What sorts of jobs are there, in which organizations, with what sorts of day-to-day responsibilities?
What areas are good for folks coming out of school, vs what are good 2nd careers for experienced folks coming from various disciplines?
As niche as "security" seems, it actually encompasses a few main types of roles, and a couple of areas of coverage. These are actually quite different...
Common roles:
Likewise, in all the above there are different areas of expertise, and an expert in one won't necessarily have anything intelligent to say in any other area:
On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them - and it is not always shared expertise.
There are probably even more niche-niches that I'm skipping over, but you're starting to get the picture.... As you can see, what a security guy or gal does on a day-to-day basis is as wide and varied as the companies in which they work, and the systems which they work on. Most often, this DOES require wearing several hats, and working mostly on short tasks... BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether it's mostly a technical job such as defining firewall rules, or communicating with the business and lawyer types about the organization's current security posture.
As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be a network engineer? Great, start with focusing on network security, and go from there.
You're currently a systems administrator? Wonderful, you've probably worked a bit on security already, start learning more in that field.
You've been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc... Learn some more, figure out what you're missing, and then give me a call ;-).
And so on... On the other hand, if you have no background and want to START in security, that's tougher - because as I've explained, most often the security guy is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there... The important part is to focus on risk management (and, for the technical, threat modeling).
I also strongly suggest reading lots of security books and blogs (I enjoy Bruce Schneier's stuff), and also try out OWASP for the application side of things.
For future reference and completeness, I'd also like to add that the UK Cyber Security Challenge site has a nice list of 8 different categories of security roles with explanations about each and sample roles, as defined by the Institute of Information Security Professionals (IISP) (after a study I suppose).
http://cybersecuritychallenge.org.uk/careers/typical-roles/
I quote the content here:
Incident and Threat Managers, Forensics Experts.
One way or another, your job is right at the coal face. You might manage the security of your organisation’s network and keep attackers out. You may work for a company which tests other’s networks to assess their security and advise how to make them less vulnerable to attack. No-one is able to avoid all incidents, so you may also be an incident manager, able to respond quickly in a crisis and manage the impact. There may be difficult choices for the business to make. You will need to work with other managers who may not have your technical understanding of what has happened or what needs to be done to get systems back working but will know about the impact on the business if certain functions are stopped. You might need to do forensic analysis – to see how the attacker got in and what he did. Planning what to do to respond to different incidents, balancing all the different demands will be important to managing a crisis well and you are likely to be an important member of the business continuity planning team. There are some very technical jobs in this area examining new malware, working out countermeasures and much more. Plus, of course, it is not all on networks now as mobile devices are increasingly holding more data and carrying out functions previously only possible on a computer.
Sample Roles in this category: Incident and Threat Management and Response. Incident Manager, Threat Manager, Forensics – computer – mobile and network – analyst, CSIRT, Attack Investigator, Malware analyst, Penetration Tester, Disaster Recovery, Business Continuity.
Risk Analysts and Managers.
To do this you need to understand how different threats will impact on a business and advise about which risks to cover off and which to take. The Board will be listening to your advice and you will need to be able to explain the risks in non-technical language that shows the impact on business clearly. Some risk managers are non-technical and have come up through the business, others come from the technical side of the business. Some people are involved in the audit of networks and ensuring that compliance issues are understood and dealt with. One reply to our survey said that these people “go and speak to our clients about risk and compliance, explaining the law, any changes in legislation and identifying weakness and helping clients to comply”.
Sample roles in this category: Risk Management, Verification and Compliance. Risk Analyst, Risk Assessor, Business Information Security Officer, Reviewer, Auditor.
Policy Makers and Strategists.
These are the people who devise the security policies that will define how a company deals with lots of different security risks. Getting the policy right is a must for an organisation to meet its legal obligations. Getting people to implement policies means showing people why the policies matter and raising awareness of the potential consequences of not following advice. In the private sector you have CISOs (Chief Information Security Officers) leading this work often supported by a team. In Government there are ITSOs (IT security officers) and DSOs (Departmental security officers). The latter are responsible for physical, personnel and information security issues and the IT security officer usually reports to them.
Sample roles in this category: Strategy, Policy, Governance. Strategist, Policy Manager, ITSO, DSO, CISO.
Operations and Security Management.
You may be responsible for protecting your organisation’s data on its networks, laptops or mobile devices. As we all choose different ways to work, and the development of new technologies is creating new possibilities daily, you will have to keep up to date. You may manage encryption and other protective measures like the rules on firewalls, security logs and incident reporting.
