Security researcher and industry analyst: Is it the career for you?
Most hackers have an extensive selection of tools and techniques to breach an organization’s computer networks and siphon off data. It’s the job of a cybersecurity researcher to stay on top of these hacking trends and the solutions available to stop them, whether they work to protect one organization or several via a consulting firm.
Cybercrime continues to be a global problem, and no organization is immune from a hacker’s attempts. According to the FBI’s Internet Crime Report of 2020, complaints of suspected internet crime increased 69 percent over 2019. Losses exceeded $4.2 billion across more than 790,000 reports.
Cybersecurity researchers and analysts study these high-volume crimes and the available methodology and technology used to block them. Their best thinking is then shared with an organization’s security team or, more commonly in the case of an industry analyst, with many companies. The growing number of threats has resulted in an overwhelmingly positive job outlook for the role. The U.S. Bureau of Labor Statistics projects the employment of information security analysts will grow 31% from 2019 to 2029 — a much faster pace than the national average job growth rate of just 4%.
French Caldwell started his career in the Navy, where he was a nuclear submarine officer. He became a director of knowledge services at Arthur Andersen’s Office of Government Services and a Gartner Fellow. Today, Caldwell is a leading strategist, thought leader and analyst in regulatory technology (RegTech), which includes GRC (governance, risk and compliance), ESG (environmental, societal and governance) and cybersecurity. He is also a book author and contributor to over 400 research papers and articles and the founder and chief researcher at the Analyst Syndicate.
What does an industry analyst do?
Cybersecurity industry analysts work for firms that range in size from large, multi-national companies with several areas of research and consulting to small boutique firms that focus exclusively on one discipline. Regardless of firm size, most cybersecurity analysts rely on vendor briefings as a critical research gathering tool.
While at Gartner, Caldwell regularly met with technology vendors to understand both current and emerging technologies, hear what vendors were learning from their customers and determine the level of success companies were having across different approaches. Industry analysts supplement these vendor briefings with research on marketplace happenings, including quantitative and qualitative projects, and turn their insights into published papers to benefit their vendor clients.
“Gartner analysts talk to between 500 and 1,000 clients per year,” Caldwell says. “They help with their vendor strategies, go-to-market plans and product strategies.”
Industry analysts also field incoming inquiry calls from end-users seeking advice on how to best defend their networks. All are essential fact-finding interactions for industry analysts whose job is to do the heavy lifting behind advancing cybersecurity protections against criminals who are continually evolving their tactics.
Caldwell says the client engagements are much more in-depth. “Each analyst manages relationships with five or six, maybe up to a dozen clients per year. We are more of a cross between being an analyst and a consultant. We either work with an IT team or a vendor, and we can go in as a strategic advisor.”
How to become an industry analyst?
As with many cybersecurity roles, cybersecurity researchers and industry analysts come to the position in varied ways. Some have studied computer science in college, although not everyone has a degree in the subject. Caldwell discovered his love for cybersecurity via his efforts to help launch the study of risk management and compliance in his post-Navy professional experience at Gartner.
“Being in the security group all of a sudden in the early 2000s, I found myself surrounded by security analysts, and I learned quite a bit.”
His constant curiosity, love for reading, researching and writing helped too. So did his willingness to talk to and learn from others. Caldwell says his experiences have shown him how having a professional community to rely on is valuable in many ways.
“Having a research community around you is fantastic. You have people you can bounce ideas off and brainstorm with, as well as people who will give you honest peer reviews of your work. They’ll point you in directions that you would never have thought of going on your own.”
Industry certifications are also an excellent first start to becoming an industry analyst, particularly if you’re newly entering the cybersecurity space. For a well-rounded technical understanding, consider:
- CompTIA’s A+ and Network+ certifications build your foundation of technical knowledge.
- CompTIA’s Security+ is the most popular cybersecurity certification globally; it validates baseline skills required to perform core security functions and pursue a career in information security.
- Certified Ethical Hacker (CEH) is a popular entry-level cybersecurity certification covering how to perform security assessments.
Reaching out and talking to working industry analysts can also be helpful, both to learn and build your own community. “I’ve never turned down an inquiry from a student,” Caldwell added. “We support young people who are studying and researching in just about any area of the field. I don’t think any of our analysts [at the Analyst Syndicate] would ever turn that down.”
For more about what it takes to be a cybersecurity researcher and industry analyst, watch the Cyber Work podcast, Working as a cybersecurity researcher and industry analyst with French Caldwell.
Occupational Outlook Handbook, Information Security Analysts, U.S. Bureau of Labor Statistics