Chapter 17

Pursuing a Cybersecurity Career

IN THIS CHAPTER

  • Discovering various cybersecurity-related positions
  • Looking at cybersecurity career paths
  • Understanding cybersecurity certifications
  • Finding out how to get started

With a global shortage of competent cybersecurity professionals, there has never been a better time to pursue a cybersecurity career — especially because the shortage seems to grow with the passage of time. In fact, since the publication of the first edition of this book, the demand for qualified cybersecurity professionals has skyrocketed, fueled in part by the combination of a dramatic upsurge in high-profile, quality-of-life-impacting ransomware attacks and the sudden, dramatic increase in remote working caused by the COVID-19 pandemic; that demand is likely to continue well into the future.

To put it simply, there just aren’t enough qualified cybersecurity professionals to fill all of the cybersecurity roles that need to be filled, and the number of jobs that need to be filled continues to grow faster than the number of people able to fill those jobs. As a result of the insufficient supply of cybersecurity professionals to satisfy the demand for people with relevant skills, compensation packages earned by cybersecurity professionals have been, and continue to be, among the best among technology workers.

In this chapter, you find out about some of the professional roles in the cybersecurity field, potential career paths, and certifications.

Professional Roles in Cybersecurity

Cybersecurity professionals have a wide range of responsibilities that vary quite a bit based on their exact roles, but most, if not all, ultimately work to help either protect data and systems from being compromised, or, in the case of certain government positions, to breach the systems and compromise the data of adversaries.

No one, single career path called “cybersecurity” exists. The profession has many nuances, and different paths along which people’s careers can progress. Also, note that the position titles of many jobs that focus on information security in general, or on cybersecurity in particular, sometimes simply say “security” rather than “cybersecurity,” “information security,” or “IT security.”

Security engineer

Security engineers come in multiple types, but the vast majority are hands-on technical folks who build, maintain, and debug information security systems as part of organizational (corporate, government, or nonprofit) projects. Security engineers working in the professional services arms of vendors may also help ensure that software being deployed at clients is done so in a secure fashion.

Security manager

Security managers are typically mid-level managers within larger enterprises who have responsibility for some specific area of information security. One security manager may, for example, be responsible for all of a firm’s security training, and another may be responsible for overseeing all of its Internet-facing firewalls. People in security manager positions typically perform less hands-on, technically detailed security activities than do the folks who report to them.

Security director

Security directors are the people who oversee information security for an organization. In smaller firms, the director is usually the de facto chief information security officer (CISO). Larger firms may have several directors responsible for various subsets of the firm’s information security program; such folks, in turn, usually report to the CISO.

Chief information security officer (CISO)

The CISO is the person responsible for information security throughout an organization. You can think of the CISO role as being that of the chief of staff of the organization’s information-security defensive military. The CISO is a senior, C-level management position. Serving as a CISO usually requires significant management knowledge and experience, in addition to an understanding of information security.

Security analyst

Security analysts work to prevent information security breaches. They review not only existing systems, but study emerging threats, new vulnerabilities, and so on in order to ensure that the organization remains safe.

Security architect

Security architects design and oversee the deployment of organizational information security countermeasures. They often have to understand, design, and test complex security infrastructures and regularly serve as the security team member who is involved in projects outside of the security department as well — for example, helping to design the security needed for a custom application that an organization is designing and building or helping to guide networking folks as the latter design various elements of corporate IT networking infrastructure.

Security administrator

Security administrators are hands-on folks who install, configure, operate, manage, and troubleshoot information security countermeasures on behalf of an organization. These folks are the ones to whom nontechnical professionals often refer when they say “I am having a problem and need to call the security guy or security gal.”

Security auditor

Security auditors conduct security audits — that is, they check that security policies, procedures, technologies, and so on are working as intended and are effectively and adequately protecting corporate data, systems, and networks.

Cryptographer

Cryptographers are experts in encryption and work with it as it is used to protect sensitive data. Some cryptographers work to develop encryption systems to protect sensitive data, while others, known as cryptanalysts, do the opposite: analyzing encrypted information and encryption systems in order to break the encryption and decrypt the information.

