How to Become a Security Auditor
[+ Career & Salary Guide]
Just as companies have historically hired financial auditors to ensure that their financial records and processes are “ship shape,” the rapid transition to digital everything has resulted in tremendous need for skilled cybersecurity auditors — professionals who are tasked with auditing and inspecting the computer systems, networks, processes and practices that nearly all organizations use to do business today.
With widespread cybercrime fueling a cybersecurity employment boom marked by high demand for skilled professionals, six-figure salaries and zero percent unemployment, one key role that companies are hiring for both internally and externally is cybersecurity auditor.
Many major companies now hire a third-party cybersecurity auditor to conduct independent reviews, with a heavy emphasis on fully understanding, managing and limiting potential cybersecurity risk. Some also build aspects of the cybersecurity auditing function into in-house roles. Like many positions within the wide-ranging, fast-growing field of cybersecurity, the responsibilities of the cybersecurity auditor can vary greatly depending on the organization and its specific needs.
What Is a Cybersecurity Auditor?
Cybersecurity auditors work with companies and organizations to provide comprehensive audits of online security systems that typically includes:
- A detailed report about existing cybersecurity systems
- Analyses of whether the systems run efficiently or effectively
- Recommendations on changes to protocols and infrastructure
Cybersecurity Auditor Job Responsibilities
The job responsibilities of a cybersecurity auditor can vary depending on the position and the needs of the company or governmental agency employer. Cybersecurity auditor job responsibilities and duties can include:
- Providing an independent or internal review of security controls and information systems
- Testing the safety and effectiveness of individual components of cybersecurity defenses
- Providing an overview of the audit process
- Executing cybersecurity audits
- Analyzing/investigating any recent breaches or security concerns
- Evaluating internal security systems, controls and policies
- Ensuring compliance with application laws and regulations
- Writing technical reports that analyze/interpret audit results
- Writing stakeholder reports that use accessible language to explain the process and recommendations
Overall, the work includes offering deep insight into where cybersecurity systems are sufficient and performing well, and where there is room or need for improvement. If improvements are needed, it may also be the responsibility of the security auditor to provide a cost-benefit analysis of recommended steps for added security.
Cybersecurity Auditor Career Paths
Work experience in computer systems engineering, networking and risk analysis is highly relevant when it comes to positioning yourself for potential opportunities as a cybersecurity auditor, as is general experience in information technology and IT security.
Many employers want to see at least three years of experience in related roles in entry- and mid-level positions, and often look for five years of experience for more senior security auditor roles.
According to the online cybersecurity job resource site CyberSeek, job titles similar to cybersecurity auditor include: IT auditor, IT audit consultant, IT audit manager and IT internal auditor.
Cybersecurity Auditor Salaries
Salary estimates for the cybersecurity auditor positions vary greatly because different methodologies are used and because figures are often adjusted in real time based on changing data. Here are some recent cybersecurity auditor salary snapshots from leading online employment and cybersecurity websites:
Cybersecurity Auditor Employment Outlook
Cybersecurity is a fast-growing field that has been hampered by an ongoing talent shortage, with demand exceeding supply for skilled cybersecurity professionals. Industry watchdog CybersecurityVentures reports a dramatic need for cybersecurity professionals and aggressive hiring on the part of employers across all industries — projecting a total of 3.5 million unfilled jobs globally by 2021.
The U.S. Bureau of Labor Services (BLS), a government agency that tracks employment data, does not yet post specific figures regarding cybersecurity auditor, but offers a great deal of data about the booming cybersecurity job sector.
For example, for the position of information security analyst (average annual salary: $99,730), the BLS projects job growth of 32% between now and 2028 — much faster than the average for other occupations — because companies are acting on the “need to increase their information security capabilities in the face of growing cybersecurity threats.”
Cybersecurity Auditor – Skills Needed
According to CyberSeek, key skills, knowledge and experience that are in-demand for the position of cybersecurity auditor include:
- Internal auditing
- Audit planning
- Information systems
- Risk assessment
- Information security
- Business processes
- Familiarity/experience with Sarbanes-Oxley Act (SOX)
- COBIT (Control Objectives for Information and Related Technology)
Specific job duties, responsibilities and required skills vary depending upon the position. Some common hard skills required may include:
- Up-to-date knowledge of threats and tactics
- Ability to identify risky IT procedures
- Ability to identify potential software and hardware vulnerabilities
- Experience with risk management and mitigation
- Technical skills required to assess the status of networks and systems
- Penetration testing
- Policy development
- Ability to develop recommendations for heightened security
- Ability to communicate recommendations to stakeholders
Soft skills that employers are looking for in cybersecurity auditors often include:
- Written and oral skills needed to clearly communicate complex topics
- Critical thinking
Certifications for Security Auditors
Among industry certifications for cybersecurity auditors, perhaps the most common is the Certified Information Systems Auditor (CISA) certification offered by ISACA. “CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems,” according to ISACA, which lists $110,000 as the average salary of CISA certification holders.
CyberSeek reports that the most sought-after cybersecurity certifications from those hiring for cybersecurity/IT auditor roles also include:
- Certified Information Systems Security Professional (CISSP)
- Information Systems Certification
- Certified Information Security Manager (CISM)
- IT Infrastructure Library (ITIL) Certification
Regarding certifications, job seekers are well-advised to develop an overall understanding of the range of cybersecurity certification options to determine which programs match up well with both your skills and interests, as well as which certifications employers are looking for in the types of jobs you are targeting.
Cybersecurity Education Requirements
Earning a master’s degree in cybersecurity is an option chosen by many cybersecurity job seekers, including auditors, for a range of significant reasons. For example, a cybersecurity master’s degree:
- Provides you with comprehensive knowledge and practical skills
- Positions you to demonstrate work experience in the form of in-depth exercises and hands-on sandbox lab work that closely simulate real-world scenarios
- Helps you gain a strong competitive advantage in the job market
Though there are many cybersecurity positions where a master’s degree is not required, it is increasingly common to see an advanced degree listed as “required” or “preferred” in help wanted listings. According to CyberSeek’s breakdown of the cybersecurity/IT auditor position, 82% of employers require a bachelor’s degree and 14% require a master’s degree.
Cybersecurity Auditor vs. Penetration Tester
Cybersecurity auditors use many different methods to check on the security of various systems, methods that typically include established system surveys and diagnostic tests and checks that are run on a regular basis.
Penetration testing is a method of assessing system security by assuming the imagined role of a malicious hacker and trying to gain entry into networks and systems by thinking like an attacker instead of a defender.
How to Stand Out When Applying
When applying for cybersecurity jobs, it is important to be aware that positions described as “entry level” generally require a higher level of education and experience than in many other fields. So being able to demonstrate significant past work experience is one surefire way to attract attention in your job search.
Advanced education like a master’s degree and industry certifications also give job applicants a competitive edge. Cybersecurity job seekers, particularly those with less experience, are also advised to connect with internship opportunities and do plenty of reading, self-learning and networking.
The University of San Diego — a highly regarded industry thought leader and education provider — publishes a Cyber Blog featuring ongoing reports on the cybersecurity employment landscape. Recent posts include:
The university also offers two cybersecurity master’s degree programs — the 100% online Master of Science in Cyber Security Operations and Leadership and the Master of Science in Cybersecurity Engineering, which is offered both online and on-campus. Both programs feature practical, cutting-edge curriculum taught by expert instructors who share insights drawn from highly relevant industry experience.