Perhaps the most quoted scene of Lord of the Rings is when Gandalf the Grey stands up against the giant Balrog and yells, “You shall not pass!”; challenging the monster, inevitably causing it to fall into darkness.
As a cyber security compliance analyst, you are Gandalf the Grey, and the Balrog is the whole of noncompliant cyber security policies. Letting these policies through will be detrimental to the organization that you work for and for the assets that you have to protect. Compliance isn’t always easy to achieve, but it’s always a necessity in the cyber security industry.
So, then, how do you become a compliance analyst? Let's get into what compliance analysts are, what they do, salaries, roles, and how you can learn to become a compliance analyst.
What is a compliance analyst?
Before digging into the role of a compliance analyst, let’s talk about what the word compliance actually means. In cyber security terms, compliance is the act of adhering to rules that have been put in place through industry regulations and government legislation.
These overarching “rules” of cyber security are primarily upheld through routine audits. Audits are inspections that organizations perform to ensure that cyber security standards are being held by any entities that are involved in the industry. A good example of a routine audit is the Payment Card Industry Data Security Standard (PCI DSS). This risk management security standard has been implemented to reduce identity theft and fraud through credit card transactions.
While it’s not required by law to comply with PCI DSS, merchants who fail to do so are unable to conduct transactions with VISA or MasterCard customers; this has an obvious, negative impact on sales. For the sake of security and profits, companies need compliance professionals who can help them remain cyber security compliant; this is where the compliance analyst comes in.
What does a compliance analyst do?
Compliance analysts contribute to security designs through acquisitions and/or system developments to deliver and maintain a compliant system. Put simply, compliance analysts help companies remain compliant with regulations, thus preparing them for audits. By figuring out which regulations affect “Company X,” compliance teams can then develop a plan to meet the necessary standards. They research, educate, and project-manage to ensure that all members of a cyber security team are on the same page.
Compliance analysts either work in-house or as consultants for businesses that don’t need a full-time analyst.
Contrary to how it may sound, a compliance analyst doesn’t just spend their days checking-off long lists of regulatory boxes. Their assessments are a crucial component to an organization’s success. For example, Yahoo was fined $35 million because they were found non-compliant for failing to disclose a massive security breach promptly. While this incident was going to cost them regardless, having an effective compliance analyst to ensure a timely disclosure of the breach would have saved them millions of dollars.
As illustrated with the Yahoo breach, compliance analysts have the potential to make a dramatic impact on a company’s well-being, but compliance doesn’t guarantee security. Risk assessment is another major component of the compliance analyst role. If a company can remain compliant but is unable to mitigate risks, it can end up losing money to threat actors instead of to auditors. Compliance analysts aren’t just sticklers for rules, every once in awhile they have to roll up their sleeves and use their wizardry to protect cyber security from imminent threats.
How much does a compliance analyst make?
According to ZipRecruiter, the average compliance analyst in the US makes around $63k.
Aside from the obvious factors of location and experience, the type of company that you work for can play a major role in your offer. If you do a quick Google search, you’ll see that companies in nearly every industry are hiring. You may work as a compliance analyst for a traditional cyber security organization, or you could just as easily be hired by your favorite clothing company or even a local hospital.
Cyber security compliance affects all industries. The Bureau of Labor Statistics projects the employment of cyber security and information security analysts to grow by 31%(!) by 2029. This is much faster than almost any other profession in any industry across, the country, so you’ll have a lot of choices when deciding what kind of company you’d like to work for.
These numbers alone show that compliance job opportunities and careers as compliance officers are a great idea both for now and in the future.
For a deeper dive into cyber security careers, read our Ultimate Guide to Cyber Security Careers.
What skills do you need to be a compliance analyst?
Although the job of a compliance analyst tends to have more of a business focus than other cyber security roles, technical prowess is a must. To help a company achieve compliance, an analyst must understand the cyber security concepts that they are analyzing.
