Audit Knowledge Base

Interview with a CPA

Barry Weybright, a Certified Public Accountant (CPA), was kind enough to sit down and answer some questions that we here at Audit Knowledge Base had surrounding the certification process.  Barry is currently an internal auditor in the SOX Project Management Office working for a Fortune 250 financial firm.  Below are the contents of the interview:

Audit Knowledge Base (AKB): What made you decide to pursue your CPA designation? 

Barry Weybright (BW): It seemed that in the Finance and Accounting world, no other professional designation carried as much weight as the CPA.  In terms of bang-for-your-buck, the CPA designation conveyed the professionalism, integrity, expertise and seriousness that I desire to project to others in my business.

AKB: How has the CPA credential improved your career or opened doors professionally?

BW: It seemed that having the CPA behind me communicates that I take my professional image seriously.  Having completed the requirement has meant nearly everyone takes you seriously and recognizes the value you bring to the table.

AKB: Barry, what study methods or test preparation would you recommend to others?

BW: Choose a method that you are comfortable with.  If something isn't working, change early, as time is working against you.  Don't keep working a method that may be letting you down.  You know your study habits - work to your strengths.  Don't let others talk you into one method over another.

AKB: Barry, thanks for spending the time to sit down with us.  In closing, are there any pieces of advice you would pass on to others wishing to pursue their CPA designation?

BW: Just do it.  Get it over with - you'll forget all about the tests and studying the minute they hand you the card.  It's so much more fun to talk about how you got it done than to make excuses as to why you haven't.  And there will always be an excuse.

 

IT Audit Career Development Plan


Before entering the field of IT auditing, one must understand that it is a field of continuous and constant change. Therefore, IT auditors must look ahead at their future and develop a plan focusing on what they hope to attain in their career, whether formal or informal. Either way, the plan should help one attain most career goals. The career development plan also is a way to find out if an organization values the IT audit process. Investing in human resources can go a long way in attracting and retaining skilled, talented staff.

Typically, a functional, successful and formal career development plan consists of at least six major components that must be integrated into an established process within the organization. These components are:

  • Career path planning with management support
  • Definition of knowledge, skills and abilities
  • Performance assessment
  • Performance counseling/feedback
  • Training
  • Professional development

Each element is a necessary component of an effective career development plan; however, the most critical is the first, career path planning with management support, because it is the one that bears most directly on the IT auditor.

Effective Career Path Planning Needs Management Support

The establishment of the career development planning process must begin with the support of management in the organization. That support requires a commitment from management to acknowledge and define horizontal and vertical career path opportunities within the organization. This means that the IT auditor could make IT audit a career or use it as a steppingstone into corporate management. The IT audit career path can offer professionals tremendous diversity in their career, and management must support such diversity and job opportunity. Often, management support can help infuse an organization with the knowledge, skills and abilities to implement change. Without that support, IS audit staff will view career opportunities with mixed emotions and doubt, and the organization may eventually lose employees to outside concerns offering similar opportunities.

An example of this would be an IT audit professional who starts with a large CPA firm and, after four years, moves to an IT audit manager position in a private firm. After another three to four years, this audit professional transfers to an audit director position with another firm. External opportunities will be sought by employees who are not satisfied with their own career development or advancement.

The organization's management must ask itself a serious question: Can management continue to afford to bring new staff into these critical positions and train and develop them, only to lose them to opportunities outside the organization? With a good career development plan, organizations are building resources who are knowledgeable about the life systems of the organization and who have strong skills in IT technologies, audit methods, communication and administration. Such a person is an ideal candidate for managing or integrating new technologies into the operating environment of an organization.

If one plans to enter this field, it is important to look closely at the institution to learn if it has in place and supports career development planning. The other components should be part of the career development planning process and career plan.

The organization should be able to tell entering professionals what the career path looks like and define the knowledge, skills and abilities needed to advance to the next level. Next are the components of performance assessment and performance counseling. Performance assessment should be given at least twice a year by a manager or supervisor to tell auditors how they are performing compared to the knowledge, skills and abilities of that level. Performance counseling and feedback inform auditors how they performed their work in accordance with the audit objectives of that assignment and what they can do to improve their audit performance and the knowledge, skills and abilities needed to reach the next level. Added skills can be reached through training, so an organization's commitment to provide the necessary training when needed is a critical measure of the organization's commitment to career development planning. One also must understand that training provides added skill, but the measure of whether one has learned the skill is in application. Application demonstrates the knowledge individuals have gained and their ability to do the required work.

The last component, but not the least, is professional development. If the organization supports individual involvement in the professional community or in a professional association, give that company the highest marks. It is supporting professional development by allowing auditors to network with their peers and associates in this field. Through this process, individuals can gain access to new methods, techniques, best practices and the awareness that they and their colleagues are not alone in this challenging and ever-changing field. If the organization does not engage in professional development, then it is a signal to look elsewhere or invest in oneself. Some organizations, due to tight budgets or the economy, may not be able to offer full or partial reimbursement support. However, they may allow time off to participate. Therefore, individuals in the IT auditing field have to invest in themselves to maintain their currency and development to practice their trade.

Conclusion

One could go on and on about career development planning and the process. Development of staff was a key factor in this author's success in this field. It can be in anyone's, too. However, behind all of this is the need for management support and commitment to the process. Career planning can be formal or informal. If informal, then individuals must be responsible for the paths they seek and take the steps necessary to gain the knowledge, skills and abilities of their trade—their career.

