What is the best route to becoming a cyber security auditor in the UK?
The relationship between internal audit and cyber security has grown even closer in recent times – after all, the former lays the groundwork for the latter by assessing the effectiveness of an organisation’s internal controls and educating the powers that be about the potential risks the business could face. For individuals working in IT or IT audit jobs, a move into cyber security is a given considering that the type of expertise required for both shares many similarities.
With both functions sharing the need for a fundamental grasp of hardware, software and data from a technical standpoint, the demand for relevantly “cyber-tastic” expertise is a vital step to becoming a cyber security auditor. It is a highly technical role and employers will expect you to have a bachelor’s or master’s degree in one of the following subjects: computer science, information systems, cyber security or a related technical field.
Certainly, the more relevant experience and qualifications your CV boasts, the more impressed the hiring manager will be. The fundamentals of elevated computer science, enhanced by mathematics and followed up by industry standard certifications such as a CISSP, CISA or CISM will better prepare you for a career evaluating everything from statistics to fixed mechanisms.
A degree will ensure you can make headway into cyber security audit, as it will provide both the technical knowledge employers expect and the softer skills of verbal and written communication.
For individuals with a passion for the field, there are various ways to get into cyber security. One way is by starting a career within a general computer or systems-related position. Take the time to learn the basics of auditing computer applications and information systems of varying complexity at any and every opportunity.
Certain hard skills may also be a prerequisite for some employers, who may expect their cyber security auditors to have a strong working knowledge of regulatory and industry data security standards, as well as certain frameworks, operating systems and databases. Programming languages such as Java and C++, and experience with auditing and network defence tools such as Fidelis, Websense and BlueCoat, may also be required.
Bear in mind also that the role of auditor, in the cyber security space and otherwise, often requires candidates to travel to various sites to gather data. Moving into the third line of defence role that defines audit within the cyber security space is highly advantageous as far as long-term career progression is concerned, as it gives individuals a helicopter view of the business. This all-round exposure serves candidates well moving forward, particularly if you have your sights set on a senior leadership role or that of CTO, which require that broader business knowledge and insight.
There is no one path into cyber security audit, but IT audit is certainly an effective launchpad into this field. Obtaining straightforward audit experience initially will furnish candidates with a good understanding of the company’s infrastructure, analysing and evaluating what needs to be improved upon or changed ahead of applying that experience to the cyber security audit function.
What demand do you think there will be for cyber security auditors in, say, two years’ time? Are my skills transferable or will I need to learn about different regulation if I apply for a job overseas?
Experts predict that by 2019, the demand for cyber security professionals globally will see the creation of six million jobs, meaning overwhelming demand for skilled individuals in that space. The key word here is “skilled”, however, as that is where the issue currently lies, with over one million cyber security jobs unfilled due to a shortage of relevantly experienced candidates.
With a talent deficit across nearly all areas of cyber security, including its audit function, organisations are facing an existential threat to their daily operations. Handling data and transactions of the general public with a staff that is both lacking in the necessary support and expertise points to the need for candidates to rally forth into the cyber security space, both auditors and otherwise.
As technology continues to move at an unprecedented pace, the demand for cyber security auditors able to navigate application security is only set to grow. IT auditors in general are not experts in properly identifying the vulnerabilities of banking apps in particular, and even less so in knowing which controls to put in place to test for weaknesses and security. As a result, this has been and will continue to be one of the hottest skills in demand when it comes to what employers are looking for in potential candidates.
Core areas including cloud computing and compliance also form the backbone of requirements for any discerning cyber security auditor moving forward in this digital age. Considering an environment of evolving technology risk and consequently increased expectations from key stakeholders, it is important for candidates to develop those key in-demand skills employers are looking for as well as take on the responsibility of educating your organisation on the importance and value of security to the business.
Remember that data privacy laws are going to be local to any region. They are easily learnt, and the more you remain up to date with local regulatory changes and developments, something you should be doing in conjunction with your daily absorption of cyber security news and events, the greater advantage you will have in progressing your career.
Simon Wright is operations director at CareersinAudit.com