How to Become an Information Assurance or Cyber Security Specialist

Information security (InfoSec), also known as cyber security or information assurance, is the field of information technology dealing with the protection of information — keeping it from being stolen, exposed, modified, or destroyed. InfoSec workers build security into networks, applications and data storage. They test existing information systems for vulnerabilities so these systems can be fixed. They respond to information security-related incidents and determine how and when an attack occurred and if it was successful. They also perform complex system forensics to provide evidence for ongoing investigations.

The importance of InfoSec workers continues to increase over time. Every successful attack against a private or public information system results in an embarrassing, and sometimes massively expensive, outcome for businesses and governments alike. The protection of information assets has become a top priority, requiring experts in a number of different InfoSec job roles.

What Does an Information Security Analyst Do?

An Information Security Analyst is responsible for designing the security features for a new network or for the refit of an existing network. Security analysts create the plans for a security infrastructure, which is then built and implemented by network engineers and other security-related personnel. In smaller organizations, the IS Architect may also be the one to build the network security systems.

Here are the core competencies of the Information Security Architect job role:

• Create a security infrastructure capable of expansion as information systems grow
• Check that information security designs comply with relevant industry compliance or country-specific regulations
• Be constantly learning about new developments in hardware and software security products
• Collaborate with network engineers and others to ensure proper implementation of the security design
• Review and adapt previous information security systems to improve them and keep them modern

Security architects can be found anywhere networks and information systems exist. Small businesses, corporations and all levels of government require IS architects to design the security infrastructure for their systems. This requires IS architects to be excellent communicators, as they must collaborate with executives, managers, IT personnel and other security experts in order to create a security design that takes business requirements into consideration.

What Education Do You Need to be an Information Security Analyst?

The starting point for many candidates looking to enter the InfoSec field as an information security analyst is a bachelor’s degree in computer science or computer engineering. Both of these degree programs will often give students the ability to specialize in information security.

Alternatively, a growing number of schools are offering bachelor’s degree programs specifically dedicated to InfoSec. These bachelor’s degrees can exist in one of several different identities. Here are some examples:

• Information Security and Risk Analysis
• Cyber Security
• Information Assurance
• Information Technology Security
• Information Systems Security

A bachelor’s degree program typically takes four years of full-time study at a university or college to complete. Most candidates will find that a bachelor’s degree is the minimum education required to enter the InfoSec field as an information security analyst.

Here are some examples of course subjects commonly found in information security analyst-related degree programs:

• Network systems and components
• Security planning and design
• Privacy requirements
• International security standards
• Department of Homeland Security standards
• Information security and business strategy
• Managing security policies

What training do you need to be an Information Security Analyst?

Cyber security is constantly changing and evolving as new technologies find their way into the enterprise. This requires analysts to regularly update their knowledge, in order to keep current with industry developments.

This constant learning can be accomplished using a combination of sources. Hardware and software vendors often hold conventions, seminars, webinars and online courses based on their latest products. These types of events are also held by industry associations dedicated to information security. Some of these groups are:

• Computer Emergency Response Team (CERT)
• Information Systems Audit and Control Association (ISACA)
• System Administration, Networking, and Security Institute (SANS)
• International Information Systems Security Certification Consortium (ISC)²
• Cloud Security Alliance (CSA)

What is the Job Outlook for Information Security Analysts?

Data has become the lifeblood of corporate vitality, and any reversal of cyber fortune can impugn the company reputation, or destroy company resources. Consequently, there is a high demand for technically schooled and certified security analysts:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What’s a typical information security analyst salary?

The BLS groups information security analysts with Web developers and computer network architects. Here are the median salary numbers for that category of IT professionals:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What Does a Network Security Specialists and Administrators Do?

Network security specialists/administrators implement and maintain the security for networks. This job role requires excellent knowledge of network security hardware (e.g., firewalls, routers, proxy servers) and the security features built into networking software platforms such as Microsoft Windows Server and Linux/UNIX. Network security admins will often have a number of junior technicians assisting with the ongoing maintenance and revisions to the network security infrastructure.

