Information Security Analyst Career, Education & Salary

Dr. Shawn Murray is president and CAO at Murray Security Services and was previously assigned to the United States Missile Defense Agency as a senior cybersecurity professional. His previous assignments include work with the US Army Cyber Command in Europe, the US Air Force, and with the commercial industry in various roles in information assurance and cybersecurity.

Dr. Murray has traveled the globe performing physical and cybersecurity assessments on critical national defense and coalition programs and has prepared reports for the House Armed Services Committee and has testified on cybersecurity and privacy issues for leaders in Congress. He is the lead cyber consultant at the Pikes Peak Small Business Development Center (SBDC) and sits on the national SBDC cyber working group.

Dr. Murray has worked with SBA, the Colorado Attorney General’s office, NSA, FBI, CIA, and the US Defense and State Departments on various cyber initiatives. He has over 20 years of IT, communications, and cybersecurity experience. He has presented as a featured or keynote speaker for numerous conferences across the globe. He enjoys teaching and presenting as a guest lecturer on cybersecurity, business and computer science courses at his Cyber Academy and for several universities. He has several industry-recognized certifications, including the C|CISO, CISSP, and CRISC. He holds several degrees, including an applied doctorate in computer science with a concentration in enterprise information systems.

Dr. Murray is a distinguished fellow at the Information Systems Security Association and a past president of their International Board of Directors. He is also co-chair of the ISSA AIM committee (Apprenticeship, Internship, and Mentorship).

ForensicsColleges.com: What’s something you wish the public knew about information security analysts?

Dr. Murray: From a cybersecurity professional’s perspective, when communicating with the general public, one thing I wish they knew about information security analysts is that we are not just “computer geeks” or “hackers.”

We are problem-solvers with a broad skill set: While technical knowledge is foundational, information security analysts spend a significant amount of time on critical thinking, risk assessment, communication, and understanding human behavior. We’re constantly analyzing complex systems, identifying vulnerabilities, and devising strategies to protect information, which often involves more than just coding or patching.

Our job is inherently proactive and defensive: The public often only hears about cybersecurity when a breach occurs. They might think of us as the people who clean up messes after a hack. In reality, a massive part of our role is preventing those messes from happening in the first place. We’re building digital fortresses, monitoring for suspicious activity, and educating users to strengthen defenses before an attack.

We are advocates for your digital safety: Our ultimate goal is to protect sensitive information—whether it’s your personal data, financial details, or critical infrastructure. We genuinely care about safeguarding your digital life and the systems that underpin society. When we recommend security measures (like strong passwords or two-factor authentication), it’s not to be inconvenient; it’s because we understand the very real risks and are trying to protect you.

It’s a constant, evolving battle: The threat landscape changes daily. New vulnerabilities, new attack methods, and new technologies emerge all the time. This means our work is never done; we are continuously learning, adapting, and innovating to stay ahead of malicious actors. It’s a dynamic and intellectually challenging field.

Human error is a significant factor: While we focus on technical controls, a large percentage of security incidents stem from human mistakes or social engineering. We wish the public understood that they are a crucial part of the security chain. Their awareness and adherence to basic security practices can be more impactful than the most advanced technology.

In essence, I wish the public saw information security analysts as dedicated professionals who are constantly working to keep them safe in the digital world, not just as reactive tech support or mysterious figures who deal with “computer stuff.” Understanding this would foster greater trust, encourage better security habits, and ultimately lead to a safer online environment for everyone.

ForensicsColleges.com: Do you have any advice for new or aspiring information security analysts?

Dr. Murray: As a seasoned information security professional, my advice for aspiring information security analysts boils down to a few key pillars:

1. 1. Build a Rock-Solid Foundation (Technical & Theoretical)
   • Understand the “Why” and “How”: Don’t just learn tools; understand the underlying principles of how networks work (TCP/IP, routing, firewalls), operating systems (Windows, Linux, macOS), and applications. Dig into the “why” behind vulnerabilities and controls.
   • Networking is King: Seriously, master networking. So many security issues stem from misconfigured networks or a lack of understanding of network traffic. Get your CompTIA Network+ or CCNA as examples.
   • Operating System Fluency: Be comfortable navigating and troubleshooting in Windows, Linux, and even macOS environments. Learn command-line interfaces (Bash, PowerShell) – they’re essential.
   • Scripting is Your Superpower: Learn Python, PowerShell, or Bash. Automation is crucial in security operations. Being able to write scripts to parse logs, automate tasks, or even build simple tools will set you apart.
   • Embrace the Cloud: Cloud computing (AWS, Azure, GCP) is no longer a niche; it’s the norm. Understand cloud security concepts, shared responsibility models, and how to secure cloud environments.
   • Cybersecurity Frameworks and Best Practices: Familiarize yourself with frameworks like NIST CSF, ISO 27001, and CIS Controls. These provide a structured approach to managing security risks and will be a common language in any professional setting.
2. 2. Cultivate a Hacker Mindset (Ethically!)
   • Think Like the Adversary: This is paramount. To defend effectively, you need to understand how attackers operate. Learn about common attack vectors (phishing, malware, social engineering, web application vulnerabilities), penetration testing methodologies, and red teaming.
   • Get Hands-On (Safely): Set up your own home lab (virtual machines with Kali Linux, Windows servers, vulnerable applications). Practice exploiting vulnerabilities in a controlled environment. Participate in Capture The Flag (CTF) competitions, Hack The Box, and TryHackMe platforms. This practical experience is invaluable.
   • Stay Curious: The threat landscape is constantly evolving. Malicious actors are always finding new ways to exploit weaknesses. You need to have an insatiable curiosity to learn about new threats, technologies, and defensive techniques. Read security blogs, threat intelligence reports, and follow experts on social media.
3. 3. Develop Essential Soft Skills (Very Important!)
   • Communication (Written & Verbal): This is often overlooked but is absolutely critical. You’ll need to explain complex technical concepts to non-technical stakeholders (management, legal, other departments). You’ll write incident reports, risk assessments, and security policies. Practice clear, concise, and impactful communication.
   • Problem-Solving and Critical Thinking: Security incidents rarely present themselves with a clear-cut solution. You’ll need to analyze disparate pieces of information, connect the dots, and develop effective remediation strategies.
   • Adaptability and Resilience: You will encounter setbacks, frustrating issues, and constant changes. The ability to adapt to new threats, technologies, and organizational priorities is vital. Don’t be afraid to admit when you don’t know something; embrace it as an opportunity to learn.
   • Teamwork and Collaboration: Cybersecurity is a team sport. You’ll work closely with other security analysts, IT operations, developers, and business units. Effective collaboration is key to successful security programs.
4. 4. Strategic Career Moves
   • Certifications (Strategically): Start with foundational certifications like CompTIA Security+ to demonstrate a baseline understanding. As you gain experience and identify a niche, pursue more specialized certifications (e.g., Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), GIAC certifications, CISSP for more senior roles). Don’t collect certifications just for the sake of it; choose ones that align with your career goals and demonstrate practical skills.
   • Internships and Entry-Level Roles: Practical experience trumps theoretical knowledge. Seek out internships, Security Operations Center (SOC) analyst roles (often entry-level and a fantastic learning ground), or IT support roles where you can gain exposure to systems and networks.
   • Network, Network, Network: Connect with other cybersecurity professionals on LinkedIn, attend industry conferences (even virtual ones), and participate in local security meetups. Networking can lead to mentorship, job opportunities, and invaluable insights. Join a professional organization like a local chapter of the Information Systems Security Association (ISSA).
   • Build a Portfolio/Online Presence: Document your personal projects, CTF achievements, or interesting security findings. A GitHub repository with your scripts or a personal blog can showcase your skills and passion.

In essence, becoming a successful information security analyst requires a blend of deep technical knowledge, a proactive and curious mindset, strong communication skills, and a commitment to continuous learning. It’s a challenging but incredibly rewarding field where you directly contribute to protecting individuals and organizations in the digital age.

ForensicsColleges.com: What does the future of the information security analyst role look like to you?

