Which Security Professional Do You Need?

From Security for Everyone, edition 1.0.0 (updated October 9, 2023)

Like every other professional field, security professionals are often bunched together as a single role category, when in fact there are many different types and only a few of these would suit your stage and security maturity. Let’s take a look at the five most common roles, their strengths and weaknesses, and what to consider when hiring.

The Executive

Common job titles for this role: chief information security officer (CISO), VP of security, director of security

This is a senior leader in security, someone with many years of experience across a range of roles (though probably in larger organizations). This person is an expert at communicating with both internal and external stakeholders. They may be used to assessing and presenting risk to peers and upper management, as well as maintaining a complex security program.

This is a role (and title) that commands respect and will make an impact on your organizational chart. However, remember our key characteristics from above. Ensure when hiring this type of person that they are willing (and able) to get their hands dirty and that they have experience with early-stage companies. Without this experience, they may struggle to manage a program without the larger team size, budgets, and selection of tools they are used to.

The Risk and Governance Specialist

Common job titles for this role: head of risk and compliance, security and compliance lead

Risk and governance don’t have a reputation as the most rock and roll of security domains, but don’t underestimate someone with this background, particularly if you are in a highly regulated space like finance, health, or government.

Risk professionals may have a background in finance or audit, and often gravitate towards the more detail-oriented, policy-focused elements of your security program. These are the people who make sure your program is comprehensive and that you meet the letter of the requirements you are held to.

This may mean your risk and governance specialist has fewer hands-on implementation skills than other types of security roles, so when hiring, be sure to openly discuss the implementation parts of the role and what support they may need in these more technical areas.


The Engineer

Common job titles for this role: security engineer, application security specialist

Where risk and governance specialists often move into security from audit or finance roles, security engineers often migrate from other engineering specialisms such as network engineering or software development. Some people choose to transition from these roles into security engineering roles consciously or as part of their career development; many end up in security through more unconventional paths—finding an affinity or natural talent for security and falling into it.

Your engineers are a force for good when it comes to the implementation phase of your security program. They are the people who can build controls, configure systems, and understand the architectural complexity of your organization well enough to defend it. They are natural bridges to the engineering teams in your company and often have strong empathy for these groups.

Though they shine in implementation, you may find they have no appetite for policy and governance. While they may be able to get the job done if they need to, many of them would not enjoy this element of the work and may not want to be engaged in it long term. You may find that providing ad-hoc support with the more governance-heavy part of the role reduces this stress.

The Analyst

Common job titles for this role: security analyst, SOC (security operations center) analyst

These are not the most senior of security professionals as a rule, but they are nonetheless crucial to our companies. Security analysts are the front line of our defensive teams. From carrying out the recurring and triggered security activities to monitoring our defensive tools, analysts keep the wheels turning on the day-to-day security operations that most companies need to stay safe.

As critical as these roles are to our daily security operations, they are often isolated from the larger team and may not have a lot of experience with the overarching program design and management needed to manage the entire organization’s security program. While all of this can be learned with time and coaching, you must be prepared to provide this training and support if you want your analyst to thrive as you push them into a more leadership role.

The Offensive Security Specialist

Common job titles for this role: penetration tester, red team

This is the security role we see in mainstream media, movies, and TV: the ethical hackers who join our team to act as an internal provocateur and find our flaws before our enemies do. While more commonly found in outsourced or specialist security assurance companies, an increasing number of companies hire these roles internally as part of a continuous assurance program. This not only saves money compared to hiring external specialists, but means that systems can be tested more frequently throughout the year.

While it is undeniable that these roles have an important place in the security teams of more mature organizations, this is rarely the first role that companies hire. Like engineers, they are probably quite capable of getting the more administrative and process requirements done with the right support and coaching. However, this is like asking a fox to play the role of the farmer: while they may be able to pull off the role, they will be fighting their base instincts and not using the skills that make them valuable. Remember, whether the role is in security or elsewhere in your business, asking someone to go against their base tendencies isn’t a sustainable plan, and neither you nor your team member is likely to be happy in the long run.

Which First Security Role Should You Hire?

You may have guessed by now that young companies rarely need one of these roles full time; rather, they often need at least a few of them on a part-time basis. Given the global shortage of skilled security professionals and the complex and evolving nature of your business, part-time help is not only very challenging to find but also more difficult to manage.

So what’s the solution? There isn’t a perfect one. (Sorry.)

As the leader of an early-stage, fast-growing company, this shouldn’t be surprising, nor should it be an insurmountable challenge. You have grown your company to this stage by navigating challenges just like this. Your organization is full of people who are adaptable and have learned to embrace and conquer roles and responsibilities that they had never encountered before. The person you choose for your security role will be another example of the adaptability of people and your ability to lead in a way that evolves with your company’s needs.
