How to become an information security (IS) auditor
Being a security auditor means working with companies while conducting audits of security systems relating to the IT infrastructure. The work can be difficult, as it is based in information security and compliance; it ordinarily requires that the candidate has experience in IT administration and information security as a starting point. (This is not always the case for compliance auditors.)
The information security audits performed are used for creating in-depth reports that reveal details about the current state of the organization’s security stance, how things can be improved and how things are running in general. This is helpful because planners and decision-makers need to know how efficiently the IT systems are running and whether the current security precautions that are in place can be improved upon to ensure better operational capacity and performance within the organization, as well as the overall integrity of the information systems that serve the company.
There are multiple ways to become an information security auditor. Some people start out in entry-level IT positions such as system technicians, system administrators, and so on. They then work their way into information security, and from there it is possible to transition into risk management and auditing if they possess the required skills and abilities. Examples of entry-level positions that could lead you into information security are positions like a system administrator, network administrator or security administrator.
These positions require that candidates deal with both technical and administrative issues. Most system admins will process new employees, grant and revoke access and perform rights management for resource-based access to the network. These are good foundations to build on and can help to point you in the right direction if you are chasing a career in information security auditing.
In rare cases, candidates can find themselves in an audit internship, but it is more practical to come into the auditing field with some technical skills from the information technology and information security areas of expertise.
As with most information security roles, the skills that are required for the individual to be successful are more than just theoretical knowledge. The candidate needs to possess a mixture of technical and soft skills in order to allow them to successfully carry out the tasks that are required of them at this level. Below are some examples of skills a candidate should possess if they are considering a career in information security auditing.
IT systems knowledge such as networking, operating systems and licensing are useful for conducting a security audit. Experience with user and system administration is also necessary if the audit work that is required means that auditors will need access to servers to check compliance and other audit-related information.
Strong communication skills, both written and verbal are necessary if candidates are going to be successful in this line of work. Confidence and assertiveness are important, combined with a proactive approach to work which will ensure that potential auditors are able to ask for relevant information when it is needed and that they can take the initiative and dig deeper when necessary. Some audits will require communication with the executive members of a company, so proper speaking and writing skills are a big advantage.
Getting certified to become an information security auditor requires that candidates have at least a bachelor’s degree in computer science or equivalent, as well as more specialized information security certifications such as the Certified Information Systems Auditor (CISA).
What makes this line of work a little more challenging is the fact that most employers require candidates to be certified prior to joining the organization, which is different to some IT career paths that allow candidates to work while they earn their certification. If candidates are looking to work in the compliance auditing side of information security, then technical knowledge is far less of a requirement, as these audits check compliance.
From there, most candidates specialize in the security aspects of IT as an analyst, consultant or engineer, and will earn their CISM, CISSP or similar qualifications.
Job Function Overview
Information security auditors do not actually fix any of the problems that they uncover during the course of an audit. Instead, the give a qualified opinion about the current state of systems within an organization and compile all of their findings in a comprehensive report. The information in the report is then acted on by the cybersecurity teams that are responsible for maintaining the systems within the audited department or company.
There are many aspects of IT that information security auditors need to be aware of, but there are many other job responsibilities that need to be taken care of at the same time. These include:
- Willingness to travel
- Security audit involvement from start to finish, including the execution and completion of auditing tasks
- All aspects of business operations need to be audited, from IT and financial systems to managerial functions and security procedures
- Risk assessments and procedures must be assessed, evaluated. These must be changed and reworked where shortcomings are detected, and new procedures must be created where none currently exist
- Communicate with employees, stakeholders, executives and owners to establish current behavior and adherence to security policies
- Once gaps in security are found, simulations and tests must be conducted to establish what extent these shortcomings expose the operation to risk
- Document the process and methodologies used in the audit so that the results can be independently recreated and verified if necessary
- Make sure that the audit activities adhere to the audit scope. Results must align with audit objectives
- Audit conclusions must fit the original audit criteria
- Report creation and interpretation, including presentations to all relevant stakeholders
- Interdepartmental collaboration to ensure compliance and adherence to security recommendations
Becoming an information security auditor requires a lot of organizational skills and a high level of attention to detail. The way that audits are carried out requires meticulous planning and documentation, as well as thorough and comprehensive investigation.
Information security auditing is not a line of work where shortcuts can be taken, as the security and integrity of an entire business entity rely on these types of audits to ensure safety and compliance. If you are an organized and patient person that pays attention to detail, then this could be the career path for you.
InfoSec Institute offers a unique CISA Boot Camp to help you get there, with instructor led material that will help you to get certified and work towards landing that dream information security auditing job.
- Top 5 Traits of Successful Audit and Compliance Professionals, Careers in Audit
- Learn How to Become a Security Auditor, Cyber Security Education