The head of IT audit at a major global organization once told me that an absolutely critical thing to success on the job was “getting to the next question.” It was the drive to do this that took people on a journey of discovery. Instead of swimming on top of the lake, they dove down below the surface to take a look around.
Staying with that analogy a bit longer, imagine trying to do a comprehensive ecological study of a lake and only looking at the animals around the lake, sitting on the lake or swimming just below the surface. The report on the lake’s ecosystem would be missing a huge chunk of critical information. Conservation managers would not be able to craft accurate policy with such a faulty analysis.
So it is when an IT audit, risk or cybersecurity project is tackled only at the surface level. In audit that might mean sticking with the checklist and never going off script. For cybersecurity professionals that might mean not going through all the stacks of the IT environment and questioning what is going on and why.
Here we are at the dawning of a new year. You can measurably help improve your skills, the quality of your deliverables, and, in fact, your career trajectory in 2022 by building out this essential skill of getting to the next question. Catelyn Schmiedebusch, a regulatory compliance professional at the OCC (Options Clearing Corporation, Chicago), summed this up well: “That’s what sets people apart and plays a role in who is going to move up next – that mindset of how to get to that next question. It will be a deciding factor.”
One more factor that makes this an especially important skill to develop this year is the continuing level of uncertainty about how organizations, people, processes, and technology are going to function with the vast amount of change stimulated globally by the pandemic. The old scripts and former solutions are probably not to be entirely relied upon now. It’s time to deploy experience but to also challenge past assumptions and look at projects and problems with fresh eyes and a beginner’s mindset.
Ozan Varol, a NASA rocket scientist turned law professor and author, writes in his best-seller, How to Think Like A Rocket Scientist, “We’re inevitably influenced by what we know and the beaten-down paths walked by the pioneers before us. Escaping our own assumptions is tricky business—particularly when they’re invisible to us.” (A slight digression, How To Think Like A Rocket Scientist was recommended to me by a very perceptive IT audit and risk leader. It is an excellent book that I think those of you reading this would not only enjoy but find very useful in your work).
How one actually achieves that depth of perception that drives value can feel vague and perhaps somewhat overwhelming. Where do you start? What works? To figure that out, and provide you with some actionable steps and techniques, I spoke with leaders in ISACA’s core disciplines to find out how they learned to do this and how they trained others.
- Cultivate the “Beginner’s mind.” The very best technologists I worked with when I was working in executive search did not self-rate with the top score on IT platforms where I knew they were an SME. When asked about that, the reply was typically “There are people out there that know a whole lot more than I do.” Damian Ng, director of internal audit at Sprout Social, told me “I never think of myself as an expert on anything. So, if I feel like I have reached my limit on a subject, I look for help from others with more knowledge.” This was echoed by another senior leader in IT risk and IT audit who said, “No matter what level you are at, you have to rely on others to help you understand things.”
- Research and learn. Identify what you know and what you don’t. This is often done in the pre-work or planning phase of many projects. Experienced leaders underscored how critical spending time on this work is to project efficiency and the overall value of the project. Understanding company policies and procedures, researching the appropriate frameworks (e.g., ISACA, NIST, IIA, ITIL), and getting training related to the topic (such as an ISACA webinar) are great starting points. From there, move on to networking within your organization, and then later talking with peers and colleagues within the ISACA community and at other organizations. The goal is to learn as much as you can, filling your bucket with good stuff that you can use as the basis for your questions and analysis.
- It’s OK not to know! Ask questions, many questions. Children ask why constantly. We are innately curious. It’s how humankind has always learned. Over time, we learn that questions are often met with negative feedback from parents, teachers, and later, from unskilled bosses. Unlearn that! Unleash your curiosity and ask. This may seem daunting, especially when we are relatively new in our jobs, but this is actually an absolutely critical time to be asking and learning. Asking questions can feel awkward, particularly for those of us who tend to be more introverted. And many of us are afraid we’ll look stupid for not knowing. In fact, it’s asking that will help you deepen your knowledge and understanding and go beyond the superficial finding or easy solution. It will also move your career forward. Jeremy Zahora, head of IT audit at Wintrust Financial, offered this: “Asking questions gets you noticed up the chain. It’s not enough to just do great work. It’s also participation. These two pieces in tandem will help you advance your career.”
