As use of the Internet increases daily, so do the risks. Each time a person enters credit card information for a purchase, visits a website, or even enters their password to check their bank balance, there is a risk of their information being compromised. The risk is even greater when doing these things from a smartphone or when using shared Internet access at Starbucks or the public library. Fortunately, there are people whose sole job is to find where the biggest risks are and, with the help of others, secure those areas so the level of risk a user faces is minimized. If you think you’d like to be one of those people who search for and eliminate those risks, then a job in cyber security as a vulnerability assessor is for you.
What Does a Vulnerability Assessor Do?
A vulnerability assessor actually looks for risk. These people analyze software and computer networks and find the areas where cyber-criminals could get in. Once the vulnerable areas are located, the assessor composes a document called a vulnerability assessment, which is a list of all the areas that need to be addressed. The list is presented to the programmers and security analysts, and they work to shore up the risks that have been identified. Most vulnerability assessors have worked their way up the ranks to this position by first working as administrators, programmers, or in some other security position. Vulnerability assessors need to have a comprehensive understanding of how networks and software work, so having worked in software engineering, programming, or database management is really helpful, because in order to find the weaknesses, assessors must be able to take the system apart and put it back together.
What are Their Responsibilities, Common Duties, and Tasks?
Vulnerability assessors are literally tasked with picking apart software systems and networks, finding the weak spots, then coming up with solutions to fix the issues they uncover.
Some of the more common duties for a vulnerability assessor include:
- Analyzing software and applications to find the critical flaws a cyber-criminal could exploit
- Performing vulnerability assessments on operating systems, applications, or networks
- Performing scheduled network security audits
- Reducing time-consuming tasks by using automated tools to find vulnerable areas
- Following up the automated checks with manual checks to make sure all identified risks are accurate
- Creating the test code for finding vulnerable areas
- Tracking vulnerabilities and keeping records of what was found
- Composing and presenting vulnerability assessment reports
- Detailing requirements for information security solutions
- Training network and system administrators
- Developing and maintaining the vulnerability assessment database
How to Become a Vulnerability Assessor
Vulnerability assessors are mid-tier employees in the cyber security field. In order to get the relevant experience needed to work as an assessor, many start in cyber security as network administrators, system administrators, and security administrators. While holding these positions, they secure several certifications needed to work as both an administrator and later as an assessor. This is also a good time for an employee to attain an advanced degree. Once the administrator has the needed certifications and work experience, they are ready to move into an assessor position. The process can take up to 10 years, depending on the employee’s current position, education level, geographic location, and overall need for assessors at the time.
Typical Requirements for Hiring
The requirements to work as a vulnerability assessor vary depending on whether the job is in the private or public sector, the geographic location of the job, and how much experience is required by the employer.
However, there are more standard requirements, and they are listed below:
- Minimum of a bachelor’s degree in a computer-related field such as computer science, network administration, or software engineering
- Minimum of two years working in the cyber security field (for entry-level positions); for higher positions, six to 12 years’ experience is required
- At least one certification in one area such as CISSP, CCSP, SEI, OSEE, ISWP, OSCE, OSCP, CCNA Security, or CCNP Security
- Above average writing skills
- Assessment writing experience
- Security clearances or the ability to obtain clearances
- Passing a drug test and criminal background check
This isn’t an entry-level position as far as cyber security is concerned; many who become vulnerability assessors have worked in previous positions as network administrators, system administrators, or database engineers. Although it is possible to attain one of these positions with a bachelor’s degree and experience, a master’s degree or higher is strongly preferred.
Along with the technical skills listed above, cyber security vulnerability assessors need the following soft skills to effectively do their jobs:
- Excellent analytical skills
- The ability to address all levels of employees in an organization
- Above-average verbal communication skills
- The ability to work under pressure and within tight deadlines
- The ability to multi-task
- Organizational skills
- A keen eye for detail
- Computer skills: An assessor needs to not only know how to pick apart a piece of software but understand what it’s supposed to do and how it does it from an end-user standpoint. This means an assessor should be able to pick up on the use of unfamiliar software quickly so they can study it and find the weak spots.
The salary for a vulnerability assessor can vary depending on a number of factors such as years of experience, geographic location, and employment industry. The average salary of a vulnerability assessor is $82,000. This is generally thought to be an assessor with three to five years’ experience and working in an industry with a high demand for cyber security specialists. An assessor with five years’ experience working in New York City could earn more than an assessor with 10 or more years’ experience working in Wheeling, WV. On the other hand, an assessor working with the federal government often makes less than one working in the private sector.
Some of the wages for Cyber Security Professionals from different geographic locations are listed below:
- Washington, DC (private sector and federal jobs combined): $110,782
- California: $100,800
- Texas: $98,500
- New York (state): $89,560
Outlook & Jobs
If becoming a vulnerability assessor sounds like the perfect profession for you, the good news is that there is a demand for the position in the job market. According to the US Bureau of Labor Statistics, the need for people in the cyber security and risk assessment fields is expected to increase dramatically. Job growth is projected to be 32% between 2018 and 2028, much faster than average growth for other professions. According to the BLS, there are 112,300 people employed in the information security field, with roughly 20% of those employees working as assessors and auditors. Projections indicate that 35,000+ more employees will be needed between now and 2028. This increased need is due to the ever-increasing use of the internet for daily tasks such as banking, shopping, and paying bills. Banks, software engineering companies, and private risk assessment firms offer the most opportunities as well as the best income potential. The average salary of a vulnerability assessor is $82,000, with those new to the field making $60,000 and those with more than five years of work experience making as much as $100,000 or more annually. As with many jobs in cyber security, most of the positions are in areas with large financial and technology industries such as Los Angeles, Chicago and New York, as well as Washington, DC; however, any company that handles large volumes of personal information, such as hospitals, banks, and insurance companies, has a need for cyber security professionals.