The Network: Adam Kohnke

Author: ISACA
Date Published: 1 September 2019

Adam Kohnke, CISA, CISSP
Is currently serving as the senior IT auditor for Total Administrative Services Corporation. Kohnke has more than three years of IT audit experience and more than six years in IT operations with various Fortune 500 companies as an incident, change and project manager. As an IT auditor, Kohnke has performed continuous control testing engagements against the US National Institute of Standards and Technology Special Publication (SP) 800-53 rev. 4 standards, performed annual SOC 1 Type 2 and SOC 2 Type 2 engagements, audited Amazon Web Services (AWS) deployments, and been involved with various other technological or operational-based audit engagements.

What is the biggest security challenge that will be faced in 2020? How should it be addressed?

Rogue technology companies that are more politically motivated than anything are a great security threat to people and enterprises. Those companies should be more heavily regulated and fined should they not be acting in a more balanced manner.

What are your three goals for 2020?

  • Move into a security, risk or audit management role
  • Obtain a penetration testing certification
  • Begin my cybersecurity master’s degree program

What industry-related sources (e.g., blogs, newsfeeds) do you read on a regular basis?

ISACA Now Blog, the ISACA Journal and Infosecurity Magazine

How do you keep your skills and your knowledge current?

IT certification, webinars, conferences, ISACA chapter meetings

How do you keep your own information safe? That is, what do you do (or do not do) to protect your own data privacy?

I put as little of it out on the Internet as possible and try to minimize the online sources with which I interact.

What is your number-one piece of advice for other audit, risk and assurance professionals as they build their careers?

Focus on yourself in the present and not what your boss, coworkers or your peers are doing, saying or accomplishing. Build relationships with them and learn from each of them, but your focus should be on how to improve yourself, providing value in your engagements and becoming a strategic partner in the business. Small successes lead to larger ones.

What is on your desk right now?

A laptop, a desktop, a coffee cup, my phone, a pen and a small writing pad

What do you do when you are not at work?

Spend time with family and friends, exercise, read books, and play my PlayStation 4

What is it that drew you to the audit, risk and assurance profession? What keeps you in the profession?

At the end of 2015, I was a contract incident manager working for a large construction manufacturer in Illinois, USA. I was searching for a new opportunity while my current employer was in the process of restructuring my team out of their jobs. I was approached by a recruiting firm about an opportunity to join an audit team in my home state of Wisconsin, USA, working for a federal student loan servicer. To be honest, I never knew IT audit was an actual career opportunity until that moment in 2015, but as I reviewed the job description, I thought IT audit sounded very exciting and fulfilling from a career perspective. I interviewed for the role onsite, was hired a few days later and never looked back.

How do you think the profession is changing and evolving? How will those changes impact the audit and risk professional?

The technology is getting a lot more complex with a lot of vendors offering similar, but highly competitive products. Technology is also becoming increasingly interconnected and the enterprise’s reliance on technology to achieve its needs is also quickly expanding. The challenge this presents to audit and risk professionals is a requirement to obtain increased levels of ongoing education related to emerging technology, not only within the enterprise with which they are employed, but at the professional level such as through certification, advanced degrees or vendor-based education materials.

What skills will be most important for audit, risk and assurance professionals to develop in the coming years, decade?

Audit professionals need to educate themselves and their stakeholders around high-level technology topics such as blockchain, artificial intelligence (AI), augmented/virtual reality (AR/VR) and drones.

Regarding blockchain, practitioners should perform a search on Google for “cashless society.” You will see the drumbeat is increasing for countries to dump cash and move toward digital currency such as Bitcoin or Facebook’s Libra, which are associated with the use of blockchain technology. Blockchain is likely to have increasing financial impacts on a global scale at some point over the next decade or so.

AI, on the other hand, is exploding in its rate of adoption and use and seems almost limitless in how it can be exploited by any enterprise. It is great for helping humans make informed decisions at faster rates, for lower costs. It can help practitioners with performing audits, identifying fraud, acting as a fourth line of defense (coined here first!) in enterprise security and many other uses.

AR/VR use is expanding away from simply gaming to corporate training, manufacturing, marketing and other traditional business segments. Security frameworks and technology controls are very lax in the AR/VR space to date, so these technologies will present tremendous risk to enterprises depending on when and how they are adopted.

Honorable mentions include penetration testing knowledge (to think like a hacker and more completely understand how technology used in the enterprise can be exploited) and software development skills to help automate parts of the audit process.

What risk scenario keeps you awake at night? How can it be addressed?

(Laughs.) I never let work keep me up at night and neither should anyone else! On a more serious and broad note, those potential security breaches that force the enterprise to close the doors and go out of business are worrisome. Obviously, those are usually the result of poor security controls and internal processes. Fortunately, we as audit and risk professionals are tasked with identifying and remediating these issues before they impact the enterprise.

What do you think are the most effective ways to address the skills and gender gaps in the technology workspace?

Audit and risk professionals on a personal level need to be a lot more self-motivated to seek out and broaden their skill sets. Employers should also help them get there with incentives such as predetermined merit increases for obtaining relevant certifications and time off during the work week or during elective periods to pursue professional education.

I think there needs to be more oversight of those offering certification and training as well. I have been obtaining certifications since 2009 across many exams and vendors. I can tell you, based on experience, that their approaches are generally all the same. As of 2019, certification is this “Wild West” scenario with IT certification training. Prices for study materials and the exam costs vary widely from vendor to vendor, and some certification training programs teach students to remember facts without providing any performance-based component that helps the student to develop needed technology or risk skills.

Regarding the technology gender gap, the question presupposes that there is a problem that needs to be addressed and corrected. I would say this is potentially misleading. The causes for men vs. women working in technology are debatable, but my thoughts here are that individuals, whether man or woman, naturally gravitate toward professions in which they initially have some interest. I suppose I do not understand the need to manufacture this interest in women to get them working in technology if the desire does not exist there naturally. The desire to dabble in technology could be explored and cultivated by parents, schools and/or after school programs that introduce technology to young women in a way that would make them more comfortable.

What was the most significant event or experience to date that has impacted the evolution of your career?

The more than four years I spent at GE Healthcare as an incident manager were the most profound in my career. That experience allowed me to understand IT operations, taught me patience, helped me develop deep technical analysis skills, strengthened my technical writing for non-technical audiences, and helped me develop the ability to thrive in high-pressure situations. It was the catalyst for every success that has followed for me since then.