As compared to other information security jobs, cryptographers disproportionately work for government agencies, the military, and in academia. In the United States, many government jobs in cryptography require U.S. citizenship and an active security clearance. Cryptographers are also involved in preparing for the quantum computing era, as discussed in Chapter 18.

Vulnerability assessment analyst

Vulnerability assessment analysts examine computer systems, databases, networks, and other portions of the information infrastructure in search of potential vulnerabilities. The folks working in such positions must have explicit permission to do so. Unlike penetration testers, described in the next section, vulnerability assessors don’t typically act as outsiders trying to breach systems, but as insiders who have access to systems and have the ability to examine them in detail from the start.

Ethical hacker

Ethical hackers attempt to attack, penetrate, and otherwise compromise systems and networks on behalf of — and with the explicit permission of — the technologies’ owners in order to discover security vulnerabilities that the owners can then fix. Ethical hackers are sometimes referred to as penetration testers or pen-testers. While many corporations employ their own ethical hackers, a significant number of folks who work in such positions work for consulting companies offering their services to third parties.

Security researcher

Security researchers are forward-looking folks who seek to discover vulnerabilities in existing systems and potential security ramifications of new technologies and other products. They sometimes develop new security models and approaches based on their research.

Warning As far as ethics are concerned, and as far as the law in many jurisdictions is concerned, a “security researcher” who hacks an organization without explicit permission from that organization is not a security researcher or an ethical hacker, but simply someone breaking the law.

Offensive hacker

Offensive hackers attempt to break into adversaries’ systems to either cripple the systems or steal information. In the United States of America, it is illegal for a business to go on the offensive and attack anyone — including striking back at hackers who are actively trying to penetrate the organization. As such, all legal offensive hacking jobs in the United States are government positions, such as with intelligence agencies and the armed forces. If you enjoy attacking and are not satisfied with just ethical hacking, you may wish to pursue a career with the government or military. Many offensive hacking positions require security clearances.

Software security engineer

Software security engineers integrate security into software as it is designed and developed. They also test the software to make sure it has no vulnerabilities. In some cases, they may be the coders of the software itself.

Software source code security auditor

Software source code security auditors review the source code of programs in search of programming errors, vulnerabilities, violations of corporate policies and standards, regulatory problems, copyright infringement (and, in some cases, patent infringement), and other issues that either must be, or should be, resolved.

Security consultant

There are many different types of security consultants. Some, like me, advise corporate executives on security strategy, serve as expert witnesses, or help security companies grow and succeed. Others are hands-on penetration testers. Others may design or operate components of security infrastructure, focusing on specific technologies. When it comes to security consulting, you can find positions in just about every area of information security.

Security expert witness

Security expert witnesses are typically people with many years of experience in the area of security about which they are asked to testify, and who are trusted by a judge to provide “expert opinions” vis-à-vis matters being litigated.

Security specialist

The title security specialist is used to refer to people serving in many different types of roles. All the various roles, however, tend to require at least several years of professional experience working in the information security field.

Incident response team member

The incident response team consists of the de facto first responders who deal with security incidents. Team members seek to contain and eliminate attacks, while minimizing the damage from them. They also often perform some of the analysis into what happened — sometimes determining that nothing requires any corrective activity. You can think of incident responders as roughly the equivalent of cybersecurity firefighters — they deal with dangerous attacks, but sometimes get called in to verify that there is no fire.

Forensic analyst

Forensic analysts are effectively digital detectives, who, after some sort of computer event, examine data, computers and computing devices, and networks to gather, analyze, and properly preserve evidence and deduce what exactly happened, how it was possible to happen, and who did it. You can think of forensic analysts as roughly the equivalent of law enforcement and insurance company inspectors who analyze properties after a fire to determine what happened and who might be responsible.

Cybersecurity regulations expert

Cybersecurity regulations experts are knowledgeable in the various regulations related to cybersecurity and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.

Privacy regulations expert

Privacy regulations experts are knowledgeable in the various regulations related to privacy and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.

