Discover the Skills of a Cybersecurity Compliance Analyst

Learning Objectives

After completing this unit, you’ll be able to:

• Describe a cybersecurity compliance analyst career.
  
• List key skills relevant to the role of a cybersecurity compliance analyst.
  

A Cybersecurity Compliance Analyst Career

Let’s explore whether you’d be a good fit for the role of a compliance analyst by starting with some questions.

Who are you?

Are you driven to make businesses more secure? Are you passionate about process improvement? Do you thrive on developing innovative insights to solve complex challenges? If you answered yes to these questions, then cybersecurity compliance analysis may be a great fit for you.

What do you like to do?

The work of a compliance analyst involves conducting audits and assessments, and assisting with risk management reviews and third-party assessments. In this role, your goal is to ensure the confidentiality, integrity, and availability (CIA) of an organization’s data and systems. You also work with teams across the organization to identify and mitigate cybersecurity compliance risks, and manage reporting on cybersecurity compliance to both internal and external stakeholders. You document the organization's cybersecurity compliance posture in written reports, manage compliance efforts to meet both internal and external deadlines, and help prioritize the most critical compliance gaps to be addressed first.

What type of organization do you want to work for? 

You might work for an advisory service firm, helping companies develop reports to demonstrate compliance with various laws, regulations, and standards. You may work in the healthcare industry, helping your organization protect patients’ protected health information (PHI) by assisting with compliance and documentation tasks. Or, you may work for the government, participating in the steps of the authorization process to ensure government systems are secure, and documenting security controls in approved templates and forms. Almost every industry that conducts digital business needs cybersecurity compliance analysts.

When are you involved in an organization’s work? 

When in the audit and compliance lifecycle do you get involved? You have a role to play every step of the way—from helping put in place organizational policies that ensure your systems are compliant with applicable laws and regulations, to supporting internal and third-party audits, or inspections, of systems in production to ensure that cybersecurity standards are upheld. You also contribute to security designs during system development and help to maintain a compliant system once it’s been deployed. 

Being involved throughout the entire lifecycle of a system is key. For example, if you work at a merchant that accepts cardholder data, you may have verified during system development that your payment system satisfies the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. But if the system is then improperly deployed, or deployed in a hosting environment with other violations, you have not achieved compliance. Maintaining system controls and preventing configuration creep entails putting in place processes and measures that can be tracked and checked in real time to keep from falling out of compliance.

How are you successful in the role? 

How do you accomplish all of this? To give you a closer look, let’s meet Earl, a cybersecurity compliance analyst. He works at a government organization that specializes in protecting consumer financial interests by creating and enforcing consumer financial protection laws, including laws about how companies must implement cybersecurity protections to protect customer financial data. As a cybersecurity compliance analyst, Earl:

• Provides guidance to help financial companies understand and comply with cybersecurity rules and statutes related to customer financial data. Some of these resources include regulatory guidance, a map of money transmission laws, and guides for financial sector executives, for example.
  
• Conducts examinations of how companies comply with laws related to securing customer financial data. For example, under the Gramm-Leach-Bliley (GLB) Act and the Federal Trade Commission (FTC)’s Safeguards Rule, financial institutions must have measures in place to keep customer information such as names, phone numbers, and credit card account numbers secure. Earl may conduct examinations of these financial institutions to verify they have a written cybersecurity plan that describes their program to protect customer information.
  
• Leads deep dives into systems that accept, store, process and transmit cardholder data at merchants, banks, and credit card processors to evaluate their compliance with regulations to investigate security gaps.
  
• Evaluates how companies’ policies stack up to regulations by analyzing documentation, roles and responsibilities, and processes to ensure systems meet security requirements.
  
• Assesses management and technical controls to ensure specific security compliance requirements are met. Some of these requirements include building and maintaining a secure network and systems, protecting cardholder data, and maintaining a vulnerability management program, to name a few.
  
• Validates the maintenance of secure configurations for systems, such as those that accept, store, process, and transmit cardholder data.
  
• Shares key examination findings to help organizations limit security risks and comply with laws relating to securing customer financial data.
  
• Works in a consultative role to help organizations securely navigate an evolving information technology (IT) environment and stay compliant with applicable laws and regulations.
  

Why should you consider this role?

