©Shutterstock/GorodenkoffNo one, single career path called “cybersecurity” exists. The profession has many nuances, and different paths along which people’s careers can progress.
Security engineer
Security engineers come in multiple types, but the vast majority are hands-on technical folks who build, maintain, and debug information security systems as part of organizational (corporate, government, or nonprofit) projects. Security engineers working in the professional services arms of vendors may also help ensure that software being deployed at clients is done so in a secure fashion.Security manager
Security managers are typically mid-level management within larger enterprises who have responsibility for some specific area of information security. One security manager, may, for example, be responsible for all of a firm’s security training, and another may be responsible for overseeing all of its internet-facing firewalls. People in security manager positions typically perform less hands-on, technically detailed security activities than do the folks who report to them.Security director
Security directors are the people who oversee information security for an organization. In smaller firms, the director is usually the de facto chief information security officer (CISO). Larger firms may have several directors responsible for various subsets of the firm’s information security program; such folks, in turn, usually report to the CISO.Chief information security officer (CISO)
The CISO is the person responsible for information security throughout an organization. You can think of the CISO role as being that of the chief of staff of the organization’s information-security defensive military.The CISO is a senior, C-level management position. Serving as a CISO usually requires significant management knowledge and experience, in addition to an understanding of information security.
Security analyst
Security analysts work to prevent information security breaches. They review not only existing systems, but study emerging threats, new vulnerabilities, and so on in order to ensure that the organization remains safe.Security architect
Security architects design and oversee the deployment of organizational information security countermeasures. They often have to understand, design, and test complex security infrastructures and regularly serve as the security team member who is involved in projects outside of the security department as well. For example, security architects would design the security needed for a custom application an organization is designing and building; they also help guide networking folks as the latter design various elements of corporate IT networking infrastructure.Security administrator
Security administrators are hands-on folks who install, configure, operate, manage, and troubleshoot information security countermeasures on behalf of an organization. These folks are the ones to whom nontechnical professionals often refer when they say “I am having a problem and need to call the security person.”Security auditor
Security auditors conduct security audits — that is, they check that security policies, procedures, technologies, and so on are working as intended and are effectively and adequately protecting corporate data, systems, and networks.Cryptographer
Cryptographers are experts at and work with encryption, as used to protect sensitive data.Some cryptographers work to develop encryption systems to protect sensitive data, while others, known as cryptanalysts, do the opposite: analyzing encrypted information and encryption systems in order to break the encryption and decrypt the information.
As compared to other information security jobs, cryptographers disproportionately work for government agencies, the military, and in academia. In the United States, many government jobs in cryptography require U.S. citizenship and an active security clearance.
Vulnerability assessment analyst
Vulnerability assessment analysts examine computer systems, databases, networks, and other portions of the information infrastructure in search of potential vulnerabilities. The folks working in such positions must have explicit permission to do so. Unlike penetration testers, vulnerability assessors don’t typically act as outsiders trying to breach systems, but as insiders who have access to systems and have the ability to examine them in detail from the start.Ethical hacker
Ethical hackers attempt to attack, penetrate, and otherwise compromise systems and networks on behalf of — and with the explicit permission of — the technologies’ owners in order to discover security vulnerabilities that the owners can than fix.Ethical hackers are sometimes referred to as penetration testers or pen-testers. While many corporations employ their own ethical hackers, a significant number of folks who work in such positions work for consulting companies offering their services to third parties.
Security researcher
Security researchers are forward-looking folks who seek to discover vulnerabilities in existing systems and potential security ramifications of new technologies and other products. They sometimes develop new security models and approaches based on their research.As far as ethics are concerned, and as far as most jurisdictions are concerned, a security researcher who hacks an organization without explicit permission from that organization is not a security researcher or an ethical hacker, but simply someone breaking the law.
Offensive hacker
Offensive hackers attempt to break into adversaries’ systems to either cripple the systems or steal information.In the United States of America, it is illegal for a business to go on the offensive and attack anyone, including striking back at hackers who are actively trying to penetrate the organization. As such, all legal offensive hacking jobs in the United States are government positions, such as with intelligence agencies.
If you enjoy attacking and are not satisfied with just ethical hacking, you may wish to pursue a career with the government or military. Many offensive hacking positions require security clearances.
Software security engineer
Software security engineers integrate security into software as it is designed and developed. They also test the software to make sure it has no vulnerabilities. In some cases, they may be the coders of the software itself.Software source code security auditor
Software source code security auditors review the source code of programs in search of programming errors, vulnerabilities, violations of corporate policies and standards, regulatory problems, copyright infringement (and, in some cases, patent infringement), and other issues that either must, or should be, resolved.Software security manager
Secure development managers oversee the security of software throughout the software’s lifecycle, from initial business requirements gathering all the way through disposal.Security consultant
There are many different types of security consultants. Some advise corporate executives on security strategy, serve as expert witnesses, or help security companies grow and succeed. Others are hands-on penetration testers.Others may design or operate components of security infrastructure, focusing on specific technologies. When it comes to security consulting, you can find positions in just about every area of information security.
Security specialist
The title security specialist is used to refer to people serving in many different types of roles. All of the various roles, however, tend to require at least several years of professional experience working in the information security field.Incident response team member
The incident response team consists of the de facto first responders who deal with security incidents. Team members seek to contain and eliminate attacks, while minimizing the damage from them. They also often perform some of the analysis into what happened — sometimes determining that nothing requires any corrective activity.You can think of incident responders as roughly the equivalent of cybersecurity firefighters — they deal with dangerous attacks, but sometimes get called in to verify that there is no fire.
Forensic analyst
Forensic analysts are effectively digital detectives, who, after some sort of computer event, examine data, computers and computing devices, and networks to gather, analyze, and properly preserve evidence and deduce what exactly happened, how it was possible to happen, and who did it.You can think of incident responders as roughly the equivalent of law enforcement and insurance company inspectors who analyze properties after a fire to determine what happened and who might be responsible.
Cybersecurity regulations expert
Cybersecurity regulations experts are knowledgeable in the various regulations related to cybersecurity and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.Privacy regulations expert
Privacy regulations experts are knowledgeable in the various regulations related to privacy and help ensure that organizations comply with such regulations. They are often, but not always, attorneys who have prior experience working with various compliance-type matters.Understanding the expected tasks of each cybersecurity role can help you determine which career path is right for you.