Twenty-five years ago, when cybersecurity was emerging as a specialty, most practitioners were transitioning from IT operational roles. As the Internet expanded and firewalls went up, security duties became increasingly demanding and businesses created dedicated security positions.
About the author
Raymond Pompon is Director at F5 labs.
Those doing these early cybersecurity jobs ended up knowing a bit about everything and evolved into generalists. Since then, with so many new avenues of technology, most of these generalists either specialized or went into management.
New recruits don’t have time to acquire the historical knowledge of generalists. Instead they will choose from a wide variety of security specializations to match their capabilities and interests.
The diversity of cybersecurity jobs
The three primary cybersecurity job roles are engineering defenses, testing security, and responding to cyberattacks. In smaller organizations, all these roles may land on a single person or be tacked onto non-security work.
Foundational cybersecurity skills are necessary for all these roles including:
- Knowledge of common cyberattacks
- How to perform a risk analysis
- How to manage risk through using controls
- Knowledge of compliance regulations and how they work
- Knowing how to explain risk and compliance in business terms
Cybersecurity engineers, testers, and responders build specific skills on top of this foundation, many of which can be acquired in industry training classes and cybersecurity boot camps.
Many cybersecurity engineers come from traditional IT jobs, such as network engineers or system administrators. They use various tools, usually technical, and play a big part in engineering administrative controls.
Job titles include:
- Director of security
- Security architect
- Network security engineer
- Security software developer
- Security systems administrator
- Technical director
- Security analyst
How cybersecurity engineers fit into the organization
Cybersecurity engineers are the most common roles in cybersecurity. Most are found within the IT organization, so they report up through the IT chain of command to the head of technology. However, being embedded in IT can diminish the effectiveness of their security functions. The key problem is the divergent missions: IT is about implementation and maintenance, while security requirements can sometimes mean slowing down an implementation to lower risk. This contributes to the security team’s reputation as the “Department of No”. Since the head of IT is in charge, they have veto power over security, which can be a problem as well.
Cybersecurity engineer key skills
Because of the obscure nature of some cyberattacks, a cybersecurity engineer needs to understand the organization’s technology and the technical IT infrastructure.
They also need a firm grasp on how the specific technical controls in their area function. For example, engineers working in networking should understand firewall features and limitations as well as the specifics of the implemented solution within their organization.
And they should understand the business and cultural aspects of rolling out and maintaining controls, even simple ones.
Testers are one of the most glamorous jobs in security, as these are the folks who hack things or find the problems and look for the gaps and mistakes before an attacker does.
Job titles include:
- Penetration tester/Red teamer
- Vulnerability researcher
- Exploit developer
- Ethical hacker (sometimes known as “white hat” hacker)
- Security research engineer
- Internal, third-party, or external auditor
How cybersecurity testers fit into the organization
Cybersecurity testers are often outsourced, often for their independence. Be warned that the healthy competition between engineers and testers can fester into an adversarial relationship, even more so if the tester is external.
When cybersecurity testers are full-time within an organization, they can be attached to IT like cybersecurity engineers. Although, sometimes they can be part of a different department, such as legal or compliance. Application security testers are sometimes linked to quality assurance departments, under an organization’s development arm.
Cybersecurity tester key skills
The role of a cybersecurity tester is to question everything, including assumptions. One way to help do this is to learn threat-modeling techniques such as STRIDE.
Testers may need to use their technical knowledge in unexpected ways, such as chaining together low-severity vulnerabilities to breach a system.
Testers often require specialized tools and techniques, which are sometimes self-developed, so, they should also have some programming skills (if hacking) or statistical knowledge (if auditing).
They will also need to communicate their findings, explain risks in business terms, and document the testing work they do, with detailed citations of evidence such as screenshots, source code, and compliance regulations.
Cybersecurity responders plan for and minimize security incidents. They sometimes detect attacks and stop them. And sometimes help clean up the messes and get systems back online. Many of them investigate what the attackers did, who they were, and help find the clues to go after them, and some even work on finding digital evidence from non-cybercrimes.
Job titles include:
- IT forensics technician
- Security operations center analyst
- Forensic, intrusion, or malware analyst
- Incident responder
- Disaster recovery or business continuity manager
How cybersecurity responders fit into the organization
Responders are commonly outsourced in smaller organizations. When they are internal, they can be found in IT, if focused on recovery and repair, or in legal, if focused on forensics. Sometimes they are found within the general business continuity organization under operational risk.
Cybersecurity responder key skills
Responders are often under acute stress, whether dealing with ransomware that’s shut down the entire organization, gathering evidence that can affect someone’s future, or performing post-incident forensics in a potentially litigious situation.
Responders need to wrangle resources for cyber incidents, such as appropriate cyber insurance, intrusion detection tools, and forensic and malware analysis tools. They should also develop government, legal, and law enforcement contacts and resources to assist with incidents.
They may need to report on incidents in various settings, including boardrooms, conferences, and legal depositions. Therefore, presentation and writing skills are helpful.
Final thoughts about cybersecurity skills and specializations
Many different standards and practices in cybersecurity can contradict each other and some may find the categories overlap too much.
We began by saying that cybersecurity career entrants should specialize. But if they become too specialized, they may find it harder to communicate outside their silo, and the real world doesn’t always adhere to clearly delineated categories. Neither do actual career paths.