If you like problem solving, have a technical mind and are interested in IT, a career in the fast-growing cyber security field may be for you
Cyber security analysts help to protect an organisation by employing a range of technologies and processes to prevent, detect and manage cyber threats. This can include protection of computers, data, networks and programmes.
Broadly, you can work in one of the following areas:
- consulting, offering advisory services to clients
- working to protect the security of the organisation you work for.
Job titles vary and may include information security analyst, security analyst, information security consultant, security operations centre (SOC) analyst and cyber intelligence analyst.
As a cyber security analyst, you'll need to:
- keep up to date with the latest security and technology developments
- research/evaluate emerging cyber security threats and ways to manage them
- plan for disaster recovery in the event of any security breaches
- monitor for attacks, intrusions and unusual, unauthorised or illegal activity
- test and evaluate security products
- design new security systems or upgrade existing ones
- use advanced analytic tools to determine emerging threat patterns and vulnerabilities
- engage in 'ethical hacking', for example, simulating security breaches
- identify potential weaknesses and implement measures, such as firewalls and encryption
- investigate security alerts and provide incident response
- monitor identity and access management, including monitoring for abuse of permissions by authorised system users
- liaise with stakeholders in relation to cyber security issues and provide future recommendations
- generate reports for both technical and non-technical staff and stakeholders
- maintain an information security risk register and assist with internal and external audits relating to information security
- monitor and respond to 'phishing' emails and 'pharming' activity
- assist with the creation, maintenance and delivery of cyber security awareness training for colleagues
- give advice and guidance to staff on issues such as spam and unwanted or malicious emails.
- Starting salaries for cyber security analysts typically fall between £25,000 and £35,000.
- With several years of experience, you can expect to earn between £35,000 and £50,000.
- In higher level leadership or managerial roles, you may receive salaries up to, and in excess of, £70,000.
Income figures are intended as a guide only.
Working hours are typically 35 to 40 hours per week, Monday to Friday. You may need to work outside of 9am until 5pm depending on projects and the specific nature of the work.
Some companies may require you to work on a shift basis, which can include evenings, nights and weekends. You may need to work as part of a 24/7 call-out rota, to allow for quick responses to cyber security incidents.
Job sharing and part-time work are not common. However, some companies offer flexible working arrangements.
Short-term contract work is possible, particularly through recruitment agencies or if you work on a self-employed basis as a consultant.
What to expect
- Work is likely to be office-based and you will typically be using a computer for extended periods of time. However, if you are a consultant then you may need to travel at times to meet with clients.
- Self-employment is an option; you could set up a cyber security company or work as an independent cyber security consultant. Most of those working independently as a consultant will have built up experience by working in the field. You could also work as a contractor through an agency.
- Some roles will require you to be security cleared, particularly if they're for a government agency or private organisation which handles highly-sensitive information. You may also be restricted in terms of what you can say about your work.
- There are a higher proportion of roles in bigger cities and the majority of roles are in the South East of England (including London). In Scotland, roles are mainly found in Edinburgh and Glasgow. In Wales, roles are typically found in Cardiff, Swansea and Newport. However, as a consultant working for a company you'll have to travel within the UK and possibly internationally. Independent consultants can be based anywhere and travel to meet clients.
- Women and ethnic minority groups are underrepresented in the profession. However, there are organisations which aim to promote greater workforce diversification, such as the Cyber Challenge Foundation. Other examples of initiatives aimed at attracting women into the industry include WISE (Women into Science, Technology, Engineering and Mathematics), the Women's Security Society and Women in International Security (WIIS).
It's possible to enter the cyber security profession without a degree by starting in an entry-level IT position. You could then work your way up to a cyber security role.
You could undertake an apprenticeship in cyber security, where you'd combine employment and study to work towards a recognised qualification.
Many employers recruiting for a graduate position require, or prefer, a degree in a science, technology, engineering or mathematics (STEM) subject. Exact requirements vary between employers. More relevant degree subjects include:
- cyber/information/network security
- computer science
- software/electrical/network engineering
- other IT/security/network-related degrees.
As you gain experience, your degree subject will be less important, and employers will be more interested in what you've done professionally.
It's also possible to enter the profession with a non-technical/unrelated degree. Some graduate schemes or graduate roles welcome graduates from any degree discipline.
You could choose to undertake further study in a relevant subject area. The National Cyber Security Centre - NCSC-certified degrees lists certified Masters degrees in cyber security and closely related fields. Some employers may sponsor you to undertake a relevant Masters course.
