IT security is a broad field, just like the general “IT” field is broad. If you want to get “into security,” there are various paths to follow. I’ve been playing with this list for a little bit, and want to move it from a text file on my desktop to a more permanent filed place on here. The following groupings are not meant to be all-encompassing as there are dozens of smaller focused positions and different job titles out in the world. But this should be a pretty good, and close-to-complete view of security.
- Penetration Testing and Vulnerability Assessment (system, network, web, application, cloud, mobile, physical)
- Incident Response, Malware Analyst
- Forensics (memory, disk, network, mobile)
- Risk and Compliance Analysts (includes GRC)
- Security Auditor
- Architect, Policy, and Design
- Security Researcher (reversing, exploit dev)
- Security Operations Engineer, Security Manager/Analyst (network, identity, application)
- Access/Identity Management
- SOC Operator/Analyst
- Application Security/SDLC (static analysis, mentor, tester)
- Management (CISO, Manager)
Yeah, I keep “Generalist” as a spot on here, because it’s still something to be considered. While not usually a job title, if you like everything about security (or are just undecided if you want to focus somewhere), you can have generalist security professionals just like you can have generalist IT professionals. It’s not flashy, but knowing a decent amount about many things can still provide value.
I’m sure I’ve missed some major roles, but many other smaller ones probably fit into these as sub-roles. Also, the Management slice might often be more about managing people and departments and less about IT or security; more like a category of management rather than a category of security. That will all depend on the organization.
There are also types of security jobs as well. For instance, you could be a pen tester consultant, sales engineer, or even a part of a permanent red team inside a large organization. Also, things change if you’re working for an actual security company (hello enabler!) or part of a security team for a company whose main line of revenue lies elsewhere (hello cost!). So these slices should also be taken into consideration against all of the above categories.
- External security consultant
- Employee at a security company (including sales engineers)
- Employee of a non-security enterprise (i.e. part of an internal team)
Why am I even bothering with this exercise? Well, I’m currently filtering through the local job market for a role to land in. I’ll give more details about that in a future post.