Rookie Success Factors: Career Advice from the ISACA community

Author: Caitlin McGaw, Career Strategist and Job Search Coach, Caitlin McGaw Coaching
Date Published: 7 September 2022

Career Corner

Early in your career, you don’t always have a mentor. And few folks starting out in a new field have a cadre of mentors who can provide critical career advice. (Word to the wise: Develop a cadre of mentors!)

The worldwide ISACA community is so rich in knowledge and career wisdom. I tapped into that gold mine for this column. I reached out to the global ISACA community via LinkedIn and asked them to share their hard-won career advice to help early-career professionals succeed.

What an outpouring of emails and conversations! Analyzing the input, 10 major themes emerged. This article is organized by these themes, with quotes and stories that illustrate the collective wisdom.

What follows is a treasure trove of priceless career advice – for early-career professionals, and for all! This piece is a huge testimony to the generosity of the ISACA community. Many, many thanks to all of you who contributed.

Here are the 10 themes:

  1. Career essential: Communication skills and soft skills (Mentioned again and again!)
  • “One of the most important aspects of any cybersecurity career is the ability to explain technical concepts in a non-technical way. Learn to translate between cybersecurity risks and business value.” - Manager, Cybersecurity
  • “Learn how to talk. Carrying conversations in both the virtual and in-person world can lead to successes in the battlefields of audit, IT, and cyber. Things get solved in this world not in your intro meeting or the closing sessions or walkthroughs. It happens in the one-off conversations directly with someone when you have follow-up questions. Take off the Zoom background and show some insights into who you are.” - Cybersecurity Director
  • “Bottom line up front: Know your audience. And if you are speaking to an executive, don’t go into the weeds with the information you are providing.” - Manager, Cyber Risk and Compliance
  • “Learn how to disagree with people so they don’t come back wanting to put a target on your forehead. Coming across as unlikeable will sink your career really quickly. Your goal is to win them over to the facts that support your position. Make sure your facts are 100 percent accurate!” - Senior Manager, IT Risk
  • “Everyone hired has the skill set and knowledge to do the job but what separates people are the soft skills. Learn to read non-verbals; develop a sense of humor; time and stress management; and hone your ability to speak and write clearly. You may have the best ideas but if you're unable to communicate effectively, it's essentially wasted.” - Senior Manager, GRC
  2. Deepen your business and cultural knowledge
  • “Work to understand the business. This will help with understanding business processes that are not always that visible and not easy to learn quickly. Then, when you are working on a specific audit, your understanding of the details of the business will help you craft the right audit questions.” - Global Head of IT Audit
  • “Recognize your auditees and internal clients as being SMEs and don’t be afraid to follow up with questions. Ask for feedback, especially during contentious audits. Put yourself in their shoes. Build relationships early and maintain them. If you have a relationship, it’s easier to get information you need.” - Manager, IT Compliance and Risk Management
  • “Cultural contexts are important. You have to consider the cultural context when asking questions. For example, ‘Are you responsible for X?’ The concept of what being responsible is can vary, and how you ask and gain understanding of that may need different approaches, depending on the country and culture.” - IT Audit Director
  • “Prepare for the audit before you get in front of the auditee. Preparing is crucial. It shows that you care and builds trust with the client. Use both external and internal resources. Google the topic. Get a basic foundational knowledge. Use the ISACA website. Within the organization, ask about prior engagements that have involved the area. Use the company intranet to research the area you are planning to audit.” - Senior Manager, Internal IT Audit
  3. Get comfortable with gray

“IT audit, IT risk, cybersecurity are not black and white. There are a lot of gray areas. Understand that and put it in proper context. How do you learn to understand the gray areas? Learn from others. Sit in meetings with senior auditors and learn how they negotiate risk and compliance. Take in all the lessons and observations. The ability to see and understand gray comes from experience.” - Senior Director, IT Audit

  4. Ask for feedback. Take it well. Run with it.

“I see feedback as a way to add value quickly. Early on, someone told me that documenting my project and performance review conversations with my management was how you can take some control of your narrative.

“Here’s how I did that. The first step is to send an email to your manager documenting the conversation. Ask if you have understood everything correctly. This gives your manager a chance to comment. Next, plan a second meeting 3-6 months out. Ask, how am I doing? Is there anything I need to change? If you are not doing well in an area, you can then create a plan to improve.

“At the end of your project, document the results, what you learned, training and development ideas, and suggestions of the types of projects you would like to be on, and send that to your manager for review. With all this documented, neither you nor your manager are starting in on the review process from scratch, and you have a bit more control over the feedback because you have helped guide the process.” - Manager, Cybersecurity

