How the CSX-P Certification Has Bolstered My Credibility in Audit

Author: Toan Do, MS, CISA, CSX-P, Senior Consultant, Technology Audit and Compliance, Health Insurance
Date Published: 10 July 2020

As an IT or systems auditor, my job is all about assessing and testing controls designed and in place to protect the company’s treasure trove of information. In my case, health insurance claims data of our members is the Holy Grail to be protected. When I go into an audit, my credibility sets the tone for an open and honest dialogue throughout the engagement.  

Audits tend to cause disagreements in viewpoints, which can be a result of the auditor not speaking the language or not fully understanding the function of IT and security. This barrier can be easily bypassed with an investment in learning more about IT and security. I want to share with you my journey to establishing credibility and leveraging ISACA’s CSX Cybersecurity Practitioner (CSX-P) certification to do so.

My role is constantly evolving to keep pace with the ever-changing technology landscape, such as cloud computing and other new threats. Prior to assessing an organization’s defend and respond capabilities, we have to establish credibility with those with whom we are engaging. Imagine walking into a meeting with your clients or auditees (owners of the process you are about to audit) for the very first time and telling them what processes and controls they have right and what they have wrong. Your auditees will think to themselves, “Are you qualified to tell us if our controls are working properly?” Trust me, I have been an auditee, and we question your qualifications.

To effectively accomplish your objectives as an auditor, you must first establish credibility and build trust, telling your auditees at the beginning that “Yes, I am qualified to perform this audit.” What makes up your credibility is what you know (i.e., education, training and experience) and how you are perceived (i.e., integrity, character). Credibility starts with displaying your knowledge through verbal and written communication. Displaying your degrees and certifications in your email signature speaks volumes, and those designations give you a competitive advantage in establishing credibility. Before you begin writing your assessment, your auditees already know you have met ISACA’s requirements to be certified and have the appropriate expertise to tell them if their control is working and, if not, what recommendation you can offer to remediate.

Over the years, the CISA has become well-recognized by auditees around the world as the standard certification for IT auditors to have, giving the auditor immediate credibility based on prior CISA-holders with whom they may have interacted. CSX-P is newer and may not be as widely recognizable, but it is during this initial period that CSX-P holders can take the opportunity to showcase their knowledge and show the value they bring to auditees. That value lies in the ability to speak your auditees’ language and understand the work that they do daily.

CSX-P showcases an auditor’s desire and willingness to learn and explore areas they are not accustomed to in their normal day job. That was the case for me when I took initial steps to go through the labs and take the test. Learning to use the Linux command line was a challenge for someone who points and clicks every day, but it taught me how operations are performed when you cannot move your mouse to get to your destination. I learned how to scan the network for assets, configure rules on a firewall, detect potential threats, and back up and recover failed systems, among other useful and practical applications.

When I walked around at ISACA’s 2019 North America CACS event proudly displaying my CSX-P ribbon, I was approached by a fellow ISACA member asking me how the exam was, and my response was that it is a challenging test, but the labs really guide you through performing the various computer security operations. The exam recently was updated to cover even more critical cybersecurity skill sets.

My challenge to you is to take the time and initiative to pursue the CSX-P to learn new skills, explore new career opportunities and, most importantly, stay relevant and show that you are qualified in the fight to protect your organization’s assets.