Woman in front of servers looking at laptop

A security incident responder could...


Monitor computer systems for suspicious activity Computer in front of servers with live network statistics on screen Be the first one to respond in the event of a cyber attack Combatting cyber attack
Develop an emergency plan for a company to follow during a cyber attack Cyber attackers Report to management and law enforcement about the consequences of a cyber attack Group discussing and reviewing materials in a meeting
Find out more...

Key Facts & Information

Overview Security incident responders, also called intrusion analysts or incident response engineers, are like the "firefighters" of the cyber world. Companies can take steps to safeguard their computer networks and systems, but sometimes prevention is not enough and cyber attacks still happen. Sensitive data like customer credit card information can be stolen, entire websites could be brought down or altered, or personal contact information can be leaked. When this happens, incident responders must act quickly to find the source of the attack and shut it down. They will also analyze how the attack happened, determine the scope of the damage, and how to prevent it from happening again.
Key Requirements Analytical skills, attention to detail, problem-solving skills, ability to work under pressure
Minimum Degree Bachelor's degree
Subjects to Study in High School Computer science, algebra, algebra II, pre-calculus, calculus, statistics, English
Median Salary
Security Incident Responder
  $99,730
U.S. Mean Annual Wage
  $49,630
Min Wage
  $15,080
Projected Job Growth (2014-2024) Much Faster than Average (21% or more) In Demand!
Interview
  • Watch this video to see multiple short interviews with security professionals at BlackHat and DEFCON, two major security conferences held in Las Vegas. Nevada.
  • In this interview, Matthew Gardiner of RSA security discusses the skills required to be a member of an incident response team.
  • In this presentation, Steve Winterfeld, Director of Cybersecurity at Nordstrom, discusses how an incident response team might response to a cyber security breach.
  • In this interview, Tenisha Mitchell discusses her role as an incident responder with a Certified Information Security Systems Professional certification.
Related Occupations

Education and Training

While it may make you more competitive for a job, a bachelor's degree is not always required for an entry-level incident responder position. An associate's degree in computer science or information technology, and some work experience in a related IT field like network administration, may be sufficient. Incident response is closely related to the field of computer forensics (like a "detective" for cyber crime), so people may transition between the two fields. A bachelor's degree in computer science or a related field may be required for management-level positions, like the manager of a Computer Security Incident Response Team (CSIRT). Since the field of information security changes rapidly and new threats emerge constantly, incident responders must stay up-to-date on all the latest developments in their field.

As the cybersecurity profession continues to expand, some schools are starting to offer cybersecurity-specific degrees. Many professional organizations offer cybersecurity-related certifications, like Certified Ethical Hacker, Certified Intrusion Analyst, or Certified Forensic Examiner, and employers may require these certifications for certain positions. A security clearance may be required for government employees or contractors who work for the government, which means it is important to have a "clean record" with no history of criminal behavior or illegal hacking.

Other Qualifications

Incident Responders should be prepared to work in a fast-paced environment, and able to remain cool under pressure. They will need to react calmly and quickly to mitigate the effects of a cyber attack. They will need great critical thinking and problem-solving skills as they work to detect the source of a cyber attack. Excellent written and oral communication skills are required, as you may be required to explain the impact of a cyber attack, how it happened, and how you stopped it to non-technical employees like managers or government officials.

Nature of the Work

Security incident responders are the first responders in the cyber world. Just like police, firefighters, and emergency medical technicians (EMTs) in the physical world, incident responders are the first ones on the scene in the event of a cyber emergency like a data breach at a major company. Just like a firefighter responding to a burning building, a police officer responding to a bank robbery, or an EMT at the scene of a car crash, their first responsibility is to assess the situation and eliminate any immediate dangers. This may include tracking down the source of an attack (like an outside individual who has hacked into a company's systems) and shutting down their access. After the attack has been stopped, they may switch to more of a "detective" role, to figure out exactly what happened, how it happened, and how future attacks can be prevented.

On a day to day basis, security incident responders may monitor network traffic to search for suspicious activity, to try and preemptively detect cyber attacks before they can do much damage. They may work with other cybersecurity professionals like penetration testers to identify and fix existing vulnerabilities in a system. They will also develop an emergency plan that can be followed in the event of a cyber attack, and train other employees on how to follow this plan. For example, this could include explaining to non-technical employees what immediate steps they should take if they believe they have clicked on a link or downloaded an email attachment that contained a virus, to help stop this virus from spreading to the rest of the company. Due to the speed of modern computers and the internet, computer viruses can spread in a matter of minutes or even seconds, so it is important to react quickly in order to minimize the impact of an attack.