Dr. Murray: From the perspective of a seasoned information and cybersecurity professional, I believe that the future of the information security analyst role will be both excitingly dynamic and increasingly challenging, marked by a significant shift from the typical reactive “firefighting” to proactive, strategic defense. Here’s how I see it evolving from my perspective:

1. 1. AI and Automation as Force Multipliers (Not Replacements)
   • Automated Mundane Tasks: AI and machine learning will increasingly handle the routine, high-volume tasks that currently consume a significant portion of an analyst’s time.
   • Initial Alert Triage: AI will filter out noise, prioritize alerts based on context and risk, and even perform initial investigations.
   • Log Analysis: Advanced analytics will rapidly process massive data sets from various sources (SIEM, EDR, network logs) to identify anomalies and suspicious patterns.
   • Vulnerability Scanning & Prioritization: AI will not only identify vulnerabilities but also help prioritize them based on exploitability, potential impact, and real-time threat intelligence.
   • Augmented Human Intelligence: This doesn’t mean analysts are obsolete. Instead, AI will augment their capabilities, allowing them to focus on:
   • Complex Threat Hunting: AI will provide leads and insights, but human analysts will be crucial for deep dives, connecting disparate data points, and identifying novel attack techniques that AI might miss.
   • Incident Response Orchestration: While automated playbooks will handle initial containment, human analysts will manage the more intricate aspects of incident response, including communication, coordination, and strategic decision-making during high-stakes breaches.
   • Strategic Planning and Policy: AI can inform, but human judgment, understanding of business context, and ethical considerations will be paramount in developing security policies, risk management strategies, and overall cybersecurity posture.
2. 2. A Deeper Dive into Specialized Areas

   The “generalist” information security analyst will become less common, or at least, will need a strong foundational understanding to then specialize. We’ll see more analysts focusing on:

   • Cloud Security: As more organizations migrate to cloud environments, analysts specializing in AWS, Azure, and GCP security, including secure configurations, access management, and compliance, will be in high demand.
   • OT/ICS Security: The convergence of operational technology (OT) and information technology (IT) demands analysts with expertise in securing critical infrastructure and industrial control systems.
   • Application Security (DevSecOps): Integrating security into the software development lifecycle from the start will require analysts embedded within development teams, focusing on secure coding practices, vulnerability assessments, and automated security testing.
   • Threat Intelligence & Purple Teaming: Analysts who can deeply understand adversary tactics, techniques, and procedures (TTPs) and then simulate those attacks to test defenses will be highly valued.
   • Data Privacy & Compliance: With evolving regulations (GDPR, CCPA, etc.), analysts specializing in data governance, privacy-by-design, and regulatory compliance will play a crucial role.
   • Identity and Access Management (IAM): As the perimeter dissolves, strong IAM practices become paramount. Analysts focused on robust authentication, authorization, and privileged access management will be essential.
3. 3. Emphasis on “Soft Skills” and Business Acumen
   • Communication is King: With automation handling much of the technical grunt work, analysts will spend more time communicating security risks and strategies to non-technical stakeholders, including senior leadership. The ability to translate complex technical jargon into clear, concise business language will be a differentiator.
   • Strategic Thinking & Risk Management: Analysts will increasingly be involved in understanding business objectives and aligning security initiatives with organizational goals. This includes performing comprehensive risk assessments and developing mitigation strategies that support business operations.
   • Collaboration and Empathy: Cybersecurity is a team sport. Analysts will need to collaborate effectively with IT, legal, HR, and business units. Understanding different perspectives and building strong relationships will be crucial for successful security outcomes.
   • Continuous Learning and Adaptability: The threat landscape, technologies, and regulations will continue to evolve rapidly. A commitment to lifelong learning and the ability to quickly adapt to new challenges will be non-negotiable.
4. 4. The Human Element Remains Critical (and STILL the Weakest Link)

   Despite technological advancements, human error and social engineering will continue to be significant attack vectors. Information security analysts will play a vital role in:

   • Security Awareness Training: Developing and delivering effective training programs that empower employees to be the “first line of defense.”
   • Behavioral Analytics: Analyzing user behavior to detect insider threats or compromised accounts.
   • Building a Security Culture: Fostering a security-conscious mindset throughout the organization, from the C-suite down.

In summary, in my opinion, the future information security analyst will be less of a manual “alert jockey” and more of a strategic security advisor, a proactive threat hunter, and a skilled communicator. They will leverage AI and automation to amplify their impact, allowing them to focus on the truly complex and human-centric aspects of cybersecurity, ensuring organizational resilience in an increasingly hostile digital world. Soft Skills are mandatory at all levels. Analysts will need to be able to communicate outside of technical jargon to be effective.