Exploring Career Paths

People should consider their long-term goals as they plan their careers. For example, if you’re looking to become a CISO, you may want to work in a variety of different hands-on positions, earn an MBA, and pursue promotions and certifications in areas of information security management, while if you want to become a senior architect, you’ll likely be better off focusing on promotions into various roles involved in security analysis and design, doing penetration testing, and earning technical degrees. The following sections give examples of some potential career paths.

Career path: Senior security architect

In the United States, security architects typically earn well over $100,000 — and, in some markets, considerably more — making this type of position quite attractive. While every person’s career path is unique, one typical framework for becoming a senior security architect might be to follow a career path similar to the following:

  1. Do one of the following:
    • Earn a bachelor’s degree in computer science.
    • Earn a degree in any field and pass an entry-level certification exam in cybersecurity (for example, Security+).
    • Obtain a technical job without a degree and demonstrate proficiency in the relevant technologies used as part of the job.
  2. Work as a network administrator or systems administrator and gain hands-on security experience.
  3. Obtain a slightly more focused credential (for example, CEH).
  4. Work as a security administrator — preferably administering a range of different security systems over a period of several years.
  5. Earn one or more general security certifications (for example, CISSP).
  6. Become a security architect and gain experience in such a role.
  7. Earn an advanced security architecture certification (for example, CISSP-ISSAP).
  8. Become a senior-level security architect.

Warning Do not expect to become a senior-level architect overnight; it often takes a decade or more of relevant experience to achieve such a position.

Career path: CISO

In the United States, chief information security officers typically earn $150,000 or more (a lot more in certain industries), but the jobs can be quite stressful, which might explain why many CISOs leave their positions after just a couple of years. CISOs are responsible for corporate information security, which often involves dealing with emergencies, and the role brings few accolades when things go well but tremendous criticism when things go amiss. While every person’s career path is unique, one typical framework for becoming a CISO might be to follow a career path similar to the following:

  1. Earn a bachelor’s degree in computer science or in information technology.
  2. Do one of the following:
    • Work as a systems analyst, systems engineer, programmer, or in some other related hands-on technical position.
    • Work as a network engineer.
  3. Migrate toward security and work as a security engineer, security analyst, or security consultant — taking on various different roles within an organization, or as a consultant to organizations, thereby exposing oneself to various different areas of information security.
  4. Obtain general certifications in information security (for example, CISSP).
  5. Migrate toward management of security by becoming the manager of a security operations team. Ideally, over time, manage multiple information security teams, each dealing with a different area of information security than the others.
  6. Do one of the following:
    • Earn a master’s degree in cybersecurity (ideally with a focus on information security management).
    • Earn a master’s in computer science (ideally with a focus on cybersecurity).
    • Earn a master’s in information systems management (ideally, with a focus on information security).
    • Earn an MBA.
  7. Do one of the following:
    • Become a divisional CISO (de facto or de jure).
    • Become the CISO of a relatively small business or nonprofit organization.
  8. Obtain an advanced information security credential focused on information security management (for example, CISSP-ISSMP).
  9. Become the CISO of a larger business.

Warning The path to becoming a CISO can easily take a decade, or even decades, depending on the size of the organization in which the CISO serves.

Starting Out in Information Security

Many folks who work in information security began their careers in other areas of information technology. In some cases, the folks were first exposed to the amazing world of cybersecurity while serving in technical positions. In other situations, people took technical jobs not directly tied to information security, but did so with the intent of developing various skills and using the positions as stepping stones into the world of security.

Tip Jobs in the fields of risk analysis, systems engineering and development, and networking are often good entry points. An email administrator, for example, is likely to learn plenty about email security and possibly also about the architecture of secure network designs and securing servers in general. People developing web-based systems are likely to learn about web security as well as about secure software design. And system and network administrators are going to learn about the security of the items that they are responsible for keeping alive and healthy.

