Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team

Author: Julie Balderas, Asim Fareeduddin, CISA, CISM, CIPP, CPA, Femi Richards, CCEP, CIPP, Ruwel Sarmad and Jack Wall
Date Published: 1 November 2018

Broadly put, it is widely accepted in today’s corporate world that diverse organizations are preferable to their homogenous counterparts. Empirical research reveals that diversity yields myriad advantages, including increased productivity, enhanced problem-solving and heightened levels of employee engagement, among other benefits.

The value of diversity in the context of IT audit teams is worth discussing, and a number of practical strategies for creating and maintaining a diverse and inclusive IT audit team as part of an organization’s overall diversity program are offered.

Many countries are experiencing demographic shifts. For example, by 2055, the United States will not be comprised of a single racial or ethnic majority.1 Millennials are now the largest generational cohort in the US, having surpassed baby boomers, and they are unapologetically challenging the status quo in the workplace.2 Women are the primary wage earners in approximately 40 percent of all households with children.3 Simultaneously, there is an increase in demand for individuals with skill sets in information security. The cybersecurity market is “expected to grow from (US) $75 billion in 2015 to $170 billion by 2020,” which is a threefold increase.4 Further, by 2019, the number of information security/cybersecurity job openings is expected to rise to 6 million.5 “There are one million unfilled security jobs worldwide,” out of which “more than 209,000” are in the United States.6 Unfortunately, there is a shortage of skilled candidates to fill these jobs.

To some, these demographic realities, coupled with the inexorable shifts in the job market toward an information worker-driven economy, are unsettling and rattle long-held notions about the very nature of society. In the alternative view, these seismic shifts can be viewed as evidence that the increasing importance of workplace diversity cannot be denied.

What Is Diversity?

Asking 10 people to define “diversity” is likely to generate a wide range of definitions. To some, “diversity” is defined narrowly in terms of race, gender, age or those attributes that fairly easily lend themselves to visual inspection. To others, their definition may depend on whether the attributes in question are afforded legal protection under federal and/or state laws such as Title VII of the US Civil Rights Act of 1964, the Americans with Disabilities Act, the United Kingdom employment equality law, or the Employment Equality Directive and Racial Equality Directive in the European Union—core antidiscrimination statutes that make it unlawful to discriminate against individuals on the basis of sex, race, national origin, color, religion and physical disabilities.7 Yet others may choose to adopt a broader, more nuanced view that encompasses an expansive range of characteristics that include the aforementioned differentiators, but also embraces such traits as cognitive style, years of service, education, personality, parental status, geographic location and organizational function. Ideally, a comprehensive definition of “diversity” is a relatively fluid concept that reflects a combination of both external and internal elements (figure 1).

In the corporate world, the manner in which “diversity” is defined is important in establishing the context in which individual differences are recognized and celebrated. Moreover, it is critical for the definition to be broad enough that all employees can visualize themselves within the framework of the definition. For example, if the corporate definition is overly narrow and primarily speaks in terms of “advancing historically underrepresented minorities,” it is conceivable that some white males may feel excluded and undervalued by the organization rather than seeing themselves as key contributors to establishing an engaged and inclusive work environment. Diversity, within the specific context of an IT audit team, might pivot on the desire to embrace team members with different educational and professional backgrounds, not limited to experience in IT alone. Given the shortage of experienced candidates and the strong demand for IT audit skill sets, it is important for hiring managers to think “outside the box” and seek out candidates who may not come from traditional IT backgrounds, from both an educational and a professional experience perspective.

