While layoffs have rocked the tech industry over the past six months, cybersecurity hiring remains robust, with over 755,000 open positions in the U.S. alone. For many tech pros looking to enter the field, gaining experience is a must. An IT auditor position offers an entry-level path into the security field while still featuring a solid salary and potential career growth.
While the role of IT auditor might not sound like a way into a cybersecurity career, CyberSeek lists the position as an entry-level cybersecurity job, with a clear pathway to mid-level roles such as penetration tester or cybersecurity consultant.
An IT auditor needs a solid background in technology and enterprise business skills. The position is essentially designed to ensure that an organization's IT networks and infrastructure run at optimal levels and that company data stored in that infrastructure is secure. The IT auditor also needs to assess cybersecurity gaps and relay the business risks from those gaps.
Finally, an IT auditor is also tasked with ensuring compliance with various government laws and regulations, which are growing and becoming more complex.
“Helping organizations ensure the confidentiality, integrity and availability of their information assets, reduce the risk of data breaches, and comply with relevant laws are important contributions made by IT auditors,” George Jones, CISO for Critical Start, recently told Dice. “Their work is critical in an environment where the risk of cyber threats is ever increasing, and organizations face increasing pressure to protect sensitive data.”
For those looking to start a cybersecurity career or add valuable experience to a resume, an IT auditor position opens the door to mid-level jobs. There’s also a chance for a six-figure salary as well as an abundance of current opportunities for those with the right skills.
IT Auditor: What Skills Are Needed
IT auditors need a mix of business and technology skills to handle the job’s complexities. CyberSeek notes that the main skillsets for the position include knowledge of internal auditing, audit planning, information systems, accounting, risk assessment, information security, the COBIT framework and business processes.
It’s also critical that IT auditors understand government regulation standards such as Sarbanes-Oxley (SOX), since a good portion of the position is understanding compliance issues and the risks an organization may face.
“An internal company auditor is important to ensure compliance with SOX, ISO, SOC or any combination of them,” Walter Ford, IT manager at Keeper Security, told Dice. “To be out of compliance could lead to fines and loss of business. Working in operations, we support all aspects of a company’s business. Going through audits also helps us to understand all the connections that our systems have by working through the various controls.”
The CyberSeek site also recommends that IT auditor candidates have at least one cybersecurity certification, including:
- Certified Information Systems Auditor (CISA)
- Information Systems Certification
- CompTIA Security+
- IT Infrastructure Library (ITIL) Certification
IT Auditor Salary and Job Openings
While CyberSeek lists IT auditor as an entry-level position, the job site notes that, on average, these tech pros can earn an estimated $111,400. Additionally, there are currently over 7,600 open positions in the U.S. for this type of skilled cyber-worker.
While internal auditing has been a staple of the enterprise for some time, the proliferation of government regulations and an explosion of new, internet-connected devices make having an IT auditor with relevant skills more valuable to a wide range of organizations, said Bud Broomhead, CEO at security firm Viakoo.
“Internal auditing as a function has existed for a long time and exists within any organization that wants to hold itself accountable to meeting its own policies,” Broomhead told Dice. “IT systems have well-established compliance requirements, with governance more recently evolving for internet of things and operational technology devices. This job role involves staying current with a variety of new mandates and initiatives.”
While technical skills and certifications do help, especially during the hiring phase, experts noted that knowing how the business works and an understanding of risk can also help candidates and those thinking about an IT auditor career path.
“An auditor does not necessarily need to be highly technical, but it does help,” Ford added. “They do need critical thinking skills to determine whether a control is covered by the company's processes. They must also be able to work through evidence of compliance with a critical eye. They are not looking for problems as much as looking at where there are areas of improvement. For this, I am always open and welcoming of auditors at any organization.”
IT Auditor: What Experts & Organizations Look For
Since the IT auditor’s job is far-ranging (enterprises can emphasize various criteria or areas of concern to the business), experts note that hiring managers and IT and cybersecurity leaders usually develop their specific job criteria for open positions.
“Hiring managers often have their own personal criteria which can vary widely. But a good starting point is one or more of the certifications that are available in the field,” Mike Parkin, a senior technical engineer at Vulcan Cyber, told Dice. “While IT auditing has some special technical expectations, the skillset and mindset that makes a good auditor are common. Attention to detail, the ability to communicate, etc., are all useful. It can be good to have an IT background, but it’s generally easy to learn those specifics when a person already has what it takes to be a good auditor.”
While many organizations will require a degree or a certain set of certifications, Jones noted that those are not necessary. He prefers someone with a technical background and knowledge of critical areas such as cloud computing.
“A degree is nice to have but not a requirement; I would be more focused on the experience brought forth in IT, auditing, or another related field, and cloud experience,” Jones added. “The ability to be able to understand data security measures, assess the effectiveness of IT controls and evaluate compliance with relevant laws and regulations is key to success.”
In addition, Jones found that candidates with technical writing skills have an advantage since IT auditors are responsible for creating policies and procedures that ensure compliance with regulations and controls for company-specific assessment needs, such as with SOC-2 or PCI-DSS.
At a time when data breaches and other cybersecurity threats can make significant headlines for businesses and bring the scrutiny of government regulators, the role of the IT auditor is becoming more important and integral to organizations’ overall cyber posture.
“Auditors are also important in post-breach remediation,” Ford noted. “Insurance companies use consulting firms that deploy auditors to ensure that another breach is less likely. At times, we do not see our own issues and auditors are there to help us see ourselves from the ‘outside.’”