How do I become an Auditor?

25 May 2023

Are you passionate about both the technical and organizational aspects of cyber security and want to help companies improve their security as an Auditor? Nico Fechtner, Senior Consultant in the division Security Audits & PCI, provides insights into his daily work and offers tips on starting a career.

What does an Auditor do?

As an Auditor, my job is first to independently assess our customers' IT security and then to identify potential for improvement. The clear goal here is always to help companies protect themselves even better against cyber attacks in the future. With our audits, we support both customers who are still at the very beginning in terms of cyber security, as well as companies that already have a fairly high level of maturity and are striving for concrete certification - for example ISO 27001 or PCI DSS. 

The focus of my daily work is on interviews with various contact persons of our customers - from CEOs, network administrators or software developers to human resources managers. In these discussions, I work with our customers to determine the current situation regarding cyber security in their company. For example, we discuss how employees are trained in security awareness, how information security incidents are handled, or how the company currently protects itself against malware. In the course of these interviews, live demos are often held, in which our customers demonstrate, for example, how they have dealt with vulnerabilities that have been found so far, or how the security monitoring they use works. I then analyze the results of the interviews and prepare a corresponding final report for our customers, including recommendations on how they can protect themselves even better from hackers and criminals in the future. 

In addition to the day-to-day business, we at usd also place a lot of emphasis on continuous training and keep ourselves up to date through weekly team meetings, among other activities, at which colleagues present current topics related to IT security. 

What do you particularly like about your role as an Auditor?

For me, what makes the job so special is the enormous versatility that comes with the role. You have the chance to get to know companies in a wide variety of industries and of all different sizes, and to learn firsthand how they are securing themselves against cyberattacks. In addition, as an Auditor, you deal with process- and management-oriented as well as technical topics. On the one hand, this ensures that you gain a very holistic insight into the topic of cyber security, and on the other hand, you are guaranteed never to get bored - every day and every project presents you with new challenges that allow you to grow both professionally and personally.

What skills should I have as an Auditor?

It is essential that you have the curiosity to familiarize yourself with complex customer situations every day. We always communicate with our customers as equals, so you should be able to explain complex content in a comprehensible way. On the one hand, you need a solid overview of basic security-related concepts and processes (Identity & Access Management, Incident Management, Vulnerability Management, etc.), but on the other hand, a certain basic technical understanding is also indispensable. In addition, depending on the project, in-depth knowledge of relevant IT security regulations and standards (e.g. ISO 27001, PCI DSS, KRITIS) is necessary. 

What is the best way to learn these skills?

A technical degree - for example, computer science or electrical engineering - will help you acquire the necessary basic technical understanding. In addition, you should have already dealt with the basic topics related to IT security. Otherwise, I would say "learning by doing": just give it a try and see if you enjoy the audit job - I didn't know 100% what to expect at first either, but I'm still very happy in my role as an Auditor. 

How do we support you on your way to becoming an Auditor?

No matter whether you are a working student or a new full-time employee - at usd you will be supported from day one, you will get to know the company and your colleagues very well in the "Become a Hero" program and you will never be left alone, both professionally and personally. After a structured induction in our Security Audits & PCI department, you will quickly have the opportunity to work directly on customer projects. Once you have gained the necessary experience together with other colleagues, you will soon manage your first projects yourself and also have the opportunity to acquire prestigious certifications, such as Certified Information Security Auditor (CISA) or Qualified Security Assessor (QSA).

Are you interested in learning more about your career opportunities as an auditor? Find out more about your career opportunities with us here.
