What are the career paths in the computer security field?
As niche as "security" seems, it actually encompasses a few main types of roles, and a couple of areas of coverage. These are actually quite different...
Common roles:
- Enterprise IT security department
These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maaaaybe some enterprise-wide initiatives (e.g. SIEM, IdM, etc), and an occasional Incident Response. Also probably give a security PoV on purchasing 3rd party products (whether COTS or FOSS), and in any outsourcing RFP. - Security team in development group (either in enterprise or in dev shops)
Mostly deal with programmer education and training, some security testing (or handling external testing, see below) - this includes both pentesting and reviewing code, maybe defining security features. Some orgs will have the security team also managing risks, participating in threat modeling, etc. - External consultant / auditor / security tester
This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, serving as the security expert, go-to guys for the other types of organizations, such as supplying all the relevant advice.... therefore usually expected (though not necessarily the case ;-) ) to be more up to date than anyone else. - Researcher
This can include academic level research, such as cryptologists, and also research departments in some of the larger security vendors, researching and searching for new exploits / viruses / attacks / flaws / mitigation models / etc. These can actually be quite different, vendor research is often treated as product development, whereas academic research - well, I can't really speak to that, since I don't know...
Likewise, in all the above there are different areas of expertise, and an expert in one won't necessarily have anything intelligent to say in any other area:
- Network security, e.g. routers, firewall, network segmentation and architecture, etc.
- O/S security, which is of course further subdivided according to O/S flavor (i.e. Windows security expert and Linux security experts might not know much about each other's stuff).
- Application security - i.e. how to program securely (which may be necessary to subdivide according to language, technology, etc.), but also application-layer attacks, e.g. Web attacks, etc.
- Risk management experts - more focused on the business side, less on the technical
- Compliance officers - some places have these dedicated, and they're experts on all the relevant regulations and such (note that this is borderline lawyer-like work!)
- Identity architects - for larger, security conscious orgs, that have complex IdM implementations and the like...
- Auditing and forensics experts, deal mainly with SIEM/SIM/SOC, and also with investigations after the fact.
On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them - and it is not always shared expertise.
There are probably even more niche-niches that I'm skipping over, but you're starting to get the picture.... As you can see, what a security guy or gal does on a day to day basis is as wide and varied as the companies in which they work, and the systems which they work on. Most often, this DOES require shifting several hats, and working mostly on short tasks... BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether its mostly a technical job as defining firewall rules, or communicating with the business and lawyer types about the organization's current security posture.
As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be network engineer? Great, start with focusing on network security, and go from there.
You're currently a systems administrator? Wonderful, you've probably worked a bit on security already, start learning more in that field.
You've been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc... Learn some more, figure out what you're missing, and then give me a call ;-).
And so on... On the other hand, if you have no background and want to START in security, that's tougher - because as I've explained, most often the security guys is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there... The important part is to focus on risk management (and, for the technical, threat modeling).
I also strongly suggest reading lots of security books and blogs (I enjoy Bruce Schneier's stuff), and also try out OWASP for the application side of things.
For future reference and completeness, I'd also like to add that the UK Cyber Security Challenge site has a nice list of 8 different categories of security roles with explanations about each and sample roles, as defined by the Institute of Information Security Professionals (IISP) (after a study I suppose).
http://cybersecuritychallenge.org.uk/careers/typical-roles/
I quote the content here:
Incident and Threat Managers, Forensics Experts.
One way or another, your job is right at the coal face. You might manage the security of your organisation’s network and keep attackers out. You may work for a company which tests other’s networks to assess their security and advise how to make them less vulnerable to attack. No-one is able to avoid all incidents, so you may also be an incident manager, able to respond quickly in a crisis and manage the impact. There may be difficult choices for the business to make. You will need to work with other managers who may not have your technical understanding of what has happened or what needs to be done to get systems back working but will know about the impact on the business if certain functions are stopped. You might need to do forensic analysis – to see how the attacker got in and what he did. Planning what to do to respond to different incidents, balancing all the different demands will be important to managing a crisis well and you are likely to be an important member of the business continuity planning team. There are some very technical jobs in this area examining new malware, working out countermeasures and much more. Plus, of course, it is not all on networks now as mobile devices are increasingly holding more data and carrying out functions previously only possible on a computer.
Sample Roles in this category: Incident and Threat Management and Response. Incident Manager, Threat Manager, Forensics – computer – mobile and network – analyst, CSIRT, Attack Investigator, Malware analyst, Penetration Tester, Disaster Recovery, Business Continuity.
