Perhaps the most quoted scene of Lord of the Rings is when Gandalf the Grey stands against the giant Balrog. Standing above an endless pit, Gandalf yells “You shall not pass!” challenging the monster and inevitably causing it to fall into darkness.
As a cybersecurity compliance analyst, you are Gandalf the Grey, and the Balrog is the whole of noncompliant cybersecurity policies. Letting these policies remain is detrimental to the organization that you work for and the assets you protect. Compliance isn’t always easy to achieve, but it’s always a necessity in the cybersecurity industry.
So, then, how do you become a compliance analyst? Let’s get into what compliance analysts are, what they do, their salaries, their roles, and how you can become one.
What is a compliance analyst?
Before digging into the role of a compliance analyst, let’s talk about what the word compliance actually means. In cybersecurity terms, compliance is the act of adhering to rules that have been put in place through industry regulations and government legislation.
These overarching “rules” of cybersecurity are primarily upheld through routine audits. Audits are inspections that organizations perform to ensure that cybersecurity standards are being held by any entities that are involved in the industry. A good example of a routine audit is the Payment Card Industry Data Security Standard (PCI DSS). This risk management security standard has been implemented to reduce identity theft and fraud through credit card transactions.
While it’s not required by law to comply with PCI DSS, merchants who fail to do so are unable to conduct transactions with VISA or MasterCard customers. This has an obvious negative impact on sales. For the sake of security and profits, companies need compliance professionals to help them remain cybersecurity compliant. This is where the compliance analyst comes in.
What does a compliance analyst do?
Compliance analysts contribute to security designs through acquisitions and/or system developments to deliver and maintain a compliant system. Put simply, compliance analysts help companies remain compliant with regulations, thus preparing them for audits. By figuring out which regulations affect “Company X,” compliance teams can then develop a plan to meet the necessary standards. They research, educate, and project-manage to ensure that all members of a cybersecurity team are on the same page.
Compliance analysts either work in-house or as consultants for businesses that don’t need a full-time analyst.
Contrary to how it may sound, compliance analysts don’t spend their days checking off long lists of regulatory boxes. Their assessments are a crucial component of an organization’s success. For example, Yahoo was fined $35 million because they were found non-compliant for failing to disclose a massive security breach promptly. While this incident was going to cost them regardless, having an effective compliance analyst to ensure timely disclosure of the breach would have saved them millions.
As illustrated by the Yahoo breach, compliance analysts have the potential to make a dramatic impact on a company’s well-being. But, compliance doesn’t guarantee security. Risk assessment is another major component of the compliance analyst role. If a company can remain compliant but is unable to mitigate risks, it can end up losing money to threat actors instead of to auditors. Compliance analysts aren’t just sticklers for rules, every once in a while they have to roll up their sleeves and use their wizardry to protect cybersecurity from imminent threats.
How much does a compliance analyst make?
According to ZipRecruiter, the average compliance analyst in the US makes around $63k.
Aside from the obvious factors of location and experience, the type of company that you work for can play a major role in your offer. If you do a quick Google search, you’ll see that companies in nearly every industry are hiring. You may work as a compliance analyst for a traditional cybersecurity organization, or you could just as easily be hired by your favorite clothing company or even a local hospital.
Cybersecurity compliance affects all industries. The Bureau of Labor Statistics projects the employment of cybersecurity and information security analysts to grow by 31%(!) by 2029. This is much faster than almost any other profession in any industry across, the country, so you’ll have a lot of choices when deciding what kind of company you’d like to work for.
These numbers alone show that compliance job opportunities and careers as compliance officers are a great idea both for now and in the future.
For a deeper dive into cybersecurity careers, read our Ultimate Guide to Cybersecurity Careers.
What skills do you need to be a compliance analyst?
Although the job of a compliance analyst tends to have more of a business focus than other cybersecurity roles, technical prowess is a must. To help a company achieve compliance, an analyst must understand the cybersecurity concepts that they are analyzing.
When functioning as auditors, a compliance analyst can’t just rely on other cybersecurity professionals to give them all of the information that they need; doing so may jeopardize the accuracy of their assessment.