Here are the core competencies of network security specialists and admins:

• Implement a new security design into an existing network, or build it into a new network
• Administrate the day-to-day operation of the network security system
• Troubleshoot issues with security hardware devices and software tools
• Oversee the activities of security and network analysts and technicians
• Coordinate the response to a security threat or network breach

Network security admins in smaller organizations may also fulfill the job role of network administrator. Generally speaking, the larger the organization, the more likely it is that certain specialties will be split into unique job roles. Security admins are usually called upon to work unconventional hours, and are sometimes required to be reachable 24/7 in the event of an emergency.

What Education Do You Need to be a Network Security Specialist?

The network security specialist career path is essentially the same as that for network engineers, with a higher emphasis on security education. Candidates looking to get into this field should consider earning a bachelor’s degree in computer science, information technology, network engineering, or computer information systems. A bachelor’s degree program generally takes four years of full-time attendance at a college or university.

The following is a list of courses typically found in a network security engineer degree program:

• TCP/IP networking
• Network protocols and monitoring tools
• Network administration (LANs, WANs, SANs)
• Security management for Microsoft Windows networks
• Security management for Unix/Linux networks
• Securing virtual private networks (VPNs)
• Wireless networking security
• Security incident reporting
• Cloud computing security

What Training Do You Need to be a Network Security Specialist?

Network security specialists need to constantly update their knowledge and skills, so they can work with new technology and protect networks from new hacking techniques and tools. Some of this training is available directly from networking product vendors. The majority of these companies offer online courseware, instructor-led classroom training, webinars, self-paced learning materials and product information events.

Security specialists can also augment their knowledge by participating in local and online peer communities. These groups exist at many colleges and universities, and are readily found on the Internet.

What is the job outlook for network security specialists?

According to the BLS, the career super sector that contains network security specialists is projected to grow:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What sort of salary can a network security specialist expect?

The industry in which a network security specialist is employed can also influence salary expectations. The BLS counts network security specialists among network and computer systems administrators:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What Does an Application Security Engineer Do?

An application security engineer typically has two primary responsibilities. First, they are responsible for reviewing and evaluating every software application used in an organization to ensure that these programs do not pose a threat to existing information systems. AppSec engineers also work with software development teams, reviewing source code and application interfaces to identify any possible security issues with new products and revisions to existing ones.

Here are the core competencies of the application security engineer job role:

• Review and analyze software for possible security threats
• Coordinate and manage software test scenarios in safely isolated environments (sandboxes)
• Collaborate with security analysts and other specialists if an application-based security incident occurs
• Keep current with new software-based exploits that affect common applications like Microsoft Office

AppSec engineers are commonly found in software development companies, where they work alongside testers and quality assurance personnel. Some organizations prefer to contract AppSec engineers as needed, rather than having a full-time position dedicated to this job role.

What Education Do You Need to be an Application Security Specialists?

At their core, application security specialists are software engineers with a specialty in assessing code for security issues. With this in mind, it’s not surprising that the education requirements for both careers are similar. Candidates should look at attending a four-year bachelor’s degree program at an accredited university or college. Applicable degrees will have one of the following majors, or one similar:

• Software Engineering
• Software Development
• Computer Science
• Computer Information Systems
• Information Systems Security

What Training Do You Need to be an Application Security Engineer?

Much like software engineers, application security engineers need to be fully skilled with one or more programming languages. Some of the more common languages found in the industry are:

• Java
• Python
• C++
• Ruby
• JavaScript
• Swift
• C#
• PHP
• SQL

Security engineers must also be familiar with the solution development kits (SDKs) used to create applications. Microsoft Visual Studio and Apple’s iOS SDK for mobile apps are two such platforms.

What is the Job Outlook for Application Security Engineers?

Currently, the BLS doesn’t document specific data for the application security engineer role, but here is its most recent projected outlook for the larger category of IT security analysts:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

Application Security Engineer Salary

Here are the most recent BLS numbers for average median salary within the IT security analyst category:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What Does a Penetration Tester or Ethical Hacker Do?

