Choosing the Right Cyber Security Career

Sarah Morrison
June 5, 2022

I have been back in the corporate world for almost three years now. Before this, I spent a few years working in the classroom at Macquarie University. When a full-time job came up, I applied but did not get the job. It is funny how things work out. I honestly believe that sometimes things happen for a reason. I love my current work and my team, and I also get to work with my husband, a concept a little strange for some but something that works for us. 

During my time back in the corporate world, I have had a lot of applicants and have interviewed many of them for governance, risk and compliance (GRC) positions. I am very picky, and the interviewee must go through a rigorous process. However, one thing that has surprised me is the lack of understanding of the varying information security positions by graduates. I have often advertised for an Associate Security Consultant for GRC. I get people interested in security operations centre (SOC) or penetration testing roles who clearly do not understand what GRC is, or that information security extends past penetration testing work. This is not because the candidates are unintelligent, nor is the candidate trying to get into one area of the company to schmooze their way over to another side of the organisation (well, in most cases, it is not the case).

Rather, I would suggest it is to do with the fact that we are not educating students on the complexities of working in information security. I saw it during my time at Macquarie, and I have now experienced it through the many interviews I have had with students wanting to take on an Associate role. How can we expect to fill the gap in information security if we are not educating students on the varying roles within this industry? This article aims to do just that and provide some perspective on the varying roles within information security. It will focus on penetration testing, SOC positions, GRC and security engineering. I am not suggesting that these are all the roles available in information security, but they are, in my opinion, the foundational roles. As such, we should be providing students with an introduction to all these areas so that they may make an informed decision about which area they would like to move into, or at least start in.

Please note, this article is a high-level summary, and I am sure that I have left some things out, but as I write, I already realise that this article will be longer than I intended! Like all roles, they vary between organisations, but this article will hopefully give you a better understanding of the focus areas and the day-to-day responsibilities within each of these roles.

Penetration Testers

One of the best-known areas of information security is penetration testing, often referred to as pen testing, ethical hacking or white-hat hacking. In this job, you are paid to simulate a threat actor (hacker) attacking an organisation. The idea is to identify vulnerabilities that could be exploited by a threat actor so the organisation can fix them before someone malicious actually finds and uses them. There are many types of pen test. Internal pen testing is where the threat actor is already inside the internal network and attempts to gain access to internal resources and data. External pen testing is where the attacker starts from outside the organisation’s network and attempts to gain access to internal resources. Web application pen testing is where someone tries to gain unauthorised access to a web-based application, or to elevate privileges within the application to reach data they are not authorised to access. API testing attempts to subvert the API calls used between systems to gain unauthorised access to systems or data. Mobile pen testing, as you may guess, attempts to compromise a mobile app and its data, such as an iPhone or Android application. To be a pen tester, you need a deep understanding of the building blocks of computers, networks and applications. For some people, this comes naturally. My husband has been on computers since the 1980s, and it frustrates me how he just gets and knows all things technology. I will be googling away madly to work out how a certain type of technology works, and he will relay back to me that logically it can only work “this way”, and of course, he is right.

Today, you can go to university and get a degree to help you start your career, but you will likely not pass your interview if you are not honing your skills through outside learning and practice that goes beyond your university syllabus. Capture the flag competitions, hacker conferences like B-Sides Canberra, and hacker meet-ups can help you in this regard. Don’t be afraid to reach out to people via LinkedIn and at conferences. I know this can be hard sometimes, but remember, most of the people you see on stage at these events or who write articles on new research or exploits were once new to the hacker culture too, so you may be pleasantly surprised by the type of response you get. The hacker/infosec community has always been built on openly sharing information.

Security Operations Centre (SOC)

A SOC’s primary goal, in its simplest form, is to detect, analyse and respond to security incidents. While pen testing is seen as proactive in finding and closing vulnerabilities before they can be exploited, a SOC is traditionally reactive in that it responds to a cyber incident once it has occurred. Today’s SOC also undertakes active threat hunting, designed to identify threats before they impact an organisation, but this is an expensive exercise and requires a much higher skillset. Not all SOCs can be proactive in this way. Further, not all organisations can afford or justify the expense of a SOC, so this service is often delegated to an external organisation as a managed service.

A SOC employs people, processes and technology to monitor and improve an organisation’s security posture. It relies on automated collection of data from across the organisation, such as from websites, applications, databases, desktops, servers and networks, and monitors these logs for any sign of compromise or nefarious activity. If something is detected, the SOC will then analyse the threat and respond to it accordingly.

There are several jobs associated with the SOC, including automation technicians, who develop and tune the technology so that a real threat is not hidden in the noise; forensic analysts, whose main goal is to determine how the compromise occurred and what has been affected; and SOC analysts, who monitor and investigate alerts.

Security Engineers

A security engineer’s basic function is to design, implement and maintain an organisation’s security systems. In this sense, a security engineer’s role is proactive as the role involves addressing security weaknesses by implementing technical controls to reduce the risk of an attack being successful. Security engineering should form part of any organisation’s design, development, and implementation of technical controls. Depending on the organisation, this may include, for example, ensuring that the roll-out of new technology is undertaken securely.

Often a security engineer will perform various jobs within an organisation, including responding to the findings of penetration test and vulnerability reports, creating firewall rules, and managing encryption within the organisation. Most importantly, in my opinion, a security engineer should have a solid understanding of network design and architecture.

Governance, Risk & Compliance (GRC)

Working in GRC, I admit that I am very biased toward this role. A person working in GRC is expected to understand all the positions mentioned above and how these roles can be leveraged to secure the organisation. In this sense, the primary purpose of GRC is to work with organisations to develop a security strategy that aligns with and supports the business, and then help implement this strategy. As such, GRC is proactive. The consultant will work with the organisation to identify security gaps, either through an information security risk assessment or a gap assessment against a security framework such as ISO/IEC 27001:2013 or NIST’s Cybersecurity Framework. Once a gap is identified, the GRC consultant will work with the business to define the process or policy the organisation will adopt to address the gap, test the process or policy to ensure it works, educate the right people on the new process or policy, and then report on how successful (or, in some cases, how unsuccessful) the new process or policy has been. The GRC consultant will also advise on the use of, and leverage, the other roles above to identify further gaps (penetration testing), implement technical controls (security engineering) and identify and respond to incidents (SOC). The GRC consultant must also translate what I like to refer to as “IT speak” for executives and board members. Hence, they need to have a strong understanding of the puzzle pieces within information security and how they apply to business risk.

The last part of the GRC consultant’s role is to understand any legislative, regulatory or contractual requirements an organisation may have, for example the Australian Privacy Principles and an organisation’s obligations when reporting to the Office of the Australian Information Commissioner. In terms of technical skills, a GRC consultant does not need to know how to code or conduct configuration reviews, but does need to understand the general principles of technology. I started my career in development before moving into internal fraud and corruption investigations, then IT risk, teaching security studies whilst undertaking a major research project in cyber-warfare, and now I am pure GRC. Having had this experience has helped provide me with a strong understanding of GRC and how all the puzzle pieces fit together. It has also given me the confidence to talk to executives and boards with the realisation that I know what I am talking about.

As mentioned at the start of the article, these are not all the information security positions available, but they are the building blocks for me. For example, a skilled pen tester may move over to red team engagements, where they get to write exploits and attempt to penetrate an organisation via physical and social attacks, as well as technological means.

I hope this article at least provides a start to further research for graduates wanting a career in information security or sparks an interest for those graduates sitting on the fence. Goodness knows we are facing a major shortage in the industry.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
