SOC Job Roles
The expected career path for any job role in a SOC will depend on how the organization assigns responsibilities and pay scale to a job role. Roles in networking, software development, system engineering, and security intelligence can lead to entry-level SOC-related work. Entry-level SOC job roles such as junior analyst, consultant, or tester can lead to job titles such as senior architect or security administrator as responsibilities and pay scales increase. Know that there isn’t a set standard for job roles or how roles feed into other roles, meaning the role of analyst at one organization could require the same experience as the role of architect at another organization. One organization might require specific certifications, degrees, or experience to meet the requirements of a job role, while the same job role at another organization will have different requirements. Consider industry and SOC job role, pay scales, and expected experience as you develop your strategy for recruiting for any job role in your SOC.
The job roles covered in the sections that follow make up common SOC-related career paths. These roles range from entry-level to senior-level job titles. The specifics of the work will depend on the type of service offered by the SOC. I will attempt to group similar job roles and explain skills based on what I have encountered in SOCs around the world. Use the recommended skills and certifications listed as reference points for what training and certifications you could pursue if you work in one of these job roles.
Security Analyst
A security analyst evaluates various types of data and plans and implements security measures to protect computer systems, networks, and data. Reviewing data can mean evaluating live network traffic or a copy of evidence such as event logs generated by security and network tools. In a security operations center, a SOC analyst can be responsible for reviewing security logs and responding to events based on the services offered by the SOC. The skills associated with a security analyst can include reading logs and event data from various types of tools, implementing changes to security tools (such as configuring firewall rules), responding to incidents based on suspected events, and developing playbooks that standardize the organization’s responses to different events.
Table 4-1 outlines the responsibilities, skills, and certifications associated with the security analyst role. The security analyst role is ideal for the incident management SOC service but can also be part of the vulnerability management and research and development (R&D) services. Similar job titles include security engineer, security administrator, security specialist, and security consultant.
TABLE 4-1 Security Analyst Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Evaluate security measures and controls for vulnerabilities | Penetration and vulnerability testing; information security knowledge | CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester; GPEN: GIAC Certified Penetration Tester; CISM: Certified Information Security Manager |
| Establish plans and protocols to protect digital files and information systems against unauthorized access, modification, or destruction | Host security tools (antivirus, anti-malware, VPN); data loss prevention technologies; encryption concepts; identity management; access control | ECSA: EC-Council Certified Security Analyst; vendor NAC certification; vendor data loss prevention certification; identity management certification (e.g., Microsoft Active Directory) |
| Maintain data and monitor security access | TCP/IP, computer networking, routing and switching | GSEC: GIAC Security Essentials; GCIH: GIAC Certified Incident Handler; GCIA: GIAC Certified Intrusion Analyst; CISM: Certified Information Security Manager |
| Perform security assessments and recommend security controls | Firewall and intrusion detection/prevention protocols | CISSP: Certified Information Systems Security Professional; vendor product certifications |
| Anticipate security alerts, incidents, and disasters and reduce their likelihood | Windows, UNIX, macOS, and Linux operating systems | Operating system certifications |
| Manage network and security systems | Network protocols and packet analysis tools; Windows, UNIX, macOS, and Linux operating systems | Vendor network certification (e.g., Cisco CCNA/CCNP/CCIE); operating system certifications |
| Analyze security breaches to determine their root cause and impacted parties | Digital forensics and threat hunting | EC-Council Computer Hacking Forensic Investigator certification |
| Recommend and install tools and countermeasures | Understanding of industry frameworks, security tools, and security processes | ISC2 CISSP; CompTIA CySA+ |
| Provide training to employees in security awareness and procedures | Developing training programs | SANS Security Awareness Professional (SSAP) |
Penetration Tester
The penetration tester role is focused on identifying vulnerabilities and testing those vulnerabilities in a manner similar to how an adversary would. Assessment officers and others responsible for identifying vulnerabilities tend to leverage automated tools and focus on identifying potential vulnerabilities, but they do not validate how realistic each vulnerability actually is. Penetration testers invest additional time validating that vulnerabilities exist, using the same tools adversaries use. They attempt to exploit the vulnerability and then document the results. A penetration tester must know how to identify vulnerabilities as well as the common tactics used to exploit a vulnerability to achieve the same outcome a potential adversary could obtain. This skillset is commonly referred to as red team skills.
Table 4-2 outlines the responsibilities, skills, and certifications associated with the penetration tester role. A penetration tester is ideal for the vulnerability management SOC service but can also work in the compliance, risk management, and R&D services. Similar job titles include security analyst, security engineer, threat researcher, ethical hacker, red team member, and tester.
TABLE 4-2 Penetration Tester Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Perform penetration tests and assessments of web-based applications, networks, and computer systems | Exploitation, assessment, and audit skillsets; technical writing; legal and compliance understanding | CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester; GPEN: GIAC Certified Penetration Tester |
| Conduct physical security assessments of servers, systems, and networks | Vulnerability and physical security assessment capabilities; lock picking | A+ and other hardware certifications |
| Design and create new tools and tests for penetration testing and assessments | Network servers, networking tools, security tools and products | OSCP and PEN-200 from Offensive Security; CEPT: Certified Expert Penetration Tester |
| Probe targets and pinpoint methods that attackers could use to exploit weaknesses and logic flaws | Computer hardware and software systems; vulnerability management and exploitation tactics | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Employ social engineering to uncover security holes | Web-based applications and behavioral science | OSCP: Offensive Security Certified Professional |
| Incorporate business goals into security strategies and policy development | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework) | CISSP: Certified Information Systems Security Professional; CISM: Certified Information Security Manager |
| Research, document, and review security findings with management and IT teams | Vulnerability analysis and reverse engineering | CCFE: Certified Computer Forensics Examiner |
| Improve security services, including the continuous enhancement of existing methodology material and supporting assets | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework) | CISSP: Certified Information Systems Security Professional |
| Provide feedback, support, and verification as an organization fixes security issues | Communication and writing | College degree |
Assessment Officer
An assessment officer is responsible for identifying potential vulnerabilities or gaps in corporate policy, compliance requirements, or general security best practices as defined in popular frameworks. Unlike a penetration tester, an assessment officer works within specific scopes defined by policies, compliance requirements, or frameworks, meaning he or she must be aware of the latest requirements and continuously validate that the organization is meeting them. Vulnerabilities outside the scope of those requirements will be overlooked by the assessment officer, because the focus of the role is auditing rather than general security validation. An assessment officer’s skills are focused on business and operations, with a strong understanding of industry frameworks, compliance, and the laws associated with cybersecurity as they relate to the organization.
Table 4-3 outlines the responsibilities, skills, and certifications associated with the assessment officer role. An assessment officer is ideal for the compliance and risk management services but can also work in the vulnerability management service or assist other services such as incident management and R&D. Similar job titles are compliance officer, policy officer, security officer, and infosec officer.
TABLE 4-3 Assessment Officer Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Incorporate business goals into security strategies and policy development | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework) | CISSP: Certified Information Systems Security Professional; CISM: Certified Information Security Manager |
| Conduct physical security assessments of servers, systems, and networks | Vulnerability and physical security assessment capabilities; lock picking | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Interview employees, obtain technical information, and assess audit results | Management and strong communication skills | College degree or special communication skills training; CISM: Certified Information Security Manager |
| Understand industry data security regulations | Understanding of HIPAA, PCI DSS, etc. | Specific industry data security certification and experience |
| Develop and execute tests based on regulations being audited | Critical-thinking skills | College degree and/or programming certification |
| Research, document, and review security findings with management and IT teams | Critical-thinking skills | College degree and/or programming certification |
| Understand organization policies and procedures | Critical-thinking skills and experience with SOC policies and procedures | College degree |
| Provide feedback, support, and verification as an organization fixes security issues | Critical-thinking, project management, and communication skills | College degree |
Incident Responder
An incident responder is a cyber first-responder or a higher-tier resource responsible for responding to a security incident. This role involves providing rapid initial response to IT security threats, incidents, and cyberattacks on the organization. The role can also include some penetration and vulnerability testing, network management, intrusion detection, security audits, network forensics, and maintenance of IT security systems. The primary responsibility may be monitoring traffic for any unusual activity or unauthorized access attempts and initiating the appropriate response when a potential event is identified. The response can include patching systems, initiating segmentation, isolating systems, alerting all associated parties, and assisting with returning impacted systems back to an operational state. The incident responder can work through the entire lifecycle of the incident or handle one part of the incident while higher-tier responders or other teams take over responsibilities, depending on the severity of the incident and how the SOC runs the incident management practice.
Table 4-4 outlines the responsibilities, skills, and certifications associated with the incident responder role. An incident responder is ideal for the incident management service but can also work in the situational and security awareness service or vulnerability management service. Similar job titles include incident response engineer, computer network defense, IT network defense, incident analyst, intrusion detection specialist, and network intrusion analyst.
TABLE 4-4 Incident Responder Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Actively monitor systems and networks for intrusions | Windows, UNIX, macOS, and Linux operating systems | Operating system certifications; CompTIA CySA+ |
| Identify security flaws and vulnerabilities | Computer hardware and software systems; vulnerability management and exploitation tactics | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Perform security audits, risk analysis, network forensics, and penetration testing | Exploitation, assessment, and audit skillsets; technical writing; legal and compliance understanding; TCP/IP-based network communication | GCFE: GIAC Certified Forensic Examiner; GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Perform desktop security assessments and update/patch potential vulnerabilities | Computer hardware and software systems; vulnerability assessments | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker |
| Develop a procedural set of responses to security problems | Operating system installation, patching, and configuration | CISSP: Certified Information Systems Security Professional; CISM: Certified Information Security Manager |
| Establish protocols for communication within an organization and for dealing with law enforcement during security incidents | Critical-thinking, project management, and communication skills | College degree |
| Create a program development plan that includes security gap assessments, policies, procedures, playbooks, training, and tabletop testing | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | CISSP: Certified Information Systems Security Professional; college degree |
| Produce detailed incident reports and technical briefs for management, administrators, and end users | Critical-thinking, project management, and communication skills | College degree |
| Liaise with other cyberthreat analysis entities | Critical-thinking, project management, and communication skills | College degree |
| Handle case management duties of an incident and take part in lessons-learned post-incident meetings | Case management experience and tools | CompTIA CySA+; CISM: Certified Information Security Manager; college degree |
Systems Analyst
A systems analyst is responsible for monitoring and interpreting different forms of data. Data can include logs from security tools, alerts from networking equipment, or other event data. A systems analyst might also be responsible for analyzing various types of artifacts, including files and programs, with the goal of determining whether there is any potential risk to the organization and discovering the purpose of the artifact (meaning why it was created). For example, a Word document might contain an embedded rootkit, so the purpose of the document is to trick a user into opening it and installing the rootkit.
Systems analysts who work in the incident management service spend their time monitoring SIEM/SOAR/XDR systems, looking for potential threats within hundreds of thousands of event data points. A systems analyst either addresses events directly or passes them to a member of the incident management service group. Systems analysts who work in the analysis service have isolated labs dedicated to containing potentially threatening artifacts and learning what those artifacts do. Common duties for analysts in the analysis service include performing static analysis, such as scanning or disassembling artifacts, and performing dynamic analysis, such as running artifacts in a sandbox to learn their behavior.
Table 4-5 outlines the responsibilities, skills, and certifications associated with the systems analyst role. A systems analyst is ideal for the analysis service or incident management service but can also work in the digital forensics and risk management services. Similar job titles include operations analyst, business systems analyst, business intelligence analyst, and data analyst.
TABLE 4-5 Systems Analyst Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Actively monitor systems and networks for intrusions | Windows, UNIX, macOS, and Linux operating systems | CCE: Certified Computer Examiner |
| Identify security flaws and vulnerabilities | Computer hardware and software systems; vulnerability management and exploitation tactics | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Perform security audits, risk analysis, network forensics, and penetration testing | Computer hardware and software systems; vulnerability management and exploitation tactics; TCP/IP-based network communications | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Perform malware analysis and reverse engineering | Computer hardware and software systems | GCFA: GIAC Certified Forensic Analyst |
| Work with SIEM and SOAR orchestration and automation | DevOps and playbook skills | Certification in DevOps |
| Reverse engineer/disassemble malware and other artifacts | Disassemblers, debuggers, and other static-analysis tools | GREM: GIAC Reverse Engineering Malware |
| Develop sandboxes and analyze software behavior | Sandboxes and other dynamic-analysis tools | GREM: GIAC Reverse Engineering Malware |
| Analyze logs and other data sources | Security tool logs (firewall, IDS/IPS, etc.), SIEMs, and SOAR | CCNA Cyber Ops; CompTIA Cybersecurity Analyst (CySA+) |
| Liaise with other cyberthreat analysis entities | Forensic software applications (e.g., EnCase, FTK, Helix, Cellebrite, XRY) | CREA: Certified Reverse Engineering Analyst |
| Understand assembly language and how computer systems operate (RAM, ROM, storage, etc.) | IDA Pro, Ghidra, RAM/ROM dumps | GREM: GIAC Reverse Engineering Malware |
Security Administrator
A security administrator is responsible for managing IT-related security and safety issues within a company. Tasks can include developing policies and procedures as well as overseeing that policies are followed by employees. Security administrators also oversee the implementation of solutions that prevent cyberthreats and protect data’s confidentiality, integrity, and availability. Tasks include administering security controls to reduce the risk associated with potential vulnerabilities.
Table 4-6 outlines the responsibilities, skills, and certifications associated with the security administrator role. Security administrators are ideal for compliance, risk management, and situational and security awareness services. Similar job titles include security manager, information security manager, network security administrator, systems security administrator, information systems security officer, and IT security administrator.
TABLE 4-6 Security Administrator Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Protect systems against unauthorized access, modification, and/or destruction | Windows, UNIX, and Linux operating systems; system security capabilities | CompTIA Security+ (popular base-level security certification) |
| Perform vulnerability and network scanning | Computer hardware and software systems; vulnerability management and exploitation tactics; TCP/IP-based network communications | CCNA: Cisco Certified Network Associate; CEH: Certified Ethical Hacker |
| Monitor network traffic for unusual or malicious activity | Strong understanding of firewall technologies | ECSA: EC-Council Certified Security Analyst; CompTIA CySA+ |
| Configure and support security tools such as firewalls, antivirus software, and patch management systems | TCP/IP, computer networking, routing and switching | CISSP: Certified Information Systems Security Professional |
| Implement network security policies, application security, access control, and corporate data safeguards | Network protocols and packet analysis tools | CISM: Certified Information Security Manager; CISSP: Certified Information Systems Security Professional |
| Train employees in security awareness and procedures | Critical-thinking, project management, and communication skills | College degree |
| Perform security audits and make policy recommendations | Intermediate to expert IDS/IPS knowledge; vulnerability evaluation; security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework) | CISSP: Certified Information Systems Security Professional; college degree |
| Develop and update business continuity and disaster recovery protocols | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | College degree |
Security Engineer
This role is similar to the security analyst role, with responsibilities that include security monitoring, security and data/log analysis, and forensic analysis. The goal of the role is to detect security incidents and launch a response. A security engineer can also be responsible for identifying which security technologies the organization uses, maintaining existing security technologies, developing and maintaining security policy, and developing methods to improve policies.
Table 4-7 outlines the responsibilities, skills, and certifications associated with the security engineer role. A security engineer can work in the incident management, analysis, digital forensics, and R&D services, depending on the specific skills and experience the engineer has acquired. Similar job titles include security analyst, security administrator, security architect, security specialist, and security consultant.
TABLE 4-7 Security Engineer Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Configure and install firewalls and intrusion detection/prevention systems | IDS/IPS, penetration testing, and vulnerability testing | CISM: Certified Information Security Manager; CISSP: Certified Information Systems Security Professional; CEH: Certified Ethical Hacker |
| Perform vulnerability testing, risk analyses, and security assessments | Firewall and intrusion detection/prevention protocols | CCNP Security: Cisco Certified Network Professional Security; CEH: Certified Ethical Hacker |
| Develop or work with automation scripts to handle and track incidents | Secure coding practices, ethical hacking, and threat modeling | GSEC: GIAC Security Essentials; GCIH: GIAC Certified Incident Handler; GCIA: GIAC Certified Intrusion Analyst |
| Investigate intrusion incidents, conduct forensic investigations, and launch incident responses | Windows, UNIX, macOS, and Linux operating systems | CISSP: Certified Information Systems Security Professional; CompTIA CySA+; CCFE: Certified Computer Forensics Examiner |
| Collaborate with colleagues on authentication, authorization, and encryption solutions | Critical-thinking, project management, and communication skills; encryption technology concepts | CISSP: Certified Information Systems Security Professional; college degree |
| Evaluate new technologies and processes that enhance security capabilities | Critical-thinking, project management, and communication skills | College degree |
| Deliver technical reports and formal papers on test findings | Communication and technical writing skills | College degree |
| Supervise changes in software, hardware, facilities, telecommunications, and user needs | Critical-thinking, project management, and communication skills | College degree |
| Define, implement, and maintain corporate security policies | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | CISSP: Certified Information Systems Security Professional; college degree |
| Analyze and advise on new security technologies and program conformance | Critical-thinking, project management, and communication skills | College degree |
| Recommend modifications in legal, technical, and regulatory areas that affect IT security | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | CISSP: Certified Information Systems Security Professional; CISM: Certified Information Security Manager; college degree |
Security Trainer
A security trainer is responsible for implementing standardized training programs based on the organization’s policies and the current threat landscape. Security trainers develop and schedule training needs based on feedback from interviewing leadership and employees. Responsibilities include developing the training material, coordinating and monitoring enrollment, schedules, costs, and equipment, and delivering training metrics to leadership. Other duties include researching industry training concepts, training people to deliver training content, and updating content as needed.
Table 4-8 outlines the responsibilities, skills, and certifications associated with the security trainer role. A security trainer is ideal for the situational and security awareness service but can also work in the risk management and R&D service groups. Similar job titles include training instructor, information assurance analyst, training analyst, security service training manager, and security training and development manager.
TABLE 4-8 Security Trainer Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Develop a schedule to assess training needs | Experience with technologies and best practices for instructional manuals and teaching platforms | Certification from talent and training associations |
| Ensure strict adherence to company philosophy/mission statement/sales goals | Understanding of policies, procedures, and industry guidelines, standards, and frameworks | CISSP: Certified Information Systems Security Professional |
| Deliver training to customers or other trainers | Excellent verbal and written communication skills | College degree |
| Manage the security awareness program based on threat research | Strong project management skills with the ability to supervise multiple projects | College degree |
| Deliver technical reports and formal papers on test findings | Identity and access management principles | College degree |
| Test and review created materials | Critical-thinking, project management, and communication skills | College degree |
| Maintain a database of all training materials | Basic database and program management skills | College degree |
Security Architect
A security architect oversees the implementation of network and computer security for an organization. This role is typically a senior-level employee responsible for creating security structures, defenses, and responses to security incidents. Additional responsibilities may include providing technical guidance, assessing costs and risks, and establishing security policies and procedures for the organization.
Table 4-9 outlines the responsibilities, skills, and certifications associated with the security architect role. The security architect is ideal for the risk management service but can be part of other services such as compliance, situational and security awareness, and research and development. Similar job titles include information security architect, IT security architect, and senior security analyst.
TABLE 4-9 Security Architect Responsibilities, Skills, and Certifications
| Responsibilities | Skills | Certifications |
|---|---|---|
| Plan, research, and design robust security architectures for any IT project | Risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack concepts | CISSP: Certified Information Systems Security Professional |
| Perform vulnerability testing, risk analyses, and security assessments | Computer hardware and software systems; vulnerability management and exploitation tactics | GPEN: GIAC Certified Penetration Tester; CEH: Certified Ethical Hacker; OSCP and PEN-200 from Offensive Security; CPT: Certified Penetration Tester; CEPT: Certified Expert Penetration Tester |
| Research security standards, security systems, and authentication protocols | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | CISM: Certified Information Security Manager; CISSP: Certified Information Systems Security Professional |
| Develop requirements for LANs, WANs, VPNs, routers, firewalls, and related network devices | Security controls such as firewalls, IDS/IPS, network access control, and network segmentation | CISM: Certified Information Security Manager |
| Design public key infrastructures (PKIs), including use of certification authorities (CAs) and digital signatures | Security and encryption technologies | CISM: Certified Information Security Manager; ECES: EC-Council Certified Encryption Specialist |
| Review and approve installation of firewall, VPN, router, IDS/IPS scanning technologies, and servers | Security concepts related to DNS, routing, authentication, VPN, proxy services, and DDoS mitigation technologies | GSEC: GIAC Security Essentials; GCIH: GIAC Certified Incident Handler; GCIA: GIAC Certified Intrusion Analyst |
| Provide technical supervision for security team(s) | Critical-thinking and communication skills | College degree |
| Define, implement, and maintain corporate security policies and procedures | Network security architecture development and definition | CISSP: Certified Information Systems Security Professional; college degree |
| Oversee security awareness programs and educational efforts | Critical-thinking and communication skills | College degree |
| Update and upgrade security systems as needed | Windows, UNIX, macOS, and Linux operating systems | A+; Security+; CISSP: Certified Information Systems Security Professional |
Cryptographer/Cryptologist
A SOC that relies on encryption to protect information, or that builds systems incorporating it, assigns those requirements to a cryptologist. Cryptology covers both cryptography (designing ciphers, protocols, and key management) and cryptanalysis (finding weaknesses in them), so a cryptologist both researches and develops stronger encryption algorithms and evaluates the strength of existing ones. A cryptologist may also be asked to analyze encrypted or obfuscated data embedded in or transmitted by malicious software to determine the software's purpose and functions.
Table 4-10 outlines the responsibilities, skills, and certifications associated with the cryptographer/cryptologist role. Cryptologists fit best in the digital forensics and analysis services but can support any service that needs to implement, understand, or identify cryptography.
TABLE 4-10 Cryptographer/Cryptologist Responsibilities, Skills, and Certifications

Responsibilities | Skills | Certifications |
---|---|---|
Protect information from interception, copying, modification, and/or deletion | Computer architecture, data structures, and algorithms | Few dedicated certifications exist; most cryptologists come from university mathematics or computer science programs or specialized courses, and broader security certifications cover cryptology only as one topic among many |
Evaluate, analyze, and target weaknesses in cryptographic security systems and algorithms | Linear/matrix algebra and/or discrete mathematics | ECES: EC-Council Certified Encryption Specialist |
Develop statistical and mathematical models to analyze data and solve security problems | Probability theory, information theory, complexity theory, and number theory | ECES: EC-Council Certified Encryption Specialist; college degree in mathematics and a cryptology certification |
Investigate, research, and test new cryptology theories and applications | Principles of symmetric and asymmetric cryptography | ECES: EC-Council Certified Encryption Specialist; college degree in mathematics and a cryptology certification |
Probe for weaknesses in communication lines | Principles of symmetric and asymmetric cryptography | ECES: EC-Council Certified Encryption Specialist; college degree in mathematics and a cryptology certification |
Ensure financial data is securely encrypted and accessible only to authorized users | Network access control concepts; data loss prevention technologies; encryption concepts; identity management; access control | Operating system certifications; vendor security certifications; authentication vendor certifications |
Ensure message transmission data is not illegally accessed or altered in transit | Principles of symmetric and asymmetric cryptography | ECES: EC-Council Certified Encryption Specialist; college degree in mathematics and a cryptology certification |
Decrypt intercepted messages and analyze coding systems for military, political, and/or law enforcement agencies | Principles of symmetric and asymmetric cryptography | CHFI: EC-Council Computer Hacking Forensic Investigator; college degree in mathematics and a cryptology certification |
Advise colleagues and research staff on cryptographic and mathematical methods and applications | Principles of symmetric and asymmetric cryptography | College degree in mathematics and a cryptology certification |
Forensic Engineer
Many organizations will experience a breach, and when they do they need to understand how it occurred. Digital forensics is the discipline of collecting, preserving, and analyzing evidence about a security incident. That evidence can support legal action, identify the vulnerability that enabled the breach so it can be remediated, or feed a lessons-learned exercise. Forensic engineers need skills focused on collecting data without altering what they collect: working from forensic copies rather than the original media, using write blockers when imaging, and hashing evidence at acquisition so its integrity can be demonstrated later. These engineers may also have legal knowledge to support investigations that lead to legal action.
Table 4-11 outlines the responsibilities, skills, and certifications associated with the forensic engineer role. This role is ideal for the digital forensics service but can also work in the analysis and incident management services. Similar job titles include forensic scientist, forensic consultant, and digital forensics engineer.
TABLE 4-11 Forensic Engineer Responsibilities, Skills, and Certifications

Responsibilities | Skills | Certifications |
---|---|---|
Conduct data breach and security incident investigations | Network skills, including TCP/IP-based network communications | CCE: Certified Computer Examiner |
Recover and examine data from computers and electronic storage devices | Windows, UNIX, and Linux operating systems | CEH: Certified Ethical Hacker |
Dismantle and rebuild damaged systems to retrieve lost data | Windows, UNIX, macOS, and Linux operating systems; digital forensics concepts | EnCE: EnCase Certified Examiner |
Identify systems/networks compromised by cyberattacks | Computer hardware and software systems | GCFE: GIAC Certified Forensic Examiner |
Compile evidence for legal cases | Operating system installation, patching, and configuration | GCFA: GIAC Certified Forensic Analyst |
Draft technical reports, write declarations, and prepare evidence for trial | Backup and archiving technologies; technical writing | GCIH: GIAC Certified Incident Handler |
Give expert counsel to attorneys about electronic evidence in a case | Cryptography principles; legal experience; digital forensics experience; strong communication skills | CCFE: Certified Computer Forensics Examiner |
Advise law enforcement on the credibility of acquired data | eDiscovery tools; strong communication skills | CPT: Certified Penetration Tester |
Provide expert testimony at court proceedings | Forensic software applications (e.g., EnCase, FTK, Helix, Cellebrite, XRY) | CREA: Certified Reverse Engineering Analyst |
Stay proficient in forensics, incident response, and reverse engineering | Data processing skills in electronic disclosure (eDiscovery) environments | CCFE: Certified Computer Forensics Examiner; college degree |
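The requirement to collect data without changing it is normally proved with cryptographic hashes: the examiner hashes the acquired image, records the digests in a chain-of-custody record kept beside the evidence, and re-hashes before analysis or testimony to show the copy is unchanged. The Python script below is an added example, not code from this book or from any forensic tool it names; the case ID, examiner name, and the `laptop-sda.dd` image are constructed placeholders, and the single-byte change in `demo()` stands in for the kind of accidental write a missing write blocker allows.

```python
"""Added example: prove an acquired evidence file has not changed since acquisition.

Forensic practice is to hash the acquisition (commonly MD5 and SHA-256), write
the digests into a chain-of-custody record, and re-hash before every later step.
Any difference means the copy can no longer be presented as a faithful original.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024          # 1 MiB blocks: disk images rarely fit in memory
DEFAULT_ALGORITHMS = ("md5", "sha256")


def _digest(blocks, algorithms):
    """Feed an iterable of byte blocks through one hasher per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Hash an in-memory buffer (useful for small artifacts and self-checks)."""
    return _digest([data], algorithms)


def hash_file(path, algorithms=DEFAULT_ALGORITHMS):
    """Hash a file opened read-only; the evidence itself is never written to."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(CHUNK_SIZE), b""), algorithms)


def write_manifest(evidence_path, manifest_path, examiner, case_id):
    """Record acquisition hashes, size, examiner, and UTC time as a
    chain-of-custody entry stored beside the evidence, never inside it."""
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "hashes": hash_file(evidence_path),
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_against_manifest(evidence_path, manifest_path):
    """Re-hash the evidence and compare with the recorded digests.

    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, current).
    """
    with open(manifest_path, encoding="utf-8") as fh:
        recorded = json.load(fh)["hashes"]
    current = hash_file(evidence_path, tuple(recorded))
    mismatches = {
        alg: (recorded[alg], current[alg])
        for alg in recorded
        if recorded[alg] != current[alg]
    }
    return (not mismatches, mismatches)


def demo():
    """Constructed scenario: hash a fake image, alter one byte, re-verify.

    Returns (verified_before, verified_after, algorithms_that_mismatched).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-sda.dd")            # placeholder name
        manifest = os.path.join(workdir, "laptop-sda.manifest.json")
        with open(image, "wb") as fh:                              # constructed sample data
            fh.write(b"\x00" * 4096 + b"NTFS sample sector (constructed)" + b"\xff" * 4096)

        write_manifest(image, manifest, examiner="J. Doe", case_id="IR-0001")
        ok_before, _ = verify_against_manifest(image, manifest)

        # Simulate the mistake the text warns about: the image was opened writable
        # (for example, mounted without a write blocker) and one byte changed.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"n")

        ok_after, mismatches = verify_against_manifest(image, manifest)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

Two algorithms are recorded because courts and tools still expect MD5 alongside a modern hash, and a single flipped byte changes both digests, so a mismatch cannot be dismissed as a hashing fault. Keep the manifest on separate media or in a case-management system: a manifest stored inside the image it describes would change along with it.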
Chief Information Security Officer
Also called the CISO, this role is part of executive management and is responsible for the organization's entire information security function. The CISO owns all assurance activities related to the availability, integrity, and confidentiality of customer, business partner, employee, and business information, in compliance with the organization's information security policies, and works with executive management to determine the levels of risk the organization is willing to accept.
Table 4-12 outlines the responsibilities, skills, and certifications associated with the CISO role. The CISO commonly owns the risk management service but can also oversee all other SOC services.
TABLE 4-12 Chief Information Security Officer Responsibilities, Skills, and Certifications

Responsibilities | Skills | Certifications |
---|---|---|
Appoint and guide a team of IT security experts | Practices and methods of IT strategy, enterprise architecture, and security architecture | CISA: Certified Information Systems Auditor |
Create a strategic plan for the deployment of information security technologies and program enhancements | Security concepts; critical-thinking and communication skills | CISM: Certified Information Security Manager |
Supervise development of corporate security policies, standards, and procedures | ISO 27002, ITIL, and COBIT frameworks | GSLC: GIAC Security Leadership Certification; college degree |
Integrate IT systems development with security policies and information protection strategies | PCI DSS, HIPAA, NIST, GLBA, and SOX compliance assessments | CCISO: Certified Chief Information Security Officer |
Collaborate with key stakeholders to establish an IT security risk management program | Network security architecture development and definition | CGEIT: Certified in the Governance of Enterprise IT |
Anticipate new security threats and stay up to date with evolving infrastructures | Knowledge of third-party auditing and cloud risk assessment methodologies | CISSP: Certified Information Systems Security Professional |
Develop strategies to handle security incidents and coordinate investigative activities | Critical-thinking and communication skills | CISSP-ISSMP: Information Systems Security Management Professional (CISSP concentration) |
Act as the focal point for IT security investigations | Critical-thinking and communication skills | CISSP: Certified Information Systems Security Professional; college degree |
Prioritize and allocate security resources correctly and efficiently | Critical-thinking and communication skills | College degree |
Prepare financial forecasts for security operations and proper maintenance coverage for security assets | Critical-thinking and communication skills; contract experience | College degree |
Work with senior management to ensure IT security protection policies are implemented, reviewed, maintained, and governed effectively | Security frameworks (e.g., ISO 27001/27002, NIST Cybersecurity Framework); critical-thinking, project management, and communication skills | College degree |
Every job role you recruit for has a learning curve for onboarding an employee into your SOC environment. Every SOC has its own networks, processes, and capabilities that can only be learned on the job. The Role Tiers section later in this chapter looks at how job titles change as employees gain experience and knowledge.
I opened this section with the caveat that many different names are used for similar job roles. What you believe a security analyst does, for example, may differ from what others think that role entails. To help standardize job role concepts, the next section covers a U.S. government guide to the responsibilities associated with cybersecurity jobs, the NICE Cybersecurity Workforce Framework.