How to Become an Information Security Analyst [Degree Requirements + More]
April 22, 2021
The average data breach costs the victim nearly $4 million. Multiply that by the number of annual cyberattacks and you're talking about many billions of dollars each year. Want to be a white hat in the security war? Become an information security analyst.
As the ongoing COVID-19 pandemic shifts more of our personal and professional lives online, threats to digital information security have increased in kind. In fact, according to a recent Forbes article, "The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals."
Enter information security. Put simply, the term information security (sometimes referred to as InfoSec) describes the systems and safeguards that a company, organization, or government puts in place to protect sensitive data. The people that design and manage these systems are called information security analysts, and it's their job to anticipate and prevent malicious actors from gaining access to private information.
With a truly mind-blowing amount of data being produced each day, it's no surprise that the U.S. Bureau of Labor Statistics (BLS) expects the job market for information security analysts to grow by a whopping 31 percent by 2029. Salaries in this already high-paying field should increase significantly over that same period.
However, before you can secure your own position in infosec, you'll need to develop the background necessary to perform the almost herculean—some would say Sisyphean— task of preventing data breaches.
Curious about pursuing a career as an information security analyst? In this guide, we'll answer these frequently asked questions:
- What is an information security analyst?
- What's the difference between an information security analyst and a cyber security analyst?
- What will I do when I become an information security analyst?
- Why do people choose to become an information security analyst?
- What degree or degrees do information security analysts typically have?
- What other qualifications do information security analysts need?
- Where do information security analysts work?
- How much do information security analysts earn?
- What can I do right now to get started in this field?
What is an information security analyst?
Information security analysts use their technical prowess and creativity to stay one step ahead of hackers and prevent breaches to a company or organization's data. They design the systems that keep this information from being stolen, manipulated, or compromised and continuously watch over them to identify and stop attacks in real-time. They're also responsible for hacking their own infrastructure so they can discover a system's vulnerabilities before someone else takes advantage of it.
When an information security analyst attacks their own networks, it is sometimes referred to as "penetration testing" or "ethical hacking" because the goal is not to steal information but ensure that others cannot. Any information security analyst will tell you that no system is 100 percent secure, and keeping data safe requires a 24/7 offensive strategy. Hackers are constantly devising new techniques to gain entry where they don't belong. Even the most innocent human error within an organization can pose a risk to a system's integrity.
An information security analyst's responsibilities typically include:
- Implementing security measures and managing and monitoring networks for data breaches
- Identifying and stopping security breaches and investigating perpetrators
- Conducting penetration tests to ensure network security
- Tracking down and removing malware
- Setting up firewalls and other security software
- Researching the latest trends in information technology and information security
- Educating staff about information security best practices
- Implementing and auditing data encryption policies
- Identifying assets that may pose security risks
- Creating and implementing disaster recovery plans in the event of a breach
What's the difference between an information security analyst and a cyber security analyst?
As their names suggest, both information security analysts and cyber security analysts focus on keeping an organization's information safe. As a result, their responsibilities often overlap. However, there are a few subtle differences between these titles that you should understand before choosing a career path.
Generally speaking, an information security analyst is responsible for the totality of an organization's information security, whether digital or analog. In contrast, a cyber security analyst usually concentrates on an organization's internet security.
For example, an information security analyst may be more focused on securing an organization's internal data infrastructure, while a cyber security analyst may concentrate on cyberattacks coming from without.
Perhaps the best way to understand what an information security analyst handles is by breaking down a phrase that you'll often hear in the infosec world: "the CIA triad." In this context, CIA doesn't stand for "Central Intelligence Agency," but rather "confidentiality, integrity, and availability." In other words, information security analysts ensure that sensitive information stays private, trustworthy, and accessible to those who are authorized to view it.
What will I do when I become an information security analyst?
Due to the essential role that they play in any organization, information security analysts usually work full-time to ensure that the data they're tasked with protecting is safe from prying eyes. If a serious breach or some other emergency occurs, they can expect to work overtime until the problem is solved or mitigated.
On a day-to-day basis, information security analysts oversee data safety protocols and systems development and monitor them for security issues. If and when breaches occur, information security analysts write reports documenting the extent of the breach and come up with solutions to prevent them from recurring. They also conduct penetration testing to find and plug holes in their security systems.
Information security analysts may also be responsible for educating other people in the organization about security issues and recommending security improvements to senior staff or management.
Why do people choose to become information security analysts?
People choose to become information security analysts for a variety of reasons. In addition to being well-compensated, information security analysts get to deploy their technical skills in creative ways to anticipate and stop the latest security threats. As a matter of survival, they need to stay on top of the latest technological trends and experiment with new software and encryption methods to ensure their organization's computer networks' safety. It's a challenge many people enjoy.
When breaches do occur, stopping them can feel like solving a puzzle that's about to explode. However, some people thrive in high-stakes environments and want to use their hacking skills to protect consumers', businesses', and governments' privacy. Information security analysts also get to play detective since one of their duties is identifying where cyberattacks are coming from.
Successful information security analysts possess a range of hard and soft skills. They need to be expert programmers who know the platforms and software they use inside and out. But they also have to be highly creative because they need to constantly outsmart the hackers trying to outsmart them. Because data breaches can create massive liabilities, the ability to work well under pressure is essential. Interpersonal skills are also vital because instructing other people in an organization about security best practices is key to ensuring compliance.
What degree or degrees do information security analysts usually have?
There are several paths to becoming an information security analyst, but most require at least a bachelor's degree in a technology-related field such as computer science, programming, or engineering. Some schools, such as Marywood University, offer degrees in information security, but there can be advantages to gaining a broader understanding of the information technology sector before you specialize.
Since many employers now look for candidates with advanced degrees, earning a bachelor's is just the first step on their way to becoming an information security analyst.
