What Is an Information Security Analyst? What Do They Do?
Though the title “information security analyst” — or the often synonymous cybersecurity analyst — might not sound impressive, they’re often the stalwart people working behind the scenes keeping companies, their clients and their data safe.
“My friends always joke and call me Peter Parker; you know, just a normal guy by day, computer guy by night,” said David Pickett, senior cybersecurity analyst at Zix.
The role of an information security analyst can vary wildly depending on the industry they serve and the specific needs of the organization. Despite this, it usually includes threat hunting, systems and network maintenance, and working with both technical and business teams to ensure compliance to relevant standards.
“It’s a jack of all trades,” Pickett said of the role of information security analyst, under which his title falls. “You can go anywhere from, say, an ethical hacker who tests vulnerabilities in a company system, all the way over to incident response, or forensic analyst.”
What Is an Information Security Analyst?
What’s in a Name? Information vs. Cybersecurity Analyst
Given the variety of needs that exist in this space, the role behaves as much as a field or type of role as it does a finite title. Someone holding the title of information security analyst in the financial industry might look — and be called something — different from an information security analyst in the healthcare industry, for instance.
To add to the potential confusion, the terms “information security analyst” and “cybersecurity analyst” are frequently used interchangeably. When not used synonymously, “cybersecurity analyst” is treated as a subset of, or specialized title under, the overall umbrella of information security analyst. Basically, all cybersecurity analysts are information security analysts, but not all information security analysts are cybersecurity analysts.
“It’s like the difference between a comedy and a romantic comedy, or a horror [and] a drama horror.”
“It’s like the difference between a comedy and a romantic comedy, or a horror [and] a drama horror,” said Rehan Tariq, security analyst at Simeio. He described his own role, which focuses mostly on identity and access management, as an information security position. Differences in titles often come down to what a company needs. “Whatever best suits their business,” he said.
Pickett pointed out that, while the industry does tend to use the terms interchangeably, he’s noticed the two titles are starting to diverge and become more targeted, particularly as universities are starting to offer specific degrees. In his experience “cybersecurity analyst” more often refers to those who focus on the external or online, while “information security analyst” more often deals with internal concerns.
“As the field has matured, I’ve seen those roles start to spread apart a little bit more and job titles are becoming more and more specific over time and geared towards certain things,” Pickett said.
No Day Is Typical When You’re an Information Security Analyst
With so much variety, there is no normal for information security analysts. For Tariq, most days involve meetings — a lot of meetings — around making sure security projects are moving forward.
“As the analyst, our job is business and the technical; we are the mitigators in between,” he said. “We are expected to have — I’m not going to say in-depth knowledge — but to know how everything is happening and we are responsible for making sure whatever roadblocks we have are mitigated or at least brought to others’ attention.”
A good day for Tariq is one where he communicates effectively to both teams and makes sure everyone understands how a project is moving forward and why. “Easier said than done,” he added.
Meetings with different teams also figure heavily in the life of Matt Bennett, a regional cybersecurity analyst at Fugro.
“An average day for me sees me working with teams all over the world,” Bennett said. “I work predominantly with the Asia-Pacific team, but I also work with the energy team or service line out of Houston.”
A large part of what he does is make sure Fugro meets client requirements and relevant legislation and meets compliance with data governance best practices and accreditations. Bennett also explained that much of what he does is looking for and managing internal vulnerabilities. This includes tasks like tracking down high-risk machines within the internal environment, checking servers and what he calls “actual system hardening.” He also looks at keeping this up to date by eliminating outdated policies.
Take SSL certificates as an example, he said. “For a highly out-of-date transport certificate encryption, I would work to actually identify that policy still in place and then I would look at how we eliminate that with the help of our actual infrastructure lead.”
Finding Vulnerabilities and Threat Hunting Is the Name of the Game
“[Threat hunting is] basically, you’re going out and you’re looking for the threats and how they get in prior to them getting into your system,” said Moses, who is also a member of Women in CyberSecurity (commonly known as WiCyS). “It’s all about making that fortress around your organization stronger.”