  5. Building your career with diverse experience, expertise and certification
  • “Try to get experience in several cybersecurity domains. Choose one or two and get advanced experience. After you decide on the one you like, look for projects and connect with people in that area. At this point, you can get a master’s degree or start your certification path. Do not specialize too early in your career.” - Manager, Information Governance
  • “Most recognized certifications require work experience plus an exam, but there are others with fewer requirements. Get the ones that you have experience with as soon as possible because they will boost your career, promote your name, and help you to understand concepts better while studying.” - Manager, IT GRC
  • “Be open to various opportunities and projects when starting your career, being sure to consider the long-term benefits of these experiences. You may be offered experiences that might not sound as exciting as others, but they will give you high visibility, get you new skills, or look good on your resume. I started in consulting and accepted a few projects with big companies that everyone knows and it still helps me today when I am interviewing.” - Senior Manager, Cyber Security
  • “Don't be afraid of a lateral move. I moved from an IT audit manager to a cybersecurity manager role. Some thought I was settling while others saw the potential. We all want to move upward in our careers. However, sometimes those lateral moves allow you to build up certifications, get back to IT/cyber basics, and grow overall in your career potential.” - Cybersecurity Director
  • “Stay current with happenings in your company and business unit, industry and your function. This will help keep you relevant in a fast-paced business environment. Belonging to professional organizations such as ISACA is a great way to help keep abreast.” - Global Audit & Compliance Leader
  • “Find a mentor. It’s critical to have an advocate on your side. Do this by identifying someone who shares your passion or your developmental goals (e.g., to work on your presentation skills, seek out a good presenter). Build a relationship with them first. Then ask if they would be open to mentoring you.” - Senior Manager, Information Security
  6. Show initiative. Go above and beyond. Be bold. Contribute.
  • “Every time I’ve had the chance to do a new project, I have jumped at it. There were some scary moments. When I moved from my first job in the private sector to Big 4, that was scary. I had done a little bit of UAT testing, but that is not the same as an IT audit. You take the leap, not always with confidence! One of the biggest stories we sell ourselves is that everything we do, we are going to be confident in, but often we succeed because we are scared.” - Senior Compliance Specialist
  • “The early-career professionals who don’t do as well are those that are passive – the ones who sit and wait for you to tell them what to do. If you want to learn and grow and stand out, you have to put in the effort. For instance, if you are put on an IT audit that is going to do vulnerability scans of Unix servers, and you haven’t done that before, go find a course, a training session. Don’t wait for your audit lead or manager to hand the information to you.” - Global IT Audit Director
  • “I have often had early-career folks say to me, ‘I did everything you asked me to do, why didn’t I get a 5-star review?’ The thing is, doing just what we asked, and not bringing anything extra to the table doesn’t earn you a 5-star rating.” - Director, Internal Audit
  7. Be proactive in communicating your career goals

“Discuss your career aspirations and goals early on. I made the mistake of not doing this, and although my experience was fulfilling and enriching, it was not great in terms of promotion and pay raises. It is important to have those candid discussions with leadership and your immediate manager. Build your goals into your performance and personal development plan. Make sure your goals are clear and measurable. And, have regular touchpoints for assessment.” - Senior Manager, Financial and IT Audit

  8. Network!
  • “Technology is pervasive, so it is important to network and build strong relationships across various cross-functional teams such as Development, Operations and Enterprise Architecture. Be engaged in their activities. For example, attend lunch & learn sessions and awareness conferences.” - Integrated Audit Senior Manager
  • “Put yourself out there. Interact with different stakeholders. That’s one of the key advantages you get from being in IT audit and cybersecurity, visibility to leadership – especially as an auditor. Be willing to capitalize on those opportunities and those relationships. One way I did that was to schedule a follow-up meeting to thank them for providing insights. Build the relationship. Down the road, I might reach out to that leader, and let them know that I was interested in a specific area that was in their wheelhouse. Could we have a short meeting to discuss this? I’d like their advice. But you definitely don’t want to look like you are trying to use this person.” - Director, IT Audit
  9. Hold yourself to a high standard of ethicality
  • “Always remember that you always represent your company, whether during work hours or during off hours. Hold yourself to a high standard. Your company has a Code of Ethics; read it so you can always uphold expected standards of conduct when dealing with everyone – other employees, customers, suppliers.” - Senior Finance/Audit/Compliance Leader
  • “What hill do you want to die on? There were times when I was asked to do some unethical stuff, and that was a hill to die on. Others weren’t, and in retrospect, I realize I put up too much of a fight. Know what your values are!” - IT Compliance Leader
  10. Do great work, AND take care of #1

“So many people starting their careers will attempt to work longer hours, take on more work, say yes to any request, not take all the allowed vacation, and spend more time at the office instead of anything else. Long term, these sacrifices to look good at work will not matter. I guarantee you that a raise 3 percent higher than your peers early in your career won’t matter long term if your personal health and happiness are impacted.” - Senior Manager, Cybersecurity

A few final gems from IT audit, IT risk and cybersecurity leaders

  • Mistakes (generally) are not career-ending. You live and you learn – don't get discouraged by mistakes.
  • The best auditors are not necessarily the ones who are the most technical but the ones who read the crowd.
  • Anything outside of your comfort zone means you’re growing. Accept the discomfort.
  • Working hard is not good enough. You are in charge of your own career. Promote yourself and your accomplishments.
  • Your word is your bond.

A closing thought: This piece was just the tip of the iceberg in terms of the excellent career advice that is available in the ISACA community – a community that is ready to share and to help others, particularly early-career professionals. Your local chapter is a fantastic place to ask for technical help and input on your career. You can also participate in ISACA’s online discussions. Finally, ISACA events and conferences offer excellent opportunities to meet fellow professionals in settings that foster comfortable networking and sharing. It’s all there. Be bold. Take the plunge. It’s worth it!