What Does it Take to be a Cybersecurity Analyst?

One of the primary responsibilities of a cybersecurity analyst is security monitoring. What this entails depends on the organization’s program and the different types of technology the security team manages; however, entry-level analysts can expect to be reviewing and investigating logs and alerts from various security tools.

These tools can include the organization’s SIEM, antivirus solutions, internet protection, email security, and intrusion detection/prevention systems (IDS/IPS). While there won’t always be active threats on the network, it’s important that a team understands its “normal”.

In order to understand this baseline, the security team must be performing monitoring tasks daily, which could be as simple as checking a dashboard to see the trends in activity over the last 24 or 48 hours. By doing this, the team can better understand when something seems out of the ordinary and begin investigating it to determine whether the abnormal activity is expected or not.

In addition to security monitoring and analysis, an analyst might be tasked with various other types of work that don’t involve reviewing and investigating alerts.

Part of a security team’s job is to continuously improve via automation and optimization of tools and processes to achieve overall efficiency. Analysts might be tasked with small projects like configuring a new feature in the antivirus solution that will streamline an existing process or creating a new alert in the SIEM tool to provide visibility into certain events currently not being alerted on.

So as you can see, the day-to-day includes not only security monitoring and analysis tasks, but usually involves administration of the security technology as well.

What are some essential tools & skills that come into play?

The most important skill an analyst should possess is likely obvious. They must be analytical, but in addition to that, I think it’s important to be a problem-solver. Much of the work involved in an analyst’s day-to-day is reviewing security tools and finding ways to optimize them.

As an analyst, you must be able to look at the current state of a tool, process, or procedures, and always be thinking about ways to improve upon the way things are done. Cybersecurity is all about automation and efficiency because there’s always so much work and so few resources.

Critical thinking and problem-solving skills come in handy when you need to think outside the box and get creative, and many hiring managers look for candidates who demonstrate these capabilities.

As I mentioned, analysts may spend a lot of time performing reporting and metrics-related tasks, so attention to detail is critical to ensure the accuracy of the reports. The ability to create a report is one thing, but it’s just as important to pay attention to what the report is showing and validate its accuracy prior to sharing it.

Lastly, strong verbal and written communication skills are a must. As an analyst, you’ll likely be interfacing with employees from all parts of the business and at all levels. You’ll likely have to interact with end-users every now and then, you’ll be expected to collaborate with other IT teams, and you’ll have to engage with management and sometimes executive leadership.

In all of these types of interactions, it’s important to be able to effectively communicate whatever it is you’re discussing or sharing in a way that’s understandable for your audience.

While these aren’t the only skills successful analysts possess, these are some of the most important ones.

What is one of the biggest challenges of being an analyst?

One of the biggest challenges of being an analyst is really a challenge all security professionals face: trying to stay ahead of threat actors.

The threat landscape changes and evolves every day, and we must continue to evolve with it. Cybersecurity is a fast-paced industry to be a part of, so for starters it’s important to stay in the know. Having a pulse on the happenings in the industry is critical to understanding the threats you’re up against.

This knowledge is important, as current trends in the industry directly impact the defense strategies and techniques employed in a security program. Analysts must be dedicated to the continuous improvement of their organization’s defenses and frequently reference current trends to further improve their security controls.

Without a continually evolving security program, the defenses will quickly become irrelevant and easy for attackers to circumvent.

Cybersecurity personnel must always be on top of their game because we never know when an attacker will strike. That’s one of the biggest challenges, but it’s also what drives our profession and pushes us to strive for robust and effective security programs.

What is your favorite part about being an analyst?

My favorite part about being an analyst really ties back to why I love working in IT to begin with: the sense of accomplishment when you create something or solve a problem.

In a previous role, I was tasked with creating various alerts in our SIEM tool. The alerts were written in regex, which I was still learning, and both my manager and I couldn’t get a specific alert working for some reason. I spent hours testing and researching, testing and researching until finally, I got it working as expected.

Another time my team was attempting to solve a problem and I came up with an idea that could potentially resolve the issue. I spent an hour or two making my idea come to life and then testing it to confirm it worked as expected. Once it did, I was able to implement it into the workflow we were trying to build and in turn, resolved the issues we were facing.