For Pickett, active threat hunting is about 90 percent of his days. And he likes it that way.
“The job itself is unpredictable and that’s kind of what I thrive on,” he said. “I wake up in the morning and I’m like, ‘What is going to be the best attack of the day? What are they going to throw at us today?’ That’s what makes it interesting and — I think in my case — prevents burnout.”
“It’s all about making that fortress around your organization stronger.”
Moses similarly shares an appreciation of the puzzle-like nature of countering bad actors, making the analyst part of her title fitting. When something malicious comes in, she said she wants to figure out what it is, how it got in and how she can stop it from happening.
Her passion for protecting people, especially those who can’t protect themselves, is what drew her to cybersecurity.
“I thought, ‘How can I help, say, the senior community? How can I get information to them to help them better protect themselves?’ Because there are so many times where seniors are getting taken advantage of and that makes me mad,” she said. “You’re kind of a warrior out there. You’re out there protecting other people and fighting off the bad guys. And it’s kind of exciting.”
With Great Power Comes Great Responsibility (and Stress)
Moses was not alone in describing the role of information security analyst in good-versus-evil terms.
“The threat actors make a lot more money and they work whatever hours they want,” Pickett said. “And you’ve got the good guy who can’t lie, can’t steal, has good morals and ethics. Those are your security people.”
Pickett explained that if an information security analyst is doing their job right, “nobody will know; you’re kind of the unsung hero.”
But the role of protector comes with heavy responsibilities — and a lot of stress.
“We protect hospitals, schools, banks, critical infrastructure and if we don’t stop those attacks, you’re talking about a hospital being ransomwared or something of that nature,” Pickett said. “So there is a lot of stress and just a big weight on your shoulders to make sure that you’re doing everything, at the end of the day, that you can.”
Leaving aside the potential tasks of an information security analyst, the role itself comes with a lot of access clearance across a company’s networks and data. They get the “keys to the kingdom,” as Pickett put it.
Information security analysts, according to Bennett, regularly interact with various teams across the organization and with managers all the way up through the organization’s highest levels
“You’re not isolated,” he said. “You’re very much part of the business fabric, and your recommendations will make or cost a company.”
Bennett said this dynamic was one of the more rewarding elements of the role for him.
“You are able to challenge the norm,” he said, explaining that being an information security analyst allows one to present and make changes to the business that will have a tangible impact.
“You can go to management and say, ‘Hey, look, we need to do this because it’s going to cost your business X down the track,” Bennet said. It’s not for everyone, of course. He described it as a situation of high risk and high reward.
“If you’re after that role of both a challenge, a bit of stress, and a bit of hard work, it’s quite rewarding,” he said.
It’s in High Demand
The role of information security analyst is expected to grow rapidly in the coming years. According to projections by the Bureau of Labor Statistics, the role will see 33 percent growth between 2020 and 2030, much faster than average. This growth represents an estimated 47,100 additional jobs under this title by 2030.
“The cybersecurity risk is going up by the minute,” Pickett said, specifically highlighting ransomware attacks and the increasingly well-funded nature of international ransomware gangs. He said it is obvious to him that there is a shortage of people filling those cybersecurity positions.
According to Tariq, the demand for information security analysts comes down to people’s growing reliance on digital technology and the constant evolution of that technology, opening up more opportunities for bad actors to exploit.
“Technology is growing faster than we can protect it,” Tariq said.
This constant evolution means real-world experience and certifications are highly valued in information security analysts. Information security analyst job postings often specify that a bachelor’s degree in computer science or a related field is required, but list three to seven years of experience as a suitable replacement for a degree (or don’t mention academic requirements at all). On the other hand, certifications such as Certified Information Systems Security Professional, or CISSP; Certified Information Systems Auditor, or CISA; and Certified Ethical Hacker, or CEH are often requested or required.
Moses got a master’s degree in computer science, having moved from the fashion industry and restarted her career in IT, but she said a master’s degree — or even a bachelor’s degree, in some cases — is not necessary for the industry, in her experience.
