The U.S. Department of Labor expects employment of “Information Security Analysts” to grow by 37 percent from 2012 to 2022, or more than twice the rate of all “computer occupations,” which are themselves expected to grow 60 percent more than “all occupations.” In other words, if you are an information security analyst or studying to be one, then you are looking at rapidly growing demand for your services. Your future is likely to be very bright.
But in the global economy, your income is always someone else’s cost. And that means if you are looking to hire an information security analyst, you’re going to be competing with a lot of other organizations to hire these folks. You have probably already felt the effects: the jobs you can’t fill, the bidding wars that seem to start whenever you find a candidate with security certifications, and the need to constantly market your organization to prospective information security analysts.
According to the 2015 (ISC)2® Global Information Workforce Study, a survey of over 14,000 security professionals worldwide, respondents reported the most pressing need for security professionals is in the role of security analyst. Nearly half of respondents (46 percent) cited that role as being their top need. The report defined the job as “[One] who conducts the integration and testing, operation, and maintenance of systems security. In addition, a security analyst possesses significant higher order skills and has a deep understanding of all business systems, knowing what information an organization cannot afford to lose. They are proficient in cyber threat analysis and in identifying and assessing the capabilities and activities of cyber criminals or foreign intelligence entities. They may also analyze threat information from multiple sources and disciplines, synthesizing it and placing it into context while drawing insights about the possible implications, according to the NICE Cybersecurity Workforce Framework.”
Security analysts, in other words, must have a well-rounded understanding of the tools, processes, and strategies employed when protecting an information system. They need to know the business as well as they understand IT, and they need to be able to predict security breaches. This may not sound like the traditional IT professional you are used to hiring, but it is what you need to thrive in a hacker’s world.
Security analysts are like any other business resource, in that you can either buy them or build them. Good luck buying them. They are rare, and they are well paid. According to the Bureau of Labor Statistics, they command a 13 percent salary premium over “other computer occupations.” And for industries in which security is even more critical, such as finance and insurance, the median salary for security analysts is even higher than that.
And so, organizations are left to develop these individuals internally. With such a varied skillset, this may seem like a daunting task, but rest assured there are ways to make this happen. While not all businesses have a dedicated security team on staff, most have an individual or individuals serving in the IT function. These employees understand IT as well as how it relates to the overall business. The skills they are lacking are in cybersecurity.
This is where training and certification come into the picture. Individuals within IT have displayed the technical proficiency needed to serve in the security analyst job role, and there are a number of training programs that can help facilitate the move to security. The question then becomes: which one?
It is important that security analysts possess skills that can benefit their organizations before, during and after a cyber-attack. With this in mind, it’s critically important that their training takes a holistic approach to network security. Many training programs place a very narrow focus on particular aspects of securing an information system. This could be penetration testing, or incident response, for example. These specialized programs are of benefit to large organizations or individuals looking to fill a particular job role, but for organizations looking to build a team of security analysts, something more inclusive of all security practices is needed.
After all, a security analyst is asked to wear many hats. Which one often depends on industry, organizational size, and a number of other factors. At any given time a security analyst may be asked to aid in a number of tasks, which could include:
- Assessing the organization’s security risk and posture
- Analyzing threats
- Designing secure environments
- Collecting real-time security intelligence
- Responding to and investigating incidents
- Auditing to ensure a secure environment
With the need for a broad skillset in mind, the training and certification programs available to organizations become somewhat limited. Once trained and certified, security analysts will be ready to serve their employers’ overall security needs, helping to prevent attacks and to limit the damage when they do occur. In a world where everyone is a target, organizations cannot afford to overlook this important role.
ABOUT THE AUTHOR
Bill Rosenthal is currently the CEO of both Communispond and Logical Operations. Communispond offers business communication skills to individuals. Bill oversees the company’s marketing, sales, content development and course delivery. Logical Operations, which Bill co-founded, is a business training program that has been in existence for more than 30 years. Bill was also CEO of Digi-Block, a publisher of K-12 mathematics curriculum, a company which was eventually acquired by Logical Operations. Prior to his employment with Communispond, Bill was President of Kaplan College, the online college which he helped develop and launch. His experience also included being the President of Ziff-Davis Education. Bill has a bachelor’s degree in psychology from the University of Rochester.