The Benefits of a Diverse IT Audit Team

Broadly stated, diverse teams afford underrepresented groups the ability to connect with their peers and colleagues on a level that is comfortable and inclusive. However, this is not the only driver behind the decision of many organizations to expand the makeup and composition of their organizations. An enterprise could simply be motivated by a desire to maximize the effectiveness of its professionals in pursuit of the organization’s strategic business objectives. For example, having a diverse IT audit team could help an organization achieve a competitive advantage because professionals with varied backgrounds can contribute innovative thoughts and ideas and a “variety of solutions on how to achieve a common goal.”8

Strong interpersonal skills are critical attributes for a person to excel in the IT audit arena. For example, within RELX Group, the information security assurance team is composed of IT auditors who not only possess considerable technical knowledge of operating systems, platforms and security controls, but who also feel comfortable interacting with senior business leaders, mentoring students or volunteering in the community. By focusing on leveraging each employee’s unique skills, the productivity and performance of the entire team is enhanced. The experienced employees on the team serve as coaches to the campus hires, which allows them to develop and demonstrate their leadership skills. The junior employees also contribute to the team by bringing in a rich skill set from their various professional backgrounds. For example, a recent new hire with work experience in quality assurance (QA) at a global technology enterprise in India was able to use his prior experience to document the QA controls within the audit work papers and assist his colleagues on any QA-related questions. In addition, a senior IT auditor on the team leveraged his prior experience working for a US senator, where he served as a correspondent, event planner, researcher/writer and manager of large projects. His experience enhanced the team’s ability to multitask efficiently and communicate with stakeholders across different business areas via email, phone and in-person meetings. These examples demonstrate how candidates with diverse professional backgrounds can be an asset for an IT audit organization seeking to achieve a higher level of performance.

A diverse IT audit team can bring together employees with different thought processes and backgrounds. This enables a single scenario or situation to be examined from multiple perspectives so all possible outcomes can be evaluated. When seeking to build or augment an IT audit team, hiring managers should ensure the candidate talent pool has individuals with diverse professional backgrounds. By adhering to a more traditional homogenous candidate pool, a hiring manager may overlook and discount some of the more critical skill sets that are required for an IT auditor. Also, by not contemplating diversity, hiring managers run the risk of creating a team in which employees possess not only similar technical perspectives, but also similar aspirations regarding career progression. In other words, a homogenous IT audit team is likely to engage in similar problem-solving modes of thinking and may heighten the risk of increased employee attrition rates if employees choose to leave the organization after reaching an arbitrary ceiling based on similar goals. The IT audit field has numerous job opportunities for qualified candidates, and there is considerable mobility available for both lateral and vertical career growth. Organizations should challenge their employees to broaden their skill sets by encouraging them to work on special projects outside their comfort zone in addition to their regular assignments so they can continue to develop relevant and transferrable skills. For example, an IT auditor who would usually work on information security control audits can also assist with performing periodic risk assessments to gain more experience in a different, but adjacent, field.

Creativity and Innovation
Viewing diversity through the prism of immigration reveals that the inclusion of skilled immigrants in the workforce results in an appreciable boost to innovation that can be empirically measured. Data from the United States can be used as one example. The US National Bureau of Economic Research finds that an increase of just 1.3 percentage points in the workforce population of immigrant college graduates results in roughly a 20 percent increase in the share of patenting per capita.9 It is common to perceive any influx of skilled immigrants as unassailable evidence of the dearth of native innovation. However, one should proceed cautiously when concluding that this increase in diversity automatically crowds out native-born persons from high-skilled occupations. To the contrary, non-native workers simply buttress and sustain the creativity and growth of organizations and have a positive influence on the global economy.