Risk Analysts and Managers.
To do this you need to understand how different threats will impact on a business and advise about which risks to cover off and which to take. The Board will be listening to your advice and you will need to be able to explain the risks in non-technical language that shows the impact on business clearly. Some risk managers are non-technical and have come up through the business, others come from the technical side of the business. Some people are involved in the audit of networks and ensuring that compliance issues are understood and dealt with. One reply to our survey said that these people “go and speak to our clients about risk and compliance, explaining the law, any changes in legislation and identifying weakness and helping clients to comply”.
Sample roles in this category: Risk Management, Verification and Compliance. Risk Analyst, Risk Assessor, Business Information Security Officer, Reviewer, Auditor.
Policy Makers and Strategists.
These are the people who devise the security policies that will define how a company deals with lots of different security risks. Getting the policy right is a must for an organisation to meet its legal obligations. Getting people to implement policies means showing people why the policies matter and raising awareness of the potential consequences of not following advice. In the private sector you have CISOs (Chief Information Security Officers) leading this work often supported by a team. In Government there are ITSOs (IT security officers) and DSOs (Departmental security officers). The latter are responsible for physical, personnel and information security issues and the IT security officer usually reports to them.
Sample roles in this category: Strategy, Policy, Governance. Strategist, Policy Manager, ITSO, DSO, CISO.
Operations and Security Management.
You may be responsible for protecting your organisation’s data on its networks, laptops or mobile devices. As we all chose different ways to work and the development of new technologies is creating new possibilities daily you will have to keep up to date. You may manage encryption and other protective measures like the rules on Firewalls, security logs and incident reporting.
Sample roles in this category: Operations and Security Management. Network Security Officer, Systems Security Officer, Information Security Officer, Crypto custodians, Information Managers.
Engineering, Architecture and Design.
If you can get the design of a system right then you can make it tough for attackers to get in. But the situation changes daily and if you are to keep up you will need to run fast. You may be dealing with hardware or software, design and development or secure applications. You may be a talented secure software writer – too many of our coders in the past have been driven by the pressure of being first to market and have had insufficient awareness of security. You may design security tools or sell them. Sales and marketing is an essential part of the business.
Sample roles in this category: Engineering, Architecture & Design. Architect, Designer, Development, Secure coding, software design and development, applications development. Security tools, Implementation.
Education, Training and Awareness.
Training is an ongoing need for most of us in business nowadays. As new technologies come on line staff need to understand how to use them effectively to enable the business to survive and suceed securely so new risks are managed. The experts need to be kept up to date too so they understand new attack vectors, new ways of managing security, new ways of assessing and communicating risk. Some sales jobs are closely aligned to this work as they educate customers about what they need in their business. There are a number of training companies that deal with all levels of training and the best work hard to keep their material up to date. One of the respondents in our survey described his job as: “To raise awareness in Cyber Security related matters both internally and as a service to other organisations. To produce, accredit and provide Cyber Security training courses internally and to other organisations as a service”.
Sample roles in this category: Education, Training and Awareness. Security Programme Manager.
Research.
There are many areas of research, some highly technical and others much more policy orientated. Some create complex models to help us understand situations that are changing faster than we can comprehend without technical help. Others are thinking about the technologies of the future and how they may help us manage security better. Respondents to the survey described the jobs as “To investigate new technologies to manage risk and to learn to manage risk with new technologies. Most people in security research concentrate on the former, crypto, firewalls etc yet the latter, securing Internet 2.0 is far more important”; “Looking for the next ‘big thing’”; “Researching the way attacks are conducted in the real world. Tracking of various types of malware and how they change thereby making it possible to prevent major strikes against customers. Invent new products based on what is seen in the real world and work with developers to produce these products.”
Sample roles in this category: Research. Security Researcher.
Lawyers specialising in advice and prosecution for Internet crime and data protection.
Advice and prosecution of data security and Internet crime. It is not easy to prosecute the perpetrators of these crimes and companies need help to understand their responsibilities and to put the evidence together. Since the data losses of recent years there have been some significant changes in the law. For example organisations which don’t sufficiently look after people’s data on their systems may be fined up to £0.5million, so many want to have their security policies audited to ensure they are fit for purpose.
Sample roles in this category: Lawyer for advice and prosecution on data protection and Internet crime.
The SANS Institute offers a brochure on the topic for $5.00: The 20 Coolest Jobs in Information Security. That web page lists the titles along with a few sample descriptions.