Pickett also said that, in his experience, most information security analysts start in other areas of IT work and come to the role as a result of experience and interest.
“Most people I know traditionally started out as a help desk or support tech role,” he said. “They’ve grown along the way and they’ve proven themselves. They’re hungry, they want to strive to professionally develop and that’s how they get there.”
Fast-Moving Tech Means You Must Always Learn and Adapt
“Security by nature is always changing; the vulnerabilities, the attacks, are changing daily, by the minute and second,” Pickett said. “You have to be a self-driven learner. You have to be that person who’s asking, ‘Why does this work the way it does?’”
Always being willing to ask questions is a big part of that constant need to learn and self improve. Tariq said that this can be a challenge for more junior information security analysts.
“When I was new, I was afraid that any question I had, or if I didn’t understand something, I was going to look dumb,” he said. “You don’t want to do that; you can only succeed if you know. You can only succeed if you understand.”
Moses had similar advice, noting that feeling like an imposter is common for people in the information or cybersecurity industries.
“I find this with everybody I’ve come in contact with, regardless of experience or not,” she said. Another thing that everyone in the field knows is to look things up when you don’t know them, she added. “You look it up because there’s just so much stuff to know.”
Bennet echoed this theme, stressing that information security analysts must be honest about their knowledge and seek the advice of others.
“You’re never going to know everything about every system because they are, unfortunately, forever changing,” he said. “So as an analyst, I think the worst thing you can do is pretend you know. Always be honest with yourself and question, even if it’s a dumb question.”
Tariq also stressed the importance of information security analysts questioning and learning from the best teacher of all: mistakes.
“You’re going to make mistakes because people make mistakes,” he said. “But it’s okay, the best thing to do is to own up to it. Own up to the mistakes and learn from them.”
It’s Not All About the Tech — Soft Skills Matter Too
While the need to constantly keep learning might come as no surprise — few roles or industries sell themselves on stagnation — the importance of soft skills for an information security analyst might.
“To be in cybersecurity, you do have to have a strong technical acumen, but also the ability to communicate with anybody, whether it’s a highly technical CTO versus my grandparents, let’s say,” said Pickett. “You’ve got to be able to change that conversation to who you’re trying to communicate with. You’ve got to be able to communicate well with others and put yourself in their shoes to sell them on, say, a new security control or educating them on risks, threats or vulnerabilities.”
Communication is key to working as an information security analyst role for Tariq too. “You communicate with your team, you communicate with your business, you communicate with your clients,” he said.
Tariq also said he wished he had known at the beginning of his career how much people matter to the job. “The people who you work with are the key to your success,” he said. “The technology will always be growing and the technology will always be changing, but the people who you work with are the ones that matter.”
Bennett also spoke about the importance of people as a key to success in an information security analyst role. It requires a lot of teamwork and team effort to be done right. He recommended finding allies, particularly on other teams, whose perspectives and experience you respect who can challenge you on issues.
“I think anybody that has a drive or a passion to protect others, or basically to protect their environment, should definitely go into this industry.”
“Like if I make a recommendation, before I go and talk about that recommendation, I will discuss that with the infrastructure lead and say, ‘Hey, look, I want to implement this. What do you think?’” he said.
In Bennett’s experience, this has given him perspectives on approaching implementation that he might not have thought of, or made him aware of roadblocks to achieving a security goal he didn’t know about.
“You’re not just an advisor to them,” he said, particularly as a more senior information or cybersecurity analyst. “You are getting advice from other people as well because that is what will shape your best recommendation.”
Of course, it’s not just the people inside an organization that matter, but also people on the outside — those who are being served by your organization.
“I’ve always had a need to help people out, and I was tired of people getting scammed or getting taken advantage of,” said Moses of her motivations to get into cybersecurity and her role as an analyst. “I think anybody that has a drive or a passion to protect others, or basically to protect their environment, should definitely go into this industry.”