Security business analysts have a range of career options that require varying levels of responsibility, technical knowledge, and leadership skills. The chart below compiles some of the most common information security positions along with a brief description of job responsibilities and a summary of average pay rates.
|Job Title|Description|Average Salary|
|---|---|---|
|Information Security Analyst|Security business analysts focus on security strategies, rather than hardware. They develop security practices and policies for organizations, ensuring that company operations are conducted in the most secure manner possible. Analysts also coordinate security tools and identify network vulnerabilities, ensuring that security threats are adequately prioritized and remedied.|$70,126|
|Information Security Engineer|Security engineers function similarly to analysts, but they take a more active role in building network security systems. Engineers are responsible for developing and evaluating security protocols, configuring network security measures, upgrading network hardware, and responding to active security threats.|$91,524|
|Security Architect, IT|Security architects typically assume a managerial role in the development of network security systems, and they may serve as project leaders in the creation of an organization’s overall security platform. They frequently delegate tasks to other security team members and integrate different pieces of security architecture into a comprehensive security structure.|$119,941|
|Director of IT Security|Often serving as upper level managers or department heads, IT security directors are typically responsible for coordinating and directing security procedures. They oversee the development of security systems rather than design them. These managers may also be responsible for hiring employees and dictating general IT security practices for the company.|$129,269|
Potential Industries for Information Security Analysts
Information security is important to any business or organization that keeps digital records or operates online, and security analysts can find employment in a variety of industries. This table compiles some of the most common fields in which security professionals find work.
|Industry|Description|
|---|---|
|Healthcare|Employed at hospitals, insurance companies, and other healthcare organizations, these security professionals typically focus on securing patient data. In addition to IT practices, they may also need to be familiar with standards of patient confidentiality and health regulations.|
|Government Agencies|Security analysts may find work with any number of government organizations, safeguarding agency and employee data. Others may be employed with the Department of Homeland Security, securing the national computer infrastructure against cyberattacks.|
|E-Commerce|E-commerce security analysts provide protection for online retailers and other virtual businesses. Since these companies often store customer credit card information, they may be targeted by cyberattacks frequently.|
|Financial Markets|IT security professionals employed in the finance industry work to safeguard company and client financial data. Given the nature of the information handled in this industry, these duties are particularly important and may be higher paying.|
Chris Jordan, CEO at Fluency
What advice would you give to someone looking to begin their career in information security analytics?
First, get involved. If you want to have a career in security, then find a way to truly be interested in it. There are a number of both professional and casual events. Each year there is Black Hat-DEF CON (Las Vegas), CanSecWest (Vancouver) and DerbyCon (Louisville). There are also countless BSides conferences throughout the country. Just searching the local Meetups will provide a list. Cutting-edge security is learned by being involved and communicating.
Next, find what you want to do in cybersecurity. Though you might want to take the first job that comes your way, you need to figure out what part of security you want as your career. Saying you want to do security is like saying you want to work in computers. Figure out if you want to be an analyst, ethical hacker, certifier or network security engineer.
Once you know what you want to do, start lining up formal classes, certificate sessions and informal training. Though CISSP is a common requirement for most jobs, it will not separate you from other candidates. You need to show additional focus, such as ethical hacker and capture-the-flag experience, to make you stand out.
It's also important to remove what you do not want to do. When I graduated, I put my English minor on resumes. With a computer science degree, every employer wanted me to write documentation. When I started looking for my second job, I removed my English minor and removed all the documentation work I did, focusing on the software testing and coding. That was the last documentation job I had. When you first start working we look for things to add to your resume, but as one matures we make our resumes focused on what we want to do and what showcases who we are.
What inspired you to get your master’s in computer science?
I liked War Games, and that was the simple reason why I chose computer science. When I started graduate school, gopher was more popular than HTML, people used "talk" to chat, and "sendmail" was cutting edge. Code writing was focused on algorithms and structure. Hacking was more about talking to others and finding new operating features. To get on the internet from most campus computers, you could do a manual command and then at the colon prompt request a shell.
I was not fortunate enough to go straight to graduate school after finishing my undergraduate. I worked full time and started taking night classes. When I first started in computer security, there were no degrees in security. A master’s degree was actually required by some organizations in order to do what is called penetration testing today.
To me, a computer science master’s was the key to getting a job that was more creative and interesting. While most of the coders I knew had jobs coding database interfaces, I was able to get jobs that involved network design and red teaming. A master’s degree kept me in more cutting-edge jobs.
