
I have a general understanding of these 3 roles, but no working experience (actually I work in security R&D). For example (I know some details may vary in different companies):

[Specialist] - design solutions/implement security programs for own company; work with vendors to use existing tools/software.

[Consultant] - provide security advice/solutions to 3rd parties, work with vendors.

[Architect] - design security architecture for own company

I want to know the connections/differences between them from the following angles:

  1. What are their required skills (e.g., technical 60%, project management 20%, customer 20%, or other equivalent)?

  2. If I want to move to an architect role in the future, which one is more helpful, specialist or consultant?

  3. For specialist and consultant, which one may have higher average income?

TJCLK
  • Potential duplicate: https://security.stackexchange.com/questions/140959/difference-between-a-security-analyst-and-a-security-engineer . – schroeder Sep 12 '18 at 10:58
    Unfortunately, there are no set definitions for these roles, and as you say, they depend on the company and the country. Also, "consultant" is usually an outside contractor, so you cannot compare that role to the others. An Architect role depends entirely on the size of the company and the systems that need architecting. So, overall, these questions have no refined answer. – schroeder Sep 12 '18 at 16:30

1 Answer


Quick disclaimer: these types of job descriptions will vary from company to company and sometimes even between departments or HR staff. This is just my general impression after working in this field for quite some time now.

The required skill distribution (tech vs non-tech) largely depends on the project you are working on and your career step, but generally you need a good technical background, ideally with experience in software dev, networking and other relevant fields. And project management skills should be a must for anyone working in the IT field. Customer - or interpersonal in general - skills will most likely be more important for consultants, as they are usually external entities with lots of customer contact.

As for payment, from my experience internal security staff gets paid more than consultants. But YMMV and - as with most of this topic - it largely depends on your company/potential future employers.

Consultant

Generally, you're providing IT security knowledge for a client because that client has no or not enough relevant knowledge themselves. You're an external who is adding value to a project. As for the skill set, it depends on the phase of the project and the type of the project. For example, you might work for a client during the conception phase of a new e-commerce website. In that phase you need a good technical background and overview (know about secure design principles, methods to achieve the relevant parts of CIA and so on). Your main responsibilities will be to aid solution architects, business analysts and the like to create a secure-by-design concept and try to catch potential vulnerabilities before they even come into existence.

Another example would be that you work during the implementation phase of said project. Then you will - depending on your statement of work with the client - also have a look at the actual implementation of the concept you supported. Then you need deeper technical understanding, know how the specific programming language works, know its pitfalls. E.g. if it's a C++ project, you need to know that buffer overflows exist and how to avoid them. If it's a JSP website, you need to know how XSS (and other OWASP Top 10 issues) work and how to mitigate those vulns.

Architect

This position is most of the time internal, and you could basically also act as the internal version of an external consultant. But just like any position, this can be fulfilled either by internal staff or external staff. Generally, this is more in line with the common position of CISO or internal IT security department. In that position, you should have a complete overview of your company's IT infrastructure and the protection mechanisms that are in place like IDS/IPS, firewalls, network configuration (DMZ/bastion topography) and so on. You will be the one who tries to think like an adversary, anticipate which parts of your landscape are the "low hanging fruits" and where attackers might have a valid surface.

You also help design and secure other parts of your company's needs like knowledge sharing infrastructure, identity and access management and so on.

Specialist

TBH, I only heard this term as a "catch-all". It's kinda similar to when TV stations interview a "$RANDOMTOPIC expert" for a short segment. I have never met an "IT Security Specialist" in the wild and most of the time anybody has at least some field in which s/he specializes.

SeeYouInDisneyland