While it was exciting to have seen my idea come to life, the best part was helping the team solve the problem we were facing. Having a hand in achieving a desired outcome is so rewarding.

That coupled with my passion for cybersecurity is really what makes me love what I do so much.

How much of the job is more mundane vs. handling active threats/incidents?

I’d say it’s a 70/30 split, 70% being mundane and 30% handling alerts, but it really depends on the environment you’re working in. A common misconception of a career in cyber is that security professionals spend all their time actively responding to incidents, which is far from the truth.

The only people who likely do that are the ones who work in a 24×7 SOC, but even then, they aren’t dealing with incidents all the time. Most of the time SOC analysts are reviewing and investigating alerts to determine whether a given alert indicates a potential incident.

For your average corporate security team, analyst work entails continuous improvement of security tools, vulnerability management tasks, and risk management and compliance activities. Depending on the maturity of the program and the defense tools in place, a team may spend more or less time responding to active threats.

While I’m not sure it’s been proven, my experience leads me to believe there is a strong correlation between the time spent responding to threats and the maturity of a security program. In past roles, the less security technology and processes in place, the more incidents that occurred.

When I first started at one of the companies I worked for, the security program was still in what’s called the Initial phase of the Capability Maturity Model (CMM). In this phase, security tasks are “ad-hoc and chaotic”.

When I left that company two years later, the program was nearing the third level in CMM, Defined. In this level of the model, a program has processes built out which are leveraged to create standards and procedures. In other words, the program is more structured and leverages standards and procedures to achieve consistency.

When I think back to my first year as an analyst with that company, I was spending probably 10 hours a week responding to alerts, active threats, and incidents. Fast forward to my last few months, my time spent responding to threats was less than three hours a week, and sometimes zero.

This goes to show that with a mature security program in place that has minimal gaps, the time spent responding to alerts and active threats is greatly reduced.

How does an organization’s industry affect the security program?

The industry you work in will greatly impact your experience in an analyst role. I’ve been an analyst in two different industries: Wholesale and Healthcare.

I’ll also note that whether the organization is publicly held or private affects the security program as well.

The wholesale company I worked for was private, and the healthcare one public. The differences here made for very different experiences as a security analyst.

For one, publicly held companies are subject to various financial audits, and some industries, like healthcare, may also be subject to additional audits with regard to compliance with HIPAA, GDPR, etc.

Conversely, private companies are not subject to any financial audits and have minimal regulations. Add to that, a wholesale company that hardly handles any personal information or financial/banking information, and you’re left with few reasons to enforce security at your organization.

This is the main difference I’ve noticed in how the industry affects the security program. A non-regulated, non-publicly held organization is much less likely to have an effective security program than a public, regulated company. This is largely due to the importance of security not being fully understood by board/executive leadership and therefore, minimal funding to build an effective security program.

However, with the rise in cyberattacks across all industries many organizations are beginning to invest more in their IT infrastructure and cybersecurity programs.

In terms of the industry, heavily regulated industries usually lead to stronger or better-developed security programs. Organizations in healthcare and finance must be compliant with various regulations, and in order to do that, they must have certain security capabilities and defenses in place.

Naturally, executive leadership must ensure compliance with these regulations so security funding is much easier to justify and receive.

Companies in non-regulated industries like retail and wholesale are really only subject to things like customer security questionnaires and third-party audits. Without those sorts of audits being done, executives may be more hesitant to provide a sufficient budget to implement a strong security program.

This is why it’s so critical for security management to be able to effectively communicate the importance of a security program in a way that non-IT leadership can understand.

As you can see, a cybersecurity analyst has many responsibilities, and they differ from organization to organization. Many of the tasks also depend on the scope of the role. Many analysts who work in a 24×7 SOC only work in the security tools, investigating and responding to security alerts.

Security analysts who work on a blue team or a security operations team are the ones who likely spend some time doing project-like work that involves process improvement and security tool optimization.

With that, I hope this Q&A has provided valuable insight into a day in the life of an analyst, the skills a successful analyst possesses, and some of the real-life experiences I’ve had in my time as an analyst.

Source: What Does it Take to Be a Cybersecurity Analyst? | by Katlyn Gallo | Dark Roast Security | Medium

Randy Hollifield

Faculty - Cyber Crime Technology