An incident response career path might be the answer for anyone who loves information security and thrives on excitement and technical challenges. The explosion of cyberthreats means that incident responders -- sometimes referred to as the firefighters of the cybersecurity world -- are needed more than ever.
A skills shortage plagues the cybersecurity industry. According to ISACA's "State of Cybersecurity 2022" report, 62% of organizations consider themselves somewhat or significantly understaffed, while 60% of respondents said they had difficulty retaining qualified cybersecurity professionals in 2021 -- a 7% increase over 2020. More than 60% of respondents said their organizations have unfilled cybersecurity positions, and almost half said filling a vacancy takes three to six months. Technical skills -- which are of paramount importance in incident response -- are in the highest demand. And 50% of respondents said most or all of their open positions were in technical roles, which declined from 62% in 2019.
Against this backdrop, the incident responder field is booming. Incident response jobs offer a number of benefits as a career choice for job seekers. These jobs are in high demand and are well paid. Given the scarcity of qualified candidates -- particularly those with deep technical skills -- incident responders have job security. The incident responder role also provides a perfect starting point for future career growth. Moving from incident response to virtually any other security or security-adjacent position is a natural step.
The downsides of being an incident responder, however, include high stress and long hours that can involve working on holidays, weekends or off hours. It can also be frustrating. No matter how careful an organization is, things can go south in unexpected ways.
To break into this growing field, it's important to understand as much about the profession as possible. With that in mind, here's an in-depth look at incident responder duties, job requirements, certifications, career paths, adjacent careers and salaries.
Incident responder responsibilities and duties
A critical member of an incident response team, an incident responder defends an organization's network against cyberthreats, counteracting network security issues and using forensics to identify root causes. Incident responders also educate users and help prevent cybersecurity vulnerabilities, threats and incidents.
What does an incident responder do in the course of a day? The specific responsibilities of an incident responder vary from organization to organization, but it's helpful to understand the duties of the job at a high level. The following is an adapted list of tasks from NIST's National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity:
- Perform forensic collections, intrusion correlation and tracking, threat analysis and direct system remediation as incidents unfold to help incident response teams and others resolve cyberdefense incidents as swiftly as possible.
- Make assessments of incidents in terms of scope, urgency and potential impact, and coordinate and advance remediation tasks.
- Use incident data to spot vulnerabilities and recommend rapid remediation.
- Analyze various logs -- individual host, network traffic, firewall and intrusion detection systems (IDSes) -- to locate and remediate possible network security threats.
- Analyze and report on cyberdefense trends.
- Provide ongoing analysis of potential incidents and threats, and educate stakeholders and users.
- Serve as technical expert and liaison to law enforcement personnel, and explain incident details as required.
- Manage enterprise cyberdefense incident response efforts.
Incident responder job requirements
Potential employers often look for specific college degrees and certifications from incident responder job candidates, but experience is important as well.
Employers may look for the following educational background:
- a degree in computer science, electrical engineering, information assurance or cybersecurity;
- a general security certification, such as CISSP or Certified Information Security Manager (CISM); or
- an incident response-specific certification.
Incident response requires a thorough technical foundation, particularly a detailed knowledge of the attack techniques and methodologies used by malicious actors, as well as the technology landscape of the organization the responder will work within. Responders should understand how an organization might be attacked so they know how to detect and recover from those attacks. To this point, experience is likely more important than education. Being able to demonstrate competence in the skills, knowledge and abilities of the job counts for a lot with potential employers.
The NICE Framework offers a sense of what job requirements employers look for. Also, search for job listings on LinkedIn, Glassdoor and other sites to see real-life lists of job requirements, responsibilities and duties. This information can be particularly useful for someone looking to pivot into cybersecurity from another technical or IT position. Similarly, those entering the workforce and interested in a career in cybersecurity will find this information helpful, as working in incident response can be a stepping stone to a future career in cybersecurity.
To show employers you have what it takes to become an incident responder, it helps to have proven professional training and experience that align as closely as possible with the employer's needs. A perfect background is the best-case scenario, but you may also be able to adapt your current role to prepare for a career change. For example, if you are a network administrator and want to demonstrate understanding of network IDS tools, look for opportunities in your current job to gain experience in that area. If that's not possible, look for other ways to demonstrate competence. Maybe spend some spare time authoring community rules for Snort to demonstrate that you understand how IDSes work, that you are competent enough with them to accomplish what the employer may need you to do, and that your experience with them is roughly equivalent to -- or deeper than -- having used them on the job.