You'll need to have:
- a passion for cyber security and a keen interest in IT
- excellent IT skills, including knowledge of computer networks, operating systems, software, hardware and security
- an understanding of the cyber security risks associated with various technologies and ways to manage them
- a good working knowledge of various security technologies such as network and application firewalls, host intrusion prevention and anti-virus
- the ability to work as part of a team and to build strong relationships with staff and other relevant individuals
- verbal communication skills, including presentation skills, with an ability to communicate with a range of technical and non-technical team members and other relevant individuals
- written communication skills, for example to write technical reports
- time-management and organisational skills to manage a variety of tasks, prioritise workload and meet deadlines
- excellent attention to detail, analytical skills and an ability to analyse complex technical information in order to identify patterns and trends
- an ability to work under pressure, particularly when dealing with threats and at times of high demand.
You'll usually need relevant pre-entry work experience to get a job. However, there are a number of graduate schemes and internships (at student and graduate level) in cyber and information security which don't require pre-entry experience. Employers will expect you to demonstrate a passion for, and an understanding of, the cyber/information security field.
If it's an option on your course, you could undertake a 12-month industrial placement in a cyber security role. You could also contact an organisation which employs cyber security analysts and ask to undertake a period of work experience or shadowing. However, there may be restrictions on what you're allowed to do and see.
Making connections with those in the industry and attending relevant cyber and information security events could help you to access opportunities, which may not always be advertised.
You can join BCS, The Chartered Institute for IT as a student member for a small fee to access networking opportunities, mentoring and industry information. Other organisations you can join as a student include the Institute of Information Security Professionals (IISP).
The Cyber Security Challenge UK, a series of competitions designed to test your cyber security skills, is another source of opportunities including virtual areas designed to support and enhance cyber talents through gamification. This initiative has been set up to try and attract more individuals to this type of work.
Cyber security professionals are employed by a variety of organisations across both the public and private sector. You may be working on the security of your organisation and/or offering security services or consultancy to other companies.
These are just a few examples of the types of organisations you could work for:
- professional services
- security consultancy
- information technology
- financial service institutions
Look for job vacancies at:
There are also vacancies advertised on more general (non-specialist) job search sites. Keep an eye on LinkedIn and social media pages of potential employers as they may advertise roles this way.
There are graduate scheme opportunities related to cyber and information security. Do your research well in advance so you don't miss out on application windows.
Where no suitable job is advertised, you can make a speculative application to a company using a CV and cover letter. Seek support from your careers service and, ideally, have your application checked before sending it off.
Once you're working in the field, it's important to keep up to date with developments. You may be able to access industry information, events and networking opportunities through, for example:
Some employers, such as those offering graduate training schemes, may fund you to complete an MSc in information/cyber security while you're on the programme.
A part of GCHQ, NCSC lists bodies which they have certified to assess information assurance professionals. The GCHQ Certified Training (GCT) scheme offers courses at different levels: an 'awareness' level for those new to cyber security and an 'application' level which is more in-depth.
There are also various industry-related qualifications, such as:
- Systems Security Certified Practitioner (SSCP) - an entry-level, IT certification for those with at least one year of experience.
- The Certified Professional (CCP) scheme - the UK government's approved standard of competence for cyber security professionals. The scheme also provides those working in cyber security with a clearly defined career development path. There are different levels you can apply to - practitioner (entry level), senior practitioner and lead practitioner.
- Certified Information System Security Professional (CISSP) - you'll typically need at least four years of experience for this.
For those wanting to develop leadership, management and supervisory capabilities, there are a number of different certifications. These include the Certified Information Security Manager (CISM) for practitioners with five years of relevant work experience.
Other relevant courses include Certified Ethical Hacker (CEH), Cloud Security, Cyber Incident, Planning and Response (CIPR) and General Data Protection Regulation (GDPR) awareness.
Cyber security consultants can apply for the NCSC's Certified Consultancy scheme to receive certification. CCP certification is currently a prerequisite for this.
Cyber security is a fast-growing field and there is currently a skills shortage. Career prospects are good for people with the right combination of skills and experience.
You'll typically start in an entry-level or junior cyber security role. After building up several years of experience you could progress into roles such as senior cyber security analyst or consultant.
After significant experience in the field, you may be able to progress into higher level leadership and managerial roles, eventually progressing to become a director or head of cyber security. Achieving relevant certifications is helpful for your development and progression as many employers specify these as role requirements.
Self-employment is an option, but most people first gain experience in the field. You could set up a cyber security company or work as an independent cyber security consultant.