What are the responsibilities of a Security Auditor?
A Security Auditor keeps a close eye on the effectiveness and safety of computer systems in an organizations and any other related security protocols.
You will be tasked to do a security audit then present a detailed report on the effectiveness of the system. Your report will explain in detail any security issues and recommended changes to improve it.
A Security Auditor is a mid-level position, it will require you to take on the following tasks in an organization/company:
- Evaluate and inspect any information and financial systems, security controls and management procedures
- Administer and develop risk focused tests for installed IT systems
- Conduct and document your auditing process within computing environments and their applications
- Explain your audit results against the given criteria by management
- Report any findings through the auditing process in both verbal and written forms
- Work closely with senior management to make sure all security recommendations are working properly with the company procedures
- Lead, plan and execute security audits in your company
- Evaluate the effectiveness, compliance and efficiency of operation process with the security policies in your organization and government regulations
- Interview personnel within the company to establish new security complications and security risks
- Create a report on exposures that result from missing or ineffective control practices
- Compare the accuracy, perspective and relevance of conclusions against the audit evidence you produce
- Develop best practice recommendations and roll out improved security on all departments and levels
- Collaborate with different departments of your company to improve overall security compliance and then bolster their effectiveness
- Requires traveling
If you want to start a career as a Security Auditor, you will need to begin at an entry level job that deals with security issues. Some of these are as follows:
- Security Administrator
- System Administrator
- Network Administrator
From there on you can move to the following positions
If you want to move away from being a Security Auditor, you can choose to pick on a management role from the following:
IT Project Manager
Security Auditors are sometimes also known by the following names:
Information Security Auditor
Information Systems Auditor
A Security Auditor’s average salary is $64,163 per year. As a starter, you will earn anywhere from $47-$48K per year. As you move on, you can go as high as $100,186 per year (2016 figures)
A Security Auditor position is a technical position. This means that interest employers will be looking for candidates holding at least a bachelors or masters degree in Information Systems, Computer Science, Cyber Security or related field.
You can also take on a couple of professional certifications to boost your chances of getting hired. See recommended certifications below for more information.
Security Auditors are expected to have exposure to security related jobs for at least 3-6 years in general IT. Senior Auditors should have at least 5+ years of experience in auditing.
As a Security Auditor, oral and written communication skills are very important. Many of your employers will judge you on the ability to present reports from your audits. You will have to explain your reports both in written and verbal formats. You should also be ready to travel a lot because as a security auditor, you will often have to travel to different locations to collect data.
A Security Auditor is a technical field hence it requires you to have a good understanding of many technical skills. Some of the most important ones are as follows:
- ISO 27001/27002, COBIT and ITIL Frameworks
- ORACLE and MSSQL databases
- IDEA, ACL and similar software understanding for data analysis purposes
- Understanding of Firewall and intrusion detection/prevention protocols
- Practical knowledge of industry and regulatory security standards such as SOX, NIST, PCI etc
- Linux, UNIX and Windows operating systems
- Programming languages like C++, C, C#, JAVA, PHP
- Auditing and network defense tools like ArcSight, Niksun, Fidelis, BlueCoat, Websense etc
The most valuable certification for a Security Auditor is CISA. But you can also have a look at CISSP. Here are some of the most important certifications you should investigate:
CISM: Certified Information Security Manager
CISA: Certified Information Systems Auditor
CISSP: Certified Information Systems Security Professional
Latest posts by Jake Ciber (see all)
- Why Cybersecurity Professionals Need Certifications - December 9, 2018
- 4 Ways to Increase Security Across Your Business Devices - December 3, 2018
- Preventive Measures to Protect Your SMB from a Cyber Attack - November 23, 2018