Interested in learning how to become a cyber security auditor? Read on to learn everything you need to get your auditing career started.
What Is a Cyber Security Auditor?
A cyber security auditor assesses an organization’s information security program from a top-down perspective to ensure compliance with a specified cyber security framework.
What Does a Cyber Security Auditor Do?
The auditor will analyze the presence of an enterprise’s data and information to determine if it is protected appropriately by:
1) Assessing whether the organization has proper controls in place to regulate data access
2) Determining if those controls are appropriate based on its policies and procedures
3) Ensuring that the controls being implemented to protect their data and assets are effective
4) If weaknesses are found, the auditor will make recommendations regarding what corrective actions should be taken, normally involving documenting processes and procedures, additional training for employees or upgrades to hardware or software.
Information Systems Auditor vs Information Security Auditor
It’s important to understand that the two job titles are not interchangeable. In general, there are many similarities between the two roles: both positions involve auditing computer systems for the purpose of ensuring accuracy and reducing risk. However, the key difference is the nature of their roles:
Information Systems Auditor (aka IT Auditor)
During an information systems audit, the auditor is concerned with the efficiency of the company’s information systems.
Information Security Auditor
During IT security auditing, the auditor is concerned with the security of the company’s information systems and not its efficiency.
Internal Security Auditor vs External Security Auditor
There are two types of security auditors, external and internal. Let’s look at both:
External Security Auditor
An external auditor is a third-party agent whose purpose is to validate a company’s compliance with a government or regulatory requirement.
Internal Security Auditor
An internal auditor is an employee or third-party consultant hired to perform audit functions that help the organization maintain compliance and prepare for an external audit.
For example, if a company wants to be ISO 27001 certified, they may hire an internal auditor to identify deficiencies in their IT policies, procedures, and controls, who then works with the company to bring them into compliance. The external auditor would then validate that the company has made the necessary adjustments to their information system practices to meet the requirements of ISO 27001 certification.
Compliance Standards for Security Auditors
When your company decides upon a cyber security framework, they might be required by law to follow a specific framework. For instance, medical facilities are required by law to follow the Health Insurance Portability and Accountability Act (HIPAA) dictating how personally identifiable information should be maintained by the healthcare industry.
While there are many frameworks or laws that a company may follow, some of the more common ones are:
As an auditor in the US, you’ll find that these four frameworks are worth learning. To make it easier, you’ll find some overlap between them.
Information Security Auditor Job Description
While information security auditor responsibilities will often vary from role to role, the following describes your daily activities in four steps:
Security Assessment Plan Preparation
Prior to conducting an audit, the auditor must prepare for the assessment. You’ll need to be familiar with the organization’s operation and structure as well as the key stakeholders involved in the audit. Additionally, you’ll need to work with executive teams to determine the objective, scope, and length of the assessment. Be prepared to gather all the necessary documentation, status of operations, and other facts required to consider as part of the assessment.
Security Assessment Plan Development
During the development of a security assessment plan, the auditor will determine what security controls are to be included as part of the audit. The procedures for the assessment are selected and tailored to the environment, even if that means developing new procedures. Assessment procedures are then optimized and finalized with organizational approval.
The assessment plan will include any vulnerabilities or security gaps that you’ve identified, measures to mitigate those vulnerabilities and gaps, as well as reporting procedures.
Security Assessment Plan Performance
After the plan’s development, you’ll begin auditing the system for the controls identified as part of the assessment plan. This includes documenting the effectiveness of each control and any deficiencies found.
Security Assessment Performance Review
During the review period, the findings of the assessment report are reviewed. At this time, auditors will collaborate with the executive team to understand and formally plan for methods to address deficiencies and manage the organization’s risk. As needed, the auditor may be required to run through multiple iterations of these four steps.
While the above four steps were sampled from NIST, these steps are common to any IT security job description.
Auditing Tools for Information Security
There are multiple cyber security audit and compliance tools that are used to provide reports for your audit. Each tool serves a specific purpose within the information system. Here are the common tools used by security auditors:
Code Scanning Tools scan for broken or low-quality coding issues that may cause vulnerabilities to arise.
