We all know IT audit is about providing assurance of the reasonable effectiveness of IT processes and controls, while information security is focused on the protection of data and information assets in all forms. While these differences are stark, do you have an appreciation of the distinctive characteristics that set IT auditors apart from information security professionals?
Are IT auditors more assessment oriented and information security professionals more technically savvy? Do information security professionals know the details better, while IT auditors are better at understanding the business applications of information technology?
Not exactly. The reality is that these days the lines are blurring. Search any website posting IT audit jobs and you will find that, in addition to requiring the CISA certification, many IT auditor positions now also require the CISSP and CISM certifications, which are typically associated with the information security industry. Meanwhile, because of the increase in regulations requiring attestation over information and cybersecurity internal controls—including NIST SP 800-171 for government contractors and their vendors and the Health Insurance Portability and Accountability Act (HIPAA) for organizations that deal with health information—many information security positions seek candidates who hold a CISA certification in addition to the CISSP and CISM.
For the layman, here's a quick rundown on what those certifications stand for, and their focus areas:
CISA – Certified Information Systems Auditor – According to ISACA, which issues the certification, it is designed to verify audit experience, skills, and knowledge, and to demonstrate that those who hold it are capable of assessing vulnerabilities, reporting on compliance, and instituting controls within the enterprise.
CISSP – Certified Information Systems Security Professional – According to (ISC)2, which issues this certification, it is "for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks."
CISM – Certified Information Security Manager – This certification, also provided by ISACA, "promotes international security practices and recognizes the individual who manages, designs, oversees, and assesses an enterprise's information security."
Take a close look at some recent job postings, and you will find that both information security and IT audit departments also compete for individuals with similar skills and competencies, in addition to certifications. And it is safe to assume that the sought-after skill sets will continue to be more similar in the future, as both departments seek qualified candidates with deep IT knowledge, an understanding of risk management and internal controls, as well as business acumen and project management competencies.
Skilled Professionals in High Demand
The demand for qualified professionals is also outpacing the supply, making it harder for both hiring managers and recruiters to find and hire capable candidates with these highly sought-after skills.
"Information technology security skills are in very high demand and will continue to grow in 2017 and for years to come. And salaries for senior-level cybersecurity-related jobs are now among the highest for IT professionals," says Fritz Eichelberger, a Tampa Bay-area recruiter. "It is very challenging for companies to retain these professionals and it has become a major security issue. Threats of an attack happen with such frequency that many companies are turning to third-party firms to supplement their efforts," he says. "It's a great career track for college students, IT professionals in other careers with declining demand, and those who wish to change careers."
According to Eichelberger, the top security skills requested by clients include data security, security analysis, cloud security, secure software development, risk mitigation, access management, network monitoring, and intrusion detection.
Some recruiters say the demand for candidates with certain certifications can go too far. "We see a real push toward certifications instead of skills, which is disheartening," says Cindy Brown, CEO of recruitment firm Pratt, Brown, and Associates. "The minimum required certifications we're seeing are CompTIA Security+ and Certified Ethical Hacker (CEH). At a higher level, there's a real push from our clients for CISSP and CISM," she says.
Brown advocates a balance of earning in-demand certifications with building broad, on-the-job experience. "We're doing our best to educate our clients that certifications are great, but nothing replaces actual hands-on job experience," she says. "We anticipate this trend to continue in 2017 in both the private and government marketplace."
So what does this mean for employers and those looking for IT audit and information security candidates?
- Certifications will increasingly influence hiring decisions.
- The number of qualified candidates will continue to lag behind the demand for these positions, so employers may need to cast a wider net and seek qualified candidates in related fields.
- Competition for top security skills will continue to drive salaries in both IT audit and information security.
And, perhaps more importantly, what does this mean for IT and information security professionals looking to advance their careers or for a new position at a different employer?
- Consider seeking certifications, including CISA, CISSP, and CISM.
- Seek opportunities to broaden information security and IT knowledge and experiences.
- Increase business acumen by keeping current on IT risks and best practices (especially those that are industry specific) and improving your understanding of the associated threats and vulnerabilities.
IT audit and information security professionals may also want to seek additional training as they consider expanding their horizons to meet the requirements of these demanding roles. MISTI offers seminars, webinars, and on-site programs designed to assist audit, information security, and risk professionals fulfil their development goals while helping their organizations improve internal processes. Some examples are IT General Control Reviews, Auditing Networks for Non-IT Auditors, Advanced IT Audit School, Introduction to Information Security, and Securing and Auditing Your Network Infrastructure: Network Services, Devices and Perimeter Security.