Penetration testers and ethical hackers perform much the same function: they attempt to attack and/or break into a network or other information system in order to discover vulnerabilities so they can be fixed. These professionals do more than just scan a network for possible entry points; they actually break in just as an actual cyber criminal would in order to prove the system is vulnerable. They will test ecommerce sites for exploits, and attempt to bring down corporate or government websites with denial of service attacks and other techniques.

Here are the core competencies of the Penetration Tester / Ethical Hacker job role:

• Know the full hacker toolkit, including all forms of attack and related tools
• Keep current with new techniques and exploits as they emerge in the wild
• Report findings to security/network engineers, and collaborate on solutions
• Honor non-disclosure agreements and maintain confidentiality with client information

Penetration testers and Ethical hackers are often found working as private consultants, or as members of a specialized contract-based service provider. That said, more organizations are choosing to have these experts on their staffs on a full-time basis.

What Education Do You Need to be a Penetration Tester / Ethical Hacker?

Unlike many of the cyber security career paths, there is no well-defined education plan to become a Penetration Tester / Ethical Hacker. People in this job role come from all over the computing industry. The PT/EH profession is often based on a “show me what you’ve got” challenge from potential employers — they will almost always want to see candidates demonstrate their skills before being hired.

That said, employers still value post-secondary education when it appears on a resume. A bachelor’s degree or associate degree in computer science, network engineering, cyber security, or another related field is a good selling point for any candidate.

What Training Do You Need to be a Penetration Tester / Ethical Hacker?

While the PT/EH job role is less conventional than other roles in the InfoSec industry, the requirement to constantly update and upgrade information security knowledge and skills is very much present. There are several training and certification programs available for PT/EHs. Here are some of the organizations associated with this type of training:

• International Council of Electronic Commerce Consultants (EC-Council)
• Global Information Assurance Certification (GIAC)
• System Administration, Networking, and Security Institute (SANS)
• Information Assurance Certification Review Board (IACRB)

What is the Job Outlook for Penetration Testers and Ethical Hackers?

The job outlook for penetration testers and ethical hackers, categorized under IT security analysts by the BLS, is as follows:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

Penetration Tester and Ethical Hacker Salary

These are the latest median annual salary numbers published by the BLS:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What Does a Computer Forensics Expert Do?

Computer forensics experts, also known as cybercrime investigators, are masters of retrieving evidence from computer hardware and software, networking equipment, and other electronic devices. This job role has received a lot of attention due to its portrayal in crime procedural movies and television shows. Computer forensics experts use specialized equipment and software applications to find data that criminals have tried to destroy or cover up. They must follow strict procedural routines in order to make their findings legally admissible during criminal trials.

Here are the core competencies of the computer forensics expert job role:

• Discover and collect electronic evidence without altering the original source
• Provide clear and precise evidence reports for use in courtroom trials
• Be an expert at data encryption/decryption
• Know how to find and collect data from damaged or corrupted sources
• Maintain a high-level of professional integrity and character

Computer forensics experts are commonly found in law enforcement, armed forces and other governmental departments and organizations. They also work for law firms, private investigation companies, and large corporations that are forced to deal with repeat incidents of intellectual property theft, fraud, industrial espionage and inappropriate employee conduct.

What Education Do You Need to be a Computer Forensics Expert?

Computer forensics experts are high-level, multi-disciplinary technology professionals who are well-versed in investigation procedures, cybercrime law, evidence analysis and findings reporting. They are often called upon to instruct law enforcement personnel on how to properly collect and transport computer-based evidence from crime scenes.

The preferred education requirement is a bachelor’s or master’s degree in computer Science, information technology, or computer engineering. A bachelor’s degree program typically takes four years of full-time attendance at college or university. Graduates can choose to advance to a Master’s degree program, which usually takes three years of full-time attendance.

Here are some typical courses associated with this career:

• Cryptography
• Steganography (data concealment)
• Data structures and algorithms
• Hardware interfaces
• Digital forensics systems
• Computer security architecture and design
• Cybercrime law
• Criminal investigations
• Legal evidence procedures

What Training Do You need to be a Computer Forensics Expert?

