Job titles in cybersecurity are absolutely critical. Unless they're meaningless. Or maybe both. That's the message that comes from professionals involved in hiring (and recruiting) people into cybersecurity roles. And it's a message that can be absolutely maddening for those trying to land their next cybersecurity job.
"Titles matter for every human I know," says Deidre Diamond, founder and CEO of CyberSN. She continues, "And in cybersecurity, it matters to a greater capacity because a security engineer could be seven different types of security engineer and analysts can be six types of analyst."
The problem is, Diamond says, that the same title can have different meanings in different organizations.
As a result, "Not only does the title matter, but the job description matters," Diamond explains. And that description may ultimately be the deciding factor in matching positions with candidates.
"I work from functions much more than titles," says Mimi Gross, principle consultant with HYER Technical Solutions. She specializes in helping startup or early-history organizations fill positions. She says that these young companies tend to be far more flexible than more established companies in the job titles they offer because they don't have the established hierarchy organizations tend to develop over time.
For companies that want or need a framework into which job titles can be placed, though, one exists and Diamond says that it can provide guidance.
A NICE framework
The National Initiative for Cybersecurity Education (NICE), Office of the Secretary of Defense, and Department of Homeland Security (DHS) worked together to develop the NICE Framework. The framework is designed to, among other things, provide "a systematic and consistent way to organize the way we think and talk about cybersecurity work."
The NICE Framework is built on a taxonomy that includes seven categories, 33 specialty areas, and 52 work roles.
To see how the framework applies to a specific job title, one can take a single category, Protect and Defend, and within it a single specialty area, Cyber Defense Analysis. Inside the specialty there can be multiple work roles. In this case there's one: cyber defense analyst. The framework then lists the abilities, knowledge, skills, tasks, and capability indicators associated with the particular work role, and repeats that for each work role (or job title) that's been defined.
As with other frameworks and standards defined in NIST documents -- in this instance, NIST Special Publication 800-181 -- NICE is mandated for federal bureaus, agencies, and departments. And like the other standards, NICE can be a useful resource for organizations trying to bring order to their own job titles and work roles.
An architect, an engineer, and an analyst walk into a bar...
Broadly speaking, there are differences in what each of the three main security job categories are expected to do:
A security architect must anticipate all of the moves and tactics hackers will use to break into the computer system. A security architect’s first duty is to thoroughly understand the organization's systems. They have to understand the vulnerabilities and weak points in the system, then recommend ways to improve and update security through both hardware and software. Architects have a critical role in setting and enforcing user policies and protocols.
Security engineers are responsible for testing and screening security software and for monitoring networks and systems for security breaches or intrusions. Where the security architect recommends, the security engineers implement and testing strategies. They also report on incidents and use those reports to prepare for future incidents. Security engineers will also keep track of the organization's state of security, and take the lead in educating other employees on cyber security.
A security analyst's main job is to analyze the security measures of a company and determine how effective they are. While the architect recommends and the engineer implements, the analyst is the day-to-day "operator" of the organization's cybersecurity system. They are responsible for insuring all networks and systems have security in place that works to prevent unauthorized access. Analysts observe moment to moment incidents and direct the hardware and software resources necessary to stop breaches and incursions. Analysts also ensure that all security systems are current with and appropriate to any software or hardware changes in the company.
Between the titles
Asked whether there is significant overlap between the duties that might be expected of those with titles of analysts, engineers, and architects, Diamond says that there is some overlap -- but only some.
"An analyst you wouldn't see as an architect or an engineer, typically, but then again, if they're tier-three as an analyst, they could be an engineer doing like high-level incident response," she says, and warms to the subject, continuing, "You really could be an analyst and do some engineering work. You could be an engineer and do some analyst's work. You can be an architect and do analyst's and engineering work."
There are, however, limits to how far titles can stretch. "You're most likely not going to be an analyst and also do architecture work," Diamond explains, because, "Architecture work is more product-oriented and implementation of products versus actually dealing with a bad actor or alerts." Still, she points out that many engineers and analysts cross into one another's territory if they're very senior.
Both Diamond and Gross say that experience trumps all when it comes to moving into cybersecurity and moving up the career ladder within cybersecurity. While cybersecurity education matters a bit, and certifications matter a bit more, being able to point to experience in the field catches the eye of those recruiting for open positions.
Demonstrating that experience can be a challenge when position titles are so fluid, so both Gross and Diamond say that moving outside the traditional resume can be critical for those building careers in cybersecurity. They recommend activities like writing blog posts, taking part in conferences like local Bsides, and participating in capture the flag activities as way to show expertise.
And when it comes to deciphering the job titles in a particular organization or industry, Gross suggests something she calls "investigative networking." She explains it, saying, "One of the best pieces of advice I ever got from a mentor was that if you ever want money from somebody, ask for advice. And if you ever want advice from somebody, ask for money." Gross modifies it to, "If you ever want a job, ask somebody for advice. And if you want someone to tell you why you're not good for the job, ask for the job."