Security Incident Responder

Key Facts & Information

Overview	Security incident responders, also called intrusion analysts or incident response engineers, are like the "firefighters" of the cyber world. Companies can take steps to safeguard their computer networks and systems, but sometimes prevention is not enough and cyber attacks still happen. Sensitive data like customer credit card information can be stolen, entire websites could be brought down or altered, or personal contact information can be leaked. When this happens, incident responders must act quickly to find the source of the attack and shut it down. They will also analyze how the attack happened, determine the scope of the damage, and how to prevent it from happening again.
Key Requirements	Analytical skills, attention to detail, problem-solving skills, ability to work under pressure
Minimum Degree	Associate's degree
Subjects to Study in High School	Computer science, algebra, algebra II, pre-calculus, calculus, statistics, English
Median Salary	Security Incident Responder   $70,000 U.S. Mean Annual Wage   $49,630 Min Wage   $15,080 $0 $10,000 $20,000 $30,000 $40,000 $50,000 $60,000 $70,000 $80,000
Projected Job Growth (2014-2024)	Faster than Average (14% to 20%) In Demand!
Interview	Watch this video to see multiple short interviews with security professionals at BlackHat and DEFCON, two major security conferences held in Las Vegas. Nevada. In this interview, Matthew Gardiner of RSA security discusses the skills required to be a member of an incident response team. In this presentation, Steve Winterfeld, Director of Cybersecurity at Nordstrom, discusses how an incident response team might response to a cyber security breach. In this interview, Tenisha Mitchell discusses her role as an incident responder with a Certified Information Security Systems Professional certification.
Related Occupations	Information Security Analyst Penetration Tester Computer Systems Analyst

Education and Training

While it may make you more competitive for a job, a bachelor's degree is not always required for an entry-level incident responder position. An associate's degree in computer science or information technology, and some work experience in a related IT field like network administration, may be sufficient. Incident response is closely related to the field of computer forensics (like a "detective" for cyber crime), so people may transition between the two fields. A bachelor's degree in computer science or a related field may be required for management-level positions, like the manager of a Computer Security Incident Response Team (CSIRT). Since the field of information security changes rapidly and new threats emerge constantly, incident responders must stay up-to-date on all the latest developments in their field.

As the cybersecurity profession continues to expand, some schools are starting to offer cybersecurity-specific degrees. Many professional organizations offer cybersecurity-related certifications, like Certified Ethical Hacker, Certified Intrusion Analyst, or Certified Forensic Examiner, and employers may require these certifications for certain positions. A security clearance may be required for government employees or contractors who work for the government, which means it is important to have a "clean record" with no history of criminal behavior or illegal hacking.

Other Qualifications

Incident Responders should be prepared to work in a fast-paced environment, and able to remain cool under pressure. They will need to react calmly and quickly to mitigate the effects of a cyber attack. They will need great critical thinking and problem-solving skills as they work to detect the source of a cyber attack. Excellent written and oral communication skills are required, as you may be required to explain the impact of a cyber attack, how it happened, and how you stopped it to non-technical employees like managers or government officials.

Nature of the Work

Security incident responders are the first responders in the cyber world. Just like police, firefighters, and emergency medical technicians (EMTs) in the physical world, incident responders are the first ones on the scene in the event of a cyber emergency like a data breach at a major company. Just like a firefighter responding to a burning building, a police officer responding to a bank robbery, or an EMT at the scene of a car crash, their first responsibility is to assess the situation and eliminate any immediate dangers. This may include tracking down the source of an attack (like an outside individual who has hacked into a company's systems) and shutting down their access. After the attack has been stopped, they may switch to more of a "detective" role, to figure out exactly what happened, how it happened, and how future attacks can be prevented.

On a day to day basis, security incident responders may monitor network traffic to search for suspicious activity, to try and preemptively detect cyber attacks before they can do much damage. They may work with other cybersecurity professionals like penetration testers to identify and fix existing vulnerabilities in a system. They will also develop an emergency plan that can be followed in the event of a cyber attack, and train other employees on how to follow this plan. For example, this could include explaining to non-technical employees what immediate steps they should take if they believe they have clicked on a link or downloaded an email attachment that contained a virus, to help stop this virus from spreading to the rest of the company. Due to the speed of modern computers and the internet, computer viruses can spread in a matter of minutes or even seconds, so it is important to react quickly in order to minimize the impact of an attack.

In the aftermath of a cyber attack, a security incident responder may need to report to a company's management or even law enforcement about what happened. For example, the CEO of a company will want to know if personal customer data was stolen (so they can develop a plan to deal with angry customers!). Law enforcement agencies might want information about the source of the attack, so they can try to track down and prosecute cyber criminals, or respond if the attack came from a foreign government.

Work Environment

Security incident responders typically spend the majority of their time working in an office environment, usually in front of a computer. They may have meetings with other IT employees like network administrators, or with non-technical employees like managers when they need to report on the consequences of a cyber attack. Due to the unpredictable nature of cyber attacks, they might not work regular schedules. For example, they might work two very long days or through the night when actively responding to an attack, then have the rest of the week off.

Like other workers who spend long periods typing on a computer, security incident responders are susceptible to eyestrain, back discomfort, and hand and wrist problems such as carpal tunnel syndrome or cumulative trauma disorder, but preventative measures can be taken.

On the Job

• Actively monitor computer systems for suspicious activity
• Evaluate current risks and vulnerabilities of computer systems
• Work closely with other cyber security professionals like penetration testers or forensic analysts
• Develop an emergency response plan that can be followed in the event of a cyber attack
• Train other non-technical personnel and management on how to follow the emergency response plan
• Respond in real-time in the event of a cyber attack to shut it down and prevent further damage
• Report to management and law enforcement in the aftermath of a cyber attack

Companies That Hire Security Incident Responders

• Symantec
• Cisco
• Google
• Amazon
• Vanguard

Explore what you might do on the job with one of these projects...

• Crack the Code: Breaking a Caesar Cipher
• Hacking the Air Gap: Stealing Data from a Computer that isn't Connected to the Internet
• How Secure Are Your Security Questions?
• Preventing SQL Injection Attacks

Ask Questions

Do you have a specific question about a career as a Security Incident Responder that isn't answered on this page? Post your question on the Science Buddies Ask an Expert Forum.

Additional Information

The following organizations offer professional certifications in cybersecurity:

• Global Information Assurance Certification (GIAC)
• EC-Council
• Information Assurance Certification Review Board
• The International Society of Forensic Computer Examiners

Sources

• Bally (March 15, 2017). How to become an Incident Responder Cybertraining 365 Blog. Retrieved August 30, 2017.
• Cyber Security Education (n.d.). Learn how to become an incident responder. Retrieved August 3, 2019.
• Infosec Institute (n.d.). Incident Responders. Retrieved August 30, 2017.
• Cyber Degrees (n.d.). Become an incident responder. Retrieved August 30, 2017.