Vulnerability Assessor Career Guide

Defining the Career

Vulnerability Assessors (VA) can also be referred to as Vulnerability Assessment Analysts. Another close cousin to a VA is the role of a Penetration Tester (PT). For this career guide, we will be absorbing that role into the VA role while keeping the action of a vulnerability assessment distinct from a penetration test. We will clarify that important distinction further into this section. Depending on the size of a company, a VA can be an internal employee or an outside contractor. The latter is commonly referred to as a Security Consultant, which we cover in a separate career guide. The responsibilities of an internal employee in the role of a VA are the focus of this guide. The core responsibilities of this role can be summed up as searching and analyzing systems or applications for security flaws and reporting these flaws in a comprehensive assessment, often as a prioritized list. The report should clearly document where the flaws are in the security system, give management a clear understanding of the flaws, and often make recommendations on necessary changes. Think of the VA’s report along the lines of a home inspector’s report used in a real estate transaction. Just as the home inspector is hired to go through the entire house with a fine-tooth comb and report back his findings of any deficiencies, the VA goes through the company’s cybersecurity system and reports back all defects discovered. The company then takes this report and knows where repairs and improvements are needed to ensure their network and applications remain safe and secure.

While running these vulnerability assessments and preparing these reports is the heart and soul of this career, you should also be familiar with running penetration tests. As we stated earlier, larger companies may have a completely separate position set up for penetration testing, but our research found that more often than not this responsibility was given to the VA. An extremely helpful article on the distinction between vulnerability assessments and penetration tests can be found at Danielmiessler.com. The author sums it up succinctly by saying, “The key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.” This same article goes on to explain that customers who are not sure of their security systems will be best served through vulnerability assessments. The client that is confident in their network security but wants to test a specific aspect, such as their customer database, should run a penetration test.

In addition to the vulnerability assessment and penetration test, a VA should be familiar with the tools that find these vulnerabilities. Employers hiring for this role will also expect a strong grasp of tools that automatically and repeatedly scan security systems. Keeping these tools running, compiling and analyzing their reports, and making recommendations based on them rounds out this section defining the career and giving a general overview of its possible areas of responsibility. Next, we turn to the education and experience needed to enter this career, maximize your earning potential, and position you for future career moves.

Education & Experience

Our advice is to get a bachelor’s degree in cybersecurity or a related degree program. We are confident that is not a decision you will regret if you stay in this field. However, the career of a VA is one of the cybersecurity roles that prizes experience, certifications, and what we will refer to as “soft skills” more than what degree you hold. Don’t forget this role pays you to think like the guy that wants to break into the company’s network! The soft skills and personality traits of curiosity, creativity, and out-of-the-box thinking are not exactly courses offered in any cybersecurity degree program. This is why we are stressing experience first, then certifications and degree, for this career. Most of the technical skills needed for this position will be acquired in the process of completing your bachelor’s degree and gaining work experience. You should have a strong working knowledge of different operating systems such as Windows, UNIX, and Linux. A strong command of programming languages will also be an asset. You should also be able to reverse engineer a broad range of hardware components and software programs, and understand how network scanning tools work. This is all part of the ability to think like the “bad guy” and anticipate what loopholes can be exploited in an existing network security system.

This role also requires an understanding of basic malware and viruses. You will need to understand how these threats can infiltrate networks as well as how to detect them. In addition to these technical skills, the following are some of the leading certifications for the industry and career field:

  • CEH: Certified Ethical Hacker
  • CPT: Certified Penetration Tester
  • CEPT: Certified Expert Penetration Tester
  • GPEN: GIAC Certified Penetration Tester
  • GCIH: GIAC Certified Incident Handler
  • CISSP: Certified Information Systems Security Professional
  • CVA: Certified Vulnerability Assessor

In addition to these certifications, continuing education is another important element of your career. Cybersecurity is a field that demands you stay at the cutting edge of the knowledge base, as new techniques and tools are constantly being developed. Using both formal training to keep certifications active and a few reputable training and education sites will help you achieve this goal. Some of the more popular sites for this are Cybrary, The International Council of Electronic Commerce Consultants (EC-Council), InfoSec Institute, Offensive Security, SANS Institute, and Hacker House.

Before we get into employment projections and the earning potential of this career, let us make a note about one possible twist in the career path for this role that is worth mentioning. We have crafted this career guide in a way that wraps a couple of core cybersecurity tasks into one career, namely the vulnerability assessment and the penetration test. The role of a Security Consultant is one that this career can move into after gaining a few years of experience. This consultant career will be considered in a separate career guide, but we thought it worth mentioning here as one potential career progression that should result in greater flexibility and increased earning potential for a seasoned VA. Other upward career moves from this role into managerial roles would be that of a Security Architect or a Security Engineer. If you want to steer clear of management but move up in the hacking world, advanced careers would be Forensic Expert or Cryptographer.

The earning potential of this career was a little tricky to nail down due to the way most employment sites wanted to classify it. Cyberseek.org reports an average salary of $98,000. Indeed.com reports a median salary of $83,569. Payscale.com reports a median salary of $63,560. Glassdoor.com reports an entry-level position in this career having a salary range of $69,545 – $86,659. Your on-the-job experience will decide where you fall in this salary range. This career places a premium on experience and is willing to pay for it. The employment outlook for this career is very positive, just as one would expect with the rapid growth of this industry. The driving force in this growth is the increasing number of industries becoming more and more dependent on the cloud and the need to ensure they are protected against the security threats that come with moving into that realm.

It is truly an exciting time to be evaluating career opportunities in the cybersecurity sector. The rapid growth of this industry is creating strong demand for a broad spectrum of careers, which results in growing salaries and a very positive employment outlook for job seekers. The cybersecurity world encompasses a wide variety of industries and has a wide range of careers. It is critical that you take stock of your interests and strengths so that you can match them as closely as possible with career descriptions and with what it takes not only to enter the specific career but to succeed in it.