How to Become a Security Analyst

November 5, 2012 by Ian Palmer

A degree in something like computer science and certifications such as CISSP and CompTIA Network+ wouldn’t be out of place on the resumes of security analysts.

But Jesse McKenna, a fraud expert at Silver Tail Systems in Menlo Park, California, went against the grain … which hasn’t exactly jeopardized his career. In fact, he’s had the good fortune to work for some very well-known and respected companies such as PayPal and eBay.

McKenna, who earned an undergraduate degree in music composition from the University of Utah, focuses on the anti-fraud side of things at Silver Tail. This means that he doesn’t require some of the highly sought-after security certifications. But what he does have is an understanding not only of what needs to be protected, but also of how to locate the problems that can compromise it.

“It’s pretty straightforward,” said McKenna. “You need to be able to know what you’re protecting and be able to find the vulnerabilities within it.”

Although it’s possible to take an unconventional route into the profession – after all, there are lots of examples of people who’ve done just that – conventional wisdom still suggests that the best bet is to combine the right skills, a degree in an area such as computer science or information technology, and some certifications.

Unconventional Path

As a child, McKenna was interested in computers, albeit not really in any serious capacity. Nonetheless, using technology during those early formative years turned out to be a good move.

“Like most people my age, if you grew up with a computer you were playing computer games,” he said. “You go and buy a computer game and it would take you a day to get it to run – it’s forcing you to dig into the depths of setting up your configuration files to allocate the memory. You just had to dig in and learn it. That experience, the comfort level of digging in under the hood and manipulating systems and setting up patch files and things like that to do the things that you want, was really where I got my start.”

Asked how he got jobs at some of the largest and most targeted brands on the Internet without the background of some of his peers, McKenna explained that, in the case of eBay, his status as an extensive eBay user meant that he knew the system particularly well and could easily envision the ways in which it could potentially be abused.

“And so very rapidly I was the account security expert for eBay globally and was in a position of looking at data,” he said. “And I just had a knack for looking at massive amounts of data and spotting behaviors that just didn’t seem to look right. … And so that’s really how I got started. It was really by accident that I fell into the security role.”

From there, he became involved in account security and fraud, and quickly expanded to identifying malicious code that was being injected into listings on the website. He later went to work for PayPal and helped the company to develop the infrastructure for fraud protection systems.

Nowadays, his role at Silver Tail, a start-up company, is quite varied. Customers, for instance, could ask questions about what to do if they find an exploit, how to fix the issue, and how to protect themselves to prevent such a thing from happening again.

“Outside of that role there’s lots of educating internally – engineering people, people in marketing, or elsewhere – about the cyber crime ecosystem [and about] how the detection and prevention of threats work,” he said.

His work day also involves keeping up to date on threats, determining what the potential impact of threats would be both to Silver Tail and to its customers, and staying on the leading edge of detection technologies. In other words, there really is no such thing as a typical day at the office for security analysts.

Hard & Soft Skills

Although each day will bring different challenges, security analysts need to be able to do the following if they want career longevity:

1. Help devise, implement, and maintain corporate policies related to security monitoring and reporting, intrusion detection and prevention, and escalation so as to reduce the likelihood of successful internal and external attacks. This will necessitate managing the network, intrusion detection and prevention systems, and security management solutions.

2. Take part in the development, implementation, and upkeep of security controls that are in compliance with corporate strategies for curtailing risks associated with internal and external threats. Fulfilling such duties will mean conducting vulnerability assessments, dealing with firewall-change requests, and handling security incidents.

3. Stay abreast of the latest developments in industry standards and security tools to ensure that corporate security methods and tools not only stay up to date, but also remain capable of keeping up with ever-changing business requirements.

4. Play a role in conducting internal and external security audits as well as threat and risk assessments so as to verify compliance with security rules, standards, and procedures. This task also necessitates being able to proactively correct any security exposures found.

5. Play a role as part of a corporate security response unit, and, in so doing, provide expert counsel on how to solve issues pertaining to security alerts, incidents, and disasters.

6. Demonstrate strong communications skills – both oral and written – and possess superior interpersonal skills, as well as the ability to work effectively as part of a team and independently.

Hard & Soft Skills: The Experts Weigh In

People who are just starting out need a broad base of knowledge to draw from, said McKenna. As they become more specialized over the course of their careers, they will need to obtain much more in-depth, comprehensive knowledge of the particular systems that they’re protecting, whether databases or web servers or other things.

“[You also need] the curiosity and the ability to really break systems – to be able to … find the loopholes, to figure out how you can break the spirit of the rules while still following the letter of those rules,” he said. “That is how you anticipate threats that will be used against you.”

