Cybersecurity Assessor Career Path

Author: Jen Stone

I love working as a cybersecurity assessor and recommend it to anyone who thinks in terms of big picture systems, who wants to bridge the communication divide between technical and non-technical teams, and who values data privacy and security.

Gaining the knowledge and experience to be an assessor takes time and commitment. If you start your career path with the goal of becoming an assessor, you can put your efforts into the right areas from the beginning.

First, let’s step back and discuss the role of a security assessor. As an assessor (also called an auditor or analyst), you will evaluate an organization’s policies, procedures, and technical security controls against a defined cybersecurity standard, privacy regulation, or risk framework. You might test controls yourself or examine the results of tests performed by others.

An assessment could result in certification if you are acting as a member of a certifying body (e.g., for PCI DSS or HITRUST), or you could produce a report that states the degree of assurance you have that the entity you are assessing is in compliance with a regulation or standard that does not offer a certification (e.g., HIPAA or CCPA).

The information I’ve laid out in this article involves becoming a Qualified Security Assessor (QSA) for the PCI Data Security Standard (PCI DSS). I chose this example because PCI QSA is internationally recognized and the steps for achieving this role can be applied as a blueprint to pursuing other cybersecurity assessor jobs.

The requirements for becoming a PCI QSA start with a minimum of one year of experience (each) in the following four areas:

  • Application Security

  • Information Systems Security

  • Network Security

  • IT Security Auditing

In practice this rarely works out to exactly four years of security experience, because the jobs you can get in each of these areas don’t typically give you the knowledge needed to carry over to any of the others. For example, knowing how to identify and correct cross-site scripting (application security) doesn’t prepare you to properly manage a patching program (information systems security). As a result, assessors usually spend several years of their career in one or two areas, gaining deep knowledge in those domains, while spending only the minimum time in the other areas, where their understanding may be less rigorous.

It’s worth having a solid knowledge base in all four areas, though, because you will be expected to assess security controls related to each of them. If you have a solid understanding of what you’re evaluating, and of where each security control interrupts the cyber kill chain, you will be able to help the entities you’re evaluating achieve a more robust security posture. Conversely, if you don’t understand what you’re evaluating, you run the risk of missing critical vulnerabilities.

Required Certifications

In addition to experience, you will need a minimum of two industry certifications: one in information security and one in IT audit. PCI refers to these as List A and List B.

List A includes:

  • (ISC)2 Certified Information System Security Professional (CISSP)

  • ISACA Certified Information Security Manager (CISM)

  • Certified ISO 27001 Lead Implementer

List B includes: