Security analysts help keep computing safe, and work to protect computer users from loss, harm and other sorts of damage. They are security assurance experts who constantly examine an organization's systems, networks, applications, infrastructure and digital communications to look for security exposures or vulnerabilities and, where necessary, remediate or mitigate them.
To do this, they run all kinds of scans to conduct hardware and software inventories, and then use the results of those scans to seek out and address potential security issues or vulnerabilities. Because security is so important to meeting business goals and complying with mandated protections for privacy and confidentiality, security analysts are involved in all stages of IT deployment and development. They start at the planning and design stage, provide assistance during deployment and development, and stay on the job at the end of the lifecycle, monitoring and managing security during the maintenance and upkeep phases for systems and software.
Most security analysts work for computing companies, consulting firms or business and financial companies. Increasingly, small to medium-sized firms are turning to managed security providers (MSPs) to help them establish and maintain proper information security. Thus, a great many security analysts work for such firms, which fall somewhere between the computing company and consulting firm categories mentioned above.
Because establishing and maintaining proper information security is important for all companies and organizations, security analysts are in extremely high demand. The US Bureau of Labor Statistics reports that employment of such professionals is "projected to grow 18 percent from 2014 to 2024, much faster than the average for all occupations." Demand is expected to remain high because security analysts have a vital role to play in preventing hackers from stealing important information, protecting business operations, and foiling attacks of all kinds on computer networks and systems.
Essential Education, Background and Skills for Security Analysts
Many employers look for security analyst candidates with a bachelor's degree in computer science, math or engineering, or another computer-related field. If you've got security experience, a stable work history and solid references or letters of recommendation, it's possible to land a job in security without a college degree. But a degree – especially one with some security-related coursework included – will definitely help.
An intermediate-level security analyst position typically requires three to six years of direct experience in information security, or some combination of education and experience. In fact, this is a field where experience counts greatly. Thus, for example, a military veteran with documented cyberwarfare experience and a security clearance would probably be a more attractive candidate for a security analyst's job than a person with a bachelor's degree straight out of school. That holds true even if that degree-only person graduates from a top-flight institution such as Carnegie Mellon University, Purdue or another school belonging to the National Centers of Academic Excellence in Information Assurance/Cyber Defense (CAE IA/CD) program.
Regardless of how you prepare for a career as a security analyst, here are the skills you should have or plan to develop:
- Create and document security policies, including acceptable encryption, acceptable use, data breach response, disaster recovery planning, digital signature acceptance, email and ethics, password construction and use, and so forth (for a complete collection see the SANS Information Security Policy Templates)
- Perform security audits and reviews, with thorough knowledge of best auditing practices and procedures, and enact remediation and mitigation
- Understand how to design and establish perimeter security protection and controls, including firewalls, content filters, proxies, intrusion detection and prevention, and more
- Understand role-based security, access controls (including physical, software and human security processes and procedures), identity management, authentication and authorization, and proper use of rights and privileges
- Be a multi-tasker, with good time-management and self-motivation skills
- Be an excellent communicator (written and verbal)
Some positions require programming skills and an understanding of databases. You don't necessarily need years of programming or scripting experience to be a security analyst, but it will help.
Many government or military jobs in national security and intelligence, as well as some federal contractors, require a TS/SCI clearance. TS/SCI is short for Top Secret/Sensitive Compartmented Information. It's sometimes referred to as a "TS/SCI poly clearance" because a polygraph is usually part of the process.
Security analysts should consider getting one or more certifications to prove their mettle and get the attention of hiring managers. Many information security certifications are vendor-neutral, and recognize knowledge and skills applicable across all facets of the information security field. Here are three of the most popular and sought-after information security certifications.
- CompTIA Security+: An entry-level certification for IT professionals with two or more years of experience working in the field. While the Security+ is probably not enough by itself to land somebody a job, it's a valuable first credential in information security to earn en route to more serious and valuable credentials. Check out our CompTIA Certification Guide.
- EC-Council CEH (Certified Ethical Hacker): A mid-level certification that seeks to train security professionals in recognizing, responding to, and dealing with unwanted attempts to break into an organization's systems and networks. Qualified candidates understand hacking practices (such as footprinting and reconnaissance), network scanning and enumeration, system hacking, malware, denial of service (DoS) attacks, social engineering and other techniques hackers use to penetrate networks and systems and attempt to take them over. The CEH is a well-respected and reasonably valuable information security certification. Check out our EC-Council Certification Guide.
- (ISC)2 CISSP (Certified Information Systems Security Professional): A senior-level certification for IT professionals who seek (or already have) a full-time career in information security. CISSPs possess expert skills and knowledge needed to design, develop and maintain security standards, policies and procedures for their employees or clients. The CISSP has regularly appeared in Top 10 certification lists for highest demand, most valuable, and best-paying IT certifications since the mid-2000s, and remains one of the most sought-after IT certifications today.
Vendor- or platform-specific information security certifications are plentiful, so there are many options from which you may choose in this category. For vendor-specific credentials, if you have experience with a specific platform or product and want to work on projects built on that platform, find out if the vendor's certification program includes credentials to match (and document) your experience, skills and knowledge. Then you can pursue such credentials with vigor, knowing that organizations who also use such platforms and products will appreciate your skills and knowledge.
Information Security Training and Resources
Candidates interested in information security training can take advantage of some free starter courses available online. Microsoft Virtual Academy (MVA) offers an entire track (40 courses) on Enterprise Security, including Cloud App Security: Deploying, Cybersecurity Reference Architecture and Planning for a Security Incident, among many others.
Interested candidates should also check out the U.S. Government's Information Assurance Support Environment (IASE) website. It offers a plethora of interactive web-based training courses on a variety of useful and informative information security topics, including cybersecurity awareness, cyber law, best security practices and procedures, network operations (NetOps) with a security slant, and information about cyber security tools used in the U.S. Department of Defense (DoD).
Surveying Information Security Opportunities
The U.S. Bureau of Labor Statistics says the median annual salary for a security analyst is a whopping $92,600. That's not too shabby, but that number will rise or sink depending on the company and city where you wind up in this field.
Though demand is strong, your search for work as a security analyst will benefit from time spent on job boards such as Monster, Indeed, SimplyHired and LinkedIn Jobs. You might want to post your resume on such sites, and then create alerts so you'll get notified as new security analyst job listings appear. Once your resume has been posted, you'll also start hearing from recruiters who may bring you opportunities at companies that you may not otherwise hear about. One more thing: if you want to work at a particular company, seek out opportunities by all available means. That means visiting its online job board regularly, using your LinkedIn and other networks to ask around about security analyst jobs there, and reaching out to the company's HR folks to make contact and express interest in a security analyst position, should one become available.
In addition, you'll want to exploit free resources such as LinkedIn security analyst groups, Reddit, professional organizations such as the Information Systems Security Association (ISSA.org), and other forums and online communities. They are great sources of information about good and bad employers, which certifications you should earn, and leads on security analyst jobs.