With cyberattacks proliferating, it's not surprising that organizations of all sizes are spending more on cybersecurity, including both technology and talent. A recent survey by security firm Kaspersky found that, of 600 North American IT staffers interviewed, about 85 percent predict their security budgets will increase by 50 percent over the next year.
With security budgets likely to increase, tech professionals continue to see increasing opportunities for career advancement, whether it's switching jobs, boosting their salary, or moving into a position to advance into management.
It’s also why a career like information security analyst is not only ranked as one of the top positions for tech professionals, but also one of the top jobs in America, according to recent rankings published by U.S. News and World Report. This position currently boasts a median annual salary of $103,500 and a 1.2% unemployment rate.
“The U.S. government, health care organizations, financial systems and other companies are growing more reliant on information security analysts to protect their information systems against hackers and cyberattacks,” the report added. The U.S. Bureau of Labor Statistics also noted future growth within this field, with hiring and employment expected to grow 33 percent between 2020 and 2030.
There is no one set definition for what an information security analyst does, although the BLS noted these technologists typically plan and carry out security measures to protect an organization’s computer networks and systems. This can range from maintaining and securing an organization’s firewalls and network security to analyzing threats to infrastructure.
“Like most other IT fields, information security is changing. As businesses adopt new technologies, information security analysts need to adapt to the evolving operational environment,” said Bruno Hernandez, an application security consultant at security firm nVisium.
“This means that information security professionals need to be tinkerers and early adopters of new technologies to remain relevant. As new technology emerges, information security analysts need to be some of the first to understand how it works, how it can go wrong, how it can be misconfigured, and how it can be abused so that we can understand how to secure it,” he added.
Which Tech Skills Are Needed?
As with many other types of cybersecurity positions, there’s no one set of skills or certifications that guarantees work as an information security analyst.
Or Saya, a cybersecurity architect at CardinalOps, noted that tech professionals with a solid background in IT make ideal candidates. “Background in IT and security such as authentication, operating systems, networks, databases and cloud platforms is fundamental. This includes a natural curiosity for how things work behind the scenes, such as what can the database logs tell you or what does a specific cloud permission let you do?” Saya recently told Dice. “Don't worry if you don't have all of these covered, though: You will have the opportunity—which you should take—to learn on the job.”
Hernandez added that knowing scripting and programming languages also helps, since information security analysts need to understand how the fundamentals of hardware and software work to better calculate the weak points where attackers may attempt to gain a foothold.
“For programming, learning scripting in PowerShell, Bash and Python is a great way to get started. Scripting is necessary to automate repetitive and menial tasks. After getting comfortable with scripting, [learn] a high-level language like Java, C# and C++. This will become useful since you will need to create a more complex program, such as Object Oriented Programming, which you cannot do with scripting,” Hernandez told Dice. “After learning a high-level language, learning C and Assembly will be useful to understand how the computer works down to the CPU and registers level.”
Why Do Communication Skills Matter?
Several analysts and experts noted that potential information security analysts need to have superior communication skills to not only enter the field but also to thrive in it, especially as threats escalate.
“Communication skills are vital for an information security analyst, both written and verbal,” Mike Parkin, a senior technical engineer with Vulcan Cyber, told Dice. “The ability to clearly and concisely explain what’s going on in their space as well as documenting actual and anticipated threats and being able to report on an event post-incident are often overlooked. Being able to communicate with management and team members is vital at every stage.”
Saya agreed that information security analysts need to communicate the severity of threats both up and down the chain of command. This includes the ability to explain what attackers are doing to non-technical but essential members of an organization.
“Communication skills—written and verbal—are essential for this role. Analysts should be able to convey to peers, managers, and stakeholders what evidence they found, what the impact of the breach is, and what should be done to contain and respond,” Saya added. “They typically also take part in defining what needs to be changed so that such incidents don't recur.”
What Certifications Matter for Information Security Analysts?
As with other cybersecurity positions, experts are split on whether job seekers need certifications to prove they have the skills needed for the position. Hernandez noted that, for information security analysts, having either the CompTIA Security+ or Network+ certification can help but isn’t always necessary.
“While certifications are a good way to ‘get past HR,’ they do not directly correlate to knowledge retained. Much more valuable to an employer is someone [who] is displaying curiosity, drive and motivation now because they have a lot of future potential,” Hernandez said.
Kevin Dunne, president of security firm Pathlock, noted that having one of the broad cybersecurity certificates often helps in securing a better salary. In general, he recommends that information security analyst candidates show a mastery of one of three big IaaS services, since so much data (and so many attackers) are moving to the cloud.
“Candidates with experience across multiple cloud environments, network types, server types and SIEM solutions will usually provide the greatest flexibility and potential return on investment,” Dunne told Dice.
“Now more than ever, cloud threats are becoming a growing area of concern for organizations looking to secure their enterprise landscape,” Dunne added. “Understanding the cloud platforms like Amazon Web Services, Microsoft Azure and Google Cloud Platform and how to both detect and remediate threats in those environments are key skills that are in high demand.”