Moving from IT Audit to Cyber security
Published: 28 Jun 2016 By CareersinAudit.com
The relationship between Internal Audit and Cyber Security has grown ever closer in recent times, as the former lays the groundwork for the latter by assessing the effectiveness of an organisation’s internal controls and educating the powers that be about the potential risks the business could face. Thus the line between the two disciplines has become somewhat blurred and the opportunities for career crossover ever clearer. For individuals working in IT or IT Audit jobs, a move into cyber security is all but a given, considering that the types of expertise required for the two share many similarities.
Recruitment consultant Leonard Coronel, at Clearedge Consulting, explains the skillset crossover between IT Audit and Cyber security as a fundamental grasp of hardware, software and data from a technical standpoint. “These three components of expertise would be key for both IT Audit roles and jobs in cyber security,” says Coronel. “At the end of the day, both sectors have the same goal, and that is to protect the company’s assets.” In addition to the technical aspect, Coronel advises those looking to make a move into cyber security that experience and proficiency in project management are equally valuable. “As new software or hardware is being released, so projects will be rolled out throughout the company in order to facilitate the use of those mechanisms,” he says.
A passion for technology is undoubtedly a trait shared by those in IT and IT Audit and those in cyber security. When moving from one to the other, it is important to extend your passion beyond the fundamentals of configuring systems and coding to understand exactly what you’re protecting and what makes it vulnerable to begin with. Cyber security demands continuous self-education: the technology landscape is forever changing, so those working on the all-important first line of defence must be flexible and forward-thinking. Coronel explains that as businesses grow more and more reliant on technology, new threats arise. Thus, for an IT consultant or IT Auditor hoping to move into the infosec field, a beneficial step would be to get involved with cyber security projects within your company in order to gain some first-hand exposure to what they do and how they do it.
While there are numerous similarities between the two disciplines, Coronel asserts there is a core difference, which comes down to the focus of each area. “IT Audit objectives focus more on the company infrastructure,” says Coronel. “IT Auditors make an evaluation on physical presence, understanding the existing internal control structure to minimise business risk, which includes implementing all regulatory requirements.” Cyber security analysts examine the same areas; however, they look at them through a different lens, intent on prevention and on protecting the company’s systems physically and electronically. “They do this through continuous monitoring and testing, including penetration and vulnerability assessments,” says Coronel.
There is no one path into cyber security, but IT Audit is certainly an effective launchpad into this field. Coronel explains that candidates looking for opportunities in cyber security typically stay within the audit field for 6 months to a year in order to gain a good understanding of the company’s infrastructure, analysing and evaluating what needs to be improved upon or changed. “Moving away from the IT Audit piece into cyber security, the candidate would then have a better grasp on what can be used to help avoid cyber-attacks,” says Coronel.
What employers are looking for in high-calibre cyber security candidates is a balance of technical strength and soft skills: the ability to take on network issues and database management just as competently as communicating with non-IT colleagues and understanding business procedures and processes. Because the field is incredibly vast, the underlying advice from employers is to avoid trying to become an expert in all categories of security, and instead to focus on one area and do it to the best of your ability.