Vulnerability Assessor
It’s a role for folks who love picking systems apart. In the final analysis, you’ll be expected to
identify weaknesses that may be completely invisible to other IT experts. Just as importantly,
you’ll have to prioritize these findings and make practical, business-focused recommendations.
It’s a fact of life that companies may not be able to handle all of their IT security problems at
once.
● Identify critical flaws in applications and systems that cyber attackers could exploit
● Conduct vulnerability assessments for networks, applications, and operating systems
● Conduct network security audits and scanning on a predetermined basis
● Use automated tools (e.g. Nessus) to pinpoint vulnerabilities and reduce time-consuming tasks
● Use manual testing techniques and methods to gain a better understanding of the environment and reduce false negatives
● Develop, test, and modify custom scripts and applications for vulnerability testing
● Manually validate report findings to reduce false positives
● Compile and track vulnerabilities over time for metrics purposes
● Write and present a comprehensive Vulnerability Assessment
● Review and define requirements for information security solutions
● Supply hands-on training for network and systems administrators
● Develop and maintain a vulnerability assessment database
For a clear sense of the difference between Vulnerability Assessors and Penetration Testers,
check out Daniel Miessler’s article, The Difference Between a Vulnerability Assessment and a
Penetration Test. In Miessler’s words, Vulnerability Assessors are list-orientated and Pen Testers
are goal-orientated.
Requirements for Vulnerability Assessor jobs will depend on the company and its mission. For
example, a position as a Tier 2 Vulnerability Assessor with the DHS is going to require a BS or
MS and 6-12 years of in-depth experience with malware, forensics, and incident detection. But if
you’re starting out in a junior-level position, you may only need an AS and a few years of
security-related experience in an IT job.
Do some market research, talk to your mentors, and reach out to experts in the field before you
make any decisions. You can also get your feet wet with a Bootcamp. For example, the capstone
project in Springboard’s 6-month Cybersecurity Career Track camp includes a comprehensive
risk and vulnerability assessment. And Evolve Security offers a Penetration Testing option. Or
you can network at the DIMVA Conference on Detection of Intrusions and Malware &
Vulnerability Assessment.
Degree Requirements
The degree requirement will depend on the company and the nature of the job. For a smallish
company, an associate or bachelor’s degree in Computer Science, Cyber Security or the
equivalent is nice to have in your back pocket. Once you start looking at the super-charged
options (e.g. classified government work, jobs in large companies, senior-level positions, etc.)
you’ll need a BS or an MS.
Work Experience
Experience requirements vary according to the level of job difficulty. The general standard for a
cyber security specialist job is 2-3 years of related work experience in the field. However,
senior-level openings often specify 5-7 years—and sometimes even higher.
Hard Skills
Employers can be picky when it comes to technical skills. We have pulled out some general
requirements, but we recommend you check current job listings to see where the market is
heading.
Soft Skills
Here’s the thing about Vulnerability Assessors and Pen Testers – they don’t necessarily play by
the rules. That’s why they’re so good at their jobs. This is not to say employers will be happy to
see a criminal record, but they will be interested in knowing if you are curious, creative, and
off-the-wall in your approach. Your job, after all, is to think like a bad guy.
Other important soft skills include attention to detail, a puzzler’s brain, and strong oral and
written abilities. In addition to drafting reports, you will be educating IT teams about better
security practices.
Mile2 has a specific vulnerability assessment certification (CVA), but CISSP and penetration
testing certs are often cited as must-haves in the job listings.