So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.
The field desperately needs more of us, so I’m happy to share with you how to become someone like me.
A definition will also help. This job title varies a bit. Government often uses the title Information Assurance Analyst, or Info Assurance Analyst. In the private sector, the same job is called a security analyst.
Let me start out by caveating a few things. The pay will vary based on where you live in the country. And the pay is a median–a junior-level analyst isn’t going to make $96K a year. But the $70-$75K that a junior analyst is likely to get is nothing to sneeze at. The $126K analyst jobs are mostly on the east coast, where the cost of living offsets the pay bump.
I’m also not sure I completely agree with the quality of life ratings. It can be stressful work. My stress level as a junior infosec analyst was lower than my stress level when I was a senior sysadmin, even though the pay was a bit higher. My day-to-day stress level now as a senior infosec analyst is only slightly lower than my stress level as a senior sysadmin. One thing that lessens it is knowing that I’m always in demand. When I was a sysadmin, there were 100 times as many qualified people I was competing against as there are now. Then again, your area of specialty can play into the stress level–a disaster recovery analyst probably leads a less stressful life than I do. Or, if you’re an adrenaline junkie, you could go into incident response work and be the hero when it’s all said and done.
I also think that the personal satisfaction and benefit to society rankings are low. I find it to be very satisfying work, and the benefit to society is much higher than, say, job #4, a patent agent. I don’t see how feeding patent trolls is more beneficial to society than keeping people’s identities from being stolen.
So, how do you get my job? First, I am going to assume you are in IT already. Information security (a synonym for information assurance) isn’t a field that you can generally just dive right into from another field. If you’re not in IT, you need to get into IT, and, specifically, into software development or systems or network administration. You’re going to need a good couple of years of experience writing code or keeping systems running to build your foundation on.
The next trick is, while you’re a sysadmin, to volunteer for security-related tasks. Be the one who pushes the patches to systems every month, or help out the one who does. Be the one who talks to the auditors and to the security analysts who make sure the system is patched up to date and hardened properly. This gives you an opportunity to learn from your security professionals, develop a rapport with them, and gauge your skills against theirs. Chances are you’ll surpass the auditors first, then, with some luck, meet or exceed the analyst’s skills.
Here’s how it happened to me: I took a job in 2005 that involved a system that had to have a high degree of security, so it got audited yearly, and every month I had to prove to the security analysts that I’d gotten the previous month’s patches down to 100% of the systems. At that point in time I’d been pushing patches for three years already, and I had a couple more years of sysadmin experience from an earlier job on top of that, so I was a lot more skilled than most of the auditors I had to deal with. (I crossed paths with one of those auditors several years later, and she tried to coerce me into giving her a copy of the CISSP exam. She got mad at me and called me unhelpful when I told her no such thing exists, and that cheating on the CISSP is probably harder than passing it legitimately would be.)
Anyway, after a couple of years it was pretty clear that I could match wits with any of the security analysts over in the information assurance department as well. A year or so later, one of my colleagues got the opportunity to jump over into the information assurance arena. And about nine months after he jumped, I passed him in the parking lot. He told me about an opening over there that was freshly posted, and said he thought I would be good at it. I applied for the job and ended up getting it. It was a junior-level position and I was always the guy in greatest danger of getting cut in the event of a falling budget. But I learned a lot from the smartest guy in the room–in hindsight, I wish I’d spent more time talking to him and shadowing him–and after a couple of years, when he moved on to another opportunity, he recommended me for his old job. It may have surprised most of the people in the office, but I proved to be a perfectly adequate replacement. I wasn’t a superstar, but I held my own.
A couple of years further down the line, I found my calling as a threat and vulnerability analyst–essentially the same guys I matched wits with every month earlier in my career. I proved to be much more than adequate in that role. I was good at it because I knew the work, but also because at another position I’d learned enough Excel skills that I can now tear through a 2.6 GB CSV file and find the data that points to which patches are going to give the biggest return on effort if you apply them. You never know what you’re going to learn from the smartest guy in the room that’s going to serve you well later in your career.
The other thing I really recommend is listening to security podcasts. A really good one to listen to is Liquid Matrix Security Digest. It’s incredibly profane, so use headphones if you listen to it at work, but they do a fantastic job of talking about information security at all levels, literally from beginner to CISO and everything in between. Start at episode 1, and listen to each episode a couple of times until you have some idea what they’re talking about. As you move on, you’ll find yourself understanding more and more. It may very well take all year, or two years, to listen to each episode enough times to have a good understanding of what they’re talking about, but it’s worth it. I wish I’d known about them when they got started back in 2012, but that’s OK. They’ve slowed down considerably in the last year or so, which makes it fairly easy to catch up.
What about certifications? Sure, I recommend them, but I think the best way to learn the work is to do the work. If an entry-level job requires an entry-level security certification like Security+, go get it, then get the job, but I can tell you I learned and retained more from doing CISSP-level work for three months than I ever would have from a boot camp. I place a much higher value on doing the challenging work for a while, really knowing and retaining the material, then going and getting the cert. I have a coworker who crushed the GCUX test (a Unix security certification) last week, partly because he’s been doing that work for several years. In his case, the certification just validates what the rest of us already knew.
Having certifications helps you get the job, but most interviewers will try really hard to figure out if you know a lot or just happen to be really good at passing tests. Some are much better at it than others, but if you flub many of their questions, they’re probably going to keep looking. The certification will get you interviews, but don’t count on it getting you the job. At least not on its own.