seen as the doer who gets things working and keeps them working, all while performing the Herculean feat of ensuring governance, risk management and compliance objectives are met.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.