Computer forensics experts must keep current with new computer hardware and operating systems as they are released. This can involve attending vendor training events, watching webinar presentations, or taking courses through licensed schools, either via traditional classroom environments, or virtually through online training. Organizations will often provide appropriate training as part of the forensics expert’s employment. If not, this training is available from numerous sources.

Here are the latest job growth numbers for computer forensics experts, according to the BLS:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

Computer Forensic Expert Salary

The graphic below illustrates the BLS’ most recent numbers of median annual salary in the IT security analyst field:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

What Does a Data Security Analyst Do?

Data security analysts are the front line soldiers in the battle with hackers and other malicious users. These professionals are coordinated and directed by senior security personnel to respond to information security-related incidents. Security analysts are able to replace networking equipment, lock down discovered vulnerabilities, and revoke access to networks or specified resources/systems for unauthorized employees. This job role is a common starting point for someone entering the InfoSec industry.

Here are the core competencies of the data security analyst job role:

• Be able to swap out common networking hardware components
• Know how to revise/implement security policies on network operating systems
• Recognize the most commonly used hacker attacks, and how to respond to them
• Create clear and concise incident reports on security alert responses

Security analysts are found anywhere information security is a priority — which is pretty much everywhere these days. There are security analyst jobs throughout the entire public service and private sector, which makes it a popular point of entry into the InfoSec workforce.

What Education Do You Need to be a Data Security Analyst?

Data security analysts are commonly organized into tiers in an organization, from junior to senior ranks. Senior analyst positions usually need to be earned through experience rather than education. Employers typically want junior security analysts to meet one of the following education requirements:

• Bachelor’s degree in information technology or related field
• Associate degree in information technology or related field
• Computing technology diploma from a post-secondary institution or technical school

Candidates who hold one or more industry certifications related to networking and/or information security may receive extra consideration by potential employers.

What Training Do You Need to be a Data Security Analyst?

The key skills for prospective data security analysts are troubleshooting and problem solving. Employers will look at a candidate’s education and work experience for evidence of these skills, even from previous jobs outside of IT that required analytical thinking. Security analysts should have knowledge of networking fundamentals, as well as cyber security tools and procedures. Analysts also need to have strong communication skills (both verbal and written), as they must be able to discuss issues with other analysts and create clearly written incident reports.

What is the Job Outlook for Data Security Analysts?

As with all of the specialties falling under the information assurance and cyber security mantle, data security analysts are categorized by the BLS under its IT security analysts category:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

Data Security Analyst Salary

Here are the most recent median annual salary figures for IT security analyst roles:

2019 Occupational Employment Statistics and 2018-28 Employment Projections, Bureau of Labor Statistics, BLS.gov.

Cyber Security Certifications

IT security professionals looking to add credentials to their resume should consider earning one or more IT security certifications. There are a number of security certifications available from a wide variety of vendors and industry associations, including the following:

• Microsoft
• Cisco
• ISC²
• CompTIA
• Global Information Assurance Certification (GIAC)
• Shared Assessments

Sources
“15-1152.00 – Computer Network Support Specialists,” O*NET OnLine, 2015, https://www.onetonline.org/link/summary/15-1152.00
“15-112.00 – Information Security Analysts,” O*NET OnLine, 2015, https://www.onetonline.org/link/summary/15-1122.00
Committee on National Security Systems, 2013, https://www.cnss.gov/CNSS/index.cfm
“Network and Computer Systems Administrators,” U.S. Bureau of Labor Statistics, Occupational Outlook Handbook, 2014, http://www.bls.gov/ooh/computer-and-information-technology/network-and-computer-systems-administrators.htm
“Information Security Analysts,” U.S. Bureau of Labor Statistics, Occupational Outlook Handbook, 2014, http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
United States Computer Emergency Readiness Team, 2015, https://www.us-cert.gov/
“Global Information Security Survey 2015: Key Findings by Region,” PricewaterhouseCoopers, 2015, http://www.pwc.com/gx/en/consulting-services/information-security-survey/territory-focus.jhtml