Security concerns are at the forefront for government agencies, individuals, and businesses of all types and sizes. You’re no doubt familiar with widely publicized incidents such as:
- Cyberattack on retail giant Target, compromising the credit information of customers
- Data breaches that may have involved personal information regarding millions of former armed forces veterans
- Hackers penetrating the networks and databases of school districts, financial institutions, and healthcare providers
- Ongoing investigations into possible tampering with the US election process
There are also an increasing number of cases of ransomware attacks, where businesses or agencies fall victim to the assault of cybercriminals who hold critical systems hostage until financial demands are met.
These incidents not only impact business continuity and consumer confidence, but can result in massive financial loss and penalties, as in a recent court judgement against a Texas cancer center. In this instance, the judge determined the loss of unencrypted data amounted to a HIPAA violation, resulting in a $4.3 million penalty.
A Gartner study found that 70% of small businesses that suffered a significant data loss were out of business within a year. That’s a frightening statistic that spurs even small businesses into action to ensure security and integrity of confidential data.
Prevention is the best solution to data security and loss prevention. Preparation and prompt remediation when incidents do occur are also critical for any business. These are where the services of an information security analyst can become a critical element in business infrastructure.
What Is an Information Security Analyst?
At a high level, information security analysts are charged with:
- Identifying security risks
- Determining appropriate measures to reduce or eliminate risks
- Designing and implementing procedures for responding to real or potential attacks
- Monitoring for compliance and attempted infiltration into databases and network resources
Information security analysts are the guardians of corporate data and infrastructure, and as such must have a comprehensive understanding of the types of data retained within the business, associated regulatory concerns, and the protection of confidential or proprietary information.
What is the Role of Information Security Analysts?
Information security analyst duties have numerous aspects, ranging from understanding the critical nature of data and the technical infrastructure of the business to providing proactive security solutions.
Functions of information security analysts in most businesses include such critical tasks as:
- Identify and install security software for network protection such as firewalls and security certificates
- Perform or manage audits of security procedures for internal employees and IT personnel
- Conduct assessments of vulnerability for data and network resources
- Plan defenses and detailed incident response procedures
- Evaluate infrastructure for potential risks, working with engineers and technical teams
- Conduct tests of security defenses, including penetration tests
- Assist with investigations into real or perceived intrusions
- Participate in the creation and monitoring of security alerts
- React promptly and appropriately when incidents are detected
- Design solutions to prevent future attacks or losses
- Communicate effectively with all business resources and external contacts when incidents are detected, including legal teams and media
- Assist in establishing and adhering to recovery time objectives (RTO) to promote business continuity and reduce impact from security incidents
- Establish policies and procedures that ensure virus protection is updated constantly, commonly used functions such as browsers have current updates, and network devices and servers are up to date with applicable patches to operating systems and firewalls
As the creativity and tools of sophisticated hackers expand, so must the defenses provided by information security analysts. New responsibilities will be a way of life for the profession, requiring continuous training and career growth.
Managing a data breach is a critical role of the information security analyst. Proper handling of communications, restoring critical business functions, and gaining knowledge to prevent recurrence will reduce the impact of incidents to the business.
Many data breaches have been found to result from internal incidents such as employee theft, or the loss or theft of company data on unencrypted devices such as laptop computers or flash drives. Information security analysts need to take such internal vulnerabilities into account and provide solutions to eliminate exposure from inside resources:
- Unauthorized access to confidential information
- Employee education to mitigate exposure from viruses or phishing attempts
- Controls to prevent download and theft of proprietary information
- Prompt removal of permissions to business systems for former employees or contractors no longer engaged
- Access controls – ensure best practices for password values and frequency of changes
Insider threats involving data loss or malicious destruction are more common than many businesses expect. They are often more difficult to detect than outside attacks, and may go on for months – or even years – before being remediated.
Information security analysts assist in developing the training and controls to reduce exposure to such incidents.
