In one of my recent posts, Getting Started in Infosec, I called out a variety of roles that exist in Information Security (infosec). In this post, we’re going to take a look into those roles and get a glimpse into what it looks like to work in different positions.
I’d like to give a shoutout and huge thanks to everyone who responded to my Twitter post where I solicited 280-character day-in-the-life descriptions of their jobs.
We’ll start by taking a look at what the more broad job areas are in infosec (aka those I called out in my other post), and then we’ll check out what people said they do in their specific roles. Let’s go!
General Infosec Areas#
This section is not at all exhaustive, but expands upon roles and areas mentioned in my Getting Started in Infosec post.
- Application Security: Testing software for anything that could be exploited (bugs, vulnerabilities) and building in secure functionality
- Static Code Analysis: Performing analysis of code by using static analysis tools (this is ideally an inherent part of developers’ pipelines, not done separately)
Infrastructure (systems, networks, & pipeline) protection:
- Network Security: Architecting networks, implementing security solutions, re-architecting insecurely implemented pieces of the network
- System Administration and Hardening: Protecting users and the company through system set-up, debugging, and maintenence
- Cloud Security: Protecting company and user data floating around in the sky
- DevOps Security: Integrating and maintaining secure infrastructure and pipelines (like static code analysis is ideally done by developers, security is ideally an inherent aspect of DevOps engineering)
- Red Teaming: Accomplishing a specified objective and preventing a system from operating as expected
- Penetration Testing: Finding as many vulnerabilities in a system as possible within a specific timeframe
- Blue Teaming: Defending a system/network; often falls under alternative titles, e.g. incident response
- Incident Response: Identifying and responding to incidents (e.g. attacks, data breaches) discovered on your systems and networks
Day in the Life#
Let’s see how people in the community explained their jobs! I couldn’t include everyone’s answers, so check out the thread for even more jobs and descriptions.
Penetration Testing Consultant:
Consultant: Penetration Tester— Tinker (@TinkerSec) February 19, 2021
I hack, break into, & con targets. As I am able to do so, I show my clients how I did so so they fix the vulns I find.
I test & write the report in:
1 week - Hack into network/app
3 days - Break into building
Then I do it again. And again.
Security Analyst:— Nathan Pavlovsky (@secnate) February 19, 2021
Monitor what is going on in the network environment and react to anything bad going on. Also configure tooling to ensure better detection of bad activity
I am a Security Engineer working in infrastructure and applied cryptography.— Lance R. Vick ( @firstname.lastname@example.org ) (@lrvick) February 19, 2021
I mostly remove single points of failure in high value systems be they code dependencies, humans, or systems.
Custom Linux operating systems, custom hardware security modules and TEEs, etc.
Endpoint Security Engineer - Implement and test security baselines (minimum config guides), develop and test security controls, consult on policy, provide security solutions to business, conduct CI/CD of current processes, identify and create automation of current environment— FileswithThreateningAuras (@IAintShootinMis) February 19, 2021
I'm an Info Sec Engineer. I spend part of my time building tools for our detection analysts to get better insight into our network, and part of my time working on large enterprise projects to keep them in line with the standards established by the Security Architects.— Matthew Gracie (@InfosecGoon) February 19, 2021
Sr. InfoSec Analyst— Marshall Banana (@_mbanana) February 19, 2021
I attend ALL the meetings, threat hunt, do IR, configure security products, ensure the VulnMgmt program is kept up with, tune SIEM alerts, write docs, and help mentor jr. analysts
I also work with GRC to put policies and procedures in place if missing
Application Security (AppSec) Engineer:
Lead AppSec Engineer. I audit + choose tooling for CI/CD, manage vuln discovery programs, automate as much attack surface discovery as I can, and spend the other 25 hours of my day training engineers/QA on secure development practices. Sometimes I even get to hunt bugs.— Kurt Boberg (@lapt0r) February 19, 2021
Security Architect and thanks to lawyers that’s pretty much all you get. Which is unfortunate as architects and engineers are what delivers security. And we need more of them.— Tim Shea ( 🔴✈️ ) (@SecShea) February 19, 2021
Security architect - write up what is sort of the ‘security view’ for technical implementations and general question and answer box. I can’t write up my average day due to current client.— Cassandra Browning (@ActualCassandra) February 19, 2021
Cyber Crime Investigator:
Cyber Crime Investigator— Sin (@sinwindie) February 19, 2021
I'm mostly focused on attribution and intelligence. Identify who caused the problems and get them snatched up by local authorities.
Threat Hunter— Alex Butcher (@alexjbutcher) February 19, 2021
* Learn about new exploits of vulnerabilities, and adversary TTPs
* Create detections for them
* Test them, or work with pentesters to do so
* Examine alerts from existing detections and either raise as security incidents, or refine to tune out false positives
Incident Response Analyst:
-IR Analyst - Public Hospital— Higinio “w0rmer” Ochoa (@0x686967) February 19, 2021
1. Monitor / Report / Triage on events from our many systems including EDR , AV, and Email.
2. Design / Update / Model new policy, workflows and test/update existing.
3. Intelligance gathering, brief creation.
4. Wrangle cats.
Sr Security (Detection) Engineer— rez0 (@rez0__) February 20, 2021
I write detection logic, add features to the detection engine, write normalization config, add features to the normalizer, test detection logic, etc.
