If you love information security and thrive on excitement and technical challenges, becoming an incident responder might be the path for you. Indeed, the explosion of cyberthreats means that incident responders -- sometimes referred to as "the firefighters" of the cybersecurity world -- are needed more than ever.
A skills shortage plagues the cybersecurity industry. According to ISACA's "State of Cybersecurity 2019" survey, 62% of organizations take three months or longer to fill open positions, while 59% of respondents said that fewer than half of applications they receive are sufficiently qualified for security positions. Technical skills -- which are of paramount importance in incident response -- are in the highest demand: The survey found that 62% of respondents reported that "most" or "all" of their open positions were in technical roles.
Against this backdrop, the incident responder field is booming. There are a number of benefits an incident response job offers as a career choice for job seekers. First, these jobs are in high demand and are well-paid. There's job security, given the scarcity of qualified candidates (particularly those with deep technical skills) as suggested by the data outlined above. And the incident responder role provides a perfect starting point for future career growth: Moving from incident response to virtually any other security position -- or security-adjacent position -- is a natural step. In short, an incident responder role gives you maximum flexibility for advancing in your career down the road.
There are some downsides: It's high-stress; the hours can be long, sometimes involving work over holidays, weekends or off hours; and it can be frustrating at times. No matter how careful your company is, things can go south in unexpected ways. Yet, despite these drawbacks, the advantages outlined above make it a good starting point for someone looking to transition into cybersecurity from another field, particularly a technical field, or for someone looking to lay a solid foundation for a long future in cybersecurity.
To break into this growing field, it's important to understand as much about the incident response profession as possible. With that in mind, here's an in-depth look at the duties, job requirements, certifications, career paths, adjacent careers and salaries.
Incident responder responsibilities and duties
A critical member of an incident response team, an incident responder defends an organization's network against cyberthreats, counteracting network security issues and using forensics to identify root causes. Incident responders also work to educate users and prevent cyber-vulnerabilities, threats and incidents.
Per NIST's National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (as outlined in NIST Special Publication 800-181), here's an adapted list of tasks an incident responder may be called upon to do in the course of a day:
- perform forensic collections, intrusion correlation and tracking, threat analysis and direct system remediation as incidents unfold to help incident response teams and others resolve cyberdefense incidents as swiftly as possible;
- make assessments of incidents in terms of scope, urgency and potential impact and coordinate and advance remediation tasks;
- use incident data to spot vulnerabilities and recommend rapid remediation;
- analyze various logs -- individual host, network traffic, firewall and intrusion detection systems -- to locate and remediate possible network security threats;
- analyze and report on cyberdefense trends;
- provide ongoing analysis of potential incidents and threats and educate stakeholders and users;
- serve as technical expert and liaison to law enforcement personnel and explain incident details as required; and
- manage enterprise cyberdefense incident response efforts.
The specific responsibilities of an incident responder will vary from organization to organization, but it's helpful to understand the duties of the job at a high level. The NICE Framework is meant to promote a common language and expectations around the cybersecurity workforce, and the document as well as the interactive version (search Cyber Defense Incident Responder in Work Roles) can be helpful in understanding the background, knowledge and duties of an incident responder.
The NICE Framework also lists the duties of related roles such as Cyber Defense Analyst and Threat/Warning Analyst. These have specific tasks, skills, knowledge and abilities, but an incident responder may need to call on some of these as many organizations incorporate elements from these roles into incident responder positions.
Incident responder job requirements
To become an incident responder, potential employers may look for specific college degrees and certifications, but experience will be important as well.
Employers may look for the following educational background:
- a degree in computer science, electrical engineering, information assurance or cybersecurity;
- a general security certification, such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM); or
- an incident response-specific certification such as the SANS Institute's Global Information Assurance Certification (GIAC) Certified Incident Handler (GCIH) or EC-Council's Certified Incident Handler (ECIH).
Incident response also requires a thorough technical foundation, particularly a detailed knowledge of the tradecraft (i.e., attack techniques and methodologies) used by potential attackers, as well as the technology landscape of the organization the responder will be working within. In other words, the responder should understand how an organization might be attacked so that they can spot those attacks, and also know how to find those attacks and recover from them in their employer's environment. To this point, experience is likely even more important than education. Being able to demonstrate competence in the skills, knowledge and abilities of the job counts for a lot with potential employers.
The NICE Framework mentioned above can also give you a sense of what job requirements employers are looking for. You can also search for job listings on LinkedIn, Glassdoor and other sites to see real-life lists of job requirements (as well as responsibilities and duties).
This information can be particularly useful for someone looking to pivot into cybersecurity from another technical or IT position, because incident response is a good stepping stone into the field. Likewise, those recently entering the workforce who are interested in a career in cybersecurity will likely find this information helpful, as working in incident response can be one of the best paths to tee up a future career in the cybersecurity sector.
In terms of showing employers that you have what it takes to become an incident responder, it helps to have proven professional training and experience that aligns as closely as possible with the role.