 

Taking the Certified Information Systems Security Professional (CISSP) exam


As the most difficult exam I’ve taken (for a certification or otherwise), I figured I’d provide a brief overview of my experiences in hopes that they will be of benefit to you.  I successfully completed the CISSP exam approximately 2 years ago, so the recommendations contained herein should still be applicable.

About the CISSP Test

The CISSP exam is a 6-hour test with 250 questions in total, administered via paper and pencil.  To pass the test, a minimum raw score of 700 out of 1000 is required.  The test covers 10 domains, which together provide comprehensive coverage of the Information Security space.  The domains are listed below:

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

Again, the test covers an exhaustive list of domains in the Information Security arena.  Because of this broad coverage, your study techniques are important.  We’ll cover the best study resources below.

How to study for the exam

The best study resource, bar none, is Shon Harris’ CISSP All-In-One Exam Guide.  This book is so highly thought of that my CISO recommended this above all other methods of study.  As an additional recommendation, I was able to pass the CISSP exam without attending any training seminars and without any other CISSP study aid.  While this study resource is not free, it’s a real bargain in comparison to the thousands of dollars currently being charged for a hands-on CISSP training seminar.  As an alternative, I’ve heard very positive things about http://www.cccure.org/, which provides free training resources for the CISSP exam.  I’ve looked over the materials available on the cccure website after I sat for the exam, and the majority of information provided on this website is correct.

How hard is the CISSP?

This is the most comprehensive test of Information Security available.  Additionally, it tests technical acumen over a wide variety of subject matters.  Having said that, provided that you have the requisite experience for sitting the CISSP exam and you study well, you should be able to pass.  At the time that I sat for the exam, I had just barely fulfilled the experience requirements, but I had studied for the CISSP for approximately 8 months (10 – 15 hours per week).  I had also passed CompTIA’s Security+ certification and EC Council’s Certified Ethical Hacker (CEH) exam within the last 12 months, so I was familiar with the testing routine by that time.  If you haven’t sat for an exam in some time and you are concerned about passing the CISSP the first time you sit, I’d recommend sitting for at least one exam in a domain you’re familiar with about 2 to 6 months before you sit for the CISSP.  The experience of going through an actual test day, nerves and all, should better prepare you for the CISSP exam.

After the test

Your results will be sent to you via e-mail and postal mail from ISC2 once available.  You should expect your results to take approximately 4 – 6 weeks.  If you can’t stand to wait, candidates who have sat for the CISSP exam often post their experiences (and results) on the Cccure forums.  That may give you some insight as to how far ahead (or behind) schedule exam notifications are running under present conditions.

Congratulations for choosing an exam that will truly separate you as an Information Security Professional (or more specifically as an IT Security auditor).  Best of luck!

If you have any questions or comments regarding this article, please send them to us.
 

Taking the Certified Information Systems Auditor (CISA) exam


Having successfully completed the CISA last year, I’ll provide some insight on the process from someone who has “been there, done that.”  If you have additional questions not answered by the article, feel free to post them in our Certification Forum.

The Test Itself

The CISA exam consists of 200 multiple choice questions, and you are provided 4 hours to complete them.  The exam questions will cover 6 main topics – I’ve listed the domains below, as well as the approximate percentage of the test questions that will be drawn from each domain:

  • Domain 1—IS Audit Process (10%)
  • Domain 2—IT Governance (15%)
  • Domain 3—Systems and Infrastructure Lifecycle Management (16%)
  • Domain 4—IT Service Delivery and Support (14%)
  • Domain 5—Protection of Information Assets (31%)
  • Domain 6—Business Continuity and Disaster Recovery (14%)

The information above is taken directly from ISACA's CISA website.

Studying for the exam

Practice makes perfect, so be sure to practice for the CISA exam!  I recommend reading at least one of the study guides and, after you have an understanding of the domains the exam will cover, digging right into some practice questions.  The absolute best practice questions are from ISACA themselves – the price is a little steep, but well worth it in the long run.  Once you’ve completed several sets of practice questions, assess your weaknesses based on the score and then re-read those sections in your study guide to gain a better understanding of the domain.

How hard is the CISA? 

In my opinion, the test was harder than any I’ve taken from Microsoft or Comptia, but it was a fair test.  I appreciated that the test-makers didn’t appear to be trying to ‘trick you’ with the way the test was constructed, so it seemed to be a true test of your knowledge of the material, rather than your test taking acumen.

Receiving your results

ISACA advertises that they will release your CISA test results approximately 8 weeks after your testing date, via hardcopy mailing and also by e-mail (provided that you’ve consented to that provision).  Take heart, however: most candidates receive their e-mail sometime 6-7 weeks after the test date.

After the test

Depending on your experience and how long you’ve been with your current employer, this portion may be the most difficult for you.  After you’ve successfully completed the CISA exam, you’ll need to complete an Application for Certification.

Of note - If you’re claiming any educational experience waiver, you’ll need to provide ISACA with official transcripts from your college or university.  Since official transcripts take time to acquire, you may want to submit your request to your alma mater either before or immediately after you’ve sat for the CISA.

Once your application has been processed, ISACA will notify you whether or not your application has been accepted.  Assuming an acceptance, you’ll receive a Welcome Kit from ISACA and, more importantly, you’ll be able to advertise yourself as a Certified Information Systems Auditor!

If you have any questions or comments regarding this article, please send them to us.
