SecureSet Career Series: Compliance Analyst

Moderator

SecureSet
Command Line


Lord of the Rings is chock-full of memorable scenes and unforgettable characters. Who could forget the preciousness of Gollum/Sméagol? Perhaps the most quoted and replayed scene of the trilogy is when Gandalf the Grey stands up against the giant, flaming Balrog in The Fellowship of the Ring. “YOU SHALL NOT PASS!” he screams, challenging the monstrous creature, inevitably causing it to fall into darkness.

As a cybersecurity compliance analyst, you are Gandalf the Grey, and the Balrog is the whole of noncompliant cybersecurity policies. Letting these policies through will be detrimental to the organization that you work for and for the “hobbits” that you have to protect. Compliance isn’t always easy to achieve, but it’s always a necessity in the cybersecurity industry. Do you have the wizardry required to do the job?

What does a compliance analyst do?

Before digging into the role of a compliance analyst, let’s talk about what the word compliance actually means. In cybersecurity terms, compliance is the act of adhering to rules that have been put in place through industry regulations and government legislation.

These overarching “rules” of cybersecurity are primarily upheld through routine audits. Audits are inspections that organizations perform to ensure that cybersecurity standards are being upheld by any entities that are involved in the industry. A good example of a routine audit is the Payment Card Industry Data Security Standard (PCI DSS). This security standard has been implemented to reduce identity theft and fraud through credit card transactions. While complying with PCI DSS is not required by law, merchants who fail to do so are unable to conduct transactions with VISA or MasterCard customers; this has an obvious, negative impact on sales. For the sake of security and profits, companies need professionals who can help them remain cybersecurity compliant; this is where the compliance analyst comes in.

Compliance analysts contribute to security designs through acquisitions and/or system developments to deliver and maintain a compliant system. Put simply, compliance analysts help companies remain compliant with regulations, thus preparing them for audits. By figuring out which regulations affect “Company X,” they can then develop a plan to meet the necessary standards. They research, educate and project-manage to ensure that all members of a cybersecurity team are on the same page. Compliance analysts either work in-house, or as consultants for businesses that don’t need a full-time analyst.

Contrary to how it may sound, a compliance analyst doesn’t just spend their days checking off long lists of regulatory boxes. Their assessments are a crucial component of an organization’s success. For example, Yahoo was recently fined $35 million because they were found noncompliant for failing to disclose a massive security breach in a timely manner. While this incident was going to cost them regardless, having an effective compliance analyst to ensure a timely disclosure of the breach would have saved them millions of dollars.

As illustrated by the Yahoo breach, compliance analysts have the potential to make a dramatic impact on a company’s well-being, but compliance doesn’t guarantee security. Risk assessment is another major component of the compliance analyst role. If a company remains compliant but is unable to mitigate risks, it can end up losing money to threat actors instead of to auditors. Compliance analysts aren’t just sticklers for rules; every once in a while they have to roll up their sleeves and use their wizardry to protect their organization from imminent threats.

Skills you’ll need to moderate.

Although the job of a compliance analyst tends to have more of a business focus than other cybersecurity roles, technical prowess is a must. In order to help a company achieve compliance, an analyst must understand the cybersecurity concepts that they are analyzing. When functioning as an auditor, a compliance analyst can’t just rely on other cybersecurity professionals to give them all of the information that they need; doing so may jeopardize the accuracy of their assessment. While other professionals can certainly help in an assessment, they may not have the same industry or legal expertise as the compliance analyst.

If you’ve read our other career series blogs, you’ve probably noticed that “communication skills” are regularly listed as a skill you’ll need to succeed in a variety of cybersecurity roles; this is especially true for the compliance analyst. On any given day, a compliance analyst can speak with other cybersecurity professionals, auditors, state and federal agency representatives, GDPR, NIST and HIPAA representatives, business executives and really anyone who’s involved in the organization that’s being analyzed. A compliance analyst must be able to communicate effectively and act as an interpreter between different stakeholders to translate compliance requirements in an understandable way. If you’re a people person, this is the cybersecurity role for you.