Common debates also exist as to whether the presence of gender diversity in top-level management truly aids the prosperity of firms. Simply put, it does. Based on a 2015 study by McKinsey & Company, “companies in the top quartile for gender diversity are 15 percent more likely to have financial returns above their respective national industry medians.”10 Furthermore, results from The Journal of Business Ethics’ study of gender diversity in top management teams indicate that gender diversity positively correlates with enhanced capability and innovation.11 Although the data are clear, it is intuitive that there is much to be gained by being exposed to diverse perspectives and experiences when trying to tackle complex issues and challenges. For example, if a city is thinking of building a new subway system, it would be advantageous to bring civil engineers, environmental scientists, politicians and other relevant stakeholders to the table. The rationale for bringing together disparate groups is that there is value in hearing from and understanding a multitude of views before embarking on such an ambitious, complex project. Indeed, it would seem odd to convene a subway system implementation team composed solely of rail vehicle engineers, for example, when so many other constituent groups have a vested interest in the efficacy of the group and the decisions that are made. Similarly, in the corporate C-suite, it would make sense to leverage the abilities of both men and women (and other available diverse employee resources) to ensure that problem-solving efforts draw from the collective wisdom of the team in a way that leads to the best possible result. Moreover, in the information security context, the Arizona (USA) governor’s office recently sought to leverage the strength of a diverse team to solve complex cybersecurity challenges when it announced the creation of the Arizona Cybersecurity Team (ACT). The team consists of 19 state officials with backgrounds in homeland security, infrastructure, academia, the private sector and more.12

To be sure, innovation is a social process that is amplified when different backgrounds interact. The strength of diversity in its myriad forms is that by harnessing the heterogeneity associated with individual experiences and knowledge, organizations can naturally stimulate the work environment in a manner that fosters innovation.

Expansion of the Talent Pool and Assistance With Recruitment
Global unemployment rates have steadily improved since 2000 and, as a result, the hunt for qualified, available talent is fierce.13 Employers who choose to rely on the same tried-and-true recruitment strategies that were effective when there was a surplus of labor may find themselves unable to fill critical positions. Data breaches have become inevitable over time, and with the “wide skills gap for cybersecurity jobs,”14 there is a dire need to fill these cybersecurity job positions.

It is no revelation that cyberthreats are evolving as quickly as the media through which they act. In recent years, cyberattacks have been launched against both the public and private sectors by a variety of actors. State-sponsored attacks, including Korean ransomware attacks against healthcare providers and Russian meddling in US democratic processes, have occurred. Criminals have penetrated the credit juggernaut Equifax. Social hacktivist groups such as Anonymous have released sensitive information pertaining to prominent government officials and corporate executives. The list goes on, but the point is clear: There are a multitude of faces and intents acting in the threat universe, and those faces are daily becoming more varied. This begs the question: Why would forward-thinking organizations fail to expand their information security and IT audit talent pools to include experiences, backgrounds and cultures that can help them cast a broader net across the array of motives, modes and origins behind these attacks? To this point, former US Deputy Chief Information Security Officer, Mischel Kwon, asserts, “In cybersecurity, I always take the view that our adversaries don’t fit into one demographic, therefore, why should we? When security professionals have a broader lens through which to look at security, we’ll be able to provide better answers and support in protecting our systems.”15

Kwon has also strongly advocated for greater female involvement in the field of cybersecurity. According to an (ISC)² study, women represent nearly 50 percent of IT users, but only 11 percent of the global cybersecurity workforce. Regardless of where the blame may lie for the latter figure, one organization in particular, Girl Scouts of America, has taken action. In a move to get more females involved in cybersecurity, the organization has focused on offering a curriculum and certification to educate young girls about cybercrime, network security and computing basics.16

While it is understandable that employers will continue to focus primarily on the applicable skill sets, education and professional experience of the candidates they are recruiting, it is important not to overlook potential candidates who may emanate from nontraditional educational and/or professional backgrounds. For example, it may be natural for a hiring manager to seek out candidates from his or her university or individuals who share similar interests or hobbies. However, this method, if followed consistently, is likely to result in a recruitment strategy that does not add sufficient richness to an organization’s talent pool. A more thoughtful strategy may involve seeking candidates who are a departure from the standard recruit, but who still possess the necessary skills and experience and complement the organization’s culture. In this regard, the US military has been successful in trumpeting the numerous benefits and incentives to organizations that commit to hiring veterans.17

