Understanding the Information Security Industry
SecOps, Incident Response, Vulnerability Management, Risk Analysis…where do I start?
The information security industry is very large and there are many different career paths to be considered. Googling “jobs in information security” likely results in something like this:
For someone whose interest has been piqued but who hasn’t really been exposed to any of the available career paths, seeing something like what’s in the screenshot above can be overwhelming. How can you successfully kickstart your career if all of the options have you confused with where you should begin?
The number of positions in the industry seems endless but here are some of the most common ones that you’ve probably come across in your searches:
Cyber Threat Intelligence Analyst
Incident Response Analyst
CISO (Chief Information Security Officer)
ISO (Information Security Officer)
Outside of maybe the engineering role and the CISO/ISO, the majority of these positions are ones you can start your career off in.
There’s much more to it though.
There are various branches of the InfoSec industry: infrastructure security, endpoint security, application security, intrusion detection/prevention, incident response, vulnerability management, risk and compliance, and data protection/privacy.
Determining what positions most interest you is one thing, but figuring out which area you want to work in is just another aspect that can add to your stress and anxieties of getting started in the InfoSec world.
To help you make sense of where you might want to start, this article will walk you through the high-level security teams that exist in most organizations today and what members of those teams do in their roles.
When many read the term security operations, they think of what’s called a SOC, or Security Operations Center. A SOC is essentially the hub of a security program. The teams that make up an organization’s SOC are the ones actively monitoring and responding to alerts and performing investigations.
CompTIA defines a SOC as, “a team of experts that proactively monitor an organization’s ability to operate securely.”
What a lot of people getting started in the industry don’t realize is a SOC is only one aspect of Security Operations.
The term Security Operations, SecOps for short, actually refers to the overall security program, which includes the SOC but also the infrastructure aspect of Security: security tools and technology, endpoint security, infrastructure security, vulnerability management, etc. The SOC, while important, is just one piece of the overall program that an organization should have in place.
I mention this because a common misconception of the InfoSec industry is that we’re all actively investigating and responding to alerts all day, every day. That’s far from the truth. In my role as a security engineer, I don’t even receive alerts and only get involved in “all hands on deck” type incidents (malware, ransomware, etc.).
Much of the day-to-day alerts are investigated and handled by the SOC, while the rest of the members of the SecOps team are doing tasks that pertain to asset security, vulnerability management, and security tool administration or implementation.
In addition to the various aspects of a SecOps program, like sports, there is a defensive and offensive aspect to security.
The defensive (blue team) aspect focuses on defending an organization; pretty much all those activities I mentioned earlier. While the SOC is actively working to defend their company, the other parts of the SecOps program are indirectly helping to defend against cyber threats as well via the physical, technical, and administrative controls they implement and maintain.
Offensive security, or red team, on the other hand, focuses on testing the defensive strategies and technology in place by using ethical hacking skills to get past the controls. Red teamers’ responsibility is to essentially mimic a malicious actor so the organization can continuously strengthen its security controls based on the results of the red team’s testing.
In more recent years, a third “team” has been coined the purple team. While not all organizations have a dedicated purple team or even a red team, the purple team is focused on web application security.
With the rise of DevOps and the shift to the cloud, organizations’ threat landscapes have increased due to the fact that they’re one misconfiguration away from a cyberattack on public-facing applications.
As a result, many organizations are hiring security professionals specializing in web application security. These individuals are responsible for assessing, analyzing, and reporting on web application vulnerabilities, and working with the respective IT teams to remediate critical findings to ensure the security of the apps.
While this isn’t a comprehensive overview of all of the teams and roles that make up a SecOps program, these functions are in place at most organizations today. Of course, there is no single security program. Every company will approach security differently therefore the functions may differ but, for the most part, all organizations should have some level of asset security, detection and response capabilities, security engineering, and vulnerability management. Key word being should…
Risk & Compliance
So far, we’ve covered the operational side of information security but there is also a whole, less technical, side to information security. After all, information security doesn’t just mean protecting the network and systems within an organization. We also need to ensure we have security policies in place, we’re managing risk, and assessing compliance against policies and regulations.
The risk and compliance function of the InfoSec program also usually encompasses the security awareness program and data security and privacy. The security awareness program involves educating staff on the company’s policies and performing simulations to help them better identify security threats.
The data security function focuses on ensuring the organization is effectively protecting their sensitive data and the data they process by properly classifying the data and employing policies and controls to prevent unauthorized access, disclosure, and modification.
Depending on how the organization’s risk and compliance department is structured, there may be dedicated teams for these functions I’ve mentioned, like a risk management team, a data privacy team, and a compliance team. Smaller organizations with small security teams, however, may have one information security team that is responsible for it all, in addition to the security operations functions we discussed above.
While the organization’s structure may differ, the roles of the individuals on these teams generally stay the same from company to company. Although specific industry regulations may result in additional compliance requirements for one company compared to another, in general, risk and compliance analysts are responsible for assessing and managing risk and performing audits to ensure compliance with the policies in place.
I’m not going to go too in-depth on risk management because there is a lot more to it than just “assessing risk”, but if you’re interested in learning more, you can check out my previous article on the topic, Intro to Risk Management.
At a high level, risks exist in any organization in their people, processes, and technology. Risk management is the practice of assessing the risks that exist, prioritizing those risks in terms of the threat they pose to the organization, and taking steps to reduce or mitigate them.
The compliance function can go hand in hand with risk management as non-compliance poses risk to organizations. Because of this, oftentimes the risk and compliance departments are combined into one and the teams work closely to achieve both.
While the risk function focuses on reducing the overall risk an organization has, the compliance piece is more about ensuring we’re doing what we say we’re doing. It essentially helps answer the question: Are our people, processes, and technology aligned with the policies we have in place and regulations that are applicable to the organization?
Compliance analysts help to answer these questions through assessments of business and operations processes, and the technology that makes up the infrastructure. They aid in ensuring the procedures in place achieve the objectives of company policies and more importantly, don’t violate those policies or industry regulations.
Depending on the type of organization, the compliance department might also perform periodic internal audits as a way to prepare for external audits. We can compare it to preparing for a test: most of us wouldn’t go into an exam without having properly prepared and studied for it. Similarly, organizations need to prepare for audits before they happen. Performing internal audits helps to find gaps or violations so they can be fixed before the external audit occurs.
The information security industry is about a mile wide and 10 miles deep. There is so much to it that even I, someone who has an industry-recognized certification and multiple years of experience, don’t know it all. It’s why there is no single information security expert. There is too much to it that any one person can’t know everything there is to know about the topic.
This is why it’s important to explore the various functions and find one you’re most passionate about. While you can have a passion for the topic as a whole, everyone will also have one or two areas that speak to them the most. For me, that’s threat intelligence and engineering.
For those getting started in the industry, I can’t stress how important it is to explore your options. That is the only way you’re going to get an idea of which areas you like and don’t like so you can decide on the next steps of your information security journey.
As I mentioned earlier, this isn’t a comprehensive overview of all of the functions in the security industry, but it should be enough to give you an understanding the industry as a whole and the areas that may interest you.