How to Become a Security Analyst

November 5, 2012 by Ian Palmer

A degree in something like computer science and certifications such as CISSP and CompTIA Network+ wouldn’t be out of place on the resumes of security analysts.

But Jesse McKenna, a fraud expert at Silver Tail Systems in Menlo Park, California, went against the grain … which hasn’t exactly jeopardized his career. In fact, he’s had the good fortune to work for some very well-known and respected companies such as PayPal and eBay.

McKenna, who earned an undergraduate degree in music composition from the University of Utah, focuses on the anti-fraud side of things at Silver Tail. This means that he doesn’t require some of the highly-sought-after security certifications. But what he does have is an understanding not only of what needs to be protected, but also of how to locate problems that can compromise what needs to be protected.

“It’s pretty straight forward,” said McKenna. “You need to be able to know what you’re protecting and be able to find the vulnerabilities within it.”

Although it’s possible to take an unconventional route to enter the profession – after all, there are lots of examples of people who’ve done just that – conventional wisdom still suggests that the best bet is to combine the right skills, a degree in an area such as computer science or information technology, and some certifications.

Unconventional Path

As a child, McKenna was interested in computers, albeit not really in any serious capacity. Nonetheless, using technology during those early formative years turned out to be a good move.

“Like most people my age, if you grew up with a computer you were playing computer games,” he said. “You go and buy a computer game and it would take you a day to get it to run – it’s forcing you to dig into the depths of setting up your configuration files to allocate the memory. You just had to dig in and learn it. That experience, the comfort level of digging in under the hood and manipulating systems and setting up patch files and things like that to do the things that you want, was really where I got my start.”

Asked how he got jobs at some of the largest and most targeted brands on the Internet without the background of some of his peers, McKenna explained that, in the case of eBay, his status as an extensive eBay user meant that he knew the system particularly well and could easily envision the ways in which it could potentially be abused.

“And so very rapidly I was the account security expert for eBay globally and was in a position of looking at data,” he said. “And I just had a knack for looking at massive amounts of data and spotting behaviors that just didn’t seem to look right.…And so that’s really how I got started. It was really by accident that I fell into the security role.”

From there, he became involved in account security and fraud, and quickly expanded to identifying malicious code that was being injected into listings on the website. He later went to work for PayPal and helped the company to develop the infrastructure for fraud protection systems.

Nowadays, his role at Silver Tail, a start-up company, is quite varied. Customers, for instance, could ask questions about what to do if they find an exploit, how to fix the issue, and how to protect themselves to prevent such a thing from happening again.

“Outside of that role there’s lots of educating internally – engineering people, people in marketing, or elsewhere – about the cyber crime ecosystem [and about] how the detection and prevention of threats work,” he said.

His work day also involves keeping up to date on threats, determining what the potential impact of threats would be both to Silver Tail and to its customers, and staying on the leading edge of detection technologies. In other words, there really is no such thing as a typical day at the office for security analysts.

Hard & Soft Skills

Although each day will bring different challenges, security analysts need to be able to do the following if they want career longevity:

1. Help devise, implement, and maintain corporate policies related to security monitoring and reporting, intrusion detection and prevention, and escalation so as to reduce the likelihood of successful internal and external attacks. This will necessitate managing the network, intrusion detection and prevention systems, and security management solutions.

2. Take part in the development, implementation, and upkeep of security controls that are in compliance with corporate strategies for curtailing risks associated with internal and external threats. Fulfilling such duties will mean conducting vulnerability assessments, dealing with firewall-change requests, and handling security incidents.

3. Stay abreast of the latest developments as per industry standards and security tools to ensure that corporate security methods and tools not only stay up to date, but also remain capable of keeping up with ever-changing business requirements.

4. Play a role in conducting internal and external security audits as well as threat and risk assessments so as to verify compliance with security rules, standards, and procedures. This task also necessitates being able to proactively correct any security exposures found.

