A Security Auditor is responsible for investigating and auditing the effectiveness of the IT security of an organisation.
They help to detect cyber threats by exposing weaknesses in the organisation's cyber defences. The ultimate objective is to produce an IT security audit report that the client can easily understand. The client will expect to use this security audit report to inform future decision-making on strengthening their overall IT security by implementing the recommended changes and improvements.
The security auditor may need to liaise with other specialist IT security professionals together with software and hardware vendors and any others supplying computer security related services to the organisation.
Typical job duties for the role of IT Security Auditor include a lead role in planning, executing and reporting on the IT security of an organisation by producing a Security Audit report.
In order to produce the report they will need to inspect and evaluate the existing IT systems, management procedures, security protocols and controls.
They will need to develop a good understanding of the organisation's IT systems so that all important elements of the organisation's cyber security are covered in the final audit report.
Reporting on servers, Virtual Private Networks (VPNs), Local Area Networks (LANs) and Wide Area Networks (WANs) will need to be included in the scope of the report.
More specific Security Auditor responsibilities may include:
1) Gaining a good knowledge of an organisation's IT security, technology and information systems.
As Security Auditor you will be working with existing skilled staff, applying your IT Security skills including your understanding of relevant security standards, authentication protocols, and security related hardware and software to produce a useful audit.
2) Plan and execute IT Security Audit
You will normally need to inspect all elements of the organisational infrastructure relating to IT security within the scope of your audit. The audit will encompass the LAN (Local Area Network), Public Key Infrastructure (PKI), the WAN (Wide Area Network) and VPNs (Virtual Private Networks). Your audit should identify any previously unidentified risks and threats, as well as confirming the strength of the organisation's existing defences against online attacks or exploits. You will need to review the security risks posed by staff members, with or without their knowledge, and must be able to document your findings efficiently.
You must be able to weigh and prioritise all risk factors, interpreting your findings against your pre-defined benchmarks for IT security.
3) Produce IT Security audit report and explain conclusions
Your security audit will need to produce a comprehensive report, with all findings and recommendations clearly identified. Recommended upgrade paths should be clear to follow. All security weaknesses should be identified, incorporating the results of your penetration and vulnerability testing. Senior IT management and IT security staff will need to be able to digest and act upon your IT security audit report's findings.
4) Recommend future IT Security best practice and compliance with regulations
As IT Security Auditor, you will recommend upgrade paths, bug fixes and workarounds for potential IT Security issues as part of your audit. Your report may also feed into project planning enabling the organisation to migrate to a more robust security infrastructure. Your report should clearly recommend the correct IT security tools, threat countermeasures and other tactics to keep the organisational data as secure from threats and exploits as possible in future.
You need to be able to clearly and effectively communicate with and report to decision-makers such as senior managers and any other stakeholders.
The job of Security Auditor is usually a daytime role, working an average 40 hours per week. Short-term IT Security Audit Contractors and Consultants may be paid a day rate where any additional work is chargeable.
Many employers will desire a Bachelor's degree in a related field such as Computer Science, IT or a cyber-security related field, but this is not a necessity.
What can you expect to earn as a Security Auditor? The position of an IT Security Auditor is an important role. Salaries will of course vary depending on your experience, qualifications, the organisation and sector plus whether you are employed on a full-time, short-term Contractor or Consultant basis.
According to Payscale*, salary expectations for the role of Security Auditor range from $50,207 – $98,955, or £38,620 – £76,119 at a conversion rate of 1.3 for USD/GBP.
Sources: * Payscale – http://www.payscale.com/research/US/Job=Information_Technology_%28IT%29_Auditor/Salary