Information Security Analyst Skill Requirements
Most businesses looking for security-related professionals are seeking candidates with at least some minimum qualifications:
- Bachelor’s degree in computer science or similar computer-related field of study
- Experience in a technology-based position
Certification is a factor for many potential hiring managers, especially for consulting firms. Many schools now provide certification programs for IT security professionals, with varying focus based on specific areas of interest:
- Security administration
- Legal issues
- Security audits
- Security forensics
Some of the certifications available are:
- CISSP – Certified Information Systems Security Professional
- CISM – Certified Information Security Manager
- CISA – Certified Information Systems Auditor
- OSCP – Offensive Security Certified Professional
Certificates can be pursued and obtained at various levels, and represent to some prospective employers your commitment to training, qualifications, and security. As their names suggest, these specific certificates are focused on varying professional interests.
Future Demand for Information Security Analysts
The U.S. Bureau of Labor Statistics estimates the growth potential in this field at 18-28% over the next 10 years. This is an incredibly positive outlook for the profession, ensuring job security with increased demand and career growth.
Information security requirements are ever-changing due to many factors:
- Ingenuity and persistence of cybercriminals
- Reliance on technology for managing data and global networking
- Legislation and regulatory compliance
Analysts will be in high demand to keep one step ahead of cyberthieves intent on penetrating government or business defenses – just one reason the job spotlight is on information security analyst positions.
Businesses recognizing the incredible importance of security in their network architecture and mission-critical data are today investing in “C” level positions including Chief Information Security Officer (CISO). This position on the company’s board provides a vision of the company’s utilization of technology and the protection of all digital assets and IT resources.
Compliance with all relevant regulatory agencies can also be assured through executive-level participation in security-related decisions.
Where the Jobs Are
Information security analysts are already in high demand for data-driven agencies and businesses. Computer, software, and consulting firms are hotbeds of potential for security professionals, but many mid to large-scale businesses have incorporated security analysts into their IT environments.
Growing demand for analysts is found across many markets and industries:
- Government agencies – Electronic espionage has become a highly publicized element of our technology culture. Legislative bodies, armed forces, and law enforcement agencies are continuously working to improve network defenses and data security.
- eCommerce – With the amazing growth in online retail, consumer-based businesses are charged with making internet shopping fast and easy, while still protecting consumer information and financial data.
- Finance – Certainly, financial institutions such as banks, credit unions, and investment firms are potential victims for cybercriminals. Protecting customer data and financial records from unauthorized access is a prime source of potential openings for qualified information security analysts.
- Healthcare – With US HIPAA regulations come not only strong requirements to protect patient information, but significant financial penalties from any failure to provide such protection.
- New businesses – With the current economy, many entrepreneurs are taking advantage and starting their own businesses. Armed with the visibility of security threats, viruses, and ransomware, these startups are incorporating information security with new business systems. This provides opportunities for information security consulting or getting in on the ground floor for analysts.
- Home security – Even home security systems have recently fallen victim to unscrupulous cybercriminals. As smart homes and even smart appliances become increasingly common, information security analysts can be expected to play a role in closing vulnerability gaps in these technologies.
As quickly as sophisticated businesses such as financial institutions develop comprehensive security solutions, new doors are opened that provide prime targets for criminal elements.
Technology continues to evolve at a record pace, providing job opportunities for individuals skilled in security matters.
Benefits for Information Security Analysts
Information security analysts enjoy a wide range of benefits, not the least of which is an attractive rate of compensation:
- Median salary of $92,600
- Extremely low unemployment rate of 3.2% (some estimates are much lower)
- Increasing demand for security professionals
- Ever-changing, fast-paced position with upward mobility
Candidates knowledgeable in cybersecurity will continue in high demand.
The low unemployment rate for professionals in information security reinforces the importance that businesses place on protecting their technology investment and data from intrusions.
Certainly, this profession can carry along with it a higher-than-average stress level, due to the critical nature of responsibility and high visibility of security risks. Those candidates with a keen interest in technology with a focus on security can nonetheless enjoy a challenging and fulfilling career as an information security analyst.