Network Scanning Tools scan the network for vulnerabilities as well as network traffic for possible security threats.
Vulnerability Scanning Tools check the system for any potential points of unauthorized access that could allow a security breach.
SIEM Tools integrate multiple security tools and are able to correlate security events to alert users to real-time threats.
Though you’re not required to know how to use these tools, you do need to understand how to interpret the reports generated from such tools.
Cyber Security Auditor Skills
Let’s break down the skills needed for a cyber security auditor job into several categories.
While evaluating the company’s security posture, you’ll be working with multiple personnel, some of whom are used to doing things a different way. Unfortunately, your role is somewhat intrusive in nature, which may not be appreciated by all those involved. As a result, having empathy is essential in your role, especially toward those with limited resources or little knowledge of your area of expertise.
Being technically savvy is part of the job. Information security is highly technical in nature, so you’ll need a deep understanding of how information systems operate as well as a solid understanding of how to interpret security audit tools.
A keen eye for detail and an inquisitive mind are vital when performing your role as an auditor. You’ll be required to gather and analyze information from various sources such as information systems; security documentation; personnel interviews; and security procedures, processes, and controls to understand where deficiencies are present.
Expect to present your findings to leadership regardless of the outcome. The ability to present usually requires a bit of finesse; you’ll be speaking to personnel that may not understand the technical language or might have difficulty in accepting your findings.
Conducting an audit takes a few weeks to several months. Leadership teams will expect you to provide them with continuous status updates. During that time, you’ll have an enormous amount of information to gather and process.
Cyber Security Auditor Salary
Based on the average “information security auditor” salary for the first three websites listed below, expect to earn an average of $108k/year.
Salary.com: Salary range falls between $100k to $142k and averages $114k
ZipRecruiter: Salary range falls between $63k to $124k and averages $93k
Glassdoor: Salary range falls between $78k to $194k and averages $117k
PayScale: Salary range falls between $55k to $103k and averages $72k (for IT Auditor)
How to Become a Cyber Security Auditor?
If you’re truly interested in learning how to become an information security auditor, one of the best methods to get a job is to gain experience first. Even if you don’t have a degree or any other certification, experience is an absolute must!
And, while you might get lucky and obtain a junior or associate level cyber security auditing position, you’ll always be second best to someone who already has a background in IT auditing. If you’re having trouble finding a role, look below at an alternative step to becoming a security auditor.
IT Security Auditor Career Path
Apply for an IT Audit Role
If you can’t find a job as an information security auditor, then don’t waste too much time. The next best method, as counterintuitive as it may seem, is to find a job working in IT auditing, not information security.
Is IT audit a good career? Yes, as an IT auditor, you’ll gain enough experience to pick up some security knowledge along the way. As an added benefit, there are more job opportunities in IT auditing than in IS auditing. For example, a quick search of Indeed showed approximately 750 jobs for “Information Systems Auditor -security” vs ~100 jobs available for “Information Security Auditor”.
Get Your Security+ Certification
Before you even think about moving into information security, you’ll need your very first certification, the CompTIA Security+. The good thing about this certification is that it doesn’t require any experience and immediately gives you some infosec credibility.
Become a Certified Cyber Security Auditor
Once you’ve had sufficient experience as an IT auditor and have passed the Security+ exam, you’ll want to make the move into information security and audit. It’s at this point you’ll want to consider taking one of the following certifications to appear more serious about your auditing career:
Information Security Audit Training
Though it’s not required, you might want to take a security audit course if you’re having trouble getting certified. There you’ll be trained to understand the security aspect of auditing, which may or may not be associated with any certification program. Here are a few programs to get you started in the right direction:
Regardless of your choice, as always, I recommend going with an officially authorized information security auditor training program if your goal is to pass a certification exam; otherwise, find a program that’s been certified by an accredited body. You’ll find a list of accreditation bodies by country, along with the certification body, listed here:
Apply for Security-Focused IT Audit Roles
If at this point you’re still having trouble obtaining infosec auditing roles, start by moving into IT auditing roles that have some focus on security. By doing this, you get to work with a mix of responsibilities. Then, if you feel successful in the job, you’re only a step away from getting a full information security auditing role!