Author: Jen Stone
I love working as a cybersecurity assessor and recommend it to anyone who thinks in terms of big picture systems, who wants to bridge the communication divide between technical and non-technical teams, and who values data privacy and security.
Gaining the knowledge and experience to be an assessor takes time and commitment. If you start your career path with the goal of becoming an assessor, you can put your efforts into the right areas.
First, let’s step back and discuss the role of a security assessor. As an assessor (also called an auditor or analyst), you will evaluate an organization’s policies, procedures, and technical security controls against a defined cybersecurity standard, privacy regulation, or risk framework. You might test controls yourself or examine the results of tests performed by others.
An assessment could result in certification if you are acting as a member of a certifying body (e.g., PCI DSS or HITRUST), or you could produce a report that offers the degree of assurance you have that the entity you’re assessing is in compliance with a regulation or standard that does not offer a certification (e.g., HIPAA or CCPA).
The information I’ve laid out in this article involves becoming a Qualified Security Assessor (QSA) for the PCI Data Security Standard (PCI DSS). I chose this example because PCI QSA is internationally recognized and the steps for achieving this role can be applied as a blueprint to pursuing other cybersecurity assessor jobs.
The requirements for becoming a PCI QSA start with a minimum of one year of experience (each) in the following four areas:
Application Security
Information Systems Security
Network Security
IT Security Auditing
This doesn’t simply add up to four years of security experience, because a job in one of these areas rarely gives you knowledge that transfers to the others. For example, knowing how to identify and correct cross-site scripting (application security) doesn’t prepare you to properly manage a patching program (information systems security). As a result, assessors typically spend several years of their career in one or two areas, gaining deep knowledge in those domains, while spending only the minimum time in the others, which can leave a less rigorous understanding there.
It’s worth having a solid knowledge base in all four areas, though, because you will be expected to assess security controls related to each of them. If you have a solid understanding of what you’re evaluating, and the implications of each security control in the cyber kill chain, you will be able to help the entities you’re evaluating to gain a more robust cybersecurity stance. Conversely, if you don’t understand what you’re evaluating, you run the risk of missing critical vulnerabilities.
Required Certifications
In addition to experience, you will need a minimum of two industry certifications: one in information security and one in IT audit. PCI refers to these as List A and List B.
List A includes:
(ISC)2 Certified Information System Security Professional (CISSP)
ISACA Certified Information Security Manager (CISM)
Certified ISO 27001 Lead Implementer
List B includes:
ISACA Certified Information Systems Auditor (CISA)
GIAC Systems and Network Auditor (GSNA)
Certified ISO 27001 Lead Auditor or Internal Auditor
IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
IIA Certified Internal Auditor (CIA)
Each of these certifications also requires specific experience. I’ll take CISSP from List A and CISA from List B to demonstrate this, since they’re the ones I chose to get, so I’m most familiar with them. I know it seems like the requirements are piling up, but if you’ll stick with me to the end, I’ll offer suggestions for meeting them. This job is absolutely worth pursuing! Let’s get back to the requirements.
CISSP requires a minimum of five years of cumulative, paid, full-time work in two or more of these eight domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
CISA requires a minimum of five years of professional information systems auditing, control or security work experience, as described in these five CISA job practice areas:
Information Systems Auditing Process
Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations and Business Resilience
Protection of Information Assets
There are a few other considerations that come into play. You’ll need endorsements (someone to vouch for your experience) and background checks, plus ongoing continuing professional education (CPE) maintenance every year.
For each certification, you will also have to pass an exam. If you work for a company that pays for certifications or related training, make sure you take advantage of that, because the tests are several hundred dollars each. When you add in textbooks and training classes, it can quickly become very costly.
I recommend taking classes to prepare for the exams and using digital practice exams whenever possible. This will help you learn how to answer the questions in the way the exam is expecting. Give yourself the time the material requires.
Finally, here are four steps that can help you move toward the goal of becoming an assessor.
Evaluate your current status against the various requirements for each of the certifications you need to earn.
Find the gaps and determine how to gain experience in missing areas.
Track your education, training, work project participation, experience and successes.
Keep your resume current with information that supports your drive toward a cybersecurity career.
Consider starting as an Associate QSA (AQSA)
An AQSA only requires a university or college diploma or two years’ experience in information security or IT, plus an exam. This is a much more attainable goal for many job seekers. Starting as an AQSA could help you fill those gaps and show a QSA company that you have a good work ethic and the ability to become a full QSA. Both the QSA and the AQSA must be employees of a QSA company in order to perform PCI compliance assessments.
For more details on the information covered in this article, please refer to the following resources:
About the Author: Jen Stone is a Principal Security Analyst at Security Metrics. With over 20 years working in IT and holding numerous certifications, she brings a breadth of experience to her work performing audits. Jen also hosts two cybersecurity podcasts and is a prolific writer and speaker.