5. Play a role as part of a corporate security response unit, and, in so doing, provide expert counsel on how to solve issues pertaining to security alerts, incidents, and disasters.

6. Demonstrate strong communications skills – both oral and written – and possess superior interpersonal skills, as well as the ability to work effectively as part of a team and independently.

Hard & Soft Skills: The Experts Weigh In

People who are just starting out need a broad base of knowledge to draw from, said McKenna. As they become more specialized over the course of their careers, they will need to obtain much more in-depth, comprehensive knowledge of the particular systems that they’re protecting, whether databases or web servers or other things.

“[You also need] the curiosity and the ability to really break systems – to be able to … find the loopholes, to figure out how you can break the spirit of the rules while still following the letter of those rules,” he said. “That is how you anticipate threats that will be used against you.”

Being able to anticipate threats will necessitate more than mere head knowledge. In fact, Jerry Irvine, CIO of Prescient Solutions in Chicago, Illinois, and a member of the National Cyber Security Task Force, said that companies are looking for workers who have actual hands-on experience.

“Even today I would tell you that that’s what we look for when we look for security professionals,” said Irvine, who earned an undergraduate degree in computer science from Valparaiso University and who has obtained certifications such as CISM and CISSP. “We’re not just looking for somebody who’s just read some books and taken some tests. We’re looking for people that actually have day-to-day hands-on experience from entry level, from application level all the way down to the physical level.

“I’m more concerned with individuals who have learned by actually implementing systems and putting them in place. A great portion of security has to do with the monitoring of solutions to determine whether things have gone past the normal peaks and points of your systems. So it’s really [about] setting parameters.”

Unless cyber criminals all agree to cease and desist from their nefarious ways, security analysts need to be vigilant and learn about how new technologies work. Attackers, after all, have evolved their ploys to the extent that the proverbial smoking gun is not so easy to detect, said Wade Williamson, senior research analyst at Palo Alto Networks in Santa Clara, California.

Williamson, who has degrees in zoology and biochemistry, said that security analysts not only need to comb over the logs to see if something looks fishy, but also need to be willing to investigate issues and follow through until the problems are solved.

“You need to be willing to tinker with new technologies to find out how they work, and just as importantly, how they break,” he said. “I always had a strong interest in computers and having a scientific background has helped me to pick up new technologies over time. But in my case, I have had the good fortune to be able to grow into the career over time.”

An understanding of programming is certainly something that will benefit security analysts. However, Fred Touchette, senior security analyst at AppRiver in Gulf Breeze, Florida, explained that an in-depth knowledge of programming probably isn’t absolutely necessary.

“[Programming] was my initial love when I was young,” said Touchette, who got a good introduction to the sort of skills helpful to many IT and IS professionals when working towards his IT degree at Pensacola State College. “When I was probably in middle school, that’s when I first started programming. A basic understanding of being able to look at code and have an idea of what it’s going to do helps, being able to code is not necessarily [required].”

As part of his job at AppRiver, Touchette basically looks at all the company’s traffic – whether email traffic or web traffic – to check for any security issues like malware or phishing.

“When I find these, I then look at what their intentions are,” said Touchette, who is CompTIA Security+ certified and also has other certifications such as CCNA. “That often requires a wide set of skills – not necessarily all of them really deep skills, but a bit of this and that. An example is if I find a piece of malware and I want to figure out what it does, I have to reverse engineer it. Not only do you have to understand … assembly code and how to reverse engineer; it also requires a little bit of the network side.”

Education & Certifications

While there are examples of people making it as security analysts despite taking a non-traditional path, prospective security analysts can’t go wrong taking something related to IT or IS or, of course, computer science. An understanding of computer networks and mainframe computers, and some actual work experience in the IT realm, will help as well. There are various certifications security analysts tend to gravitate towards. Arguably the most popular is CISSP. Others include, but are not limited to, CREA, CompTIA Network+ and CWAPT.