Reduced Turnover
Enterprises have come to understand that an engaged workforce is one in which the employees feel a sense of comfort and belonging. If employees believe the organization values their contribution to the enterprise, they are more likely to be productive and loyal. However, an aesthetically pleasing office or gourmet coffee in the break room may not be sufficient to keep employees wedded to the organization if they feel marginalized and alone. Humans are social beings by nature who tend to associate with others who have similar interests, backgrounds and culture. By working hard to increase the representation of diverse groups through targeted recruiting efforts and, equally important, implementing a diversity retention strategy that contemplates everything from mentorship opportunities to the adequacy of compensation to the reputation of the organization in the community, it is possible to send an unambiguous signal to existing employees that the organization’s commitment to diversity and inclusion is more than mere lip service.

There are various professional organizations that focus on information security, IT governance and IT auditing that could be resources for new employees entering the field of information security. ISACA, the Institute of Internal Auditors (IIA) and the International Association of Privacy Professionals (IAPP) are a few examples of organizations that lead in their respective fields. Employers should support and encourage their employees to attend training/conferences hosted by such organizations so that those employees can gain cutting-edge industry knowledge and incorporate it into their daily job activities. In addition, attendees can network with other experienced professionals at these events to learn and benefit from their experiences. The organization’s support of employee involvement in professional organizations will make employees feel valued, which will help to increase retention.

Conversely, organizations must be careful to not push employees into closed circles, as it may limit the full capacity of exposure to career growth opportunities. Organizations must instead balance the representation of all employees to avoid creating artificial subcategories that subvert the minority’s and the majority’s contribution to the pool of knowledge. An example is affinity groups and the reality that many of these efforts are not properly funded and are managed only in the spare time of a willing leader.18 This can lead to well-intentioned, but ineffective, support groups that, if improperly managed, may divert attention away from overall assimilation and toward division and seclusion. Inevitably, the summation of all minorities is evolving to be the majority. However, the responsibility to assimilate should not be placed solely on these “outside groups.” Instead, organizations must push for the “inside groups” to also reach outside their comfort zone and enter the normality of diversification. The key to reducing turnover is not simply recruiting for diversity, but acknowledging that inclusion is key and that reaching out should come from all sides.

Improved Customer Service
This is an area in which changing demographics will have a major impact. For example, the United States is expected to grow to a population of 417 million by 2060, with undeniable growth in the number of what are now considered minorities. Moreover, by 2060, nearly 20 percent of the country’s population will be born outside the United States.19 If these predictions come to pass, businesses must also adapt to the changing composition of their customer base. Organizations that have staff representatives who can speak a multitude of languages, understand various cultural nuances and mirror the communities in which the business resides will be competitively well positioned to serve, satisfy and retain customers.

Strategies to Build and Retain a Diverse and Inclusive IT Audit Team

Successfully building and retaining a diverse and inclusive IT audit team requires tackling the issue as a business problem, not a human resource (HR) issue. Much as an organization would tackle any business issue, such as building a new product or system, it must have a clear, documented go-to-market strategy (with buy-in from the appropriate stakeholders) including the following areas:

  • Development of a diversity vision and strategy (tone at the top)
  • Targeted recruitment and relationship building
  • Investment in employee development and training
  • Mentoring
  • Use of metrics to track success

A diversity vision and strategy should come from the top down and should be viewed as a business issue owned by the C-suite. To work effectively, the vision and strategy must be adopted at all levels of management. Formal goals should be set, and managers should be held accountable for these goals just as they would for revenue and sales targets. A good starting point for carrying out senior management’s vision is the use of employee resource groups (ERGs), also known as affinity groups. ERGs can partner with different areas of the business, including HR and talent development, to execute a clear strategy to fruition.

The chief complaint from hiring managers is that they would hire someone from a certain background, but they were not presented with any candidates with that background. The easiest solution to this complaint is to target groups and universities where diverse candidates can be identified. Much like a sales pipeline for selling products/services, building these relationships can take time to see the end result. Because of this time-intensive nature, an efficient way to implement such an initiative is to start small. A good start is to build a relationship with an organization or school and ultimately create a repeatable process that can be leveraged across multiple organizations. This is where ERGs can play a key role. It also helps to develop the ERG members’ soft skills, which will play a significant part in on-campus recruiting, guest lecturing/presentations, interviewing candidates and mentoring, to name just a few areas.

