Path to IT audit

I am looking for some advice on the best cert path to a position in IT audit/Infosec. The only cert I currently possess is the A+ which I know is not much but looking to expand greatly. I know CISA or CISSP will be on the list a bit down my career path.

I was thinking of starting with Security+ along with some MSCE in server 2012.

What type of certification path can you suggest?

Find more posts tagged with

Comments

Remedymp

yasina2990 wrote: »

I am looking for some advice on the best cert path to a position in IT audit/Infosec. The only cert I currently possess is the A+ which I know is not much but looking to expand greatly. I know CISA or CISSP will be on the list a bit down my career path.

I was thinking of starting with Security+ along with some MSCE in server 2012.

What type of certification path can you suggest?

IT Auditing is very broad. You may get placed as an IT auditor to focus on pen testing(offenseive) or even defense auditing. What I think you may be referring to is Controls auditing.

Security+ and Network+ is beneficial. CASP & Wireshark certification as well.

Alexsmith

Like Remedymp said, IT security auditing can have different position but in this case I belive your referening to security control assesments. I'd take a look at the CAP certification and NIST 800-53 to see if you really want to get into the IT audit field. It's also good to have a general knowledge of each area of IT such as systems and networking to be good at auditing. What do you currently know about the field and what are your reasons for wanting to get into the field?

--chris--

Auditing is quite broad, for example the two Deloitte auditors I know both came from an Accounting/financial background. If you have worked in another field, its possible to parlay your skills and experience from that field into a auditing career in IT.

dou2ble

Auditing is very boring. You have a checklist of controls and you audit to see if xyz company is following them. Are you sure it's not pentesting or security engineering you're actually interested in? Do you like finding vulnerabilities, researching how to fix them, giving recommendations or applying mitigations? Engineering a secure solution whether it's software, hardware or network architecture? Or do you just want a list of IT controls and check the box, pass or fail?

Alexsmith wrote: »

Like Remedymp said, IT security auditing can have different position but in this case I belive your referening to security control assesments. I'd take a look at the CAP certification and NIST 800-53 to see if you really want to get into the IT audit field. It's also good to have a general knowledge of each area of IT such as systems and networking to be good at auditing. What do you currently know about the field and what are your reasons for wanting to get into the field?

NIST 800-53 controls apply to the Federal sector. Some commercial side companies will reference them as a guide, but they aren't required to adhere. Other commercial companies, especially publicly traded ones, will follow ISO27000. This standard can be used for C&A or just a guide.

--chris-- wrote: »

Auditing is quite broad, for example the two Deloitte auditors I know both came from an Accounting/financial background. If you have worked in another field, its possible to parlay your skills and experience from that field into a auditing career in IT.

Like I mentioned earlier getting into auditing is not that hard because almost anyone can do it. I used to for one of the Big 4. Their requirements are usually Bachelors degree. But if it's pentesting or security engineering that you want to get into then that is something different. This fields are far more interesting and fun. These require more technical skills and knowledge. Most big companies have an internal security staff (maybe Security Engineering) that will "audit" their network before the auditors come (Big 4) to make sure they're compliant. It's definitely possible to go from IT Auditor to pentester or security engineering, which is what I did, but you'll have to pursue more technical skills and knowledge. Because during your audits you'll have exposure to very smart IT professionals you can easily gather skills and knowledge like a sponge. A lot of employers like to hire from Big 4 because they work you like slaves, you gain a valuable skillset and move on. Check out this urban dic definition for a laugh. http://www.urbandictionary.com/define.php?defid=1153279&term=deloitte