Why is information security such an important topic in our modern society?
We have progressed from the industrial age to the information age, and now to the autonomous age. Security has changed from protecting data to protecting devices. It’s obvious that everything from cars to internal medical devices requires security.
As an information society, being able to control information is a foundational need. In the industrial day, the control of actions was performed by people using machines. Securing industry was about physical security and trusting people. But in the autonomous age, the internet-of-things, people manage decisions. Systems implement action without people. This is how companies and governments can scale.
Information security is about how to control these scaled devices. While we used to worry about controlling secrets, we now must maintain a greater control on who controls devices.
Why is information security an exciting and/or lucrative industry to join right now?
The security industry talks about a shortage of people, mostly security analysts. It’s a good fit for a career, as security analysts are normally entry to mid-level positions. The key to making it both interesting and lucrative is to change to a more technical position in other related security activities. It would be a mistake to think about moving up the chain in an operations center. There are already a high number of managers that have moved laterally from an organization’s IT department.
I think there is more to security than just a good job. Security is a rare job based on competition. One side is trying to enforce security, while another is actively trying to defeat it. Both sides are extremely well funded, and this makes for incredible jumps in technology.
However, security is not just about security. Every new technology feature changes how security works. While iPhones are now implementing augmented reality, there is going to be a need on how to secure it. Security is always being dragged into every technological advancement.
In your opinion, will this industry grow as time goes on? Will there be a higher demand for security analysts?
Security analysts as we know them today will disappear in the next 10 years. Automated processes that perform validation can scale while hiring more people cannot. There is too much business in solving this scalability problem. This is always the issue with information technology and technology jobs, that everything you learn the first year in college is outdated by the time you graduate.
But security is like math. Each succeeding generation of technology is better understood by knowing the previous technology. The fundamentals of security have not changed. Knowing the fundamentals and learning how to apply them to a problem is timeless. This is why higher education is desired by employers. We know that the technology changes, but the processes to understand and resolve problems are the true skill that advanced education provides.
While there are many paths to enter the information security field, almost all of them include a degree from an accredited college. Most security jobs require the combination of education and hands-on experience that only comes from a comprehensive information security program, and this is typically the only way to advance in the industry.
What Degree is Needed to Become an Information Security Analyst?
The typical education requirement for an information security position is a bachelor’s degree in computer science, programming, or another relevant IT field. While an associate degree may lead to some career opportunities, a bachelor’s is typically the minimum requirement for most IT careers. A bachelor's degree also prepares students for career advancement. A computer science degree is appropriate for the field, particularly if it includes coursework in information security. Some colleges also offer dedicated degrees in information security, which can lead to greater opportunities in the field.
Upper-level positions may require you to hold a master’s degree in computer science or a related field, such as an MBA in information systems. These two-year degrees offer a deeper understanding of the field and more specialized knowledge. Graduates are prepared for leadership positions in cyber security. Most master’s degrees also include a significant internship or practicum component, which builds professional experience and makes you more desirable to employers.
Internships for Information Security Analysts
A professional internship is often part of the curriculum for an information security degree, at the undergraduate and graduate level. Internships typically take place in a professional environment, such as a business or government agency. They provide students the opportunity to gain hands-on experience and apply knowledge outside of the classroom. Internships typically occupy a set number of hours per week and fit your class schedule.
Many schools include optional or mandatory internships within their information security curriculum, though you can also pursue internship opportunities independently. These opportunities are typically more about building professional experience than bringing home a paycheck, but some of the more prestigious internships are paid. In many cases, internships translate into college credit, but even when they don’t, these experiences offer opportunities to network and make professional connections.
Information Security Certifications
Recognized worldwide, the CompTIA Security+ certification covers topics such as compliance and operation security, identity management, and host security. The 90-minute, multiple-choice certification exam is recommended for IT professionals with at least two years of security experience.
Certified Ethical Hacker
The CEH certification teaches you to recognize weaknesses and vulnerabilities in network systems the same way that a hacker would, but from a professional security perspective. This four-hour exam requires at least two years of security experience, but you can bypass this requirement by attending an official training session.
Certified Information Systems Security Professional
One of the most recognized professional standards in the IT industry, the CISSP certification focuses on eight domains, including security and risk management, security operations, and identity and access management. To sit for the exam, you need at least five years of professional security experience in at least two of the eight domain areas.