Lateral entry as an IT security auditor - a field report

The majority of CIS auditors come from the IT sector. Our colleague Elma Pichler shows that you can become an information security auditor even without a technical background.

“I recommend further training to become an auditor to anyone who is enthusiastic about the subject – you can learn technical background information, but you have to be interested yourself,” says Elma Pichler.

From finance and risk management…

After completing her Bachelor’s degree in Management Consulting with a specialisation in Finance and Real Estate Management, Elma completed her Master’s degree in Risk Management & Corporate Security at FH Campus Wien in 2017. Her professional career in the insurance and banking sector began during her studies. In the course of her career, she gained valuable experience in various industries such as consulting and the public sector and took over as deputy CISO in the banking sector. Her responsibilities included the internal control system, business continuity management, risk management, quality management and information security management. These diverse experiences sparked her interest in the interconnectedness of management systems and strengthened her desire to deepen and pass on her knowledge.

… to IT security

In November 2023, her path finally led her to CIS – Certification & Information Security Systems, where she was hired as an auditor and quality manager. In order to qualify in information security management and as an auditor, she completed the courses “Information Security Manager according to ISO 27001” and “Information Security Auditor according to ISO 27001”. “The CIS courses were very suitable for me, also because they allowed me to expand my network. I realised that the area of information security is becoming increasingly essential. I recognised a lot of the content from my professional career and my studies,” said Elma Pichler.

As she had no traditional IT training, her work as an ISO 27001 auditor required the CISSP certification (Certified Information Systems Security Professional) from ISC². This globally recognised certificate confirms sound technical and administrative expertise in the field of information security and represents her next professional milestone. This examination is necessary in order to actually carry out ISO 27001 audits.

This story impressively shows that even career changers without a technical background can be successful in the field of IT security if the motivation is there. CIS offers interested parties training courses and certifications that provide a solid foundation and the qualifications to gain a foothold in this exciting and important field.


Our training team will be happy to advise you on which training is right for your personal career!