AviD
As niche as "security" seems, it actually encompasses a few main types of roles, and a couple of areas of coverage. These are actually quite different...

  • Enterprise IT security department
    These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maaaaybe some enterprise-wide initiatives (e.g. SIEM, IdM, etc), and an occasional Incident Response. Also probably give a security PoV on purchasing 3rd party products (whether COTS or FOSS), and in any outsourcing RFP.
  • Security team in development group (either in enterprise or in dev shops)
    Mostly deal with programmer education and training, some security testing (or handling external testing, see below) - this includes both pentesting and reviewing code, maybe defining security features. Some orgs will have the security team also managing risks, participating in threat modeling, etc.
  • External consultant / auditor / security tester
    This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, serving as the security expert, go-to guys for the other types of organizations, such as supplying all the relevant advice.... therefore usually expected (though not necessarily the case ;-) ) to be more up to date than anyone else.
  • Researcher
    This can include academic-level research, such as cryptologists, and also research departments in some of the larger security vendors, researching and searching for new exploits / viruses / attacks / flaws / mitigation models / etc. These can actually be quite different, vendor research is often treated as product development, whereas academic research - well, I can't really speak to that, since I don't know...

Likewise, in all the above there are different areas of expertise, and an expert in one won't necessarily have anything intelligent to say in any other area:

On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them - and it is not always shared expertise.

There are probably even more niche-niches that I'm skipping over, but you're starting to get the picture.... As you can see, what a security guy or gal does on a day-to-day basis is as wide and varied as the companies in which they work, and the systems which they work on. Most often, this DOES require shifting several hats, and working mostly on short tasks... BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether it's mostly a technical job such as defining firewall rules, or communicating with the business and lawyer types about the organization's current security posture.

As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be a network engineer? Great, start with focusing on network security, and go from there.
You're currently a systems administrator? Wonderful, you've probably worked a bit on security already, start learning more in that field.
You've been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc... Learn some more, figure out what you're missing, and then give me a call ;-).
And so on... On the other hand, if you have no background and want to START in security, that's tougher - because as I've explained, most often the security guy is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there... The important part is to focus on risk management (and, for the technical, threat modeling).

I also strongly suggest reading lots of security books and blogs (I enjoy Bruce Schneier's stuff), and also try out OWASP for the application side of things.
