2009 Career Trends in Information Security: W. Hord Tipton, (ISC)²
Upasana Gupta: Going forward in 2009 what trends can we see in compliance audit in terms of career, jobs and opportunities for audit and IT Governance professionals?
Gary Baker: I think there will continue to be a strong need for information security and risk management skills and competencies in the marketplace. With the economic situation that faces us, it is quite likely that those IT security and risk management professionals who can effectively make the connection between security, risk management and regulatory compliance on the one hand, and adding value to the bottom line of the organization on the other, will be the most successful. Management will want to focus on improving bottom line performance - in addition to meeting their compliance requirements.
Gupta: What certification and education is ISACA focusing on for IT Governance professionals in 2009?
Baker: In the IT Governance space ISACA continues to promote its Certified Information Systems Auditor ("CISA") designation. This designation demonstrates that the individual has achieved a certain baseline level of competency in the areas of IT risk and control. In addition, a new designation - Certified in the Governance of Enterprise IT (CGEIT) - is a senior practitioner certification that demonstrates experience and capability related to establishing and maintaining systems and processes for the effective governance of IT within the enterprise. Certifications and designations such as these are important to demonstrate mastery and competence in the subject matter. Long-term success, however, will require individuals to leverage those competencies and capabilities to help the organization be successful. Having the designations is one thing, but the important capability is being able to consistently and successfully apply those skills and capabilities.
Gupta: Given the tight economic condition, what additional skills and attributes will the compliance and audit professionals need to acquire jobs within the industry? What will make them marketable?
Baker: Certifications and experience will help. They help to establish recognizable credentials and capabilities. However, the successful individuals will be those that leverage those capabilities to add incremental value to the organization. For example: Regulatory compliance is a marketplace requirement - organizations that are not compliant will struggle. However, what will differentiate a highly successful individual is the ability to go beyond achieving compliance within their organization and also leverage that capability to add incremental value, such as improving flexibility and "speed to market," creating marketplace opportunities, etc. Just being compliant will not be enough to be successful.
Gupta: What career advice will you give to existing IT Governance and compliance audit professionals?
Baker: My advice is to think beyond risk management and compliance. Recognize the difference between "unrewarded risks" and "rewarded risks." When thinking about governance and risk management, people often focus on the "downside" of risk - i.e. "how do you prevent bad things from happening?" These are very often "unrewarded" risks in the sense that they are the expected outcomes - i.e. management expects that IT will take appropriate steps to prevent bad things from happening. As such, there is seldom a "reward" for doing that extra well. Take, for example, Internal Control Certification (such as under SOX) - this is an "unrewarded" risk in the sense that there is typically very little added value in being "more" compliant.
Rewarded risks, on the other hand, are those risks that provide the potential to add incremental value to an organization. Being able to effectively manage risks and thereby reduce process time or costs helps to add value to the organization - hence a "rewarded" risk, as the organization is typically rewarded for the improvement they are able to achieve. Governance and risk management are not all about managing the downside. IT governance and risk management practitioners should be encouraged to adopt a balanced view of risk that includes the upside possibilities (rewarded risks) as well as the downside exposures (unrewarded risks). Regulatory compliance is table stakes, and to be successful you must look to add incremental value beyond compliance.