Sample roles in this category: Operations and Security Management. Network Security Officer, Systems Security Officer, Information Security Officer, Crypto custodians, Information Managers.
Engineering, Architecture and Design.
If you can get the design of a system right then you can make it tough for attackers to get in. But the situation changes daily and if you are to keep up you will need to run fast. You may be dealing with hardware or software, design and development or secure applications. You may be a talented secure software writer – too many of our coders in the past have been driven by the pressure of being first to market and have had insufficient awareness of security. You may design security tools or sell them. Sales and marketing is an essential part of the business.
Sample roles in this category: Engineering, Architecture & Design. Architect, Designer, Development, Secure coding, software design and development, applications development. Security tools, Implementation.
Education, Training and Awareness.
Training is an ongoing need for most of us in business nowadays. As new technologies come on line, staff need to understand how to use them effectively to enable the business to survive and succeed securely, so new risks are managed. The experts need to be kept up to date too, so they understand new attack vectors, new ways of managing security, new ways of assessing and communicating risk. Some sales jobs are closely aligned to this work as they educate customers about what they need in their business. There are a number of training companies that deal with all levels of training, and the best work hard to keep their material up to date. One of the respondents in our survey described his job as: “To raise awareness in Cyber Security related matters both internally and as a service to other organisations. To produce, accredit and provide Cyber Security training courses internally and to other organisations as a service”.
Sample roles in this category: Education, Training and Awareness. Security Programme Manager.
Research.
There are many areas of research, some highly technical and others much more policy orientated. Some create complex models to help us understand situations that are changing faster than we can comprehend without technical help. Others are thinking about the technologies of the future and how they may help us manage security better. Respondents to the survey described the jobs as “To investigate new technologies to manage risk and to learn to manage risk with new technologies. Most people in security research concentrate on the former, crypto, firewalls etc yet the latter, securing Internet 2.0 is far more important”; “Looking for the next ‘big thing’”; “Researching the way attacks are conducted in the real world. Tracking of various types of malware and how they change thereby making it possible to prevent major strikes against customers. Invent new products based on what is seen in the real world and work with developers to produce these products.”
Sample roles in this category: Research. Security Researcher.
Lawyers specialising in advice and prosecution for Internet crime and data protection.
Advice and prosecution of data security and Internet crime. It is not easy to prosecute the perpetrators of these crimes and companies need help to understand their responsibilities and to put the evidence together. Since the data losses of recent years there have been some significant changes in the law. For example organisations which don’t sufficiently look after people’s data on their systems may be fined up to £0.5million, so many want to have their security policies audited to ensure they are fit for purpose.
Sample roles in this category: Lawyer for advice and prosecution on data protection and Internet crime.
Since this question was originally asked, the industry has been working to come up with an answer.
NIST's National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework outlines a definitive list, and it describes 52 work roles in information security.
Authorizing Official/Designating Representative
Security Control Assessor
Software Developer
Secure Software Assessor
Enterprise Architect
Security Architect
Research & Development Specialist
Systems Requirements Planner
System Testing and Evaluation Specialist
Information Systems Security Developer
Systems Developer
Database Administrator
Data Analyst
Knowledge Manager
Technical Support Specialist
Network Operations Specialist
System Administrator
Systems Security Analyst
Cyber Legal Advisor
Privacy Officer/Privacy Compliance Manager
Cyber Instructional Curriculum Developer
Cyber Instructor
Information Systems Security Manager
Communications Security (COMSEC) Manager
Cyber Workforce Developer and Manager
Cyber Policy and Strategy Planner
Executive Cyber Leadership
Program Manager
IT Project Manager
Product Support Manager
IT Investment/Portfolio Manager
IT Program Auditor
Cyber Defense Analyst
Cyber Defense Infrastructure Support Specialist
Cyber Defense Incident Responder
Vulnerability Assessment Analyst
Threat/Warning Analyst
Exploitation Analyst
All-Source Analyst
Mission Assessment Specialist
Target Developer
Target Network Analyst
Multi-Disciplined Language Analyst
All Source-Collection Manager
All Source-Collection Requirements Manager
Cyber Intel Planner
Cyber Ops Planner
Partner Integration Planner
Cyber Operator
Cyber Crime Investigator
Law Enforcement/Counterintelligence Forensics Analyst
Cyber Defense Forensics Analyst
While some of the above might not be pure "security" in every organisation (e.g. "Software Developer"), it is possible for each of those to be specialised in whole or in part in security in different organisations.
The SANS Institute offers a "20 Coolest Careers in Cyber Security" list. That web page lists the titles along with a few sample descriptions.