Security Staff Acquisition & Development

My Transition From Internal IT Auditor to CISO (Chief Information Security Officer)

Author: John Pouey
Author: John Pouey

My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.

Communication skills are crucial to the success of a CISO. Effective communication helps build positive relationships with employees at all levels within the organization. As an auditor, I presented audit reports to the Audit Committee. This served as excellent experience because I learned how to communicate effectively with top-level personnel, which was also required in my role as CISO.

Internal auditors are facing new challenges. Sensitive information is pervasive in the digital world because users expect it to be available when needed. Prior to the Internet-connected world, the focus in banking tended to be on business continuity planning, the exposure of sensitive information from threats to physical media, and other financial fraud activity such as physical credit card theft.

Testing Security Controls

In the connected world, data is readily available through connected networks, and that data is the target of cyber attacks. Given the rise of successful attacks, IT auditors must continually educate themselves on the new types of threats and be knowledgeable of information security controls and how to test those controls.

There are many resources available to auditors. Just as a mechanic needs to acquire a toolset, an IT auditor must also assemble an array of resources. An auditor must network with other IT audit and information security professionals by participating in professional organizations. In addition to networking, websites such as ISACA’s and SANS’ provide audit and information security resources. ISACA has an online library with information security and audit books. These are useful resources for professionals new to IT audit.

IT auditors must remain relevant by constantly educating themselves regarding the latest information security threats, trends and controls by using all available resources. IT auditors are no longer an asset to their organization when they stop learning.

Communication Breakdown? Nope

Changing career paths from IT audit to CISO was a smooth transition because I developed strong communication skills as an auditor, I had a strong knowledge of the latest security threats and trends, continuous education was a priority to me, and I assembled a set of resources. For those who are interested in a career path change from IT audit to CISO, these key items should help ensure success.

John Pouey is secretary for the Greater New Orleans chapter of ISACA. Read more ISACA blogs here.