Audit, Governance & Risk Management
What It Takes to Be an IT Security Auditor
A Conversation with GAO's Gregory Wilshusen
Gregory Wilshusen, director of information security issues at the Government Accountability Office, which audits government agencies, says he learned some essential career skills in one of his first jobs. After receiving a business administration degree with a concentration in accounting, he served as a U.S. Army performance auditor and became skilled in flowcharting and recognizing the steps in processes.
"At the end of the audit, I typically knew more about that entire process than many of the individuals actually involved in the process," Wilshusen says in an interview with Information Security Media Group. "They were focused only on their own responsibilities and duties whereas I had to look at that entire thing. That gave me a good understanding of just taking a process, deconstructing it down to its individual parts and looking to see where inefficiencies lie, and trying to make improvements in that."
Wilshusen says IT security auditors need to be skilled in operating systems, coding and databases. But they also need to be good writers who can easily explain complicated technologies to nontechnical individuals.
In the interview (see audio link below photo), Wilshusen discusses:
- The importance of IT security auditors having credibility with those they are auditing as well as, in GAO's case, members of Congress who request audits;
- His ability to empathize with those he audits because he once worked as an agency controller who oversaw operations that were audited; and
- The technical and software skills required to be an effective IT security auditor.
As a director at GAO, Wilshusen leads cybersecurity and privacy-related studies and audits of the federal government and critical infrastructure. He has more than 30 years of auditing, financial management and information systems experience. Prior to joining GAO in 1997, Wilshusen held a variety of public- and private-sector positions. He was a senior systems analyst at the Department of Education, controller for the North Carolina Department of Environment, Health and Natural Resources and held several senior auditing positions at Irving Burton Associates and the U.S. Army Audit Agency. A certified public accountant, certified internal auditor and certified information systems auditor, Wilshusen holds a B.S. degree in business administration with a concentration in accounting from the University of Missouri and an M.S. in information management from George Washington University's School of Engineering and Applied Sciences.