What Does a Security Auditor Do?
What is a Security Auditor?
A Security Auditor probes the safety and effectiveness of computer systems and their related security components (e.g. IT procedures). It’s all about analysis & documentation! After conducting a security audit, you’ll be expected to issue a detailed report outlining the effectiveness of the system, explaining any security issues and suggesting changes and improvements.
It’s not as dull as it sounds. Some Security Auditors work as independent consultants, which means plenty of travel and opportunities to work on creative security solutions; others are valued members of IT security teams. Auditors get to create virtual environments, probe for vulnerabilities, assess the probability of threats, and recommend best practices (e.g. how to avoid human error). That’s a position of considerable power.
Security Auditor Job Responsibilities
In this mid-level role, you may be required to:
- Plan, execute and lead security audits across an organization
- Inspect and evaluate financial and information systems, management procedures and security controls
- Evaluate the efficiency, effectiveness and compliance of operation processes with corporate security policies and related government regulations
- Develop and administer risk-focused exams for IT systems
- Review or interview personnel to establish security risks and complications
- Execute and properly document the audit process on a variety of computing environments and computer applications
- Assess the exposures resulting from ineffective or missing control practices
- Accurately interpret audit results against defined criteria
- Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
- Provide a written and verbal report of audit findings
- Develop rigorous “best practice” recommendations to improve security on all levels
- Work with management to ensure security recommendations comply with company procedure
- Collaborate with departments to improve security compliance, manage risk and bolster effectiveness
- Travel extensively
Senior Security Auditors, like Senior Security Architects, may answer to C-level executives.
Security Auditor Careers
Security Auditor Career Paths
Just starting out on your career path? Consider an entry-level job that will give you some exposure to security issues. For example:
- Security Administrator
- Network Administrator
- System Administrator
On the rung above this level are dedicated IT security positions such as:
Some auditors choose to stay forever in the world of technical testing. But if you’re interested in shifting to management, you could investigate:
Security Auditors are known by a variety of names. Some of them (like IT Auditor) may have testing tasks that are unrelated to security.
- Information Security Auditor
- Information Systems Auditor
- IA Auditor
- IT Auditor
Security Auditor Salaries
According to Payscale, the median salary for an IT Auditor is $65,100 (2019 figures). Total pay ranges from $50,837 to $102,499. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Security Auditor Job Requirements
The road to a job as a Security Auditor begins with a relevant bachelor’s degree. It’s a challenging role, and companies need to trust that you know your stuff. Stick CISA certification on your to-do list (InfoSec runs a CISA Training Boot Camp)—it’s the most common certification that employers want to see. We also recommend you connect with current auditors (e.g. via LinkedIn or at a conference) and see if they’re willing to offer advice.
Finally, try to get as much practical experience in auditing techniques as you can. An internship is one option, but you could also ask to participate in any audit-related projects that your company is running and volunteer to help non-profits that need auditing & security assistance.
Since this is a technical position, hiring agencies and employers will want to see a bachelor’s degree and/or a master’s degree in Computer Science, Information Systems, Cyber Security or a related technical field.
You don’t have to be an expert in auditing to land the job. Broadly speaking, Security Auditors are expected to have around 3-6 years of experience in general IT/security. Senior Security Auditors often have 5+ years of auditing experience.
Large companies, including the Big 4, may be more willing to hire less experienced candidates because a) the current security team, including senior-level auditors, can help train you in relevant tasks, and b) the company can pay you a starting salary. Small companies often have limited budgets, and they don’t want to trust their entire organization to a newbie.
Wherever and whenever you can, gain experience in auditing computer applications and information systems of varying complexity. Employers may also specify a working knowledge of:
- Regulatory and industry data security standards (e.g. FFIEC, HIPAA, PCI, NERC, SOX, NIST, EU/Safe Harbor and GLBA)
- ISO 27001/27002, ITIL and COBIT frameworks
- Windows, UNIX and Linux operating systems
- MSSQL and Oracle databases
- C, C++, C#, Java and/or PHP programming languages
- ACL, IDEA and/or similar software programs for data analysis
- Fidelis, ArcSight, Niksun, Websense, ProofPoint, BlueCoat and/or similar auditing and network defense tools
- Firewall and intrusion detection/prevention protocols
- Virtualization techniques
Brush up on your oral and written communication skills – a Security Auditor is often judged by the clarity and thoroughness of his/her reports. Employers will also be looking for candidates who aren’t afraid of travel. Auditors frequently have to visit a wide variety of sites to gather data.
Certifications for Security Auditors
When it comes to auditing accreditations, the most valuable certification may be the CISA. We would also suggest looking into the CISSP. Both appear frequently in job requirements.
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Security Manager
- CISSP: Certified Information Systems Security Professional