While other professionals can certainly help in an assessment, they may not have the same industry or legal expertise as the compliance analyst.
If you’ve done your research and read some of our other security career explainers, you’ve probably noticed that “communication skills” are regularly listed as a skill you’ll need to succeed in a variety of cybersecurity roles; this is especially true for the compliance analyst.
On any given day, a compliance analyst can speak with other cybersecurity professionals, auditors, state and federal agency representatives, GDPR, NIST, HIPAA representatives, business executives, and really anyone who’s involved in the organization that’s being analyzed. A compliance analyst must be able to communicate effectively and act as an interpreter between different stakeholders to translate compliance requirements understandably. If you’re a people person, this is the cybersecurity role for you.
Lastly, soft skills are extremely important in cybersecurity. An inquisitive mindset is crucial for compliance analysis. At face value, companies may appear compliant and protected from malicious hackers. It’s up to the compliance analyst to dig deeper than anyone else and figure out what the real state of an organization is. It’s up to you as the compliance analyst, to find the weak points in what others see as a rock-solid cybersecurity strategy.
How does a compliance analyst fit into a cyber team?
The advancement of cyber threats has led many organizations to develop their own Security Operations Center (SOC). A SOC consists of a cohesive cyber-team made of security engineers, Pen Testers, security analysts, and data scientists. Each member of the team brings a unique skill set that assists in the efforts of preventing, detecting, analyzing, and responding to security threats.
The Roles Of Each SOC Team Member
The engineers are the technical experts that build and secure the networks and the detection tools of the company. The data scientists analyze the mass data that a company produces, to discover network insights. Analysts use these discoveries to actively search for anomalies in their network that might indicate malicious activity. When anomalies are spotted, analysts work with the engineers to set traps and contain threats.
These traps can also be set preemptively in what’s known as “active defense.” Pen Testers are white-hat hackers who simulate cyber attacks on their own network to discover its vulnerabilities. They report their findings to the team so that, together, they can fill the network’s security gaps.
You may have noticed that the compliance analyst role wasn’t mentioned as a member of the SOC. While they’re not directly a core component of the SOC, compliance analysts play a major role in supporting security operations.
If a SOC wishes to function at its best, it has to remain compliant. Without compliance, a SOC will be on the receiving end of steep penalties from failed audits. This means heavy fines, a loss of customers, and even SOC members being fired. Compliance analysts support the SOC team in their operations by educating them on compliance mandates, as well as the protocol that is necessary to meet these standards.
With SOCs in a constant fight for compliance with numerous organizations at once, a compliance analyst is a welcome aid to any cybersecurity team.
Here’s how you become a compliance analyst
Flatiron School provides the most complete, immersive, and compressed cybersecurity programs out there. Our Cybersecurity Analytics teaches the technical and analytical skills necessary to be an effective compliance analyst as well as other analytically focused cybersecurity career paths. The Cybersecurity Analytics course is also online.
Our programs are a balance of classroom theory and hands-on lab time. This ensures that our students graduate with the level of skill and confidence needed to leave our academy job-ready.
The evolution from general IT to cybersecurity analyst can take three to seven years. The Cybersecurity Analytics program gets you there in as little as 12 weeks.
If you’re feeling overwhelmed and lack technical work experience, we’ve got you covered. We offer a Free Cybersecurity Prep Course. You’ll get the introduction that you’ll need to Systems, Networking, and Python to be a rockstar in our programs.
Ready to work your wizardry?
Whether it’s the Balrog, Saruman, or Sauron’s army of orcs and trolls, Gandalf the Grey (or White) wasn’t afraid to stand up to his noncompliant foes. As a compliance analyst, it’s up to you to stand your ground against policies that may prove detrimental. Without compliance, it’s nearly impossible for any business that uses the internet to function at a profitable and safe level. If you love problem-solving and working with others, this job is perfect for you.
Disclaimer: The information in this blog is current as of 31 January 2021. For updated information visit https://flatironschool.com/.