We all know IT audit is about providing assurance of the reasonable effectiveness of IT processes and controls, while information security is focused on the protection of data and information assets in all forms. While these differences are stark, do you have an appreciation of the distinctive characteristics that set IT auditors apart from information security professionals?
Are IT auditors more assessment oriented and information security professionals more technically savvy? Do information security professionals know the details better, while IT auditors are better at understanding the business applications of information technology?
Not exactly. The reality is that these days the lines are blurring. If you search any website posting IT audit jobs, in addition to requiring the CISA certification you will find that many IT auditor positions now also require the CISSP and CISM certifications, which are typically associated with the information security industry.
Meanwhile, because of the increase in regulations requiring attestation over information and cybersecurity internal controls—including NIST 800.171 for government contractors and their vendors and the Health Insurance Portability and Accountability Act (HIPPA) for organizations that deal with health information—many information security positions seek candidates who hold a CISA certification, in addition to the CISSP and CISM.
For the layman, here's a quick rundown on what those certifications stand for, and their focus areas:
CISA – Certified Information Systems Auditor – According to ISACA, which issues the certification, it is designed to verify audit experience, skills, and knowledge, and demonstrate that those who hold it are capable to assess vulnerabilities, report on compliance, and institute controls within the enterprise.
CISSP – Certified Information Systems Security Professional – According to (ISC)2, which issues this certification, it is "for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks."
CISM – Certified Information Security Manager – This certification, also provided by ISACA, "promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise's information security."
Take a closer look at the job board postings and you will find that both information security and IT audit departments also compete for individuals with similar skills and competencies, in addition to certifications. And it is safe to assume that the sough-after skill sets will continue be more similar in the future, as both departments seek qualified candidates with deep IT knowledge, an understanding of risk management and internal control, and business acumen and project management competencies.
Converging Skill Sets
Two areas where there is increased skill convergence are data analytics and threat intelligence. Increasingly, IT audit departments are tasked with assessing the reasonableness of the company's monitoring controls and the development and maintenance of continuous auditing routines. Information Security departments are also responsible for continuous monitoring responsibilities, such as ensuring that mobile and transient devices that hop on and off the network don't have security deficiencies and adhere to policies.
The demand for qualified professionals with these varied skill sets is also outpacing the supply, causing challenges for both hiring managers and recruiters to find and hire capable and competent employee candidates with these highly sought after skills. And finding candidates with the desired array of skills can be difficult and costly.
"Information Technology security skills are in very high demand and will continue to grow in 2017 and for years to come. And salaries for senior-level cybersecurity related jobs are now among the highest for IT professionals," says Fritz Eichelberger, a Tampa Bay-area recruiter. "It is very challenging for companies to retain these professionals and it has become a major security issue. Threats of an attack happen with such frequency that many companies are turning to third-party firms to supplement their own efforts," he says. "It's a great career track for college students, IT professionals in other careers with declining demand, and those who wish to change careers."
According to Eichelberger, the top security skills requested by clients looking for IT auditors and information security professionals include: data security, security analysis, cloud security, secure software development, risk mitigation, access management, network monitoring, and intrusion detection.
While thinking more broadly about certifications could help IT auditors and information security professionals secure a sought-after position, some recruiters say the demand for candidates with certain certifications can go too far. "We are seeing a real push toward certifications instead of skills, which is disheartening," says Cindy Brown, CEO of recruitment firm Pratt, Brown, and Associates. "The minimum required certifications we're seeing are COMPTIA Security+ and Certified Ethical Hackers (CEH). At a higher level, there's a real push from our clients for CISSP and CISM," she says.
Brown advocates a balance of earning in-demand certifications with building broad, on-the-job experience. "We're doing our best to educate our clients that certifications are great, but nothing replaces actual hands-on job experience," she says. "We anticipate this trend to continue in 2017 in both the private and government marketplace."
What Employers and Candidate Can Expect
So, what does this mean to employers and those looking for IT audit and information security candidates? Certifications will increasingly drive hiring decisions, and candidates with crossover certifications may prove more versatile in today's IT and security environments. Meanwhile, the number of qualified candidates will continue to lag behind the demand for these position, So there may be a need to cast a wider net to those IT audit and info security positions with other certifications.
Perhaps more importantly, what does this mean for IT audit and information security professionals looking to advance their career or for a new position at a different employer? You can improve your prospects if you get certified in CISA, CISSP, and CISM, regardless of whether you're an IT auditor or information security professional. Some other certifications you might consider include: incident response, process, project management, and business continuity and disaster recovery planning. Another way to advance your career is to see opportunities to broaden information security knowledge and IT knowledge. And data analytics proficiency can certainly be a boon to any IT audit and information security career track.
In other words, don't get complacent. Keep expanding your horizons, seek IT audit training training and information security training opportunities and take certification preparation courses, and don't box yourself into viewing your expertise through too narrow a prism.
Shawna Flanders is Director of Instructional Technology and Innovations and Senior Trainer at MISTI. She can be reached at firstname.lastname@example.org.