Our international study discovered a significant knowledge gap in Big Four IT Auditor's theoretical knowledge and practical skill! (Deloitte, KPMG, EY, PwC, and more)
We discovered that the IT auditor's lack of hands-on skill in information technology influences data breach likelihood and technical evidence interpretation for critical infrastructure (power, water, communication, and banking)
๐๐ก๐๐ฌ๐ ๐ซ๐๐ฌ๐ฎ๐ฅ๐ญ๐ฌ ๐๐ซ๐ ๐ ๐๐ง๐๐ซ๐๐ฅ๐ข๐ณ๐๐ ๐ญ๐จ ๐๐๐,๐๐๐ ๐๐ ๐๐ฎ๐๐ข๐ญ๐จ๐ซ๐ฌ ๐ข๐ง ๐จ๐ฎ๐ซ ๐ข๐ง๐๐ฎ๐ฌ๐ญ๐ซ๐ฒ.
For instance, this assessment expounded on common concepts like least privilege and separation of duties via task-based activities. This strategy required the respondent to test their knowledge against specific technologies like Microsoft Server, Amazon Web Services (AWS), Palo Alto firewalls, Kubernetes containers, and Microsoft Azure.
Unfortunately, as IT auditors, we had inadequate levels of procedural knowledge. IT auditors had an average procedural knowledge score of 19.35 (Level 2 โ Assist). See grading scale on page 465 (Note: Level 3 is average proficiency)
These findings suggest that the current education models in IT certification exams, college curricula, certification boot camps, and training seminars do not provide task-based skills to help implementers and assessors improve their procedural knowledge (demonstrable skills) and identify controls that reduce data breach likelihood. See SME and IT Auditor SFIA Procedural Knowledge Scores figure on pages 455 and 465.
However, I'm optimistic about our future. ๐ In Chapter 5 (18 pages), I detail strategies on how we can improve our technical competency and create the next generation of cybersecurity auditors and cybersecurity professionals. Particularly by adopting National Initiative for Cybersecurity Education (NICE) and SFIA Foundation
Creating the Next Generation Cybersecurity Auditor: Examining the Relationship between It Auditorsโ Competency, Audit Quality, & Data Breaches - ProQuest
https://lnkd.in/gTaxhVkC