Incident responder certifications
Certifications can help you stand out among job candidates. In some cases, this could be a general security certification, such as CISSP, CISM or Security+. In others, a certification from an adjacent professional space, such as Certified Information Systems Auditor or Certified Ethical Hacker, may be useful, as may technology-specific or vendor-specific certifications, such as Cisco Certified Network Associate or Cisco Certified Internetwork Expert -- particularly their security tracks.
Other certifications are geared directly toward incident responders. The two best known are the Global Information Assurance Certification Certified Incident Handler, based on the course "SANS SEC504: Hacker Tools, Techniques and Incident Handling," and the EC-Council Certified Incident Handler. Mile2's "Certified Incident Handling Engineer" course culminates in a certification accredited by the National Initiative for Cybersecurity Careers and Studies, an online cybersecurity training portal from CISA.
Job seekers looking to move into incident response from a field outside information security may want to focus on gaining applicable job experience first and then obtain specialized incident handler certifications. Certifications can be expensive to pay for out of pocket if your employer doesn't cover the cost.
Incident responder career paths
Experience in an incident responder position can prepare you to move higher up in the incident response hierarchy or laterally into other areas of information security -- particularly other technical roles.
CyberSeek, an online tool funded by NIST, Lightcast and CompTIA that analyzes the cybersecurity space, provides a career pathway tool to help you understand and cultivate cybersecurity talent. This tool indicates that logical next steps for incident and intrusion analysts are penetration and vulnerability tester (i.e., ethical hacker), consulting roles and security analyst. From there, cybersecurity manager, security engineer and security architect are all potential future careers.
The CyberSeek tool is an idealized view of a theoretical career path, not a hard-and-fast rule or exhaustive list of potential next steps on a given career journey. Because incident response requires a thorough technical foundation, the CyberSeek ideas are starting points for what is possible in career advancement. Almost any cybersecurity-focused career is open to the talented, ambitious responder who wishes to move into adjacent careers.
Adjacent and related careers
If you wish to move into another role after being an incident responder, a number of related careers are open to you. Which direction you take depends on where your interests lie. If you're interested in software development, for example, you might choose to focus on those skills and go into a position such as an application-focused pen tester, software security architect or application-focused security architect. If you're interested in attacker techniques, consider becoming a malware analyst or threat intelligence researcher. If you're particularly interested in the business processes supporting a given environment, you might choose to become a technology auditor.
High turnover for incident responders
The incident responder career has relatively high job turnover rates. The scarcity of resources noted earlier applies to other aspects of security as well, so the opportunity for mobility is tremendous. This itself limits how long many practitioners stay in a given responder position. For example, it's rare that a person says no to a more lucrative position. Also, incident responders need to be on the clock when attackers are, which can translate into late nights and working off hours or holidays and weekends. This, coupled with the stress of always being in the middle of a live event, can lead to turnover and undermine longevity in the role.
Regardless of whether you choose to stay in incident response well into your security career or choose to pivot to another security position after a few years, it's useful to take the relatively high turnover into account as you think through and chart your future career progression.
The important part isn't which specific career you choose to transition into after working as an incident responder, but that you position yourself to move successfully into a career you like once you've decided which direction you want to grow in. Pay attention to the parts of the job you enjoy and to opportunities that let you use those skills more.
Compensation is always important to address. Awareness of typical pay is valuable not only as you consider whether the profession is right for you, but also as you negotiate a starting salary with potential employers. Incident responder salaries vary depending on where you live, the industry you're in and other aspects of the particular job you're applying for, such as night shift vs. day shift. Variability is to be expected.
That said, some general data can help guide discussions and negotiations. Data from ZipRecruiter cited a national average annual salary of $109,542, though -- at the time of this writing -- it cited positions ranging from $200,000 at the high end to $30,000 at the low end.
Check other job-related sites, such as Glassdoor, to find out salaries at a given company or in your specific geographic area.
At the end of the day, incident response can be a great career choice. It can be lucrative, fast-paced and intellectually challenging, and it can open doors. If you understand what the job entails, demonstrate competence, build skills that align with the job and put your hat in the ring for open positions, this is a good time to break into the profession.