How to write an information security analyst job description

Whatever the role, good communication regarding the duties and expectations of a security professional is key to that person’s success. That communication starts with a solid, thorough job description. It will be an important benchmark when hiring for the role, and a touch point for performance once the candidate is on board.

The job description is also a baseline that helps security team managers keep pace as many roles evolve. That’s especially true for information security analysts, also referred to as cybersecurity analyst, data security analyst, information systems security analyst or IT security analyst. According to the U.S. Bureau of Labor Statistics (BLS), the outlook for security analyst job seekers is bright. Demand for them is projected to grow 22 percent through 2020, compared to an average of 14 percent for all occupations. 

Duties

The duties outline the tasks and goals for which the information security analyst is responsible. That may vary depending on your company’s needs or industry. Jeremy Wittkop, chief technology officer at InteliSecure, says the infosec industry is shaping itself into, “different disciplines that have different analyst profiles.” He said the two most definitive are information protection (IP), which includes data loss protection (DLP) and data classification. Threat protection (TP) includes security information and event management (SIEM), user and entity behavior analytics (UEBA), point products like anti-virus (AV) and intrusion detection system/intrusion prevention system (IDS/IPS) and penetration testing.

[Related: What it takes to be a malware analyst]

IP analysts require less technical expertise, he said, but, “must have the ability to understand business processes qualitatively in order to assess behaviors against the authorized activities in a given business unit,” says Wittkop. Their role is to analyze if a behavior was authorized or not, “and if it was not, whether they think the behavior was due to ignorance or intentional,” which means a law enforcement or intelligence background can be useful.

TPs are “far more technical,” says Wittkop, and need to be able to, “understand network protocols and system behavior,” which means digital forensics training is useful. “These people are really there to look through logs or behaviors from a systematic perspective in order to find anomalies that they can then investigate,” he says.

Key duties for an information security analyst might include:

• Plan, implement and upgrade security measures and controls
• Protect digital files and information systems against unauthorized access, modification or destruction
• Maintain data and monitor security access
• Conduct internal and external security audits
• Manage network, intrusion detection and prevention systems
• Analyze security breaches to determine their root cause
• Recommend and install appropriate tools and countermeasures
• Define, implement and maintain corporate security policies
• Security awareness training
• Coordinate security plans with outside vendors

Skills and competencies

This section outlines the technical and general skills required as well as any certificates or degrees that a company might expect an information security analyst to have.

[Related: What it takes to become an information assurance analyst]

Key technical skills include:

• Penetration testing of applications and infrastructure – a good way to find vulnerabilities before attackers do
• Social engineering – given that humans are the weakest link in the security chain, an analyst’s expertise can help with awareness training
• Vulnerability and risk assessment – important components of risk management
• Security assessments of network infrastructure, hosts and applications – another element of risk management
• Forensics – investigation and analysis of how and why a breach or other compromise occurred
• Troubleshooting – the skill to recognize the cause of a problem
• DLP, AV and anti-malware – an understanding of the tools used to protect the organization
• TCP/IP, computer networking, routing and switching – an understanding of the fundamentals: the language, protocol and functioning of the internet
• ISO27001 assessment – specifications for a framework of policies and procedures that include all legal, physical and technical controls involved in an organization’s risk management
• C, C++, C#, Java or PHP programming languages – you can’t analyze what you don’t understand
• Cloud computing – the risks and benefits of using a vendor’s remote servers to store, manage and process an organization’s data
• Windows, UNIX and Linux operating systems, on which most of the business world runs

General skills include:

• Excellent report writing and communication
• The ability to work well independently or with a team
• Available to travel, possibly internationally
• Capable of meeting deadlines and budgets

Certifications and education

Company policies regarding certifications and education can vary. Some might be willing to overlook a lack of degree or certification if a person has proven skills. Others use certifications and education as gating factors when hiring.

Possible certification requirements are:

• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control
• Certified Ethical Hacker
• Global Information Assurance Certification
• Vendor credentials offered by companies such as Microsoft and Cisco

In addition, education requirements range from high school to Master of Business Administration in Information Systems. Most companies require a college degree in computer science, cyber security or a related discipline.

Industry-specific requirements

Certain industries might have unique requirements need to be addressed in the information security analyst job description. In health care, for example, the analyst’s duties might include the ability to assess and participate in compliance policies. That might include meeting internal and external audit requirements and gathering and providing information to internal and external auditors.

Skills specific to health care might include:

• Identity and access management (IAM) solutions – prevention of unauthorized access by internal or external staff
• Endpoint protection technologies and techniques
• Web application firewalls and intrusion prevention
• encryption
• Access control methodologies (MAC, DAC. RBAC)
• IDS/IPS systems, SIEM tools and network scanners

Finance would also have its own unique set of duty and skill requirements. Related duties include:

• Develop and recommend policies, standards and procedures that are in compliance with statutory and regulatory requirements that cover internal and external parties, physical security systems, internet and computer systems
• Monitor and respond to regulatory developments and industry best practices in a timely manner
• Maintain customer information security program compliant with the provisions of the Gramm-Leach-Bliley Act (GLBA) or the Bank Security Act, and prepare annual report on the overall status on the level of compliance
• Perform operational risk assessment (OSA) process for all organization facilities
• Audit activities of security administrators on various software applications

Skills specific to finance would include a strong understanding of GLBA and IS/IT risk assessment, the Federal Financial Institution Examination Council (FFIEC) IT examination handbooks, and National Institute of Standard and Technology (NIST) 800-53 and Cybersecurity Framework.

How to attract the best

Money is always a factor. While the salary for an information security analyst ranges from $50,000 to $177,000, with the average around $88,000, Wittkop said senior analysts with a proven track record, “are often the subject of multiple offers and a bidding war can easily ensue.”

For the best out there, it often comes down to more than money. Attractive perks include flexible work arrangements, growth potential, and training programs.