Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security
Most of us will be aware, from the regular reports we hear or read in the news, of the dangerous reality and consequences of cyber-attacks, particularly in the wake of numerous high-profile cases including Canadian dating site Ashley Madison, UK telecom company TalkTalk and even the FBI.
Without an effective cyber defence force working across global business, the threat to sensitive data contained within the hundreds of thousands of organisations worldwide continues to be immense.
According to Cisco, there are currently 1m cyber security jobs unfilled, a number tech giant Symantec predicts will grow by half by 2019 as the global demand for cyber security is expected to reach 6m in the next two years. Thus, the need for skilled cyber security professionals remains a critical issue. As an internal auditor, you have some of the fundamental skills required for a career in cyber security because of your ability to assess the effectiveness of an organisation’s internal controls, as well as being in a position to educate the powers that be about the potential risks that the business could face and the value of security to its infrastructure.
The core skills
As an internal auditor hoping to move into the cyber security space, an initial and helpful step would be to get involved with cyber security projects within your company in order to gain some first-hand exposure to what they do and how they do it. However, there is a range of core skills you will need to add to your resume if you want to make that move from audit to cyber security. Employers are looking for a balance of technical strength and soft skills that will enable their cyber team to take on network issues and database management as competently as they communicate with non-IT colleagues and understand business procedures and processes.
In a recent report published by ESG/ISSA, 371 cyber security professionals were quizzed on the key areas in which the organisations they worked for had the most critical skills deficits. The majority of respondents pinpointed the need for security engineers as well as those in possession of security analysis and investigations skills, although this is a long-cultivated skillset with opportunities generally reserved for the more experienced cyber security alumni. Application security was the second biggest area for talent shortage, largely as a result of the rise of the smart-everything as the world becomes increasingly digitised. Banking apps are one crucial area that needs individuals who are skilled in understanding which controls to implement in order to properly identify their vulnerabilities.
Meanwhile, the move from desktop to public and private cloud infrastructure indicates that opportunities are only set to grow for those with cloud computing and cloud security expertise, and they come with pretty impressive salaries too. Penetration or pen testers are also in demand.
Qualifications to boost your CV
If you are seriously contemplating making the move, particularly into an audit role within cyber security, then you should consider taking a degree or professional qualification in one of the following subjects: computer science, information systems, cyber security or a related technical field. Certainly, the more relevant experience and qualifications your CV boasts, the more impressed the hiring manager will be. The fundamentals of elevated computer science, enhanced by mathematics and followed up by industry standard certifications such as CISSP, CISA or CISM, will better prepare you for a career evaluating everything from statistics to fixed mechanisms. Take the time to learn the basics of auditing computer applications and information systems of varying complexity at any and every opportunity. Certain hard skills may also be a prerequisite for some employers, who may expect their cyber security auditors to have a strong working knowledge of regulatory and industry data security standards, as well as certain frameworks, operating systems and databases. Programming languages such as Java and C++, and experience with auditing and network defence tools such as Fidelis, Websense and BlueCoat, may also be required.
The key qualities
Cyber security demands continuous self-education, as the nature of technology means its landscape is forever changing. So, above all, anyone planning on working on the all-important first line of defence must be flexible and forward-thinking.
Simon Wright is operations director at CareersinAudit.com.