Some of the technical jobs that can help prepare you for cybersecurity-related roles include

  • Programmer (also known as a coder)
  • Software engineer
  • Web developer
  • Information systems support engineer (technical support hands-on specialist)
  • Systems administrator
  • Email administrator
  • Network administrator
  • Database administrator
  • Website administrator

Some nontechnical positions can also help prepare people for careers in the nontechnical roles of information security. Here are some examples:

  • Auditor
  • Law enforcement detective
  • Attorney focusing on cybersecurity-related areas of law
  • Attorney focusing on regulatory compliance
  • Attorney focusing on privacy-related areas of law
  • Risk-management analyst

Exploring Popular Certifications

Recognized cybersecurity certifications and, to a lesser degree, certificates showing successful completion of cybersecurity courses, can prove to an employer that your cybersecurity knowledge meets certain standards and help you advance along your desired career path.

Many different information-security certifications are on the market today. Some focus on specific technologies or areas of information security, while others are more broad. While it is beyond the scope of this book to explore each and every possible certification available today, the following are five of the more popular — and better recognized — vendor-neutral certifications that may be ideal for folks relatively early in their cybersecurity careers.

Tip The competent certifying bodies regularly update their certification requirements and curricula in order to keep up with the constantly changing world of cybersecurity, so always obtain a current study guide when preparing for a certification exam.

CISSP

The Certified Information Systems Security Professional (CISSP) certification, initially launched in 1994, covers a broad range of security-related domains, delving into details in some areas more than in others. It provides employers with the comfort of knowing that workers understand important aspects of more than just one or two areas of information security; as components of information security are often highly interconnected, broad knowledge is valuable, and becomes absolutely necessary as one ascends the information-security management ladder.

The CISSP is intended to be pursued by people with several years of experience in the information security field — in fact, while you can take the CISSP exam without experience, you won’t actually receive the credential until you work in the field for the required number of years. As a result, folks possessing CISSP credentials, who always have several years of experience under their belts, often command higher salaries than do both uncertified peers and other counterparts who hold other certifications.

The CISSP credential, issued by the highly regarded (ISC)2 organization, is both vendor neutral and more evergreen than many other certifications. Study materials and training courses for the CISSP exam are widely available, and tests are administered in more locations, and on more dates, than are most other, if not all other, cybersecurity certifications. Multiple add-ons to the CISSP are available for those interested in proving their mastery of information security architecture (CISSP-ISSAP), management (CISSP-ISSMP), and engineering (CISSP-ISSEP).

(ISC)2 requires that holders of the CISSP credential agree to abide by a specific Code of Ethics and that they perform significant continuing education activities in order to maintain their credentials, which must be renewed every three years.

Remember The CISSP is not intended to test hands-on technical skills — and it does not do so.

People looking to demonstrate mastery of specific technologies or areas of technology — for example, penetration testing, security administration, auditing, and so on — may want to consider pursuing either a more technically focused, general certification or some specific product and skill certifications.

CISM

The well-regarded Certified Information Security Manager (CISM) credential from the Information Systems Audit and Control Association (ISACA) has exploded in popularity since its inception about two decades ago. Emanating from an organization focused on audit and controls, the CISM credential is, generally speaking, a bit more focused than is the CISSP on policies, procedures, and technologies for information security systems management and control, as typically occurs within large enterprises or organizations.

As with the CISSP, to earn a CISM, a candidate must have several years of professional information-security work experience. Despite the differences between the CISSP and CISM — with the former delving deeper into technical topics and the latter doing similarly for management-related topics — the two offerings also significantly overlap. Both are well respected.

CEH

The Certified Ethical Hacker (CEH), offered by the International Council of E-Commerce Consultants (EC-Council), is intended for people with at least two years of professional experience who are intent on establishing their credibility as ethical hackers (in other words, penetration testers).

CEH is a practical exam that tests candidates’ skills as related to hacking: from performing reconnaissance and penetrating networks to escalating privileges and stealing data. This exam tests a variety of practical skills, including attack vehicles, such as various types of malware; attack techniques, such as SQL injection; cryptanalysis methods used to undermine encryption; methods of social engineering in order to undermine technical defenses via human error; and how hackers can evade detection by covering their tracks.

EC-Council requires CEH credential holders to acquire a significant number of continuing education credits in order to maintain a CEH credential — something quite important for an exam that tests practical knowledge — especially when you consider how rapidly technologies change in today’s world.

