I must say I’m impressed they managed to get someone to say these words about an IT certification: “It’s the best thing that’s ever happened to me.”
But there it is, caught on film, in a video clip produced by the Information Systems and Audit Control Association (ISACA), which today celebrated a major milestone of 75,000 people who have obtained the Certified Information Systems Auditor (CISA) credential. I can’t embed the video in this post, but it features CISAs from Kenya, Chile, Switzerland and elsewhere, all talking about how becoming a CISA gave them better job opportunities, better pay, and respect among their peers. Sure, it comes close to sounding like “I’m a sissy,” when you hear a series of them proudly proclaim, “I’m a CISA,” but 75,000 people can’t be wrong. Right?
At the risk of raining on this particular parade, the fact that so many people are how certified doesn’t mean IT audits have gained any popularity within the corporate enterprise, or that IT departments do anything other than chafe at their very existence. There are still many disputes between what various controls are and how they should be implemented. And despite all those thousands upon thousands, many firms still experience painful security breaches, data loss, and struggle under the poor management of the distributed systems they maintain. We may now have a worldwide base of great auditors, but companies may be failing to capitalize on what those auditors are telling them.
When I bring up COBIT and related frameworks to better deal with the governance issues surrounding IT, I sometimes see a funny look come over the faces of those outside the audit function. They don’t frown, exactly, but they sort of brace themselves against something which they know will tire them. They throw up their hands, figuratively or literally, at the complexity of governance even when the auditors are there to help them. Only once have I actually heard an IT professional say they welcome audits, because it allows her to learn something important.
I am speaking in broad generalizations, of course. I’m sure there are stories of good auditors, and good auditors. It’s just that no one tells them, because, much like IT security, you don’t pay attention to it until something has gone wrong. I’d like to suggest we begin to change that. Let’s have some of those 75,000 CISAs begin to share their experiences outside their peer group, in compelling ways that capture how their work actually makes businesses successful, rather than a necessary part of compliance. If there is strength in numbers, CISAs should start exercising some marketing muscle.
