Who is a Security Analyst?
One of the most vital positions in implementing and maintaining security controls around a company’s critical data is the security analyst role. The main responsibility of a security analyst is to keep sensitive digital assets out of reach when it comes to cyber attacks. This can be accomplished by working to protect the company’s technological infrastructure including its computers, servers, applications, terminals…etc. Security analysts thus occupy an inter-departmental role that spans a wide variety of objectives to fix previously identified security flaws within both assets and security controls, and to recommend safeguard measures to prevent breaches.
To meet their objectives, security analysts can run thorough assessments on their targeted assets (hardware or software), the results of these assessments will be used to direct effort towards and focus on mitigating security issues and vulnerabilities. Cyber security operations are so important to business continuity and their success is an essential part of meeting compulsory industry regulations and standards, that is exactly why security analysts have versatile duties that span across the whole compliance process. They are responsible for planning and design, assistance and IT help, management and audit, and maintenance of systems and software. Their adaptable roles make sure that security analysts are involved, in one way or another, in every single stage of IT development and deployment.
While a small percentage of security analysts work for financial and computing companies, the vast majority of them work for security firms and managed service providers (MSPs). The number of small to medium-sized businesses who outsource their security operations to third party MSPs is increasing and thus making the role of security analysts more in demand. Analysts facilitate security operations by establishing and maintaining proper security controls for their clients’ digital assets.
According to the US Bureau of Labour Statistics, security analyst roles are expected to grow a substantial 18 percent by the year 2024. 18 percent is significantly higher than the average growth rate of all other occupations, which can only make the demand for these professionals higher and higher with time.
What do Security Analysts do?
Security analysts take on the responsibilities of ensuring the security of a company’s cyber assets from both outside and inside threats. To be able to do that, they are required to carry out an all-around set of objectives that usually includes: devising both online and physical security programs, analyzing security data and metrics to identify security threats and their likelihood to occur, and taking the right measures when/if a breach happens.
Security analysts are also responsible of keeping executive management and/or information technology departments informed about the organization’s risk level by generating both technical and non-technical assessment reports. These reports can uncover critical vulnerabilities and serve as a blueprint for prioritizing and tackling them based on their exploitability and impact. Analysts can also evaluate the accuracy and efficacy of security policies which will help the organization meet compliance with security standards and regulations.
Furthermore, one of the most important duties of security analysts is to keep security controls up to date by updating and patching software, creating the necessary documentation and renewing existing ones when necessary, and crafting operational frameworks for disaster recovery processes and breach incident response. A quick job search on indeed.com will add these specific responsibilities to the list:
- Digital forensic investigation of suspected security breaches and minor events
- Performing vulnerability and risk assessments along with internal and external penetration tests
- Carrying out application security patching procedures
- Collaborating with third party vendors in security assessment projects
- Updating documentation and breach response/disaster recovery operational frameworks
An Entry Path to the Cyber Security Industry
There is a serious talent gap in the cyber security industry as many companies and firms continuously fail to get the necessary workforce to meet its human resources requirements. It does not help that the industry has a notoriously high bar of requirements for first time recruits, and even individuals who hold a bachelor’s degree in computer science and possibly a security certification like CEH (Certified Ethical Hacker) can sometimes fail to get an entry level job. There is a lot of sensitive information and digital assets at stake for companies and/or their clients that they raise the bar high for their first time recruits to ensure business continuity.
The security analyst position offers a partial solution for this labour shortage because the bars of entry are relatively lower. Many cyber security professionals quote security analyst as their first full-time paid job in the industry, serving as an entry path and a chance to test their skills in real-world settings and scenarios.
There are rarely any other entry level job openings and aspiring professionals are taking note. Indeed.com reports that security analyst positions have a higher number of applicants than any other industry related job, but qualified professionals remain in demand as it is also the position with most opening. This is due to the nature of work security analysts are required to do. Because job opportunities can be found across sectors and industries from healthcare and insurance to finance and education, the demand for security analysts is not going away anytime soon.
The Versatility of the Role
Security analysts are required to take part in every single security operation an organization might carry on. This makes them one of the most versatile experts of the industry. Here is a list of the most important areas of expertise that security analysts should possess:
- Incident response: analysts handle data breaches with precision and efficiency throughout the entire lifecycle of an incident. They are also required to report progress and recommend the best course of action after the breach
- Network defense: in other words intrusion prevention. This includes monitoring traffic, threat analysis, and implementing proper security controls
- Malware analysis: as malicious software became more sophisticated in the recent years, analysts try to analyze malware and contain it to prevent its threats
- Digital forensics: security analysts launch investigation efforts to assess and contain threats through the collection & analysis of information to pursue certain actions
- Penetration testing: this is one of the most important assessments as analysts simulate real world attacks on their organizations. These assessments serve as a good measurement of the company’s security posture and it can guide future prevention efforts
- Security controls: firewalls, SIEM’s (security information and event management), honeypots, intrusion detection systems, and antivirus software make a large chunk of an organization’s security infrastructure. It is up to analysts to work with these controls and inspect their results for possible threats.
