The Short Version
A Security Auditor probes the safety and effectiveness of computer systems and their related security components.
After conducting a security audit, you will issue a detailed report that outlines the effectiveness of the system, explains any security issues and suggests changes and improvements.
Security Auditor Responsibilities
In this mid-level role, you may be required to:
Plan, execute and lead security audits across an organization
Inspect and evaluate financial and information systems, management procedures and security controls
Evaluate the efficiency, effectiveness and compliance of operation processes with corporate security policies and related government regulations
Develop and administer risk-focused exams for IT systems
Review or interview personnel to establish security risks and complications
Execute and properly document the audit process on a variety of computing environments and computer applications
Assess the exposures resulting from ineffective or missing control practices
Accurately interpret audit results against defined criteria
Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
Provide a written and verbal report of audit findings
Develop rigorous “best practice” recommendations to improve security on all levels
Work with management to ensure security recommendations comply with company procedure
Collaborate with departments to improve security compliance, manage risk and bolster effectiveness
Some Security Auditors work as independent consultants; others are integral members of IT security teams. Senior Security Auditors, like Senior Security Architects, may answer to C-level executives.
Security Auditor Career Paths
Just starting out on your career path? Consider an entry-level job that will give you some exposure to security issues. For example:
On the rung above this level are dedicated IT security positions such as:
Some auditors choose to stay forever in the world of technical testing. But if you’re interested in shifting to management, you could investigate:
IT Project Manager
Security Auditors are known by a variety of names. Some of them (like IT Auditor) may have testing tasks that are unrelated to security.
Information Security Auditor
Information Systems Auditor
Security Auditor Salaries
According to Payscale, the median salary for an IT Auditor is $67,278 (2014 figures). Overall, you can expect to take home a total pay of $46,027 – $102,274. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Security Auditor Job Requirements
Since this is a technical position, hiring agencies and employers will want to see a bachelor’s degree and/or a master’s degree in Computer Science, Information Systems, Cyber Security or a related technical field.
You can burnish your résumé with further training and professional certifications.
Many security auditors have little dedicated security experience, but have done lots of work in IT. Broadly speaking, Security Auditors are expected to have around 3-6 years of experience in general IT. Senior Security Auditors often have 5+ years of auditing experience.
Wherever and whenever you can, gain experience in auditing computer applications and information systems of varying complexity. Employers may also specify a working knowledge of:
Regulatory and industry data security standards (e.g. FFIEC, HIPAA, PCI, NERC, SOX, NIST, EU/Safe Harbor and GLBA)
ISO 27001/27002, ITIL and COBIT frameworks
Windows, UNIX and Linux operating systems
MSSQL and ORACLE databases
C, C++, C#, Java and/or PHP programming languages
ACL, IDEA and/or similar software programs for data analysis
Fidelis, ArcSight, Niksun, Websense, ProofPoint, BlueCoat and/or similar auditing and network defense tools
Firewall and intrusion detection/prevention protocols
Brush up on your oral and written communication skills – a Security Auditor is often judged by the clarity and thoroughness of his/her reports. Employers will also be looking for candidates who aren’t afraid of travel. Auditors frequently have to visit a wide variety of sites to gather data.
Certifications For Security Auditors
When it comes to auditing accreditations, the most valuable certification may be the CISA. We would also suggest looking into the CISSP. Both appear frequently in job requirements.
CISA: Certified Information Systems Auditor
CISM: Certified Information Security Manager
CISSP: Certified Information Systems Security Professional