With a Bachelor’s and Master’s in Computer Science, Clay did not originally train to be an auditor, but a software developer. After a few years of development work, Clay moved into system administration, networking and information security roles, both as a “doer” and a manager for consulting firms and Southeastern Oklahoma State University. His roles have been in software development, technical training, LAN and WAN operations, and IT management in both the private and public sector. This diverse background has made it easier for him to work with the administrators and managers he deals with daily. Audit is the natural culmination of decades of work in this field. For Clay, there’s nothing like the feeling of helping an organization to effectively manage risk while meeting its goals.
Staying current on technology is an enjoyable hobby and necessary part of the job for Clay. A former system administrator, now he works in his home lab to understand new technologies that clients and students are likely to encounter. No one ever seems to be happy to see the auditor walk in the door, but Clay sets out to make this a positive experience for his customers. He believes when done correctly, audit is a process that makes everyone better at doing their job. In his own words: “It’s very enjoyable to perform audits for clients who see the value of properly measuring and managing risk - and even better when you’re seen as one of the “good guys.”
Since becoming an independent auditor and consultant in 2003, the highlight of his career has been training interns and releasing them “into the wild.” Clay has been excited as his interns have graduated to jobs in software development, system administration, security, and in one case, emergency medical work. Doing his job right supports multiple enterprises becoming more secure and effective every day.
Clay was always the guy who volunteered to give presentations and teach classes at work. Having thoroughly enjoyed the SANS courses he took earlier in his career, when given the chance to author and teach for SANS, it didn’t require any thought. Clay was excited to jump in with both feet and his opinion is that SANS students are the most fun to teach of any group that he’s had the honor to instruct. While Clay has also taught the SEC22: Defending Web Applications Security Essentials course for SANS, he most enjoys teaching audit classes. The special blend of diverse enterprise technologies with important risk management and business topics keeps every day interesting. Having held a multitude of positions throughout his career, he’s done the work that is discussed in his AUD507 course. In many ways, his non-linear career path has ideally suited him to authoring and teaching AUD507, which covers auditing aa wide range of enterprise technologies.
When teaching, Clay tries to immerse students in the audit mindset and process. While it’s important to learn tools and techniques, he wants students to learn the skills and thought processes that allow them to positively impact the security and effectiveness of operations wherever they work – whether they are in management, security, operation or audit roles.
Learning how to identify and manage risk is important; learning how to communicate that risk to the organization is crucial. Students must learn to see multiple ways of identifying and solving problems for their organization, and then choose the one that is most effective for that situation and organization. Clay’s goal is for students to understand problems faced by administrators, management and organizations in trying to operate securely, so they can make appropriate observations and recommendations.
Many students show up for AUD507 thinking that it’s going to be five days of dry, boring talk about risk, controls, mitigation and other “audity” topics. While these topics are covered, many students find that their biggest challenge isn’t staying awake - it’s staying caught up on the wide range of technologies covered. Very few students come to class with expert-level knowledge of audit, cloud, containers, web technologies, Windows and Linux, so nearly everyone has at least one day where they must concentrate a little extra to keep up. Clay approaches the mix of technologies by presenting a broad range of information each day, from introductory to highly specialized tips on how best to measure risk around each topic. Students of every skill level walk out of class saying things like “I never knew you could do that,” or “I’m going to use that at work to solve a problem I’ve been having.” This is what Clay finds so rewarding about teaching audit courses.
Clay holds a Bachelor’s and Master's in Computer Science from Southeastern Oklahoma State University, as well as a number of technical and security certifications, including GPEN, GSNA, GCCC, GWEB, GWAPT, GSSP-.NET, CISA, CISM, and CISSP. Outside the IT audit world, Clay would rather be “unplugged”. You might find him out running, cycling, enjoying yard work, woodworking and tinkering around the house.
ADDITIONAL CONTRIBUTIONS BY CLAY RISENHOOVER:
Windows PowerShell for Auditors, Sept 2017