Comment by aurinsomnia

I am close friends with someone who has been an IT/Cybersecurity Auditor for several years now and is apparently doing well (receiving praise/bonuses from upper management recently), despite on multiple occasions demonstrating they lack basic technical knowledge and don't understand what they are auditing. Apparently they just have a list of questions they ask and then fill out a spreadsheet despite having no technical understanding of what they are asking; e.g. on multiple occasions this person has said to me that they don't understand the difference between a server and a database. It boggles my mind that someone can be responsible for auditing a company when they don't understand simple concepts like servers or databases, but who am I to judge?