- Deploy the “5 Ws”: Who, What, When, Where, Why. A senior director in IT risk management with a major financial institution noted that “People often stop at the first ‘Why.’ At that point the explanation is typically too broad. It’s about getting down to specifics. To do that you have to keep asking, of yourself and others, ‘Well, why is that?’ You have to do that until it is intuitive.” She trains her team to do this in their project pre-work and then, when conducting interviews, to check which of the Ws have been answered and which have not.
- Run without a script. Rene Kennedy, director, IT audit and data analytics at Fortune Brands, noted that he learned to audit with a white board and Visio. It was pre-SOX, and many of his operational IT audits were new. There was no audit program. He said he used his analytical training as an engineer to dig into his projects. “With zero in your hands, you have to do interviews. A script may help in the beginning but hurts in the long term because you don’t have to think outside the box.” This was echoed by the other practitioners I spoke with. They highlighted the value of trying to figure things out on your own in the first go round, and then asking others for input, or looking at what was done in the past.
With this counsel comes a caveat offered by Damian Ng, audit director at Sprout Social: “Do your homework first so that you have the basic knowledge so you don't have to ask the questions that anyone can answer by Googling.” So Step 2 (research) fully informs your off-script line of questioning, the goals being to make the most effective use of your stakeholders’ time and to show them that you care about their time by doing appropriate pre-work before coming to them.
- Network. Talk with stakeholders. Walk in their shoes. “Many auditors just sit and do their work in a conference room. Go out to the shipping dock and talk to people,” was the counsel from Jon Lindus, a CFO and former Motorola audit director. An IT audit manager with a large global bank told me that by creating a collaborative, collegial rapport with his internal clients, he is able to ask them about any concerns they have or pain points they are experiencing. With a good relationship in place, stakeholders understand that IT audit can be an excellent ally in helping them make their case. This dialog also allows audit to surface important issues that they may have overlooked while “down in the weeds.” Growing your network within your organization makes this a whole lot easier. Get to know your internal clients, and make time for affinity groups or volunteer projects that allow you to build relationships organically with colleagues in other areas.
- What can managers do to support this skill development? In the course of these conversations with leadership professionals, there were a number of suggestions for managers who want to see their teams develop these critical thinking and analysis skills. A short list here:
  - Foster a tone at the top that invites and applauds asking questions.
  - Create a collegial team where people share information and feel free to ask questions of peers and those above them.
  - Encourage discussion around divergent viewpoints.
  - Buddy-up new staffers so they have a senior resource to learn from and get started on growing their internal network.
  - Have staff start out with a blank slate and have them develop an initial plan or program (without letting them flounder too long before providing a template or past program).
  - Have staff handle meetings with stakeholders. The preparation for the meeting will help them be more thorough, encourage them to dig deeper, and put them in the place where they need to listen actively and take ownership for understanding.
  - Take staff to stakeholder meetings and model the deeper-dive question-asking process.
  - If possible, create opportunities for job shadowing or guest assignments in operational areas to deepen business and process knowledge, as well as rapport and empathy.
- Embracing curiosity. Learn how to ask questions that go deeper and deeper into the topic at hand, stepping back from the weeds to see the aerial view of the forest.
- And perhaps most of all, allow yourself to be a beginner who is soaking up all the great stuff to be learned and understood. These skills can be practiced each day as you work. They will allow you to see greater nuances in what you are doing and allow you to find the gems of insight that will add value to your organization.
Let me leave you with this, another anecdote from How To Think Like A Rocket Scientist. When Steve Jobs was fired from Apple in 1985, he went on to start another computer company and to work with Pixar. Here’s what Jobs had to say about that time. “The heaviness of being successful was replaced by the lightness of being a beginner again. It freed me to enter one of the most creative periods of my life.”
Onward into 2022!