A common trope among cybersecurity practitioners is gatekeeping entry-level positions like junior Security Operations Center (SOC) analysts with statements like, “How are you supposed to secure something if you’ve never managed it?” This is a concept that I highly disagree with.

A frequent misunderstanding in tech, even among some of the most senior and technically excellent engineers, is failing to recognize that investigation and analysis are their own specialized skillsets. In cybersecurity these skillsets commonly overlap with engineering but are fundamentally different. There’s an assumption that one must have been an engineer, sysadmin, or network admin before considering a job in cybersecurity.

This is false. In this blog post, I will argue that, in the context of cybersecurity, analysis is a skillset that is separate from, yet overlapping with, engineering, and explain why understanding this distinction is important.

NOTE: It’s worth mentioning that individuals with a strong engineering background often excel as investigators, and vice versa. The skills complement each other and overlap, but remain distinct.

Engineering

Being a Systems Administrator (Sysadmin) and working in IT Operations involves fundamental skillsets that overlap with cybersecurity. For example, a sysadmin might deploy servers, design networks, configure firewalls, and handle day-to-day maintenance. They commonly work with hypervisors, cloud consoles, network switches, and firewalls, which requires knowledge of engineering concepts like BGP/OSPF and managing Active Directory.

While this knowledge is incredibly helpful when transitioning to an analyst role, it doesn’t necessarily aid in performing investigations. Many senior engineers struggle with investigating malware execution on a server, often unsure where to start. Threat actors frequently use esoteric commands and obfuscation methods that engineers may not be familiar with, complicating the investigation process.

In most cases, engineers without investigative experience may not know which forensic artifacts contain specific data, may misinterpret what those artifacts mean, and often lack the experience to know which questions to ask and answer during an investigation.

Analysis and Investigations

On the other end of the spectrum are SOC Analysts and Incident Responders, who perform investigative roles. Being a good analyst involves knowing how to ask the right questions, finding answers, and making sense of complex data. Analysts must understand attack vectors, threat actor behaviors, and the tools and techniques used in cyber attacks. They use this knowledge to investigate incidents, determine the scope and impact, and develop strategies to mitigate future threats.

Unlike sysadmins, who focus on maintaining and configuring systems, SOC analysts specialize in detecting and responding to security incidents. They analyze logs, monitor alerts, and use forensic techniques to uncover malicious activities. Their expertise lies in identifying patterns, understanding the significance of seemingly unrelated events, and responding swiftly to potential threats. This investigative mindset is crucial for effective incident response and overall cybersecurity defense.

Keep in mind that a junior SOC analyst shouldn’t be making remediation recommendations on their own. This makes an engineering background less crucial early in their career, which further argues against requiring a systems administration background.

Real World Examples

Both Skillsets Overlap and Complement Each Other

[Figure: Venn diagram of the overlapping engineering and analysis skillsets]

The point isn’t that engineers can’t make good analysts or vice versa. In fact, the most skilled cybersecurity professionals often excel in both areas. As an engineer, you often dig through log files to troubleshoot issues and learn what normal activity looks like, which makes deviations easier to spot. As an analyst, you frequently set up infrastructure and testing environments to observe how logs are generated in various scenarios, gradually gaining engineering experience. This blend of skills enhances both roles, making for a more well-rounded cybersecurity expert.

Closing

Understanding the distinction between analysis and engineering as skillsets is crucial when hiring for cybersecurity roles. While an engineering background can enhance a junior SOC Analyst’s or Incident Responder’s abilities, it isn’t a requirement. Junior SOC Analysts and Incident Responders shouldn’t be solely responsible for making future security recommendations.

I hope this post has helped dispel the notion that a sysadmin or engineering background is necessary for all junior cybersecurity roles.