What makes a good security analyst: The character traits you need

security analystOf all the skillsets IT decision-makers are looking to hire for, cybersecurity is easily the most challenging. According to Global Knowledge’s 10th annual IT Skills and Salary Survey, 31% of IT decision-makers have a difficult time finding qualified cybersecurity talent. And when it comes to hiring a security analyst, the challenge goes beyond simply finding candidates with the right technical skills.

An analyst’s personal experience and biases can be just as valuable or detrimental to their success in the job. Here are three work traits that make the difference between a good security analyst and a bad one.

A distrust of the information presented

Bad analyst: All too often, analysts fall into a trap of treating security tools as infallible authorities. For many detection tools, including those relying on signatures or algorithms, assumptions and false positives are the norm. An analyst who treats the output verbatim — unmodified and unquestioned — can barely call themselves an analyst. Simply put, a security analyst that doesn’t analyze is a bad security analyst.

Good analyst: An experienced security analyst continually thinks about what is implicit to the information available to them — not just explicitly delivered. By knowing what should be there and proving its presence or absence, the analyst methodically and rapidly moves through analysis work. This singular difference—the ability to maximize testable assertions and minimize assumptions — is the key to success in a lot of technical work. Tracking the assertions they make during the course of their work allows good analysts to rapidly rewind an investigation if an assertion is proven false, to the place where that assertion was made. Thus, the analyst gets back on the correct path with minimal time lost.

The thrill of the hunt

Bad analyst: Bad security analysts will take an investigation only so far as their technical skills allow, and then declare the job done. For these analysts, every security problem can be resolved by taking a machine offline, scanning it for malware, and then bringing it back online—no questions asked. Whether through laziness or inexperience, bad analysts go out of their way to make the evidence fit a narrative of least-effort.

Good analyst: Good security analysts are excited by a lack of information. They obsess over leaving no stone unturned as they follow multiple lines of investigation, many of which are likely to lead to dead-ends. Good analysts understand this and don’t succumb to the fallacy of sunk cost, but instead can quickly roll back the line of investigation as needed.

At every step of the work, good analysts look at the information they have and, instead of simply moving on to see what else can be found, will assert that if the findings so far are correct, then other pieces of evidence must also exist. Then they seek to find the corroborating evidence that will prove that assertion.

Understanding that human motivation lies behind every piece of evidence

Bad analyst: Bad security analysts fail to consider human and organizational factors, and attempt to solve every problem from a security perspective. At their most competent, these analysts can be considered “security purists,” in that they refuse to accept that measured risks are a daily part of doing business. As a result, they spend hours trying to find an agnostically technical answer for a problem that could be resolved by simply picking up the phone and talking to someone.

Good analyst: A good analyst’s skill set is not limited to domain-specific security skills. Instead, good analysts are “T-shaped” people. Although they specialize in one domain of expertise, a surrounding, supportive set of skills enables them to place their knowledge and skills into a large, interconnected context. Good analysis work comes from being able to approach problems from multiple angles to uncover previously hidden evidence and insights.

By asking an analyst to walk you through a particularly tough investigation they have conducted, the methodology, the challenges, the results and consequences, one can identify where that analyst falls on the spectrum of the three characteristics listed above. And if you are an analyst yourself, remember: Real-world security analysis doesn’t occur in a technical bubble. In fact, the core character trait that makes a security analyst good is the habit of analyzing how you do the work, as much as doing the work itself.