Once diverse candidates are hired, it is important to ensure that these employees are retained and feel welcome in the organization. ERGs can be used to assign mentors to candidates to help them navigate the enterprise and its culture. Employees with mentors are less likely to leave the organization and can use the mentor as a support system as they grow through their career. Along with mentorship, it is important to invest in specialized training and development for new employees so they feel constantly challenged and experience growth in the environment.

Organizations should prioritize the professional development of different groups through their internal ERGs.

Predefined steps on the career ladder also assist in retention so that employees have an idea of potential opportunities and specific milestones to achieve those opportunities. Without this infrastructure in place, diverse candidates are more likely to leave the organization, as they may feel that nobody in the organization “looks like them” or cares for their well-being and success.

The old adage “what gets measured, gets done” is as true in the diversity context as it is with any important business-focused initiative. The success or failure of a diversity and inclusion program cannot be effectively quantified without metrics in place. Goals and objectives should be set up as part of the overall organizational strategy and must be measured at least quarterly, much like financial performance indicators. By assessing metrics on a quarterly basis, senior management will have current information with which to assess the effectiveness of the strategy and make any changes or tweaks along the way. To effect change, these goals and measurements should be part of a manager’s annual performance review.

Conclusion

Diversity is more than compliance with laws and rules. It is more than a mere empirical exercise of counting people and assigning them to discrete boxes on a spreadsheet. It is even more than just “doing the right thing.” Diversity in the enterprise context should be about creating an environment in which all people feel included, valued and free to achieve the best of which they are capable. A diverse IT audit team brings together different minds and perspectives to facilitate innovation, solve problems and advance learning—all of which, if harnessed properly, are likely to have a positive impact on audit quality and overall team performance.