Security+

Security+ is a vendor-neutral general cybersecurity certification that can be valuable especially for people early in their careers. It is offered and administered by the well-respected, technology-education nonprofit, CompTIA. While there is, technically speaking, no minimum number of years of professional experience required in order to earn a CompTIA Security+ designation, from a practical perspective, most people will likely find it easier to pass the exam after working in the field, and gaining practical experience, for a year or two.

The Security+ exam typically goes into more technical detail than either the CISSP or the CISM, directly addressing the knowledge needed to perform roles such as those related to entry-level IT auditing, penetration testing, systems administration, network administration, and security administration; hence, CompTIA Security+ is a good early-career certification for many folks. Anyone earning the Security+ designation since 2011 must earn continuing education credits in order to maintain the credential.

GSEC

The Global Information Assurance Certification Security Essentials Certification (GSEC) is the entry-level security certification covering materials in courses run by the SANS Institute, a well-respected information-security training company.

Like Security+, GSEC contains a lot more hands-on practical material than the CISM or CISSP certifications, making this certification more valuable than the aforementioned alternatives in some scenarios and less desirable in others. Despite being marketed as entry-level, the GSEC exam is, generally speaking, regarded as more difficult and comprehensive than the test required to earn a Security+ designation. All GSEC credential holders must show continued professional experience or educational growth in the field of information security in order to maintain their credentials.

Verifiability

The issuers of all major information security credentials provide employers with the ability to verify that a person holds any credentials claimed. For security reasons, such verification may require knowledge of the credential holder’s certification identification number, which credential holders typically do not publicize.

Warning If you earn a certification, be sure to keep your information in the issuer’s database up to date. You do not want to lose your certification because you did not receive a reminder to submit continuing education credits or to pay a maintenance fee.

Ethics

Many security certifications require credential holders to adhere to a code of ethics that not only mandates that holders comply with all relevant laws and government regulations, but also mandates that people act appropriately even in manners that exceed the letter of the law.

Warning Be sure to understand such requirements. Losing a credential due to unethical behavior can obviously severely erode the trust that other people place in a person and can inflict all sorts of negative consequences on your career in information security.

Overcoming a Criminal Record

While a criminal record does not prevent someone from obtaining many cybersecurity-related jobs, a criminal record may be an insurmountable barrier when it comes to obtaining certain positions. Anything that prevents someone from obtaining a security clearance, for example, would disqualify that individual from working in certain government and government-contractor roles.

In some cases, the nature, timing, and age at which one committed past crimes may weigh heavily in an employer’s decision. Some information-security organizations may be perfectly fine with hiring a reformed, former teenage hacker, for example, but may be averse to hiring someone who was convicted of a violent crime as an adult. Likewise, people who served time in prison for a computer crime they committed two decades ago, but whose records have since been clean, may be viewed quite differently by a potential employer than someone who was just recently released from prison after serving a sentence for a similar crime.

Overcoming Bad Credit

People unfamiliar with the security industry might not think that a poor credit score should be a relevant factor weighed by potential employers, but in some cases, it is. This is because in the case of government positions requiring a clearance, credit reports are reviewed as part of the relevant background check process; clearances can be denied if reviewers fear that the applicant is either not reliable, or is more likely than other people to be tempted to sell information because the applicant is having financial problems.

Tip If you are applying for a position requiring a clearance and have a poor credit score as a result of factors beyond your control, you may wish to proactively discuss the matter with the relevant parties.

Looking at Other Professions with a Cybersecurity Focus

Besides working directly in cybersecurity, there are many opportunities to work in fields that interface directly with cybersecurity professionals, and which benefit from the global increase in attention to cybersecurity. Lawyers may decide, for example, to specialize in cybersecurity-related laws or on firms’ compliance with privacy regulations, and law enforcement personnel may develop expertise in the forensics that are utilized investigating cybercrimes.

The bottom line is that cybersecurity has created, is creating, and will continue to create for the foreseeable future many lucrative professional opportunities for people in multiple fields. You need not be a technical genius to benefit from the discipline’s boom. If you find cybersecurity fascinating, you may want to explore the rewarding opportunities that it may offer you.