Skills & Qualifications of a Cyber Security Analyst
For entry-level positions, many employers look for security analyst applicants with a bachelor’s degree (or sometimes a master’s) in computer-related fields such as computer science, information science, and possibly math and engineering. Security certifications (or the pursuit of one) are sometimes mandatory and can boost the candidate’s chances. It is also possible to land this job without a university degree but the candidate needs to have a good work history in a related field (such as system administrators) with solid references and possibly a security certification.
An intermediate-level security analyst position requires a combination of education, certifications, and industry experience. At least 3 years of direct information security experience is required to get this promotion. Crossovers from other industries are also possible but the chances are slim. Military veterans, software engineers, and investigators who performed information security duties can be considered as reliable candidates given they have some related certifications. This position is, and will remain, unattainable for candidates with no work experience and valid credentials. Intermediate-levels have a list of duties that require years of experience and solid industry knowledge.
Senior-level analysts need to accumulate at least 8 years of work experience strictly as a security analyst and there is no way around that with little to no exceptions. To be a successful analyst, a security professional must be detail-oriented and have thorough analytical skills. A good theoretical security knowledge along with an adaptable mindset to work with various real world scenarios will also prove crucially beneficial. This will require years of training and hard work but it is deemed necessary to succeed in such a consequential role.
Here is a list of skills that aspiring security analysts need to master regardless of their entry path to the industry:
- Strong communication skills, both written and verbal
- The ability to explain complex technical concepts to non-technical staff and clients
- Good time management skills to meet strict deadlines
- Multi-tasking and the ability to take-on many projects at the same time
- Awareness of security best practices when it comes to physical, human, hardware, and software security
- Programming skills (for select positions only) and an understanding of databases, front-end and back-end practices
- Creation of security policies and documentation
- A good mastery of identity management, authentication, authorisation, and risk assessment concepts
- Knowledge of industry best practices and frameworks when performing penetration tests and vulnerability assessments, both internally and externally
- A good insight on how to design and deploy security controls such as firewalls, intrusion detection/prevention systems, honeypots, encryption solutions, VPN’s …etc
- A strong theoretical knowledge of access controls and their best implementation practices
There are also several certifications that could demonstrate the applicant’s security skills and make them more desirable by employers. Here is a list of the most in-demand ones:
- CEH: the Certified Ethical Hacker certification is the most sought-after title by HR departments. It is the ‘core’ certification of cyber security and it is tailored to the security analyst position. It is provided by ec-council which continues to set standards in cyber security training and certifications
- Comptia Security+: this popular certification serves as a test for baseline security skills and knowledge and is attractive to beginners who want to get into the industry. It covers the main theoretical topics of cyber security such as security controls, penetration testing, and incident response.
- GSEC: Giac Security Essentials Certification holders can demonstrate both practical and theoretical security defense skills that go beyond terminology and definitions. The test covers everything from access control and endpoint security to IT risk assessments and cryptography.
- ENDP: Elearnsecurity Network Defense Professionals can demonstrate practical network security skills. It can prove that the candidate can practically remediate security issues and harden a network infrastructure to prevent targeted attacks.
- OSCP: this is by far the most practical certification for security analysts. Offensive Security Certified Professionals can demonstrate strong ethical hacking skills because of the hands-onl nature of the test. Applicants need to compromise a series of vulnerable boxes in a twenty four hour time-frame and document the whole process.
Career Development of Security Analysts
Because the role is unusually versatile, a security analyst enjoys many career development opportunities than any other cyber security professional. They can choose to become more or less technical in their future positions given they are qualified.
Some very common future career paths for security analysts might include: penetration tester, senior security analyst, security engineer, security manager, security architect, security consultant, and security operations center analyst. The degree of technicality on these titles depends on the job opening itself and might vary even within the same organization.
Further steps usually require specializing in one the above professions and get promoted to their senior positions. A few examples might include: senior penetration tester, security operations center manager, incident response lead, security program administrator, and lead consultant. The demand for these positions continues to grow and senior opportunities keep on emerging. The top of the ladder positions a security analyst can aim for are security director and chief information security officer.
Compensations and Salaries
Since this is an entry level job, beginner security analysts are expected to earn a salary that is below the average of the security industry. According to indeed.com, entry-level analysts take home a median compensation of $72,934. This is expected to increase substantially after acquiring experience and going up the ranks. The average salary for intermediate-level analysts in the United States can reach $102,518 in major cities such as New York and the San Francisco bay area. Senior security analyst positions can pay up to $160,000 according to the same website.