Security Analyst: Rising to the Challenge

Security is of utmost importance and often it requires quick thinking and foresight on the part of security professionals, as fast evolving technologies also bring with it newer threats that need to be addressed immediately.

A security breach can have far reaching effects, especially in business environment, as there is a lot of sensitive data at stake. It goes without saying, therefore, that a lot of money and effort is invested to ensure up-to-date secure environments. Ensuring this is the job of a security professional, who has to iron out flaws, recommend changes, ensure network security, prevent external threats, etc. It's a challenging profile and highly sought after.

Within information security, the person could become a security analyst and help conduct penetration tests, vulnerability assessments, source code reviews, or security audits. He/she could also explore the exciting field of compliance As you progress in this field, you can become a security architect and help design secured network architectures. Other opportunities exist in terms of information security management and eventually growing to the position of a Chief Information Security Officer (CISO). A good information security professional should have a thirst for knowledge, be able to grasp new concepts quickly, work hard on their own, and have a great love for technology.

A Security Analyst is a person with broader responsibilities, such as:

1. Analyzing the security of the organization from external hackers by trying to hack from the Internet.
2. Analyzing the security of the organization from internal threats by trying to hack the network.
3. Analyzing the network architecture of the organization.
4. Analyzing configurations of various systems and firewalls.
5. Analyzing Web application security.
6. Analyzing processes in addition to the above technology elements.

Points 3 to 6 would be not usually covered withing an ethical hacker's scope of work. Secondly, the definitions are not very clear. So these are mine, but someone else's might be different. Another way to look at it is that no one would carry "Ethical Hacker" on their visiting cards, so when ethical hackers enter the corporate world, they become security analysts.

Information security is a booming field within IT, and with increasing regulations, the job opportunities are vast! Salaries for information security professionals are at least 20-30% higher than for most other positions at the same level in other fields og IT. A fresher in this field can take up the role of a security analyst, and expect a salary anywhere between Rs 25,000 and Rs 30,000 based on his aptitude and skills.

Security is all about evangelism to get people to change their behavior, and this is not easy at all. In addition to this, there is a plethora of new technologies that people are now using so frequently - cloud, mobile apps, social networks, etc. All of these add to the security professionals' set of challenges, as he/she has to ensure the companies are able to use these technologies and yet not compromise on security.

The three typical aspects of security are - people, process and technology. Each of these three pillars has to function effectively for security to actually work. People have to be constantly trained and encouraged to follow due processes. Strong processes have to be outlined to address key technology risks. The right technology solutions have to be deployed to ensure protection from viruses, worms, internal data leakage, external hackers, etc.

The key criteria for establishing a career in this field include thirst for knowledge i.e. not restricting yourself only to one field, but rather aiming to learn about security across a wide variety of systems and technologies, ability to think out of the box, use creative approaches to test systems, having a problem-solving mindset, and good communication skills. The person should be able to focus on finding solutions to challenges rather than getting bogged down by problems. Communication skills are also equally important, as there's no point doing a great assessment and then not being able to communicate the issues through well-written reports. Finally, security is about assurance, and if that assurance cannot be provided through strong communication, then the main goal is not being achieved.