SOC analyst

Degree vs. certification: Best path to become a cybersecurity analyst

Greg Belding
March 25, 2022 by
Greg Belding

As with many things in life, there is more than one way to get to where you want to go. Becoming an entry-level cybersecurity analyst is no different. Some experts say a degree is the way to go. Others say certification is the preferable option. But which is the path for you?

This article will detail the different degrees and certifications useful for cybersecurity analysts throughout their careers. 

ChatGPT: Self-paced technical training

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

What is a cybersecurity analyst?

Cybersecurity analysts play a pivotal role for organizations. The role combines many information security skill sets and responsibilities into one well-rounded package. The overall goal is developing stronger information security by analyzing and assessing weaknesses and vulnerabilities within an organization’s IT environment — from hardware to software, networks and potentially even devices if needed. Cybersecurity analysts conduct risk analyses, perform vulnerability management activities and use network visibility of networks to identify potential attacks. 

As you can see, it takes more than a baseline level of skill to successfully perform this role. Those in the late stage of their careers may find that their wealth of skills and knowledge will be tested more than those with less experience in this role as they are more likely to take leadership roles in their department or team.

Those that remain in the role can expect to see a significant bump in salary as their skills and experience accumulate. Analysts with less than a year of experience earn $61,000 on average, whereas those with 10-plus years of experience earn an average of $98,000 (and that goes up to $108,000 for those with 20-plus years), according to March 2022 data from Payscale. 

Degrees for cybersecurity analysts

Many experts agree that earning a bachelor’s degree is the minimum level of education required to be a cybersecurity analyst.

One important thing to remember is that there is no one degree that will get you this job, but there are some recurring favorites among cybersecurity analyst candidates. Some popular choices of degrees include a bachelor’s in information security, computer science, math, physical science (of some kind), cybersecurity (although rare, it does exist) and information systems.

Earning a master’s degree demonstrates a more advanced skill set. While not required for entry-level positions, it can help you stand out, particularly when it comes to more senior cybersecurity analyst roles. The following master’s degrees will prove to be the most helpful:

  • Cybersecurity
  • Information security
  • Information systems
  • Computer science
  • Computer systems

It's best that your master's degree be as relevant as possible to cybersecurity. A field like math or physical science may not lead to as many senior-level career opportunities.  The best thing about the master’s degree level is that there are more cybersecurity degrees available.

Cybersecurity analyst certifications

The other side of the debate believes that certifications are what is really required. This may be based on the fact that it takes a substantial amount of experience to be a truly competent and useful cybersecurity analyst.

From my experience, certifications are generally more representative of what you will encounter on the job. There is no one certification that is best, but there are several available depending on your experience level and career goals.

Entry-level security analyst certifications

Security+

Hosted by CompTIA, Security+ is an entry-level information security certification that will expose you to solid, vendor-neutral course material that will help you as a cybersecurity analyst.

This certification exam covers five domains of knowledge: attacks, threats and vulnerabilities; architecture and design; implementation; operations and incident response; and governance, risk and compliance. This certification is among the most requested for the role of security analyst and is the most popular entry-level cybersecurity certification available.

GIAC®️ Security Essentials Certification (GSEC)

GSEC, offered by GIAC, will certify that you have the fundamental skills to work in an entry-level information security or cybersecurity role. Candidates are tested on attack detection and prevention, defense in depth, secure communications, foundational security for Windows and Linux and networking concepts.

This is my choice for the best certification for those in cybersecurity that are still learning the basics, although it is also one of the most expensive.

Certified Ethical Hacker

The CEH or Certified Ethical Hacker, offered by EC-Council, certifies that the holder has the same knowledge and tools that malicious hackers use. Certification holders then take this skill set and can use it legitimately, and with permission from the organization, to test said organization’s security.

This is performed so the organization can identify where their security needs to be tightened before malicious hackers do. The level of understanding of the adversary can go miles in cybersecurity analysis and follows the adage of “know your enemy.”

Mid- and advanced security analyst certifications

CySA+

Cybersecurity Analyst+, or CySA+, is a certification that is for those with at least three to five years of in-the-field job experience, making it out of the league of entry-level cybersecurity analysts. Unlike Security+, CySA+ delves into more up-to-date methods for cybersecurity analysis, including behavior analytics which can be used to better detect, prevent and fight cybersecurity threats. 

If I were to recommend any one certification for a late-career cybersecurity analyst, I would firmly recommend this one. It takes a more advanced skill set to pass this certification, and there is a robust number of performance-based questions that will test real-world cybersecurity skills. 

CISM

Certified Information Security Manager, or CISM, is hosted by ISACA and certifies an advanced level of information security skill necessary for a late-career cybersecurity analyst.

This certification is good for those looking to move into a manager role. The exam covers the following five domains: information security governance, information risk management, information security program development, information security program management, and incident management and response.

CISSP

Hosted by (ISC)2, Certified Information Systems Security Professional, or CISSP, is a cybersecurity certification well-suited for the late-career cybersecurity analyst that wants to move into a management role or round out their skill set. A CISSP certification validates cybersecurity understanding that goes beyond technical threats and into managing a security program for an organization.

Cybersecurity analyst career tips

One of the most important tips is that there is no one way to become a cybersecurity analyst, and there is no one degree or certification that will get you there either. I would say having a degree or certification makes you more likely to get a job as an entry-level cybersecurity analyst than someone with little experience and no degree or certification, but that isn’t saying much. Some can even earn this position on experience alone. Late-career cybersecurity analysts probably have more than one degree or certification at this point in their careers.

The best tip is to sell yourself well. I’m not talking about making up experience you do not have, but rather presenting your resume in a way that shows that, although you are technically entry-level, you have the skills they desire. On your resume, add as many internships as you can and really write up those skills you earned — and don’t forget the degree or certification either!

Degree or certification?

So which one should you pick: degree or certification? Frankly, I would say you want some of both. A bachelor’s degree is always a good option if you have the time and money. Certifications take much less time to earn than degrees, so if you do not have at least Security+ by this point, I would earn that too. 

ChatGPT: Self-paced technical training

ChatGPT: Self-paced technical training

Take our introductory training to teach you how to securely use ChatGPT to investigate SOC & Incident response issues. Book a meeting with our team to learn more.

Besides degrees and certifications, you will want to have a variety of real-world cybersecurity analyst skills and be able to present them as a cohesive cybersecurity analyst skill set on your resume. Organizations will expect more out of a late-career cybersecurity analyst, so do not fail in delivering or they may just pass you up for someone with less experience and ultimately settle for less. You invested your life into your career — let it shine for all organizations to see. 

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.