Having a perfect background is the best-possible scenario. However, you may be able to adapt your current role to prepare for a career change. For example, if you are a network administrator and wish to demonstrate understanding of network intrusion detection system (IDS) tools, one effective way to do that is to look for opportunities in your current job to gain experience in that area. If that's not possible, you'll need to look for some other way to demonstrate competence. Maybe you could spend some spare time authoring community rules for Snort as a way to demonstrate: (a) that you understand how an IDS works; (b) that you are sufficiently competent in it to accomplish what the employer may need you to do; and (c) that you have experience with it roughly equivalent to (or more in depth than) having used it on the job.
Incident responder certifications
An incident response-related certification can help you stand out among job candidates. This can be either a general security certification such as CISSP, CISM or Security+; a certification pertaining to an adjacent professional space such as Certified Information Systems Auditor (CISA) or Certified Ethical Hacker (CEH); or even technology-specific or vendor-specific certifications like Cisco Certified Network Associate (CCNA) or Cisco Certified Internetwork Expert (CCIE) -- particularly the security track.
Of those certification programs geared directly to incident responders, the two most well-known are probably the GCIH and ECIH.
If you are a job seeker looking to move into the field of incident response from a field outside of information security, you may want to focus on gaining applicable job experience first and look to obtain specialized incident handler certifications afterward. Why? Because these certifications can be expensive to pay for out of pocket if your employer isn't covering the cost.
Incident responder career paths
Experience in an incident responder position can prepare you to move higher up in the incident response hierarchy or laterally into other areas of information security -- particularly other technical roles. CyberSeek, an online tool funded by NIST to help analyze the cybersecurity space, provides a career pathway tool to help you understand and cultivate cybersecurity talent. This tool indicates that logical next steps for incident responders are penetration and vulnerability tester (i.e., ethical hacker), consulting roles and security analyst. From there, cybersecurity manager, security engineer and security architect are all potential future careers.
Note that the CyberSeek tool is an idealized view of a theoretical career path, not a hard-and-fast rule or an exhaustive list of potential next steps on a given person's career journey. Because incident response requires a thorough technical foundation, the CyberSeek ideas are just starting points for what is possible in career advancement for the incident response professional. Almost any cybersecurity-focused career is open to the talented, ambitious responder who wishes to move into adjacent careers.
Adjacent and related careers
If you wish to move into another role after serving some time as an incident responder, there are a number of related careers your path could lead to. The direction will depend quite a bit on where your interests lie. For example, if you're interested in software development, you might choose to focus on those skills and go into a position such as application-focused penetration tester, software security architect or application-focused security architect. If you are more interested in the techniques employed by attackers, you may choose to go on to become a malware analyst, threat intelligence researcher or another career that uses these skills. If you are particularly interested in the business processes supporting a given environment, you might choose to go on to be a technology auditor.
High turnover for incident responders
There are important things to note here. The first is that turnover is relatively high. There are several reasons for this. First, the scarcity of resources noted earlier applies to other aspects of security as well; in other words, there is tremendous opportunity for mobility. This itself limits how long many practitioners stay in a given responder position. For example, it's the rare person who will say no to a more lucrative position. Second, incident responders need to be on the clock when attackers are -- late nights and working off-hours, holidays and weekends come with the territory. This, coupled with the stress of always being in the middle of a live event, can lead to turnover and undermine longevity in the role.
Regardless of whether you choose to stay in incident response well into your security career or whether you choose to pivot to another security position after a few years, it's useful to take the relatively high turnover into account as you think through and chart your future career progression.
The important part isn't what specific career you choose to transition into after working as an incident responder, but instead that you optimally position yourself to successfully move into a career you like once you've decided which direction you want to grow in. This means paying attention to what portions of the job you like and what opportunities arise where you can use those skills more.
The last point to address, without which any discussion about the incident responder job market would not be complete, is compensation. Having an awareness of this is not only valuable for you as a potential job changer as you consider whether the profession is right for you, but it's also useful as you negotiate a starting salary with potential employers. Getting data about this is always challenging. Salaries will vary depending on where you live, the industry you're in and other aspects of the particular job you're applying for (night shift vs. day shift, etc.). Variability is to be expected.
That said, there is some general data out there that can help guide discussions and negotiations. For example, data from ZipRecruiter cited a national average per-year salary of $93,404, though (as of the time of this writing) it cited positions between $51,000 at the low end and $122,500 at the high end. This is supported by data from CyberSeek's Career Pathway tool: It cited a $99,000/year salary as the average.
As with finding out real-life duties, checking job-related sites such as Glassdoor can also be helpful in finding out salaries at a given company or in your specific geographic area.
At the end of the day, incident response can be a great career choice: It can be lucrative, it's fast-paced, it's intellectually challenging and it can open doors. By understanding what the job entails, demonstrating competence, building skills that align with the job and putting your hat in the ring for open positions, you can take advantage of what is a fruitful time to break into the profession.