The Network: Walt Blackwood

Author: ISACA
Date Published: 1 November 2019

Walt Blackwood, Colonel, US Army Reserve (ret.), CISA
Is a managing director in the Internal Audit Division Information Technology (IT) Audit Team at TIAA, a Fortune 100 diversified financial services organization. Since joining TIAA in 2014, he has been a leader on a team of IT Audit professionals located throughout the United States and Mumbai, India, and led global reviews of all aspects of IT including cybersecurity, technology infrastructure, application, US Sarbanes-Oxley Act (SOX) IT general control, and business-integrated audits. He has also led advisory reviews of significant IT and strategic business acquisitions and implementations. Blackwood has an IT, data analytics and operations background in internal audit and operational risk with a number of Fortune 100 and professional services consulting firms. He is a retired colonel in the US Army Reserves with an extensive background in deployed logistics operations and leadership training. During his 30-year military career, he served in numerous leadership positions and locations. He currently volunteers as a North Carolina Field Force admissions liaison officer for the US Military Academy at West Point.

What is the biggest security challenge that will be faced in 2020? How should it be addressed?

Protecting sensitive data and preventing data breaches. Addressing it starts with ensuring organizations have strong, clearly defined IT and data governance standards that identify the required controls to store, protect, and securely transmit data, and requiring the same control expectations from vendors.

What are your three goals for 2020?

  • Continue to focus on skill development opportunities for the team, particularly on emerging technologies, intelligent automation, continuous integration tools, and approaches to auditing development operations
  • Expand our team’s leader involvement in industry roundtables and professional learning forums
  • Work to further improve our integrated auditing approach and data analytics expanded testing initiatives

What industry-related sources (e.g., blogs, newsfeeds) do you read on a regular basis?

Articles on IT risk and assurance identified by the Big Four consulting firms, The Wall Street Journal, Federal Financial Institutions Examination Council (FFIEC) notifications, the ISACA Journal, Internal Auditor Magazine, and Verizon’s (annual) Data Breach Investigations Report.

How do you keep your own information safe? That is, what do you do to protect your own data privacy?

Vault my personal passwords, shred mail with personal information, conscientiously manage my social media presence, leverage my financial institutions' fraud monitoring controls, and continuously review financial transactions on accounts for any irregularities.

What is your number-one piece of advice for other audit, risk and assurance professionals as they build their careers?

Find a mentor who you trust who knows the “real” you and will provide you balanced guidance. Having a voice in the room other than your own when you feel you are at an important professional crossroad is essential.

What do you do when you are not at work?

Personal fitness (e.g., jogging with my dog, yoga), yard work and gardening with my wife, travel, and spending time with my grown children. My youngest son plays Division I rugby at West Point, so we enjoy attending those games.

What is it that drew you to the audit, risk and assurance profession? What keeps you in the profession?

In 1997, I was transitioning out of active duty (US Army) and needed to find a career that could leverage my abilities that included a degree in computer science, 10 years of project management and leadership experience, and an interest in financial services firms. Through a junior military officer recruiting firm, I was able to land a role as an IT audit associate at Prudential in Newark, New Jersey, USA. This opportunity and a successive role as a senior and later a manager in public accounting gave me work experiences that aligned with my values and work ethic. I felt in small ways I was always contributing to beneficial differences in the organizations for which I worked. Over time, I came to realize these risk management skills were also helping me to be successful in project management positions in IT and operations.

At this point in my career, I continue to remain in the profession because of the people I work with and for; risk and assurance roles to be done well require talented professionals. The best part of my job is being able to leverage my historical experiences and provide team members guidance, professional development opportunities and mentoring in helping them meet their career goals. Holistically, this also helps build a professional team that supports the governance over the IT control structure at TIAA.

How do you think the profession has changed and evolved? How have those changes impacted the audit and risk professional?

Due to the speed of implementing technology changes and increased expectations from regulators and corporate boards, assurance and risk professionals must be continually learning and growing as professionals. While consulting always has had an accelerated cadence, IT audit and IT risk inside enterprises traditionally had more manageable cadences and delivery expectations. Since the financial crisis and the acceleration of technology initiatives, IT assurance and risk professionals inside an enterprise have been challenged to raise the bar and meet elevated expectations.

What skills will be most important for audit, risk and assurance professionals to develop in the coming years, decade?

Something that can be gleaned thematically from me is that to be a professional now and in the future, I strongly believe practitioners must be professionally engaged with peers and industry forums outside of their organizations.

The pace of technology change is too great to do otherwise and remain competent at a job. Practitioners should embrace opportunities to learn from other organizations and peer professional experiences and share their own. Technology and the uses of technology will continue to expand and change beyond any individual experiences within an organization. Reading and staying abreast of the current trends remains important, but professionals who will truly distinguish themselves will be those who have the ability to stay connected with a variety of risk experts whom they can reach out to dynamically to enlist their assistance in problem solving and gain authentic, applicable first-person perspectives.

What do you think are the most effective ways to address the skills and gender gaps in the technology workspace?

It starts with performing an honest self-assessment of where the organization is, setting skill development goals, and developing diversity and inclusion objectives. In skill development, funding and rewarding the acquisition of a baseline professional certification sets the expectation. For example, in IT audit, it is important to obtain the Certified Information Systems Auditor (CISA) certification as an initial goal. Team leadership needs to leverage personal development plans to include a diverse range of professional experiences and targeted professional development objectives. Team members need to have a voice in the process to take ownership of personal competency and management needs to allocate resources and assist each employee in achieving those development goals.

Gender and other diversity gaps also need to be recognized by management in order to be kept in mind when generating a diverse hiring pool of candidates for open positions and when determining candidates to be considered for next-level leadership. Management has to be committed in actions and deeds—we have to walk the talk.

What do you see as the biggest risk factors being addressed effectively by audit, risk and assurance professionals?

As organizations seek to leverage new technologies and outsource cost-managed IT solutions, it is important for risk professionals to continue to embrace professional skepticism and be that voice in the room that provides credible challenge to accepted practices that may not mitigate risk associated with new technologies and new ways of doing business. Efficiency can equate to better ways of doing business, but it can also lead to elimination of key controls that may need to remain or be adapted. Audit, risk and assurance professionals will still need to ask the “What could go wrong?” questions and remain committed to ensuring that risk and controls are recognized and implemented, respectively, to meet regulatory expectations, protect customer data and business transactions, ensure the availability of a continuously stable business processing environment, and uphold the reputation of the organization.

What was the most significant event or experience to date that has impacted the evolution of your career?

Working in downtown New York City for Goldman Sachs on 9/11 was personally significant; however, experiencing the Great Recession/financial crisis a number of years later in a failed financial institution impacted me the most professionally. In late September 2008, I had returned from a year of being deployed in Iraq and started a new role at Wachovia in operational risk the same week it was announced that Citigroup would be acquiring the bank. Within a week’s time, the acquirer switched to Wells Fargo. As I came to learn, the role I was in was being phased out. I focused on finding another position in the organization in the midst of a series of hiring freezes and significant competition (e.g., 100 employees applying for the same role). Eventually, I embarked on a two-and-a-half-year journey as an IT senior project manager and participated in the largest bank integration, as of that time, in the midst of the most significant financial crisis experienced since the Great Depression.

I was performing roles that I had historically audited—software development, testing, data conversion, software and hardware implementations, production support, supplier management, etc.—which provided me a hands-on appreciation for the importance of making informed risk-based decisions, gaining stakeholder buy-in and approval on those decisions, collaborating horizontally with professionals across the three lines of defense, and taking ownership and accountability for less than successful results.