Endnotes

1 “Demographic Trends That Are Shaping the U.S. and the World,” Pew Research Center, 31 March 2016, www.pewresearch.org/fact-tank/2016/03/31/10-demographic-trends-that-are-shaping-the-u-s-and-the-world/
2 Ibid.
3 Egan, M.; “Still Missing: Female Business Leaders,” CNN Money, http://money.cnn.com/2015/03/24/investing/female-ceo-pipeline-leadership/
4 Morgan, S.; “Cybersecurity Market Reaches $75 Billion in 2015; Expected to Reach $170 Billion by 2020,” Forbes, 20 December 2015, https://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#392c483830d6
5 Morgan, S.; “One Million Cybersecurity Job Openings in 2016,” Forbes, 2 January 2016, https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#449738e827ea
6 Cisco, “Mitigating the Cybersecurity Skills Shortage,” 2015, https://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf
7 Civil Rights Act of 1964, section 7, 42 U.S.C. section 2000e et seq., USA, 1964 and Americans with Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328, USA, 1990
8 Johnson, R.; “What Are the Advantages of a Diverse Workforce?” Chron, http://smallbusiness.chron.com/advantages-diverse-workforce-18780.html
9 Hunt, J.; Gauthier-Loiselle, M.; “How Much Does Immigration Boost Innovation?” National Bureau of Economic Research, USA, September 2008, www.nber.org/papers/w14312.pdf
10 Hunt, V.; D. Layton; S. Prince; “Why Diversity Matters,” McKinsey & Company, January 2015, www.mckinsey.com/business-functions/organization/our-insights/why-diversity-matters
11 Ruiz-Jiménez, J. M.; M. Del Mar Fuentes-Fuentes; “Knowledge Combination Capability and Innovation: The Effects of Gender Diversity on Top Management Teams in Technology-Based Firms,” The Journal of Business Ethics, May 2016, vol. 135, no. 3, p. 503-505, https://link.springer.com/article/10.1007/s10551-014-2462-7
12 Office of the Governor Doug Ducey, “Governor Ducey Announces Appointments to Arizona Cybersecurity Team,” USA, 7 March 2018, https://azgovernor.gov/governor/news/2018/03/governor-ducey-announces-appointments-arizona-cybersecurity-team
13 International Labour Organization, “Unemployment, Total (% of Total Labor Force) (Modeled ILO Estimate),” The World Bank, November 2017, https://data.worldbank.org/indicator/SL.UEM.TOTL.ZS
14 Kauflin, J.; “The Fast-Growing Job With a Huge Skills Gap: Cyber Security,” Forbes, 16 March 2017, https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#2fc802975163
15 Siwicki, B.; “Why Diverse Cybersecurity Teams Are Better at Understanding Threats, Patient Needs,” Healthcare IT News, 28 September 2017, www.healthcareitnews.com/news/why-diverse-cybersecurity-teams-are-better-understanding-threats-patient-needs
16 Girl Scouts, “Palo Alto Networks and Girl Scouts of the USA Announce Collaboration for First-Ever National Cybersecurity Badges,” 13 June 2017, https://www.girlscouts.org/en/press-room/press-room/news-releases/2017/palo-alto-networks-girl-scouts-collaborate-cybersecurity-badges.html
17 Riggins, N.; “15 Benefits of Hiring Military Veterans,” Small Business Trends, 2 November 2017, https://smallbiztrends.com/2017/03/benefits-of-hiring-veterans.html
18 Wittenberg-Cox, A.; “Deloitte’s Radical Attempt to Reframe Diversity,” Harvard Business Review, 3 August 2017, https://hbr.org/2017/08/deloittes-radical-attempt-to-reframe-diversity
19 Colby, S. L.; J. M. Ortman; “Projections of the Size and Composition of the U.S. Population: 2014 to 2060,” US Census Bureau, March 2015, https://www.census.gov/content/dam/Census/library/publications/2015/demo/p25-1143.pdf

Julie Balderas
Is a master’s student in actuarial science, studying the mathematical applications behind risk and insurance at Georgia State University (USA). In 2017, Balderas worked for RELX Group in IT security auditing, assisting with internal information security auditing of various LexisNexis applications. She can be reached at Jbal1@student.gsu.edu.

Asim Fareeduddin, CISA, CISM, CIPP, CPA
Is vice president, IT security and regulatory controls assurance for RELX Group. He has more than 17 years of experience in privacy, security and audit. Prior to RELX Group, Fareeduddin worked in big four IT audit/security. He also serves as the program coordinator for the LexisNexis Risk Solutions African Ancestry Network (AAN) ERG (Alpharetta, Georgia, USA chapter). He can be reached at Asim.Fareeduddin@relx.com.

Femi Richards, CCEP, CIPP
Is the vice president, compliance assessment and programs at RELX Group. He is responsible for ensuring that RELX maintains a world-class compliance program. In 2010, he was recognized by Savoy Magazine as one of the “Top 100 Most Influential Blacks in Corporate America.” Before joining RELX, he was a senior associate with Holland & Knight LLP, where he practiced in the corporate diversity counseling, education policy and government relations practice groups. He can be reached at Femi.Richards@relx.com.

Ruwel Sarmad
Is an IT security and regulatory controls auditor at RELX Group. She is responsible for performing internal security assessments of RELX Group products and services and the underlying technology that supports them. Sarmad can be reached at ruwel.sarmad@relx.com.

Jack Wall
Is an IT security and regulatory controls auditor at RELX Group. Wall joined RELX Group after starting his career with a CPA firm in the Atlanta (Georgia, USA) area. During his career, Wall has engaged in Sarbanes-Oxley-related internal control assessments and advisory, SOC1 and SOC2 reporting and internal security and privacy assessments. During his time as a graduate student, Wall served as president of the ISACA Student Chapter at Georgia State University.