In the aftermath of a cyber attack, a security incident responder may need to report to a company's management or even law enforcement about what happened. For example, the CEO of a company will want to know if personal customer data was stolen (so they can develop a plan to deal with angry customers!). Law enforcement agencies might want information about the source of the attack, so they can try to track down and prosecute cyber criminals, or respond if the attack came from a foreign government.

Work Environment

Security incident responders typically spend the majority of their time working in an office environment, usually in front of a computer. They may have meetings with other IT employees like network administrators, or with non-technical employees like managers when they need to report on the consequences of a cyber attack. Due to the unpredictable nature of cyber attacks, they might not work regular schedules. For example, they might work two very long days or through the night when actively responding to an attack, then have the rest of the week off.

Like other workers who spend long periods typing on a computer, security incident responders are susceptible to eyestrain, back discomfort, and hand and wrist problems such as carpal tunnel syndrome or cumulative trauma disorder, but preventative measures can be taken.

On the Job

  • Actively monitor computer systems for suspicious activity
  • Evaluate current risks and vulnerabilities of computer systems
  • Work closely with other cyber security professionals like penetration testers or forensic analysts
  • Develop an emergency response plan that can be followed in the event of a cyber attack
  • Train other non-technical personnel and management on how to follow the emergency response plan
  • Respond in real-time in the event of a cyber attack to shut it down and prevent further damage
  • Report to management and law enforcement in the aftermath of a cyber attack

Companies That Hire Security Incident Responders

Explore what you might do on the job with one of these projects...

Log in to add favorite
Science Fair Project Idea
We use passwords every day for our email and other computer accounts. How secure is the password that you use? How hard would it be for someone to guess your password? How hard is it to write a computer program to guess a password? You can see for yourself by writing a simple password guesser in the computer language Python. We will get you started with some ideas, a little sample code, and a few passwords for your computer program to try and guess. Read more
Log in to add favorite
Science Fair Project Idea
You might think that one sure-fire way to keep your computer safe from hackers is to disconnect it from the internet entirely. But did you know that even without internet, a computer can transmit data using light, sound, vibrations, or even heat? In this project, you will investigate how a spy or hacker can steal data from an "air-gapped" computer that has no internet connection. You can even use Google's Science Journal app to demonstrate how the data can be picked up by a nearby smartphone. Read more
Log in to add favorite
Science Fair Project Idea
When you hear the word "encryption," you might think about modern computers and things like email and online bank accounts. But did you know that encryption has been around for thousands of years? In this project you will learn about the Caesar cipher, a simple type of encryption that replaces each letter of the alphabet with another letter, and demonstrate how a modern computer can crack this ancient code in just a few seconds. Read more
Log in to add favorite
Science Fair Project Idea
Many websites ask you to answer "security questions," like "What is your mother's maiden name?," to recover your account if you ever forget your password or login ID. However, sometimes the answers to those questions are easy to find online. Does this pose a risk to the security of important accounts like email and online banking? Are people even aware that this information about them is available online? In this project, you will investigate how secure people think security questions are, and… Read more
Log in to add favorite
Science Fair Project Idea
How many websites do you have accounts with that store personal information like your name, email, phone number, or mailing address? If the people running these websites are not careful, hackers could gain unauthorized access to, and even change or delete, your information. They can do this using something called SQL injection, which involves entering malicious code into text fields on a website. In this project you will learn how SQL injection works and figure out how to prevent it. Read more
Log in to add favorite
Science Fair Project Idea
When you delete a file, by accident or on purpose, is the information really gone? Can you get it back? If you accidentally deleted your five-page report for school, you are hoping it is not gone. On the other hand, if you do not want someone to get their hands on the goofy and unflattering pictures you and your best friend took while staying up late the other night, you probably hope it is gone for good! It might be nice to know for sure either way. Try this project to find out. Read more

Ask Questions

Do you have a specific question about a career as a Security Incident Responder that isn't answered on this page? Post your question on the Science Buddies Ask an Expert Forum.

Additional Information

The following organizations offer professional certifications in cybersecurity:

Sources

Free science fair projects.