Expand mobile version menu

Information Technology

Information Security Analyst

salary graphic

AVG. SALARY

$92,350

education graphic

EDUCATION

Bachelor's degree

job outlook graphic

JOB OUTLOOK

Increasing

Interviews

Insider Info

After Justin Funke had performed his first security audit, he knew how much money the president of an online service provider made one year.

As a computer systems security analyst, he had to test the network for any holes and blind spots. And it did not take him long to find some.

"Within 30 minutes, I had the full run of the network and I just can't put into words the look on the president's face when I recited back to him his client list and told him that...I thought he wasn't paying himself enough."

It turned out that this company ran a cable connection directly to its network without a firewall (a system that protects computers and networks from unauthorized use). That is like putting up a large, pulsating neon sign that reads Crackers Welcome.

Thankfully, Funke turned it off before it attracted any unwanted visitors.

Yiman Jiang is the principal partner of a computer consulting firm. She is also an expert in computer security issues.

One time when a virus wormed its way through cyberspace, it took her and her staff more than 10 hours to access a site from which she could download the necessary protocol to fight the virus. In the meantime, there was not a whole lot she could do except for sending a mass email that warned her staff not to open any incoming messages that professed amorous affection in its subject line.

"The best one can do is to take all precautions," she says.

That means running tests and more tests to make sure the system you are protecting is ready to handle any denial-of-service attacks or viruses.

It also means keeping up to date with new software developments. And that is the most difficult aspect of working in the field of computer security because it is changing so rapidly, says Jiang.

New bugs are coming up constantly, and so are new counterattack programs, she says. And once you are up to speed, you have to implement them because the other side may already be working on a way to get around them.

"Once a system is in place, most people tend to think [they] are safe and OK," she says. "But that's not the case at all."

Indeed, computer systems security analysts and crackers are locked in a virtual arms race.

"We will build better defenses, and they will try to find ways to get around those defenses," says Dave Kennedy. He is the director of research services for an Internet security company. "That is just the tension that has always existed between defense and offense."

None of the people interviewed in this story would name the clients for whom they worked.

"We sacrifice a lot of media for our clients' security," says Dean Pothorin. He heads a company that sells firewalls for small and medium businesses.

Both sides would like to know what the other side is doing. "It's a battle of intelligence," says Pothorin. So spies abound, only this time you will not find them lurking around in shadowy corners. Espionage now happens online.

"Members of our staff are very much in tune with what's going on in the hacker community," says Pothorin. "It is one of those communities where you have to be trusted to get into. You can't just show up and say, 'I am here, let's talk.' It takes years and years to get into the underground and understand and realize what's happening. So we got people who are very deep into this stuff, and that's where we get our intelligence from."

Note that there is a difference between "hackers" and "crackers." Hackers are ethical professionals who try to break into their clients' sites to find the security holes. Crackers are just out to break into systems to cause havoc. People often use the term "hacker" when they really mean "cracker."

Demand for computer security analysts is incredibly high. It far outstrips supply, and companies are scrambling for security analysts with experience.

"Generally, I get two or three probes a week from people who want to know whether or not I'm interested in another job," says Kennedy. "And everybody who is an established security information person gets those."

And since they are in such high demand, security analysts can command high salaries.

"There are a lot of information security people who are making well over $100,000 a year," says Kennedy. "I can say that there are maybe a hundred people in my field who are making a quarter-million dollars a year."

But along with high salaries come long working hours. "Programmers are infamous for working 40 to 50 hours straight before taking a break in order to finish their current assignment," says Funke.

But it all depends on your perspective, he says. "Anyone who finds information security as fascinating and exciting as the majority of us in the field soon realizes that time is relative," he says. "If you do not enjoy this work, you won't make it longer than a couple of weeks, guaranteed. The long hours are by choice, not by [necessity]."