Starting a new role in cybersecurity can feel like jumping into the deep end — but in the best possible way. My first 90 days as a Security Analyst have been a mix of learning, collaboration, and hands-on experience that have helped me grow faster than I expected.
🌐 Understanding the Landscape
My first week was all about learning how everything connects: FedRAMP, NIST 800-53, and the way each control family plays a role in building a compliant and secure environment.
I quickly learned that being a security analyst isn’t just about identifying gaps — it’s about understanding context, asking the right questions, and translating technical findings into meaningful recommendations.
Some of my early focuses included:
- Getting comfortable with assessment workflows and templates
- Reviewing System Security Plans (SSPs) to understand control implementations
- Reading through Security Assessment Reports (SARs) from previous engagements
🧩 Diving into Control Testing
By the end of my first month, I started assisting in testing Planning (PL) and Awareness and Training (AT) controls for active clients.
I learned how these controls form the backbone of a strong security posture — because even the most technical systems rely on people and preparation.
Some memorable work included:
- Verifying that annual security awareness training was completed and logged in compliance trackers (AT-3)
- Reviewing updated role-based training records for users with privileged access (AT-2)
- Evaluating how the Security Planning Policy outlined roles, responsibilities, and control inheritance (PL-1, PL-8)
- Ensuring SSPs clearly mapped each control to its implementation statements (PL-2)
🤝 Collaboration and Communication
One of my biggest takeaways has been how collaborative compliance work really is. Every day involves working with cloud engineers, security officers, and project managers.
We’re all looking at the same system, but from completely different angles — and that’s what makes strong assessments possible.
🤝 Learning the Rhythm of Collaboration
No two assessment teams are the same, and that’s what makes this field so dynamic.
I worked closely with technical assessors, client points of contact, and project leads to make sure our testing stayed consistent and traceable.
A few lessons that stood out:
- Clear determination statements save time during peer review.
- Version control and standardized templates keep control documentation uniform.
- Every email, meeting, and tracker update contributes to the bigger compliance picture.
🧠 Lessons Learned
Three key lessons stand out from my first 90 days:
- Ask questions early and often. No one expects you to know every control by heart on day one.
- Document everything. Future-you will thank present-you when you revisit controls later.
- Stay curious. Whether it’s understanding an AWS configuration or writing a new interview guide, curiosity is what turns tasks into learning moments.
🚀 Looking Ahead
As I move into my next quarter, I’m setting new goals:
- Continue improving my testing efficiency with Excel macros and automation tools
- Strengthen my understanding of FedRAMP-specific nuances
- Share more insights and templates here on my blog for other analysts starting out
Every day, I’m reminded that cybersecurity isn’t just about protecting systems — it’s about protecting people and the trust they place in technology.
And that’s exactly why I love this work.
Thanks for reading — and if you’re starting your own journey as a security analyst, know that it’s okay to learn as you go. The best analysts never stop learning.
— Emma Deel