Lastly, an inquisitive mindset is crucial for compliance analysis. At face value, companies may appear compliant and protected from malicious hackers. It’s up to the compliance analyst to dig deeper than anyone else and figure out what the real state of an organization is. It’s up to you, as the compliance analyst, to find the weak points in what others see as a rock-solid cybersecurity strategy.

Heroes reap many rewards.

According to Glassdoor, the average base pay for a compliance analyst is $69,601 a year, but the average salary for the role can vary widely. Aside from the obvious factors of location and experience, the type of company that you work for can play a major role in your offer. If you do a quick Google search, you’ll see that companies in nearly every industry are hiring. You may work as a compliance analyst for a traditional cybersecurity organization, or you could just as easily be hired by your favorite clothing company or even a local hospital. Cybersecurity compliance affects all industries. You’ll have a lot of choices when deciding what kind of company you’d like to work for.

A complete picture of a security team.

The advancement of cyber threats has led many organizations to develop their own Security Operations Center (SOC). A SOC consists of a cohesive cyber-team made of security engineers, Pen Testers, security analysts and data scientists. Each member of the team brings a unique skill set that assists in the efforts of preventing, detecting, analyzing and responding to security threats.

The engineers are the technical experts that build and secure the networks and the detection tools of the company. The data scientists analyze the mass data that a company produces, in an effort to discover network insights. Analysts use these discoveries to actively search for anomalies in their network that might indicate malicious activity. When anomalies are spotted, analysts work with the engineers to set traps and contain threats. These traps can also be set preemptively in what’s known as “active defense.” Pen Testers are white-hat hackers who simulate cyber attacks on their own network to discover its vulnerabilities. They report their findings to the team, so that together, they can fill the network’s security gaps.

Where does the compliance analyst fit into the team?

You may have noticed that the compliance analyst role wasn’t mentioned as a member of the SOC. While they’re not directly a core component of the SOC, compliance analysts play a major role in supporting security operations. If a SOC wishes to function at its best, it has to remain compliant. Without compliance, a SOC will be on the receiving end of steep penalties from failed audits. This means heavy fines, a loss of customers and even SOC members being fired. Compliance analysts support the SOC team in their operations by educating them on compliance mandates, as well as the protocols that are necessary to meet these standards. With SOCs in a constant fight for compliance with numerous organizations at once, a compliance analyst is a welcome aid to any cybersecurity team.

Here’s how you get started.

SecureSet Academy provides the most complete, immersive and compressed cybersecurity programs out there. Our HUNT Program teaches the technical and analytical skills necessary to be an effective compliance analyst as well as other analytically focused cybersecurity careers. Our programs are a balance of classroom theory and hands-on lab time. This ensures that our students graduate with the level of skill and confidence needed to leave our academy job-ready. A majority of our students are hired within a few months of graduation (many before getting their diploma). The evolution from general IT to cybersecurity analyst can take three to seven years. The HUNT program gets you there in 12 weeks.

If you’re feeling overwhelmed and lack technical experience, we’ve got you covered. We offer a six-week preparatory workshop called SecureSet PREP. You’ll get the introduction to Systems, Networking and Python that you’ll need to be a rockstar in our Programs. Passing PREP with a score of 60% or better will pre-qualify you for our HUNT program, with the ability to deduct your costs from your Program tuition. PREP is a great opportunity for you to establish a sturdy foundation for your cybersecurity career.

Ready to work your wizardry?

Whether it’s the Balrog, Saruman or Sauron’s army of orcs and trolls, Gandalf the Grey (or White) wasn’t afraid to stand up to his noncompliant foes. As a compliance analyst, it’s up to you to stand your ground against policies that may prove detrimental to the organization that you represent. Without compliance, it’s nearly impossible for any business that uses the internet to function at a profitable and safe level. If you love problem solving and working with others, this job is perfect for you. Also, your wizard’s robe and illuminating staff will look great on casual Fridays.

Learn more about how our HUNT program can help you launch your career in cybersecurity. You can also learn about all of our programs at secureset.com. View our next upcoming cohorts at SecureSet.com/hunt.


The #cybersecurity bootcamp with campuses in #Denver and #CoSprings. A @flatironschool. Educating the next generation of cybersecurity professionals.