When I meet new people and tell them I work in Cyber Security, they assume I’m a hacker. There are some great movies glorifying hacking (and some bad movies too) so even non-tech people have heard about it. The truth is that being a hacker in the world of cybersecurity is like being a star in sports. Every sport has stars; hockey has Sidney Crosby, basketball has LeBron James, football has Tom Brady, and baseball has Bryce Harper. In cyberwar, hackers are just part of a team of professionals who all perform one or more cybersecurity roles to get the job done.
Cybersecurity Roles are Confusing
There are many different job titles and roles available in security.I’ve worked as a Security Consultant where I did a lot of systems administration work. I’ve seen jobs posted with the title of Security Consultant, but the description is hacker work. Other postings for Security Consultant jobs were for a sales role or strictly working on policy and advising leadership. Another popular job title in information security is a Security Architect. I’ve seen Security Architect jobs doing code review and working with programmers. Some postings for Security Architect were strictly designing security systems. Other postings for Security Architect were jobs involving systems administration work like managing servers and user accounts and network administration tasks like managing firewalls and routers/switches.
Cyber Security Job Descriptions are Confusing
The point is that if you look at job titles, analyzing job opportunities can get confusing. It is discussed ad nauseam that human resources and information technology departments do not effectively communicate at many organizations. Many people have tried to define job titles and standardize them, but I don’t think that works all the time. To target the right jobs, it is easier to create roles that jobs fit into instead of relying on the job title given. When looking at the tasks performed in job descriptions, they can be split into several different roles that stick within their area or combine several. Most likely, each job will require performance in two or more roles.
Cybersecurity Roles: It Takes a Band to Have a Star
I have come up with five main types of cybersecurity roles to try to make it simple. There are the Hackers, the Defenders, the Auditors, the Engineers, and the Writers. I love music and I like to compare the five types of roles as a rock band. Hackers are the lead singers, the superstars. Defenders are the lead guitar, in front but not as known. Engineers and Auditors are the bass/drums, they keep the rhythm going but stick to the background. Writers are the songwriters, they write the music and are relatively unknown. Each role is an important part
Hackers
Hackers are the face of cybersecurity. You might not know their identity, but you know about their work. Everybody wants to be them, everyone wants to do what they do. They are featured in movies, television, and they are wizards who can do anything in a moment’s notice. Hackers make all the headlines too. The mysteriousness behind what they do and how they do it draws people in even more. Hackers may wear white, grey, or black hats and can be broken down into penetration testing and security research roles. You can read more about them in my article describing the 3 different types of hackers.
Defenders
Defenders are also featured sometimes, just like a lead guitarist. They get solos and play the catchy tunes that everyone hums in the shower. They aren’t as popular or well-known as hackers but they can steal parts of the show. Defenders are sometimes on television or movies, but usually are misrepresented. Some of them portray defenders as evil geniuses that stop the heroes and others portray them as completely inept. Defender roles can be broken down into analysis, forensics, or incident response.
Engineers
Engineers form the backbone of security organizations. They are the builders, the creators of software and environments. Engineers are like a good bass line in a rock song, building the steady rhythm and beat of a song. Almost every job in cyber security requires at least a little piece of the engineering role. Engineers manage security policies on appliances as well access control lists on routers and switches. They may design networks and control items like load balancing, DNS, or routing and switching as well as the physical or virtual architecture of the appliances. The 3 main engineer roles are network security engineer, security appliance engineer and software security engineer.
Auditors
Auditors is another relatively unknown field. They are like the drums in the background and help keep the tempo of a song. Auditors work with organizations to make sure they are sticking to the rules. They might work from within the company or from a third party. An auditor might work for a regulatory body like a government agency or a law office providing advice to organizations. The 4 different types of auditor roles are scanning, compliance, risk assessment and validation.
Writers
Writers create the world that the song exists in. Is it alt rock, is it punk rock, is it hard rock? They set the tone, the beat, and write the words. Writers do the same things for organizations and governments. They create the regulatory laws that everyone must follow. Writers create organizational policies that internal employees must adhere to. They control the definition of important terms like privacy, customer rights and corporate responsibility. There are three items that writers can produce, and that is regulation, organizational policy, and a company’s security program.
Cyber Security Job Descriptions reviewed
To use the Security Consultant examples from above, let us look at the Security Consultant job title. When I was a Security Consultant, I did a lot of the security appliance engineering role, mixed with a little analyzing defender role. The second type of consultant performs the roles of penetration testing hacker, mixed with scanning auditor roles. The third type of Security Consultant would be a mix of compliance auditor and organizational policy roles.
More Cybersecurity Roles Explained
With the Security Architect example, the first job posting was a mix of the software security engineering and compliance auditing roles. The second Security Architect posting was the mostly security appliance engineer with a little of the compliance auditor role. The third Security Architect job was a mix of the security appliance engineer and network security engineer.
There are three reasons for organizing jobs into role types.
- If you were like me and had prior IT experience, it makes it easier to transition to a similar type of work inside security.
- If you know that you enjoy certain tasks, it makes it easier to figure out which roles would be a fit for you.
- It helps to practice skills associated with the role so you make yourself a more attractive candidate.
Uses these categories to leverage your existing skills
When I started out my career, I enjoyed fixing systems and building servers. I wanted to transition into cyber security and built my resume around solid system administration skills. I applied to jobs with different roles like network security engineer, analyzing defender, and security appliance engineer. I didn’t have much success until the security consultant job. Since it was mostly a security appliance engineer role, they felt my skills were suitable despite having zero security experience.
What are you interested in, or good at right now?
If you are someone who enjoys CTF challenges and Hack the Box, then it’s easy to realize that hacking is for you. Outside of hacking, it might be difficult to understand where your skills fit. You can still pinpoint where your interests lie. If you are
Hone the skills for the roles you want to do
If you are someone just starting your career, it might be difficult to understand everything all at once. Learning about the different types of roles you can perform in cyber security makes it easier to figure out what you want to do. It is easier to figure out what skills to practice, and potential certifications to attain to be a more attractive candidate.
Cyber security workforce chaos
The world of cybersecurity is massive and growing. Different companies have different names for the same types of roles. We can’t even agree whether to call it cybersecurity, IT security, InfoSec, etc. Organizing the roles performed on the job helps to make it easier to understand what type of jobs to apply for. If you only apply for the jobs you want to do, you save your time on the job application and interviewing.
NICE Cybersecurity Workforce Framework
The National Institue of Standards and Technology (NIST) are a United States government organization. They provide great standards to follow that are helpful for the cybersecurity space. They have a division called National Institute for Cybersecurity Education (NICE). They produced the NICE cybersecurity workforce framework which is very involved. Many people find this confusing, and it is not widely adopted by the community. I personally feel that it is too complicated and too specific.
Always apply to all the jobs that you are interested in.
- An employer is willing to train individuals up to the job posting requirements.
- The employer can hire you in a junior rank or paygrade to the one posted.
- The posting requirements can also be wrong due to miscommunications.
I like to say that you have a 0% chance at getting a job you don’t apply for, and a >0% chance for the ones you do.
Future articles expanding the depth
Over the next few months, I intend to have individual posts for all 5 of the roles. I plan on going into detail about the skills required to perform those roles well. These posts will include some job titles that include the use of those roles too. Ultimately, I intend to also include resources to study and practice that role too.
