Cybersecurity audits uncover vulnerabilities and gaps in corporate security policies and systems that hackers would otherwise inevitably exploit.
According to a 2013 article in InfoWorld magazine, more than 80 percent of known security vulnerabilities have patches available on the day they are announced. And a 2015 Verizon research report found that almost 97 percent of security breaches could have been prevented if a previously available patch had been applied to the system. An audit gives organizations the ability to correct their deficiencies before having to pay the price of a security breach.
Information security auditors are the people who make audits happen, either working for independent consulting firms that specialize in such services or for autonomous working groups inside their own company, keeping an objective eye on the information systems that serve as the lifeblood of the modern corporation.
Like their financial namesakes, IT auditors benefit from highly organized, even fastidious, minds. The ability to check off every last detail and follow each branch of the network down to the very end is the quality that makes them effective. Unlike their closely related counterparts, white hat hackers, auditors are not encouraged to get creative. Their bread and butter is the dry, coherent world of risk analysis and systems configuration. Flashy exploits of social engineering and uncovering unique zero-day vulnerabilities may make the headlines, but most information system compromises result from more prosaic errors: failure to upgrade operating systems, failure to apply patches to known security holes, basic configuration errors like failing to change default passwords or close factory-service accounts.
IT auditors are charged with the laborious but necessary role of going through information systems and double-checking all these soft spots and more.
IT Auditor Job Duties Rattle Every Doorknob
IT auditors often have broad license and a sweeping mandate to inspect nearly every aspect of a network. Although they are expected to work methodically, they are given considerable freedom to plan and execute audits. They can expect to have to outline their course of action and explain their rationale for inspecting various systems, tying their plan to potential vulnerabilities or extremely valuable targets.
Once they have designed a plan for auditing a system, the auditors go to work. They may observe staff in their day-to-day duties, accumulate data from logs and other sources, and scan networks for known vulnerabilities. Auditors often use automated software tools to detect common misconfigurations. These tools can include:
- Microsoft’s Baseline Security Analyzer tool
- Custom scripts built to assess policy and permission implementations on internal networks
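The following is an added example of the kind of custom audit script the list refers to; it is not code from the article or from any of the tools it names. It checks a constructed host inventory for the "prosaic errors" described earlier on the page: vendor default passwords left in place, factory service accounts still enabled, world-writable configuration files, and available patches that were never applied. The inventory format, the vendor default credentials, the account names and the patch identifiers (KB-0001 and so on) are all assumptions made up for the example.

```python
"""Configuration-baseline audit script (added example; not the article's own code).

It checks a constructed host inventory for common misconfigurations:
vendor default passwords left in place, factory/service accounts still enabled,
world-writable files, and available patches that were never applied.
"""
from dataclasses import dataclass
import hashlib
import stat

# Hypothetical vendor defaults the audit compares against (constructed values).
DEFAULT_CREDENTIALS = {"admin": "admin", "svc_backup": "backup123"}
# Hypothetical factory/service accounts that should be disabled after setup.
FACTORY_ACCOUNTS = {"svc_backup", "vendor_support"}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    password_sha256: str   # the constructed inventory stores an unsalted SHA-256 digest
    enabled: bool


@dataclass
class FileEntry:
    path: str
    mode: int              # POSIX permission bits, e.g. 0o666


@dataclass
class Host:
    hostname: str
    accounts: list
    files: list
    installed_patches: set
    available_patches: set


def audit_host(host: Host) -> list:
    """Return one finding dict per failed check, tagged with host and severity."""
    findings = []

    def add(severity, check, detail):
        findings.append({"host": host.hostname, "severity": severity,
                         "check": check, "detail": detail})

    for acct in host.accounts:
        default_pw = DEFAULT_CREDENTIALS.get(acct.name)
        # Compare digests rather than plaintext so the script never needs the
        # live password; a real check must use the system's own hashing scheme.
        if default_pw is not None and acct.password_sha256 == sha256_hex(default_pw):
            add("high", "default-password",
                f"account {acct.name!r} still uses the vendor default password")
        if acct.name in FACTORY_ACCOUNTS and acct.enabled:
            add("medium", "factory-account-enabled",
                f"factory account {acct.name!r} is still enabled")

    for entry in host.files:
        if entry.mode & stat.S_IWOTH:
            add("medium", "world-writable-file",
                f"{entry.path} has mode {oct(entry.mode)}")

    for patch in sorted(host.available_patches - host.installed_patches):
        add("high", "missing-patch", f"patch {patch} is available but not installed")

    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity for the report's executive summary."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed sample host with one instance of each error class and one clean item per check.
SAMPLE_HOST = Host(
    hostname="fileserver-01.example.internal",
    accounts=[
        Account("admin", sha256_hex("admin"), enabled=True),            # default password
        Account("svc_backup", sha256_hex("Str0ng!pass"), enabled=True),  # factory account left on
        Account("alice", sha256_hex("correct horse"), enabled=True),    # clean
    ],
    files=[
        FileEntry("/etc/app/config.ini", 0o666),  # world-writable
        FileEntry("/etc/app/secret.key", 0o600),  # fine
    ],
    installed_patches={"KB-0001", "KB-0002"},
    available_patches={"KB-0001", "KB-0002", "KB-0003"},
)

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_HOST):
        print(f"[{finding['severity']}] {finding['check']}: {finding['detail']}")
    print(summarize(audit_host(SAMPLE_HOST)))
```

Each finding carries the host, a severity and a machine-readable check name so the output can be rolled straight into the written report and tracked during the follow-up work with the IT department. Against the sample host the script reports four findings: two high (default password, missing patch) and two medium (enabled factory account, world-writable file).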
Auditors are expected to write up their findings, conclusions, and recommendations in coherent reports. They must be able to communicate clearly and respond to questions about their conclusions and process, sometimes with high-level corporate executives. Subsequent to issuing reports, auditors may sometimes continue to work with IT departments to follow up on making changes recommended in those reports.
Auditors are also expected to understand and evaluate risk. This requires that they be informed about the latest and most common developments in information security threats. They may stay up to date through open-source resources like the Internet Storm Center, CERT, or the OWASP (Open Web Application Security Project) Top 10 list. Alternatively, some organizations may provide access to private intelligence resources, particularly governmental agencies.
Some auditors specialize in code auditing, looking at the source code for applications to find possible vulnerabilities introduced by poor programming practices. These auditors will spend much of their time using language-specific code-auditing tools such as:
Unlike other auditors, most code auditors spend their time evaluating programs that have not yet been released. They work closely with development and deployment teams to close potential security holes before software is published.
IT Auditor Job Qualifications: The Certifications and Degrees Employers Look For
IT auditors are, in many ways, generalists who are expected to know at least a little bit about a lot of varied aspects of information systems. Candidates for the position often come from system administration or general-duty cybersecurity roles in security analysis or information security engineering. Prior experience with LAN (Local Area Network), WAN (Wide Area Network), WLAN (Wireless Local Area Network), and database or application management can all be valuable in an auditing role.
Many IT auditor positions require a four-year degree, and often prefer candidates with a graduate degree. Although acquiring a bachelor’s in information systems or information security before going on to study cybersecurity at the graduate level is the prescribed path, auditors can also make their way into the field with degrees in finance or accounting.
When looking for a university at which to acquire a cybersecurity degree, it’s important to look for one that has been designated as a Center of Academic Excellence in Cyber Defense (CAE-CD):
- Center of Academic Excellence in Cyber Defense Education (CAE-CDE) for schools offering four-year and graduate degrees
- Center of Academic Excellence in Cyber Defense Two-Year Education (CAE-2Y) for community colleges offering two-year degrees
- Center of Academic Excellence in Cyber Defense Research (CAE-R) for research institutes
The CAE program was established jointly by the Department of Homeland Security and the National Security Agency to find and highlight universities with cybersecurity programs meeting the highest standards of the field.
Candidates for IT auditing positions benefit greatly from one or more of a number of specialized certifications designed to prepare them for those positions. These include:
- Certified Information Systems Auditor (CISA)
- Cybersecurity Forensic Analyst Certification (CSFA)
- Certified ISO/IEC 27001 Lead Auditor
- Certified Ethical Hacker (CEH)
More general technology certifications that are also often required for auditor positions include:
- Certified Information Systems Security Professional (CISSP)
- Cisco Certified Internetwork Expert (CCIE)
- CompTIA Network+
Although they are not specifically technology-oriented, Certified Public Accountant (CPA) and Certified Internal Auditor (CIA) credentials are also viewed favorably by hiring managers.
Auditors may also need to know how to implement the ITIL and COBIT IT practice frameworks.
Some auditing roles deal specifically with checking and assessing program source code. Candidates for these roles will be expected to have a great deal of experience—five to seven years or more—in programming before moving into code auditing. They are expected to be expert programmers with deep knowledge of operating system internals, programming best practices, and usually advanced skills in a specific programming language.