• United States




What are the traits to become an excellent security analyst

Apr 26, 20165 mins
CareersIT JobsIT Leadership

The research of analysts in security drives practice and thought, but passion is what drives the best analysts

collaboration meeting talking discussion corporate
Credit: Thinkstock

Even if you have already crossed the threshold into IT or cyber security, where you began is likely not going to be where you end. Regardless, let it be your passion that determines the trajectory of your career.

Jeff Pollard, a principal analyst at Forrester Research, endeavored into the security field around 12 years ago the way most people found themselves in security—through standardized IT. “The company I was working for had a very small and focused software division. They won a contract with the state to process health care claims and needed to secure that, which intrigued me,” Pollard said.

In the process, Pollard came across vulnerability assessments, which he said, “Led me to work as an industry service provider in pre-sales roles. I grew up at various vendors helping to scope and design and deliver and manage security services.”

When Pollard once heard someone say, through the context of cryptography, that there are makers and breakers, he said “I discovered about myself that I had a solid mindset of how to attack things. That led me to security.”

Because he had the experience of working with a wide array of vendors of all sizes for over a decade, he found the perfect fit for the next chapter of his career at Forrester Research. “It’s a paradise for the autodidact. If you are willing and able to educate yourself, you can grow. The things I found really appealing at Forrester was not only the collaboration internally—the ability to work with other analysts who have led the industry for years—but also the ability to work with vendors and users and to gain a platform to say things that were really important that I probably wouldn’t be able to say in other roles,” Pollard said.

One of the great aspects of information security as a whole, in Pollard’s mind, is that the people working in security are either those who entered the field by accident and loved it or those who entered on purpose because they loved it. “This is an industry of people who either stayed intentionally or got in intentionally,” he said.

That passion is what made getting comfortable at Forrester so easy for Pollard, who has continuously been inspired to go to work and be around people who have chosen security as their craft. “There is a culture of open collaboration, even newer people were incredibly open with feedback by showing me what they were doing and giving pragmatic advice,” Pollard said.

The range of professional backgrounds among his colleagues proves to be an asset to Pollard’s intellectual and professional growth as well. Pollard said, “The organization as a whole understood how to get someone from new to productive and comfortable very quickly. I don’t think anyone is ‘comfortable’ actually. Everyone is yearning to be challenged intellectually, because of that you are always sharpening your mind and ideas because everyone is willing to talk about them.”

What’s interesting about the role of a principal analyst is that you don’t have to have the industry experience in order to work your way into the position. “You could be a research associate where you are working with someone who has a pretty advanced knowledge of the space, who is really showing you lots of things about the industry. You are helping them collect info used in reports—doing a lot of the hands on research,” Pollard said.

While many outsiders come into the organization from other companies, Pollard also noted that there are people who have “grown up” at Forrester, starting as a research associate, then researcher, then analyst. “These people develop excellent skills because they really understand the research craft from having been involved in every step of it.”

The transition, though, is a little different for those who worked “in industry”. Speaking on his own experience, Pollard noted, “You have to turn down some of your technical skills and amp up the problem solving skills.”

In order to help make that transition smoother, Pollard recommends that first you commit to being an autodidact. “Don’t’ wait for others to educate you. Educate yourself. Develop and gain specific skills. With the number of open source projects and blogs available online today, you can teach yourself so much easier than ever before,” he said.

Information security is welcoming to new people and new ideas, so develop the analytical and critical thinking skills needed at an analyst level. “Network,” said Pollard. “Get to know lots of people and differing ideas. Expose yourself to the diversity of ideas and people. Start thinking about and writing and developing your own contributions. Blog whether it’s on your own or part of your company’s blog. Keep it professional and factual, and make sure you love it!” he continued.

Because technology and security are ever changing, knowledge and skills will also evolve, so the most important quality any candidate in the security industry should have is passion.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author