When functioning as auditors, a compliance analyst can’t just rely on other cyber security professionals to give them all of the information that they need; doing so may jeopardize the accuracy of their assessment.
While other professionals can certainly help in an assessment, they may not have the same industry or legal expertise as the compliance analyst.
If you’ve done your research and read some of our other security career explainers, you’ve probably noticed that “communication skills” are regularly listed as a skill you’ll need to succeed in a variety of cyber security roles; this is especially true for the compliance analyst.
On any given day, a compliance analyst can speak with other cyber security professionals, auditors, state and federal agency representatives, GDPR, NIST and HIPAA representatives, business executives, and really anyone who’s involved in the organization that’s being analyzed. A compliance analyst must be able to communicate effectively and act as an interpreter between different stakeholders to translate compliance requirements understandably. If you’re a people person, this is the cyber security role for you.
Lastly, soft skills are extremely important in cyber security. An inquisitive mindset is crucial for compliance analysis. At face value, companies may appear compliant and protected from malicious hackers. It’s up to the compliance analyst to dig deeper than anyone else and figure out what the real state of an organization is. It’s up to you as the compliance analyst, to find the weak points in what others see as a rock-solid cyber security strategy.
How does a compliance analyst fit into a cyber team?
The advancement of cyber threats has led many organizations to develop their own Security Operations Center (SOC). A SOC consists of a cohesive cyber-team made of security engineers, Pen Testers, security analysts, and data scientists. Each member of the team brings a unique skill set that assists in the efforts of preventing, detecting, analyzing, and responding to security threats.
The engineers are the technical experts that build and secure the networks and the detection tools of the company. The data scientists analyze the mass data that a company produces, to discover network insights. Analysts use these discoveries to actively search for anomalies in their network that might indicate malicious activity. When anomalies are spotted, analysts work with the engineers to set traps and contain threats.
These traps can also be set preemptively in what’s known as “active defense.” Pen Testers are white-hat hackers who simulate cyber attacks on their own network to discover its vulnerabilities. They report their findings to the team so that, together, they can fill the network’s security gaps.
You may have noticed that the compliance analyst role wasn’t mentioned as a member of the SOC. While they’re not directly a core component of the SOC, compliance analysts play a major role in supporting security operations.
If a SOC wishes to function at its best, it has to remain compliant. Without compliance, a SOC will be on the receiving end of steep penalties from failed audits. This means heavy fines, a loss of customers, and even SOC members being fired. Compliance analysts support the SOC team in their operations by educating them on compliance mandates, as well as the protocol that is necessary to meet these standards.
With SOCs in a constant fight for compliance with numerous organizations at once, a compliance analyst is a welcome aid to any cyber security team.
Here’s how you become a compliance analyst
Flatiron School provides the most complete, immersive and compressed cyber security programs out there. Our Cybersecurity Analytics teaches the technical and analytical skills necessary to be an effective compliance analyst as well as other analytically focused cyber security career paths. Our Cybersecurity Analytics course is also online.
Our programs are a balance of classroom theory and hands-on lab time. This ensures that our students graduate with the level of skill and confidence needed to leave our academy job-ready.
The evolution from general IT to cyber security analyst can take three to seven years. The Cybersecurity Analytics program gets you there in as little as 12 weeks.
If you’re feeling overwhelmed and lack technical work experience, we’ve got you covered. We offer a free introductory workshop. You’ll get the introduction that you’ll need, to Systems, Networking and Python, to be a rockstar in our programs.
Ready to work your wizardry?
Whether it’s the Balrog, Saruman, or Sauron’s army of orcs and trolls, Gandalf the Grey (or White) wasn’t afraid to stand up to his noncompliant foes. As a compliance analyst, it’s up to you to stand your ground against policies that may prove detrimental to the organization that you represent. Without compliance, it’s nearly impossible for any business that uses the internet to function at a profitable and safe level. If you love problem solving and working with others, this job is perfect for you.