Education & Certifications: The Experts Weigh In

Prenston Gale, director of information security at Dynamics Research Corp. in Andover, Massachusetts, earned a degree in computer science and mathematics from Augustana College and has certifications such as CISSP and Microsoft Certified Professional.

While acknowledging the importance of certifications, Gale noted that they’re not absolutely necessary.

“Now from a knowledge perspective, certifications certainly aren’t necessary because what they do is test your knowledge and certify that you have the knowledge,” said Gale. “So you don’t need a certification to gain that knowledge. What certifications are good for is to make you…more marketable as an individual.”

If security professionals who have been in the field for, say, a decade don’t have certifications, prospective employers will wonder what they’ve been up to all that time, said Gale, who added that certifications are important from the perspectives of personal growth and career development.

Although McKenna has succeeded as a security analyst despite lacking some of the more popular security certifications, he’s not exactly knocking them. Professionals who will be focusing on things like network layers would certainly benefit from some related certifications, he noted. But the certifications available for the fraud side are generally not of the must-have variety. So he’s opted to pass.

“There’s definitely people who are going to say, ‘You absolutely have to have your CISSP,’” he said. “You’ll also see people, like myself, who don’t have those certifications. I wouldn’t say that you don’t need them, and I wouldn’t say that they’re absolutely necessary. They can absolutely help get your foot in the door for interviews and for receiving jobs, but they’re not mandatory for performing the functions of the jobs.”


A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as Linux.com, ITManagersJournal.com and ITBusiness.ca.

9 responses to “How to Become a Security Analyst”

  1. Sue K says:

    I have the following certifications:
    MCP, MCP+I MCSE (NT, 2000, 2003), MCSA, MCT (as well as A+, Network+), Etc….

    I have more than 30 years of experience in IT; and I taught both college and certification courses for several years.

    However, due to health problems/limitations, I haven’t worked for about 8 years (although I have kept up with the field)

    I’d like to get back into the field…I’m curious as to how you think I might be able to do that (am I still “relevant”?…what positions should I consider?)

    • Geez says:

      With your certification, you qualify for latrine carrier. Give it a shot and good luck

    • JP says:

      Who says you are out of the game… Once an IT pro.. always stays an IT pro.. never doubt your capabilities.. that’s the only ammunition you have to every job interview.

  2. JP says:

    Who says you are out of the game… Once an IT pro.. always stays an IT pro.. never doubt your capabilities.. that’s the only ammunition you have to every job interview.

  3. rizzy says:

    What qualifications do I need to get to a cyber security analyst role?

  4. erod says:

    I am 45 years old, and suddenly decided I want to go back to school and study. At my age I realize there are many obstacles I will encounter, especially when competing for jobs against many people half my age when in my 50’s. I decided I want to study, and try to become a security analyst, after reading an article that said this profession is expected to continue growing in the next 10 years. I would like for anyone, with the experience in this field, to give me some advice, and let me know if you think I am making a good career choice. Thank you.

    • Jeff says:

      I did exactly what you are trying to do. After 22 years of public service I went back to college and got my degree in IT. I focused on security and obtained several certifications. Less than 2 weeks after I graduated I got my dream job as an IT security analyst.

      I’m in my mid-forties. I was scared to death my age would play a role in hiring decisions regardless of the discriminatory prohibition. I just happened to find a company looking for someone with a public service background AND an education specific to the field.

      To answer your question, yes! Heck, yes! By all means get back in school and follow your instincts. All your hard work will pay off.

  5. JASON H. says:

    I graduated in Computer Information Systems in 2003 and have not used it because it was hard to get jobs at that time I graduated that year. I work as an Administrative Assistant and I still use computers but not for what I graduated in. I just want to know what is a good start in order for me to get back and improve myself in Security Analyst. What classes and other information I need. I am in my 40’s now. We have Cybersecurity at work and I want to get into that field. Thank you.

  6. Nicole says:

    I have a Computer and Information degree and a master’s in Information Technology Management. I want to do Security+ certification; how will that help my career in Information Security? Thank you for any and all feedback.
