Cybersecurity as a discipline has two distinct origin stories.
First, cybersecurity came out of the military-intelligence complex. Cryptography, the security of military and government communications, real-world nation-state adversaries—for decades this was a separate thread.
Second, corporate accounting. When you move from paper records to digital records, accounting auditors needed to answer the question “How can we trust the books when the books are no longer made of paper?”
The latter origin story led to the CISA (Certified Information Security Auditor) certification. Financial auditors created this new sub-discipline that evaluated the trustworthiness of computing-based financial systems.
These two threads have wound together over the last thirty years to the point that they are now a unified discipline of cybersecurity. A large financial institution is (or should be) equally concerned about the integrity of its accounting systems and about nation-state adversaries with their wide spectrum of motives: espionage, sabotage, etc.
So I took my CISA certification this week. I read a book, I studied some questions, I took a multiple choice exam—and it was bad.
So bad.
This certification is a dinosaur. Questions that would have been timely and relevant during the Carter administration.
ISACA are updating the exam content this year, or so they claim, but even still, for me it raises the question—what is this certification even for, anyway?
On the one hand, as a CISO, I engage with external auditors as part of industry certifications such as ISO 27001, SOC 1, SOC 2, and so forth. And the CISA exam is the foundation professional cert for these kinds of auditors—and it’s useful and practical for me to be able to look at the world through their lens.
If I’m going to be audited, I should understand at a sufficiently deep level what auditors are looking for and how they are going to engage with me.
But my dog—the horror. The horror.
What does the concept of “security auditor” even mean in 2024?
Is a pen tester a security auditor?
The idea of red teaming or penetration testing surely did not exist in 1969 when CISA was first invented. But even a casual glance at the pen testing role makes it look a whole lot like an audit of security controls.
But a proper pen test or red teaming exercise designed to simulate real-world adversaries veers well outside of the finance origin story of security auditing.
The two threads, the two origin stories, of cybersecurity have merged. Security auditing can no longer mean “How do we trust the numbers on a mainframe in our office?”
A more interesting question to ask is rather, “In 2024, what should security auditing mean?”
I don’t have a concrete proposal here but I think it’s worth asking the question. What are the goals we are trying to achieve?
Both government regulation and industry certifications want to ensure a minimum level of security due diligence. You can’t mandate excellence, but you can force everyone to raise the bar to a certain standard.
Someone has to check that people are actually doing the things they say they are doing. I know literally zero about environmental regulatory compliance but one imagines there are underfunded bureaucrats with clipboards who show up at chemical factories and take samples.
But this assumes the adversary is only incompetence and corruption. What about real world adversaries?
How do they do it in the military? Not having served in the military, I cannot answer that question either. But security auditing in 2024 seems like it should go well beyond ensuring compliance with government regulations and instead ask the question, “Is this organization prepared for a foreign military to attack it?”
You see this on the military parade ground, or so I hear. A commanding officer inspects soldiers, their grooming, and spot inspects rifles. What standards are being executed consistently in this unit?
And here is where the problem lies: Civilian organizations are not military, nor is it reasonable given our current socio-economic system to demand that they start acting like military. To achieve such a goal would require a drastic rethink of our socio-economic system resulting in some sort of government takeover of industry, in either an overt or covert manner.
“Are we ready for an attack?”
At the end of the day, this is the big question for security auditing in 2024. Ensuring regulatory compliance does not answer that question. And the CISA certification does not prepare candidates to answer that question.
Once an organically-emerging certification that prepared job seekers for a new and exciting field of employment, the CISA now feels like a sagging dinosaur, a wrinkled paleontological curiosity that I doubt can be re-invented, and most likely needs to be scrapped and replaced with something new.