Despite recent concerns that hiring in the U.S. is now in a slowdown due to inflation and a possible recession, cybersecurity job postings are up 30 percent in the third quarter of 2022 compared to the same three-month time period in 2021, according to a recent study from CyberSeek. That’s great news for any cybersecurity analyst (or anyone who wants to know how to become a cybersecurity analyst).
Economic considerations aside, businesses and government organizations remain eager to hire talented cybersecurity professionals; the same study finds some 770,000 open cyber positions in the U.S. alone. For tech pros looking to get a start in the still-hot cyber market or make a career jump, the role of cybersecurity analyst offers numerous possibilities for those with the right skills and the ability to learn.
What do cybersecurity analysts do?
Cybersecurity analyst remains one of the essential positions within a security organization. They have numerous duties, including monitoring networks for security breaches and investigating when one occurs; using and maintaining technologies such as firewalls and data encryption programs to safeguard essential data; and checking for vulnerabilities within the infrastructure, according to the Bureau of Labor Statistics.
“Information security analysts must stay up to date on IT security and on the latest methods attackers are using to infiltrate computer systems,” according to the BLS listing, which also refers to the position as an information security analyst. “Analysts need to research new security technology to decide what will most effectively protect their organization.”
How much are cybersecurity analysts paid?
The CyberSeek data lists cybersecurity analyst as a mid-level cybersecurity position with room for advancement into more senior-level positions. The same data lists about 33,000 open jobs for cybersecurity analysts, with an average salary of $107,500.
For those who want to break into the cybersecurity field with a few years of relevant tech experience, or those seasoned technology professionals looking for a fresh career path, industry observers note that the cybersecurity analyst position will remain in demand for some time.
“There is no better time to become a cybersecurity analyst than right now. Cybersecurity teams are short of talent and require all sorts of skills and experience,” said Claude Mandy, chief evangelist for data security at security firm Symmetry Systems. “These skill shortages are particularly noticeable in newer and emerging fields like cloud security, data security and application.”
What skills does it take to become a cybersecurity analyst?
To become a cybersecurity analyst, whether you’re starting straight from school or have some tech experience, you need to have some proficiency with the underlying technology, experts noted.
“Many mid-career cybersecurity professionals did time as network administrators or system administrators. It gives you the perspective of ‘how’ something works so you can harden a system or network or take other measures to make sure it continues to do what it needs to do but still be protected from tampering,” John Bambenek, principal threat hunter at security firm Netenrich, told Dice.
For those with less experience in tech or security, Bambenek added, those applying for cybersecurity analyst positions need to demonstrate problem-solving abilities: “For young professionals, my interviewing often may include technical exercises to demonstrate they can solve problems versus talking about them, so the practical exercises associated with [CompTIA Security+ certification] or entry-level exams that are often included in the large books can be quite helpful.”
Do I need certifications to become a cybersecurity analyst?
Certifications that can also bolster a cybersecurity analyst career include (among others):
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Privacy Professional (CIPP)
- SANS/GIAC Certification
- CompTIA Security+
- Certified Information Security Manager (CISM)
- GIAC Certified Incident Handler (GCIH)
- GIAC Security Essentials Certification
You don’t necessarily need certifications to land a cybersecurity analyst job, although many job postings list key ones as requirements. Given the demand for cybersecurity analysts, having the right mix of experience and skills is often enough to land a job (provided you can get past the technical questions during the interview). For those who need additional experience, Mandy told Dice he sees three ways for candidates to get started on the road to a cybersecurity analyst position:
- Start educating yourself: Candidates don’t need a university degree… but do need to show that they can learn.
- Start getting experience: Candidates don’t need to have had a job in security, but they can show experience in securing software.
- Start applying for roles and meeting future employers: Candidates might land a job through a formal application, but more often than not, they might get their next role from a meetup where they showed interest.
There are alternative ways to get started in cybersecurity, and these opportunities can be used as stepping stones to work toward a cybersecurity analyst position.
“There are several different ways to get started in cybersecurity, such as starting as a full-time employee at a company looking to fill a specific need on their security team, or even a consulting firm where they assess and help other companies improve their security posture, usually shadowing a more senior consultant who mentors the junior consultant on cybersecurity controls and technical writing of the reports,” John Hellickson, Field CISO at consulting firm Coalfire, told Dice.
What other skills do cybersecurity analysts need?
For those who are ready to make an effort to become a cybersecurity analyst, the interview process is critical. This is also an opportunity to demonstrate a soft skill that remains an important component of cybersecurity: the ability to communicate.
“Standing out during an interview can be tricky. Oftentimes you have a limited amount of time to demonstrate your skills and experience, and as such your resume should be detailed, clear and provide a list of any qualifications you have,” Chris Mason, vice president of intelligence analysis at Intel 471, told Dice. “Industry-recognized qualifications from organizations such as SANS or EC-Council are always a bonus, but your experience in the [cybersecurity analyst] field will hold a lot of weight. The interview is an opportunity for you to demonstrate your communication skills and how well you can articulate a problem and operate under pressure. Preparation is key and rehearsal interviews are a great way to reduce the nerves.”
The reason why communication remains key to the position is that cybersecurity analysts write front-line reports that help improve their organization’s overall security posture and/or ensure that an attack is stopped. The writing needs to be clear in a way that helps other stakeholders throughout the organization understand what’s going on, even if they don’t have a cybersecurity background.
“Having a good eye for detail and being able to easily spot patterns in large pools of data will take you a long way. Being able to join the dots between disparate pieces of information and drawing out the second and third order of effect—or the ‘so what’—is a key skill for any cyber analyst,” Mason added.
Bud Broomhead, CEO of security firm Viakoo, noted that cybersecurity analysts need to continue to learn even on the job, especially as threats evolve. “With new attack vectors designed to thwart current security measures being introduced every day, focus on where attackers are headed. This means internet of things and operational technology security, open-source software vulnerabilities and multifactor authentication methods,” Broomhead told Dice.
Cybersecurity analysts also must remember that they have been hired to manage risk. “The key thing here is to have the desire to learn and help the business find ways to ‘getting to yes’ in driving positive business outcomes while managing risk,” Hellickson said.