This month, we are thrilled to announce new research: Role Profile: Security Analyst. This research is both a necessary document and a labor of love. I often say that security analysts have the worst job in the world, and for good reason: The hours are long, a simple mistake can have ramifications across the organization, and there is a wealth of tribal knowledge needed to succeed.
Despite these factors, the security analyst is viewed as an entry-level role for most security teams. This, in part, makes it difficult for security leaders to find and retain talent — especially over security vendors that can often afford to pay more, provide better benefits, and offer better opportunities for advancement.
The skill required to succeed is one of the main barriers to entry in this industry. Interviewees unequivocally stated that to succeed as a security analyst, working 8 a.m. to 5 p.m. was not enough. And despite being an entry-level role, our research showed that the average security analyst job description listed:
- One to three years of experience within cybersecurity: fewer years of experience required with a college degree, more years of experience with no college degree.
- Preferred bachelor’s degree, with consideration of high school degrees with several years of experience or certifications.
- Preferred certifications in one or more of the following: Certified Ethical Hacker (CEH), CompTIA CySA+, GIAC Certified Incident Handler.
- Familiarity with technical subjects, including a programming or scripting language, firewalls, proxies, security information and event management, antivirus, intrusion protection system/intrusion detection system concepts, technical knowledge of networking, operating systems, enterprise integrations, WAN/LAN concepts, ethical hacking tools, and TCP/IP protocols.
The bottom line is that right now, an entry-level cybersecurity role has requirements much closer to an intermediate one. Time and time again, we hear about how hard it is to find and hire security analysts, yet the hiring requirements necessitate experience most potential candidates simply do not have.
This research guides security pros on what they should look for in qualified candidates beyond — and oftentimes in the face of — traditional job qualifications like degrees, certifications, and previous expertise. Security leaders should highlight fundamental and unique skills in job descriptions such as:
- Previous experience in adjacent roles such as IT, infrastructure, networking, or administering and deploying IT tools.
- Previous experience in high-stress situations, such as work as an EMT or firefighter, in the armed forces, or in other roles.
- Previous customer support experience.
It’s important to remember that half of the point of the job description is to entice the candidate to apply to work at the company. Many job descriptions fail to state exactly what the candidate will get out of the role. To avoid this pitfall, include opportunities for growth directly in the job description to show entry-level candidates what they will gain from working with your team. Security leaders should highlight valuable investments in their team in job descriptions such as:
- A security education stipend for CompTIA, SANS, GIAC, or equivalent training certification.
- Percent of time spent in the role focused on broadening skills with various teams — governance, risk, and compliance, incident response, threat hunters, pentesters, etc.
These are just a few areas we’ve highlighted in this research to help security pros navigate writing an effective job description for a security analyst role. Read the full report on the Role Profile: Security Analyst for more information, including success metrics, organizational interlocks, benefits and compensation structure, background, and competencies required for the role.
(written with Alexis Bouffard, senior research associate at Forrester)