Hello all, I am curious about the best path to take to get into security and IT auditing. I am currently a Data Security Analyst and I’m coming up on 2 years of experience. I work on an IT team at a medium-sized company (75 employees) but I am the least technical on the team. I am responsible for writing and maintaining policies, performing GRC audits (ITGCs) for our subsidiaries and Corporate parent, as well as some IDS & vulnerability scanning and management. I also complete web application security audits and assessments from customers which are generally 300-900 questions. I know how to read SOC 2 reports but I obviously don’t perform the audits. I want to get into the auditing side full time as I like the work and it’s a great balance between technical and the business side. My interest would be in SOC 2, PCI-DSS, GDPR, or general IT Security compliance. What is the best way to get into that industry (i.e. certs such as CISA, CASP or SSCP)? Are technical skills such as knowledge of vulnerabilities and pen-testing useful, or is the business side and management skill set preferred? Any feedback on this would be much appreciated!