What are the career paths in the computer security field?


As niche as “security” seems, it actually encompasses a few main types of roles, and a couple of areas of coverage.

These are actually quite different…

Common roles:

  • Enterprise IT security department
    These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maaaaybe some enterprise-wide initiatives (e.g. SIEM, IdM, etc), and an occasional Incident Response. Also probably give a security PoV on purchasing 3rd party products (whether COTS or FOSS), and in any outsourcing RFP.
  • Security team in development group (either in enterprise or in dev shops)
    Mostly deal with programmer education and training, some security testing (or handling external testing, see below) – this includes both pentesting and reviewing code, maybe defining security features. Some orgs will have the security team also managing risks, participating in threat modeling, etc.
  • External consultant / auditor / security tester
    This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, serving as the security expert, go-to guys for the other types of organizations, such as supplying all the relevant advice…. therefore usually expected (though not necessarily the case 😉 ) to be more up to date than anyone else.
  • Researcher
    This can include academic level research, such as cryptologists, and also research departments in some of the larger security vendors, researching and searching for new exploits / viruses / attacks / flaws / mitigation models / etc. These can actually be quite different; vendor research is often treated as product development, whereas academic research – well, I can’t really speak to that, since I don’t know…

Likewise, in all the above there are different areas of expertise, and an expert in one won’t necessarily have anything intelligent to say in any other area:

  • Network security, e.g. routers, firewall, network segmentation and architecture, etc.
  • O/S security, which is of course further subdivided according to O/S flavor (i.e. Windows security expert and Linux security experts might not know much about each other’s stuff).
  • Application security – i.e. how to program securely (which may be necessary to subdivide according to language, technology, etc.), but also application-layer attacks, e.g. Web attacks, etc.
  • Risk management experts – more focused on the business side, less on the technical
  • Compliance officers – some places have these dedicated, and they’re experts on all the relevant regulations and such (note that this is borderline lawyer-like work!)
  • Identity architects – for larger, security conscious orgs, that have complex IdM implementations and the like…
  • Auditing and forensics experts, deal mainly with SIEM/SIM/SOC, and also with investigations after the fact.

On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them – and it is not always shared expertise.

There are probably even more niche-niches that I’m skipping over, but you’re starting to get the picture…. As you can see, what a security guy or gal does on a day to day basis is as wide and varied as the companies in which they work, and the systems which they work on. Most often, this DOES require shifting several hats, and working mostly on short tasks… BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether it’s mostly a technical job such as defining firewall rules, or communicating with the business and lawyer types about the organization’s current security posture.

As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be a network engineer? Great, start with focusing on network security, and go from there.
You’re currently a systems administrator? Wonderful, you’ve probably worked a bit on security already, start learning more in that field.
You’ve been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc… Learn some more, figure out what you’re missing, and then give me a call ;-).
And so on… On the other hand, if you have no background and want to START in security, that’s tougher – because as I’ve explained, most often the security guy is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there… The important part is to focus on risk management (and, for the technical, threat modeling).

I also strongly suggest reading lots of security books and blogs (I enjoy Bruce Schneier’s stuff), and also try out OWASP for the application side of things.

http://security.stackexchange.com/questions/3772/what-are-the-career-paths-in-the-computer-security-field
