The security industry is among the fastest-growing industries of the past 25 years. It is an environment that has expanded in unanticipated ways in response to changes in the global landscape. This billion-dollar growth industry meets a variety of needs for a variety of organizations, groups and individuals, and changes are constantly occurring, which means that professionals in this industry must continually add to their knowledge and skills to remain current. As the industry has grown, individual roles have become more clearly defined. Positions and job titles unknown 25 years ago are now common. Oversight and evaluation positions require specific skills and abilities to keep all facets of security in focus and harmony for an organization. Enter the Security Auditor.
The Security Auditor provides feedback to an organization about the integrity and effectiveness of its entire security program. The Security Auditor designs, implements and evaluates the various security systems in order to produce a detailed, comprehensive report that demonstrates the effectiveness of the organization’s suite of security programs and policies. This valuable feedback allows the organization to make changes and improvements to its security protocols.
Foundations – Education
This highly technical role requires an extensive background in computer technology, information technology and systems, mathematics and security-related studies (e.g. cyber-security). A Master’s Degree in Computer Science, Information Systems or Cyber Security is very desirable, although any gaps in educational background can be covered through industry-related certifications. The role of Security Auditor is not entry-level, so the educational requirements parallel those of many other security-related fields.
Foundations – Experience and Certifications
Because the role of Security Auditor is not entry-level, an employer will typically require 5 years of auditing experience over and above 5+ years of Information Technology (IT) experience. Network administration, cryptography and cyber-security work show well on the resume of a Security Auditor. The role encompasses many facets of security, so the successful Security Auditor will have specific, hands-on experience in as many elements of security as possible.
To supplement the educational requirements of the position, there are recommended certifications available. There are several options; recommended accredited certificate programs include (but are not limited to):
ISACA (Information Systems Audit and Control Association):
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
ISC2 (International Information Systems Security Certification Consortium, Inc.):
Certified Information Systems Security Professional (CISSP)
Foundations – Continuing Education
Due to the constant change associated with the security industry, continuing education is vital for the long-term success of the Security Auditor. Information travels at light speed and hackers work around the clock to defeat the security systems of an organization. It is imperative that one stay informed of technology advancement through trade publications, news, blogs and organizational affiliations; continuing education programs, classroom training and field exercises are critical to staying current (and effective) in the industry. It is also vital to recognize advances in threat approaches, attack vectors and the technology used to defeat (or circumvent) security protocols and systems. Certifications are subject to periodic renewal, which keeps the successful Security Auditor informed of changes, updates and enhancements to security protocols and systems. Many certificate programs have an annual component of follow-up courses (continuing education) and a three-year expiration. While maintaining current certification may be a requirement, it is best practice to keep current on advancements and trends regardless.
Employment Opportunities – Job Titles
The Security Auditor role is an upper-level position; there are several job titles and roles that will point the candidate in the proper direction toward that goal. Some entry-level examples are:
Mid-level positions to seek include the following (not an exhaustive list):
Other job titles that encompass the role and duties of the Security Auditor position include the following, although there could be elements beyond technical testing involved:
Information Security Auditor
Information Systems Auditor
While a Security Auditor is a technical, “task-related” position, there are management and leadership opportunities to consider, including (but not limited to):
IT Project Manager
Chief Information Security Officer
Employment Opportunities – Job Duties, General
The role and duties of the Security Auditor are varied. There are opportunities to work independently or on a team, to evaluate integrated and stand-alone security systems, and to review recommended policies and procedures for risk evaluation (and mitigation). The role could involve working with HR to review individual staff members for security risks or complications within the organization. The overarching duty of the Security Auditor is to confirm the integrity of an organization’s suite of security programs, policies and protocols.
On any given day, a Security Auditor may be tasked with any of the following:
Design, implement and oversee audits of systems, policies or protocols
Evaluate information systems and security controls
Determine the effectiveness, efficiency and compliance of a specific process against organizational policies and legal regulations
Create risk evaluation models and examinations for specific networks and systems
Conduct personnel interviews to establish security vulnerabilities and risks
Review all audit processes within an organization for effectiveness and compliance
Determine vulnerabilities related to security gaps or ineffective practices
Confirm all conclusions and recommendations drawn from audit report data
Prepare accurate, detailed reports that clearly define and explain audit review findings
Develop recommendations for policy changes and best practices to ensure the strength of the organization’s suite of security programs, policies and protocols
Present comprehensive audit reports to organization leadership and make appropriate recommendations for enhancement, upgrade and maintenance
Coordinate with leadership and management to ensure compliance with company procedures and regulations
Collaborate with all internal teams, groups and departments to ensure compliance with all security policies and protocols, manage risk and maximize effectiveness of security systems within the organization
Be prepared to travel
Security Auditors can work on a consultant basis as well as in staff positions (typically within the IT department).
Employment Opportunities – Job Duties, “Hard” Skills
There are specific, non-negotiable skills a Security Auditor must possess. These include (but are not limited to):
Expertise in regulatory and industry data security standards (e.g. FFIEC, HIPAA, PCI, NERC, SOX, NIST, EU/Safe Harbor and/or GLBA)
ISO 27001/27002, ITIL and COBIT frameworks
Windows, UNIX and Linux operating systems
MSSQL and ORACLE databases
C, C++, C#, Java and/or PHP languages
ACL, IDEA and/or similar data analysis programs
Fidelis, ArcSight, Niksun, Websense, ProofPoint, BlueCoat and/or similar audit tools
Firewall and intrusion detection/prevention systems and protocols
Employment Opportunities – Job Duties, “Soft” Skills
Additionally, there are other, more universal skills required for excellence in the field:
Oral and written communication skills
Integrity, trustworthiness, strong ethics and good judgment
The role of the Security Auditor encompasses both the technical side of auditing and the interactive side of presenting conclusions and recommendations. The successful candidate will break free from the stereotype of the computer nerd with no social skills to be both a discerning data-digger and an engaging speaker.
Employment Opportunities – Job Duties, Private Sector
Opportunities are available in various organizations, large and small, business and non-profit, civil and retail. Nearly all businesses need security for their data, information and networks, regardless of their size or function. This places significant responsibility on the Security Auditor, as there are risks and threats to consider, regulatory measures to keep in view and the integration of existing networks to review.
Whether working for a large financial institution, a law firm or a local retailer, the duties of the Security Auditor will be remarkably similar in scope (although not task): ensure the integrity of defense systems for data, information and networks.
Employment Opportunities – Job Duties, Public Sector
The National Security Agency (NSA) is considered to be “security central” when it comes to domestic security of all stripes. Protection of data is critical within governmental agencies, the military and federal law enforcement teams, and the defense of data, information and networks must be strong. Security Auditors provide valuable feedback from testing and evaluation to ensure that security programs, policies and protocols are at their peak of effectiveness. The role is vital to ensuring the security of all citizens and protecting the country’s assets from harm.
Similarly, all branches of the military require data and information security comparable to that of the NSA, with the additional weight of national defense. Troop/personnel orders, statistics and locations must be guarded from unauthorized individuals and organizations to maintain a strong national defense.
The Department of Homeland Security is another massive agency that requires the testing and validation of security systems, policies and protocols. There are numerous opportunities within the public sector for the skilled Security Auditor; fortunately, there are many entry-level positions available to get into the organization and work up to the level of Auditor.
The Security Auditor’s role is uniquely challenging, as they must stay ahead of the ‘enemy’ to maintain the security of information and data. Because the nature of the business is so complex and changeable, the Security Auditor is always learning and growing in knowledge. This is a role with universal application and a never-ending learning curve!