TL;DR: Of the various paths to transition into information assurance, I took the education route by pursuing a two-year Master of Information Systems Assurance Management program. My approach, hard work, and other efforts paid dividends a year into the program.
To provide more context, I am honored to have secured an IT Audit role with one of the big four accounting firms just about a year before the conclusion of my master’s program, which was a boost in writing this piece. Though it has not been a walk in the park, the journey has been rewarding, thanks to the efforts invested, the visibility provided by Concordia University of Edmonton, and the support of the faculty.
In this article, I will delve into my journey of transitioning from an experienced information security professional to the information assurance space, hoping this could help shape the career trajectory of someone with a similar pursuit. First, and to be clear, my transition does not mean an exit from cybersecurity, which was the primary reason for the existence of this personal blog. Cybersecurity, or information security more broadly, is an integral part of information assurance—a component of a giant puzzle.
At its core, information security ensures the confidentiality, integrity, and availability of information, in whatever form or storage, for authorized entities. Information assurance, on the other hand, seeks to provide reasonable confidence that the controls implemented to provide information security are adequate, appropriately designed, and operating effectively, and that information is reliable and free from material misstatements. These two closely related disciplines share several critical components, including risk management and control activities—areas in which I already had some experience that eventually proved advantageous.
After over five years of professional experience in IT and information security, I am officially transitioning to the information systems audit space, otherwise known as IT Audit or Technology Risk. While I have always desired and tried to work there during my spell as a pure cybersecurity-focused professional, the need for more requisite knowledge and specialized skills held me back. I also realized that although information security and information assurance are closely related, with many shared transferable skills, the information systems assurance field has different ways of approaching concepts and its own lingo that could throw newcomers off, at least in my case.
Everyone’s journey will be different. Mine officially began with a decision to pursue the Master of Information Systems Assurance Management (MISAM) degree at Concordia University of Edmonton (CUE). At the time and based on my findings, CUE was the only post-secondary school among Canadian universities offering a graduate program with a primary focus on information systems security or assurance. That made my choice of college and city an easy one. But before I finalized my decision, I was at a crossroads, choosing between two security-aligned programs at CUE. The other one was the Master of Information Systems Security Management (MISSM), which is a more technically aligned course.
The Master of Information Systems Assurance Management (MISAM), as its name suggests, is an information assurance, business-focused degree with some other core components. Since I was already a technically inclined professional and understood the importance of aligning technology to business strategy, the business pieces of MISAM were significant in my thought process and eventual decision. Also, I have long understood the challenges many super technical folks face in communicating the business value of technology and security due to their inadequate understanding of business and its language. This essential skill remains relevant and critical to excel and advance in today's and future workplaces. Hence my decision to go for the MISAM program.
The program put together different courses that cover current and future industry expectations. Among other things, they prepared me with the skills to perform information systems audits end-to-end, collaborate effortlessly with financial statement audit counterparts in future integrated audit engagements, and help organizations to be resilient against threats that could negatively impact their operations or take them out of business. In addition, the program follows the ISACA model curriculum, preparing students to sit for Certified Information Systems Auditor (CISA), the industry gold standard certification, upon graduation. Moreover, the courses’ workload also drills students, preparing us for the profession’s enormous on-the-job demands.
During this journey, I have come to love so many things about the information assurance space for the unique challenges it brings and its ever-evolving landscape. Assurance professionals hold a position of trust, as critical stakeholders, including boards of directors, shareholders, investors, creditors, and the general public alike, rely on our work and opinions on the reliability of the information they use for decision-making, trusting that we have objectively, independently, faithfully, and competently discharged our duties. These trust principles are priceless and are the cornerstones of any quality audit, which, in turn, is the bedrock of investors’ confidence, influencing market participants from average citizens and pensioners to small businesses and the entire capital market—Main Street to Wall Street, if you like. Assurance is a cause whose larger picture is about protecting the public interest.
This newfound passion of mine has also challenged me to remain a lifelong learner, given the evolving nature of the field and the wide range of expertise required. Auditors wear many hats to discharge their immense responsibilities effectively. IT Auditors especially must understand business, operations, and relevant information systems in the sectors where they function. It does not end there. It is also crucial that we are knowledgeable about the flow of information between information systems, their security intricacies, associated and emerging risks, internal control activities, fraud examination, data analysis, and relevant laws, frameworks, standards, and regulations, at the very least. We must always be able and ready to comprehensively evaluate new technologies as they become widespread in supporting businesses.
While one may not need to be an expert to begin their information assurance journey, having an adequate background in fundamental concepts, especially for me personally in IT, information security, risk management, and control activities, helped significantly in my master’s program and will undoubtedly be rewarding while on the job. From the soft skills perspective, an auditor must have excellent probing skills to ask their auditees the right questions and interpersonal skills like attention to detail, active listening, and verbal and non-verbal communication skills at the very least. An auditor will also greatly benefit from having leadership and project management skills. It may be tricky for newcomers to get their foot in the door without those. Even if they do, they may find it challenging to succeed without proper support, given the level of skill the information systems assurance professional’s job requires. My prior experience and skills and the knowledge and skills gained in my master’s program have filled the gap that previously kept me from entering the assurance space.
In conclusion, transitioning from information security to information assurance has been a transformative and rewarding experience. Embracing the education route by pursuing a Master of Information Systems Assurance Management at Concordia University of Edmonton opened doors to new opportunities and a deeper understanding of the information assurance field. To crown it all, securing an IT Audit role with a prestigious accounting firm a year before the conclusion of my master’s program marked a significant milestone in the transition journey. My blend of technical knowledge and business acumen acquired through prior experience and during my master’s program has prepared me to excel in this field, where protecting the public interest is paramount and an ongoing pursuit. As I continue this exciting journey, I am committed to remaining a lifelong learner, continuously adapting to emerging technologies and the ever-evolving assurance landscape to make a meaningful and lasting impact.