Being able to anticipate threats will necessitate more than mere theoretical knowledge. In fact, Jerry Irvine, CIO of Prescient Solutions in Chicago, Illinois, and a member of the National Cyber Security Task Force, said that companies are looking for workers who have actual hands-on experience.

“Even today I would tell you that that’s what we look for when we look for security professionals,” said Irvine, who earned an undergraduate degree in computer science from Valparaiso University and who has obtained certifications such as CISM and CISSP. “We’re not just looking for somebody who’s just read some books and taken some tests. We’re looking for people that actually have day-to-day hands-on experience from entry level, from application level all the way down to the physical level.

“I’m more concerned with individuals who have learned by actually implementing systems and putting them in place. A great portion of security has to do with the monitoring of solutions to determine whether things have gone past the normal peaks and points of your systems. So it’s really [about] setting parameters.”

Unless cyber criminals all agree to cease and desist from their nefarious ways, security analysts need to be vigilant and learn about how new technologies work. Attackers, after all, have evolved their ploys to the extent that the proverbial smoking gun is not so easy to detect, said Wade Williamson, senior research analyst at Palo Alto Networks in Santa Clara, California.

Williamson, who has degrees in zoology and biochemistry, said that security analysts not only need to comb over the logs to see if something looks fishy, but also need to be willing to investigate issues and follow through until the problems are solved.

“You need to be willing to tinker with new technologies to find out how they work, and just as importantly, how they break,” he said. “I always had a strong interest in computers and having a scientific background has helped me to pick up new technologies over time. But in my case, I have had the good fortune to be able to grow into the career over time.”

An understanding of programming is certainly something that will benefit security analysts. However, Fred Touchette, senior security analyst at AppRiver in Gulf Breeze, Florida, explained that an in-depth knowledge of programming probably isn’t absolutely necessary.

“[Programming] was my initial love when I was young,” said Touchette, who got a good introduction to the sort of skills helpful to many IT and IS professionals when working towards his IT degree at Pensacola State College. “When I was probably in middle school, that’s when I first started programming. A basic understanding of being able to look at code and have an idea of what it’s going to do helps; being able to code is not necessarily [required].”

As part of his job at AppRiver, Touchette basically looks at all the company’s traffic – whether email traffic or web traffic – to check for any security issues like malware or phishing.

“When I find these, I then look at what their intentions are,” said Touchette, who is CompTIA Security+ certified and also has other certifications such as CCNA. “That often requires a wide set of skills – not necessarily all of them really deep skills, but a bit of this and that. An example is if I find a piece of malware and I want to figure out what it does, I have to reverse engineer it. Not only do you have to understand … assembly code and how to reverse engineer; it also requires a little bit of the network side.”

Education & Certifications

While there are examples of people making it as security analysts despite taking a non-traditional path, prospective security analysts can’t go wrong taking something related to IT or IS or, of course, computer science. An understanding of computer networks and mainframe computers, and some actual work experience in the IT realm, will help as well. There are various certifications security analysts tend to gravitate towards. Arguably the most popular is CISSP. Others include, but are not limited to, CREA, CompTIA Network+ and CWAPT.

Education & Certifications: The Experts Weigh In

Prenston Gale, director of information security at Dynamics Research Corp. in Andover, Massachusetts, earned a degree in computer science and mathematics from Augustana College and has certifications such as CISSP and Microsoft Certified Professional.

While acknowledging the importance of certifications, Gale noted that they’re not absolutely necessary.

“Now from a knowledge perspective, certifications certainly aren’t necessary because what they do is test your knowledge and certify that you have the knowledge,” said Gale. “So you don’t need a certification to gain that knowledge. What certifications are good for is to make you…more marketable as an individual.”

If security professionals who have been in the field for, say, a decade don’t have certifications, prospective employers will wonder what they’ve been up to all that time, said Gale, who added that certifications are important from the perspectives of personal growth and career development.

Although McKenna has succeeded as a security analyst despite lacking some of the more popular security certifications, he’s not exactly knocking them. Professionals who will be focusing on things like network layers would certainly benefit from some related certifications, he noted. But the certifications available for the fraud side are generally not of the must-have variety. So he’s opted to pass.

“There’s definitely people who are going to say, ‘You absolutely have to have your CISSP,’” he said. “You’ll also see people, like myself, who don’t have those certifications. I wouldn’t say that you don’t need them, and I wouldn’t say that they’re absolutely necessary. They can absolutely help get your foot in the door for interviews and for receiving jobs, but they’re not mandatory for performing the functions of the jobs.”

About the author
A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and