Lately there have been some articles and conversations around the security profession, particularly the ‘how to get started’ aspect. My good friend Aamir Lakhani wrote a great article on getting started in cyber security (https://www.doctorchaos.com/getting-started-with-a-career-in-cyber-security-and-information-security/).
I thought I would add some additional considerations for aspiring security professionals by describing the two primary aspects of operational security. There are certainly more facets to a security program than fulfilling a defensive or offensive role within the portfolio of services provided to the supported business. For instance, consider the following security program positions:
Executive management, such as a Chief Information Security Officer role
Risk management – the operational identification of business or operational risk and how best to manage it within resource constraints
Security compliance management – assuring alignment with organizational and industry standards or requirements
This short article will focus on the two primary roles individuals typically fulfill within a security organization: the defensive position and the offensive position.
As a side note, many organizations are resource-challenged when it comes to adequately trained and experienced personnel. The actual role a person plays can be one, the other, or at times both. For instance, when determining risk and how best to minimize it within an organization, the security professional must think in terms of both offense and defense when creating risk treatment options. Whether an offensive or defensive role is leveraged depends on the availability of resources, the security posture or situation at any given moment, and the approach used to assign responsibilities and tasks within the security organization.
Defensive security can be thought of as the things in the background that provide a program with the adequate framework, controls, goals, and business interaction to deliver the security program portfolio. Think in terms of a security strategy, policies, standards, and guidelines. Also think in terms of communicating the security strategy to the business, or providing some assurance of compliance with the stated security program requirements. Technical and non-technical controls are formulated in response to organizational requirements to deliver security services according to the needs of that organization. Defensive security also entails designing and implementing a secure architecture that integrates with the IT infrastructure and enables the business. Technical solutions are interlaced to provide a cohesive and layered approach for protecting critical IT assets and business processes. For instance, industries… all industries require all of the following skills.
The organizational structure, maturity, and availability of resources drive the fulfillment of the following roles. I know there was a caveat about not having all roles defined, but for a primer on offense vs. defense this is just too thin. I would need to expand this out quite a bit. Give me another day to think about this… even if I state this is a view of offense/defense from a technical perspective, it will probably need some serious fleshing out or a rewrite.
The hardest thing is that you told me not to do too much to it, but it really needs a ton of work. HAVING SAID THAT… I really like the concept of describing roles within a security organization as offense or defense. It is simply tough to call a particular role one or the other. For instance… is a CISO a defensive player or an offensive player? What about the person monitoring the SIEM for intrusion activities? Defensive players turn into offensive players rapidly when shit hits the fan.
Security Architecture
Before you start, you typically need to architect your security with the goal of reducing risk to the business. This position will usually work closely with Security Management, or could be the same role as Security Management. These positions plan out what security controls (technologies) to implement and how they relate to the overall system architecture. These controls can be technical, process, or people, and should address the Confidentiality, Integrity, and Availability of the company's assets. Security architecture is typically the technical overlay to an IT structure.
Security Technology Management and Monitoring
Once the technology controls are chosen, at some point they need to be installed, configured, and then managed on an ongoing basis. These positions are typically responsible for your security technology, such as Next Generation Firewalls, e-mail security, endpoint security, web filtering, etc. Depending on the size of the company, positions may be available specifically for the ongoing management and monitoring of these technology controls. These positions usually work in what’s called a Security Operations Center (SOC).
This is simply not true… many organizations have an advisory approach for security controls. The security team creates the requirements and the IT staff actually implements accordingly. Think firewall admin or management vs. monitoring. The SOC is a monitoring and response function, not necessarily consisting of a group of people that implement the technologies. Smaller organizations – maybe. Also, many orgs outsource SOCs. I think the statements throughout the following are pretty pointed vs. describing the nature of the role and how it interplays with a security program.
Deep technical knowledge in many technologies is ideal, but companies at a minimum want you to have a good understanding of NG firewalls from major vendors like Check Point, Cisco, Fortinet, and Palo Alto. What about hunter/killer teams, incident response/forensics, SIEM knowledge, etc.?
Technical: These positions are very technical in nature, and a solid understanding of technology in general is usually required.
These positions can range from entry level to senior level positions.
Security Engineer, IT security Engineer, Security Analyst, Security Operations Engineer, Security Operations Analyst.
These are probably the most common, as they are sought after in most companies across all industries. Companies looking for SOC positions will usually have a more mature security program.
Incident Response and Forensics
Application Security/Secure Coding (Developer)
Security Analytics /Data Science
Network/System/Application Ethical Hacking
Keep in mind that in all of these positions these days it is very useful to have good programming skills, or at least a good understanding of programming.
At a minimum, scripting skills in a language such as Python should be in your tool belt.
Keep in mind there are many other job positions out there that we did not even discuss.