A career in information security is very rewarding. The growth of cloud services; the digital revolution, agile development and the ever increasing cyber-threat means there is no shortage of opportunities and challenges for the hungry mind.
If you find security interesting, the question is, “What type of security role do you want?”.
If you have a resource gap in your organisation, the question is often, “Who do I need to recruit?”
This article presents three role categories: a builder, a breaker or a contributor. The options are of course generalisations and don’t cover all possible scenarios. The purpose is to provide information to assist in matching candidates with a role they are suited to.
There is an ever changing list of security systems that we need builders to configure and install. Firewalls and intrusion detection systems are more traditional while cloud application security brokers and automation are more recent. Most are represented in some way in larger enterprises and many will be make up the majority of any “Security Transformation” programme.
Just like any technology, specialist engineers are required to successfully deploy a new capability and will be required to maintain or repair. You will want to be a builder if you want to work hands on with technology on a daily basis.
Your career progression will be into a design role, pre-sales and potentially managing like minded individuals. A technology focus will initially make relationships largely technical in nature, but a move into pre-sales will require the ability to establish good business relationships.
The key limitation is a technology centric role will make you less aware of other business pressures and less able to move laterally within an organisation.
If you find security interesting, the question is, 'What type of security role do you want?'. If you have a resource gap in your organisation, the question is often, 'Who do I need to recruit?”
Breakers are now widely employed to test the security of information systems. Penetration testing is mandated in standards such as PCI DSS (Payment Card Industry Data Security Standards) and is often provided as proof that a given deployment is secure.
Many organisations will invest in penetration testing if nothing else when they are building information systems making testers highly sought after. Work is typically focussed on breaking web services but can extend to hiding in toilets to try and gain entry to an organisation’s office.
Career progression will be an increased focus on security research and conference presentations. Breakers rarely have to don a suit and are more often seen bent over a long black, late in the morning, having worked through the night because that’s when they are at their best.
Understanding the mindset of an attacker is a great foundation for any security role but this does not necessarily foster strong empathy, meaning breakers don’t move on to be builders. There can be associated consulting services but they tend to present as a review, highlighting what could be done better more than how to do it.
Contributors is the catch all for everything else. Security analysts, consultants, architects and managers. As a contributor you are more focussed on contributing to a wider business solution and consequently your focus can be broader rather than deeper.
Security analysts might review security events but they will originate from a variety of devices that a security consultant helped design. Security architects contribute to wider solution or enterprise architecture and managers focus on the making a range of security functions work within the business while managing budgets, people and risk. Smaller organisations will experience increased overlap in these roles which can be both an opportunity and a risk.
As an analyst, becoming a manager may be a significant opportunity but each role requires different background and focus. A review against ISO standards may be a valuable output from an analyst but if a Security Manager is doing this instead of budgeting for the next financial year, wider issues may present. Contributors need to build better working relationships across an organisation. Heavy metal tshirts may be popular at a hackers conference but could be considered disrespectful at a risk meeting.
Whether a builder, breaker or contributor, you can elect to be external or internal. The current market is certainly demanding a large number of external roles suggesting a focus on tactical initiatives.
Organisations are seeking independent advice to explain where they are and what they should do or specialist assistance within a specific project. An agile security specialist will be welcomed into most organisations with open arms. As agile practices are adopted, organisations need to ensure security is designed up front and built in from day one.
Working as an external resource provides you with the independence to make recommendations without worrying about career related factors (providing of course that the person paying for your times is happy with it). Relationships are critical.
Roles certainly exist for internal positions but the style of work is different. Internally you have an organisational mandate so are less influenced by commercial relationships but you have to keep turning up each day.
Recommendations from internal security practitioners need to be something that is appropriate and deliverable more than an ideal based on best practice.
There are currently a large number of opportunities to work in information security. As organisations mature in New Zealand, the seniority of these roles is also lifting in line with other markets such as the United States and Europe.
There is also the opportunity to work offshore where opportunities are more specialised and better remunerated. While this article divides the roles into build, break and contribute, you can move between them and between internal and external roles. The important thing is that the employer is clear what they are looking for and the employee is clear on the expectations and implications.
Simon Burson is the security manager for Paymark.
Send news tips and comments to firstname.lastname@example.org
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.