IT Audit v Cyber Security
While cyber security is a component of the IT Audit profession and falls under that extensive audit umbrella, in practice it sits outside the audit sphere in its efforts to prevent, detect and respond to threats. IT Audit, on the other hand, focuses on determining how compliant an organisation is within the remit of its prescribed audit.
Some audit frameworks do exist to audit an organisation's response to cyber-attacks, but the majority do not.
Candidates weighing up which route to take should first understand the skills and experience each one requires. There is a far greater need for specific technical understanding and expertise when working in cyber security. From network and system administration and management to perimeter technologies (e.g. firewalls, proxies, DNS), authentication systems, security principles and application protocols, cyber security or information security jobs come with an intensive list of expectations.
Candidates looking for jobs in cyber security will find it much easier down the line to move into an IT Audit role, if they choose, than the other way around. Audit is entrenched in cyber security, so an individual working in that field is already well versed in internal controls and has knowledge of the necessary audit requirements. There is not the same emphasis on technological prowess when it comes to working in IT Audit.
You’ll also find that the hefty list of certifications you gained while qualifying for a role in cyber security will benefit your move into IT Audit. In addition to the CPA, CA or CIA qualification that is a prerequisite for jobs in IT Audit, the CISA cert you earned as a cyber security professional will also come in handy, as will any SOX experience gained along the way.
As for cross-over skills, jobs in cyber security and IT Audit both demand individuals with the ability to communicate effectively, in person and on paper, with colleagues, board-level executives and stakeholders. A knack for problem solving, taking the initiative and thinking outside the box will also serve either role equally well.
There is of course a rather marked difference in pay grade between cyber security jobs and roles in IT Audit for candidates with between 0-4 years’ experience. While cyber security engineers, cyber security analysts and cyber security architects can earn between $95-210k, professionals working in audit will take home between $65-110k. The kicker, however, is that jobs in IT Audit are far easier to acquire than cyber security jobs: they demand fewer certifications, have more straightforward candidate criteria and involve a shorter hiring period, unlike the potential 6-month trial common when applying for opportunities in cyber security.
There is an important point to note for individuals looking to enter the fields of IT Audit and cyber security. With the continuing trend for automation and offshoring, the more au fait you are with new and emerging technologies, the more successful you will be in securing the role that’s right for you, particularly with regard to entry-level roles.