What Does a Security Auditor Do?
The Short Version
A Security Auditor probes the safety and effectiveness of computer systems and their related security components.
After conducting a security audit, you will issue a detailed report that outlines the effectiveness of the system, explains any security issues and suggests changes and improvements.
Security Auditor Responsibilities
In this mid-level role, you may be required to:
- Plan, execute and lead security audits across an organization
- Inspect and evaluate financial and information systems, management procedures and security controls
- Evaluate the efficiency, effectiveness and compliance of operation processes with corporate security policies and related government regulations
- Develop and administer risk-focused exams for IT systems
- Review or interview personnel to establish security risks and complications
- Execute and properly document the audit process on a variety of computing environments and computer applications
- Assess the exposures resulting from ineffective or missing control practices
- Accurately interpret audit results against defined criteria
- Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
- Provide a written and verbal report of audit findings
- Develop rigorous “best practice” recommendations to improve security on all levels
- Work with management to ensure security recommendations comply with company procedure
- Collaborate with departments to improve security compliance, manage risk and bolster effectiveness
- Travel extensively
Some Security Auditors work as independent consultants; others are integral members of IT security teams. Senior Security Auditors, like Senior Security Architects, may answer to C-level executives.
Security Auditor Career Paths
Just starting out on your career path? Consider an entry-level job that will give you some exposure to security issues. For example:
- Security Administrator
- Network Administrator
- System Administrator
On the rung above this level are dedicated IT security positions such as:
Some auditors choose to stay forever in the world of technical testing. But if you’re interested in shifting to management, you could investigate:
Security Auditors are known by a variety of names. Some of them (like IT Auditor) may have testing tasks that are unrelated to security.
- Information Security Auditor
- Information Systems Auditor
- IA Auditor
- IT Auditor
Security Auditor Salaries
According to Payscale, the median salary for an IT Auditor is $64,377 (2018 figures). Overall, you can expect to take home a total pay of $50,380 – $103,367. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Security Auditor Job Requirements
Since this is a technical position, hiring agencies and employers will want to see a bachelor’s degree and/or a master’s degree in Computer Science, Information Systems, Cyber Security or a related technical field.
You can burnish your résumé with further training and professional certifications.
Many security auditors have little dedicated security experience, but have done lots of work in IT. Broadly speaking, Security Auditors are expected to have around 3-6 years of experience in general IT. Senior Security Auditors often have 5+ years of auditing experience.
Wherever and whenever you can, gain experience in auditing computer applications and information systems of varying complexity. Employers may also specify a working knowledge of:
- Working knowledge of regulatory and industry data security standards (e.g. FFIEC, HIPAA, PCI, NERC, SOX, NIST, EU/Safe Harbor and GLBA)
- ISO 27001/27002, ITIL and COBIT frameworks
- Windows, UNIX and Linux operating systems
- MSSQL and ORACLE databases
- C, C++, C#, Java and/or PHP programming languages
- ACL, IDEA and/or similar software programs for data analysis
- Fidelis, ArcSight, Niksun, Websense, ProofPoint, BlueCoat and/or similar auditing and network defense tools
- Firewall and intrusion detection/prevention protocols
Brush up on your oral and written communication skills – a Security Auditor is often judged by the clarity and thoroughness of his/her reports. Employers will also be looking for candidates who aren’t afraid of travel. Auditors frequently have to visit a wide variety of sites to gather data.
Certifications for Security Auditors
When it comes to auditing accreditations, the most valuable certification may be the CISA. We would also suggest looking into the CISSP. Both appear frequently in job requirements.
- CISA: Certified Information Systems Auditor
- CISM: Certified Information Security Manager
- CISSP: Certified Information Systems Security Professional