Why should you consider a cybersecurity compliance analyst career like Earl's? This is a fast-growing field in a crucial industry. As a cybersecurity compliance analyst, you work across the business, getting exposure to implementing and managing the various aspects of a security program—including perimeter defense, access control, encryption, and more. You also make a real impact in raising awareness of the potential for a data incident, and contributing to the organization’s compliance reporting. This role also has lots of room to learn and grow. Last but not least, you can earn competitive compensation. Sounds pretty great, right?

Cybersecurity Compliance Analyst Skills

Like Earl, you’re excited about helping organizations understand, implement, and comply with cybersecurity laws, regulations, standards, and policies. So, what education and skills do you need to pursue this career?

Education

It’s possible to find certain entry-level cybersecurity positions that require applicants to have a course of post-secondary study lasting 2 or 3 years. However, most jobs require a 4-year bachelor's degree in cybersecurity or a related field, such as IT or computer science, a science, technology, engineering, and mathematics (STEM) discipline, or business administration. 

Experience

Typically, employers look for candidates with anywhere from 2 to 8 years of experience analyzing the development of cybersecurity policies and strategies. Experience with risk analysis is also valuable. Cybersecurity compliance analysts also need experience briefing clients and team members on technical, policy, and functional issues. 

Certifications

To help you skill up and get your foot in the door, pursuing a certification is a great idea. Here are some common certifications for cybersecurity compliance analysts (note that some certifications require a certain number of years of experience before they can be obtained).

• The Computing Technology Industry Association (CompTIA) A+ (Plus) Certification
  
• The International Information System Security Certification Consortium (ISC)² Certified Information Systems Security Professional (CISSP). Note that this certificate requires 5 years of experience to complete. If you do not have the requisite experience, you can become an Associate of (ISC)² in the meantime while you gain the required work experience.
  
• The Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA). Note that this certificate requires 5 years of experience, but there are some ways to bring that down based on other related work experience and education.
  
• The Global Information Assurance Certification (GIAC) Security Essentials (GSEC) Certification
  
• ISACA Certified in Risk and Information Systems Control (CRISC) Certification
  

Knowledge

As a cybersecurity compliance analyst, having a solid understanding of the basics—such as security frameworks, regulations, and standards—is key. You should have strong familiarity with security governance, compliance, and risk management frameworks such as the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework, ISACA’s Control Objectives for Information Related Technology (COBIT) framework, and PCI DSS, to name a few. It’s also helpful to have knowledge of control assessment techniques, which include questionnaires, on-site visits, and penetration tests. Additional areas of expertise that are helpful, but not required, include data protection, access control, network and endpoint security, incident response and handling, vulnerability management, and firewalls. 

Business Skills

In addition to these technical skills, it’s also critical to hone your business skills. A huge part of being successful as a cybersecurity compliance analyst is effectively communicating and documenting requirements and findings, analyzing security gaps, and thinking strategically. You should know how to consult with various stakeholders in an organization, as well as demonstrate exemplary leadership and organizational skills. You should enjoy working as part of a team, researching answers to questions and problems, and paying close attention to detail. 

Sum It Up

In this module, you’ve been introduced to the goals of cybersecurity compliance analysis. You’ve learned more about the importance of cybersecurity compliance in thwarting cyberattacks and helping your organization follow laws, regulations, and policies to reduce security risk. You’ve also discovered the duties, skills, and qualifications of a cybersecurity compliance analyst. 

In the next module, Cybersecurity Compliance Analyst Responsibilities, you learn how to identify cybersecurity compliance gaps and manage cybersecurity compliance risks. You also learn how to detect changes in cybersecurity compliance posture and respond to and recover from cybersecurity compliance incidents and findings. Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.

Resources

• External Site: PCI: Data Security Standard
  
• External Site: CSBS: State Regulatory Guidance Portal
  
• External Site: CSBS: State Survey of Money Transmission Laws
  
• PDF: CSBS: Cybersecurity 101: A Resource Guide for Financial Sector Executives
  
• External Site: CompTIA: A+ (Plus) Certification
  
• External Site: (ISC)²: CISSP
  
• External Site: (ISC)²: Start Your Cybersecurity Career
  
• External Site: ISACA: CISA
  
• External Site: GSEC Certification
  
• External Site: ISACA’S CRISC® Certification
  
• External Site: NIST’s Cybersecurity Framework
  
• External Site: ISACA’s COBIT framework
  
• PDF: NIST Cybersecurity Workforce Framework