Head of Countermeasures and Production Support.— Rubix1138 (@XavierAshe) February 19, 2021
Countermeasures is a team that owns the security policy in all of security tools. They make sure that the tools properly block and detect threats, while processing exceptions for the business.
Technical Meets Business
Formerly a technical writer in data security. I was documenting encryption software + took care of all the surrounding texts ranging from API docs to marketing brochures, website content, or large scary white papers. I didn't even have to write code to work in security tech.— Karen Sawrey (@krnswry) February 19, 2021
Technical Writer and Evangelist:
Technical Writer / Technical Evangelist - I work with technical (developer, front-end, engineering manager) teams and set up my own labs to test and develop documentation enabling administrators, analysts, and developers better use the platform, develop integrations, and more.— superruserr 🇦🇺🇩🇪 (@superruserr) February 19, 2021
With a TE position, you work directly with the users and actually provide scripts (configuration scripts like YAML), actual snippets, etc.— superruserr 🇦🇺🇩🇪 (@superruserr) February 19, 2021
Documentation work can be best practice/SME work, narrative style, or procedural.
This is especially the case with non-UI software.
Privacy and Security Attorney:
Privacy and data security attorney.— Jacob Tewes (@FlyingLawyer) February 19, 2021
I help companies balance infosec and privacy risks when they work together, set up their own shops in ways that minimize or mitigate those risks, and help them clean up the mess when bad things happen.
Cyber Audit: Audit policy, implementation, Controls. Participate in implementation for compliance consulting. Advise on CyberSec trends and methods. Connect Org policy and cyber goals to actual day to day of Ops and SecDesk through findings and consulting. Liason to sr Mgmt, etc— dvorakative 🦋 (@dvorakative) February 19, 2021
Software Engineering Consultant:
SE / Consultant at a Cisco Partner. Design / Sell / Deploy / Fix / Support networks, network security, endpoint security & network management solutions. Create / maintain micro services in AWS / Python. Create / use LAN automation tooling w/ ansible. Train admins. Help sales.— Richard Atkin (@UKRichA) February 19, 2021
CEO at pentest company. I divide my time between arguing with clients about whether they need a pentest to double check their security efforts and arguing with clients about why the vuln is in fact a critical and therefore they cannot pass compliance until fixed.— Scarab (@5C4R48) February 19, 2021
Founder/CEO of sw product. Keep the wheels on today while trying to map the course for the next year across product roadmap and scaling the org.— Lord CyberBottom 🦄, 7th Duke of DNS, Earl of Pwn (@brysonbort) February 19, 2021
Chief Information Security Engineer (CISO):
CISO of Americas for a mega sized int Corp.— Phoenix (@APhoenixinflame) February 19, 2021
I limit security risk, develop security strategy, and infuse security concepts in to our organization while fighting to justify budget and headcount. We have 2 SOCs, a threat hunting team, an DFIR dept, etc and I oversee all of it.
Chief Security Officer (CSO):
Chief Security Officer for a large utility. My main role is defending the company from cyber attacks. I do this by ensuring all our IT/OT is secure, by educating, by setting high standards for reporting. My day is filled with influencing, setting direction, making decisions.— Jon (@samuriinbred) February 19, 2021
Director of Security:
Director of Security. I work across the organization to implement and maintain both infrastructural and corporate security as well as work with potential customers to assure delivery of a secure product. Take away the buzzwords and I’m a jack of all trades with a senior title.— aloria (@aloria) February 19, 2021
Director of Threat Research:
Sr director threat research. I work at a vendor leading a team of consummate bad asses who work to protect millions of people from threats every day. My day is spent talking about that and watching the threat landscape.— 📬 Sherrod DeGrippo (@sherrod_im) February 19, 2021
Director of Identity Access Management (IAM):
Director of IAM products at a Fortune 100 co.— Jamie Wallace (@jamiemw) February 19, 2021
Spend my day coaching team, planning more secure + better UX, & reviewing program status.
Security Operations Center (SOC) Manager:
SOC Manager - I lead a team of individuals in monitoring and responding to threats inside our clients environments. I attend a copious amount of meetings and work to ensure that my team is taken care of and empowered to do their jobs.— De-CERT (@Dehyphencert) February 19, 2021
I’m an engineering manager of the privacy engineering team. I make sure people work together amicably and also provide the vision of the team. I sit in meetings a lot, and do a lot of coaching/mentoring. I moonlight as a bugfixer and a project manager.— shh (@worldwise001) February 20, 2021
Life as a line manager often means you spend most of the time doing management, but sometimes you jump in and don your technical/engineer hat to do some things. Like I’m still on the oncall rotation and that’s very eng heavy.— shh (@worldwise001) February 20, 2021
I manage a small team of IT support and governance staff for a global software Dev and hosting co. I am juggling 3 external audits, controls development, advising dev teams in secure coding and privacy by design for cloud eng, web and mobile apps, sales q's from clients, vuln mgt— av (@avbsec) February 19, 2021
There are so many types of jobs in infosec, and there are more roles than any of us could name. Hopefully this post helped you get an idea of what kinds of opportunities and roles exist, and maybe even gave you some ideas of what you’d like to try out.
One more big thanks to everyone who shared job descriptions, this was a really fun post to do with the community!