Master's degrees that can help you land a job as an information security analyst include:
- Master of Science in Information Management (MSIM): The standard curriculum for an MSIM includes coursework in systems analysis and design, project management, and policy and ethics. MSIM program lengths vary among institutions; most take roughly two years. The MSIM degree at the The University of Washington, for example, offers three different career tracks (early-career, early-career accelerated, and mid-career) that can be completed with as little as 36 credits or as much as 65 credits.
- Master of Science in Cybersecurity: Typically, a master's in cybersecurity takes one to three years to complete. It includes coursework in information security for the public and private sector, cyber security engineering, risk management, and cryptography. Many prestigious institutions offer this degree, including New York University and Johns Hopkins University.
- Master of Business Administration in Information Systems Management (MIS): Receiving an MBA in information systems management usually takes between one and three years. The degree program includes coursework in statistical analysis, information security management, and cyberterrorism. Several schools, including the University of Pittsburgh and Villanova University, offer this option.
Most information security analyst jobs do not require a PhD, but having one can be a tremendous advantage if you're willing to put in the time and hard work. Dakota State University, for example, offers a PhD in Cybersecurity (PhDCS) that can prepare you for a high-level position in government agencies and private companies.
What other qualifications do information security analysts need?
When you're job hunting in the world of infosec, certifications that demonstrate your proficiency securing a specific platform (or your skills as an ethical hacker) can make you a much more attractive candidate. They can also introduce you to other professionals in the field and help you gain a sense of where you want to focus. Some jobs will require specific certifications as a prerequisite to apply, while others may be more inclined to offer you a higher salary because of the expertise you bring to the table.
The following is a list of certifications that you should consider to bolster your technical skills and resume.
- AWS Certified Security
- Certified Cloud Security Professional (CCSP)
- Certified Ethical Hacker (CEH)
- Certified Information Privacy Professional/US (CIPP/US)
- Certified Information Security Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Secure Software Lifecycle Professional (CSSLP)
- CompTIA Advanced Security Practitioner (CASP+)
- CompTIA Cybersecurity Analyst (CySA+)
- CompTIA PenTest+
- CompTIA Security+
- GIAC Security Essentials (GSEC)
- Offensive Security Certified Professional (OSCP)
Where do information security analysts work?
Employers that rely on information security analysts to keep their data safe include:
- Banks and financial systems
- Car manufacturers
- Construction companies
- Government agencies
- Hospitals and healthcare providers
- Law firms
- NGOs and other non-profit organizations
- Retail operations
- Technology companies
As you can see, just about any sector that handles sensitive data needs information security analysts to ensure that data's safety. And if you followed the last two US presidential elections, you already know that information security is vital to maintaining the integrity of our voting process. In fact, there are very few endeavors in the modern world that don't require information security professionals.
Many organizations and businesses contract work out to security companies specializing in information security. Larger companies tend to hire their own in-house information security analysts to protect the massive amounts of data they store.
Some large, well-known companies that hire many information security analysts include:
- Cisco Systems
- General Motors
- Goldman Sachs
- Lockheed Martin
- Patient First
How much do information security analysts earn?
Information security analysts play a vital and active role in their organization, and as a result they are generously compensated for their efforts.
According to Payscale.com, the average base salary for an information security analyst is $72,764, with incomes ranging between $51,000 and $111,000. In addition, some information security analysts have the opportunity to earn bonuses and partake in profit sharing. And over the next ten years, as this industry continues to grow much faster than the United States economy as a whole, base salaries should rise.
As in most other industries, your years of experience and education will determine how big your paycheck is. Postgrad degrees and certifications can help, but perhaps the biggest factor is where you live and work. Not every state has the same high-paying opportunities. US News & World Report indicates that the five states that pay information security analyst's the highest mean salary are:
- New York
- New Jersey
- Washington D.C.
Within those states, high-paying jobs tend to be concentrated in large cities. It remains to be seen what the advent of remote-work does to the industry over the long-term.
What can I do right now to get started in this field?
No matter what your level of undergraduate or postgraduate education is, there are many steps that you can take right now to immerse yourself in the world of information security.
One of the best ways to quickly boost your knowledge and gain valuable problem-solving skills is to complete an information security bootcamp. Bootcamps are intense by design; information security is a demanding and challenging field that requires a broad understanding of computer networks as well as the threats they face. When an employer sees that you've completed a bootcamp, they'll know that you possess not only the technical chops they're looking for but also the ability to work under pressure.
Since many bootcamps have a group-work component, they also offer an excellent opportunity to network with other people in the field. Bootcamps range in length, but most last 10 to 36 weeks. Many offer part and full-time options so you can fit them into your schedule if you have other obligations.
A short (but intense) bootcamp worth looking into is the Flatiron School's 12-week bootcamp in Cybersecurity Analytics. It covers the foundations of network administration, system administration, strategy and analysis, security intelligence and event management (SIEM) administration, hunt skills, threat intelligence, and government, risk, and compliance (GRC). At the end of the program, you'll complete a capstone project and be paired with a career coach to help you find a great job in the industry.
For an even deeper learning experience, the Columbia Engineering school offers a 24-week Cybersecurity Boot Camp that immerses you in programming, networking, systems, cybersecurity methods, ethical hacking and penetration. This bootcamp also prepares you to take the Security+ and CEH certification exams, both of which enhance your CV.
Massive open online courses (otherwise known as MOOCs) are another great way to develop technical skills and expand your knowledge base. These are great for self-starters because they are less personalized than bootcamps, meaning you'll have less pressure to complete them. Many also have the advantage of being either free or significantly less expensive than other courses. Some will only charge you a small fee if you want a certificate of completion.
Questions or feedback? Email firstname.lastname@example.org