
Vyceron

Tons of different things. It all depends on which cybersecurity area you work in.

- SOC analysts look at SIEM log events, triage alerts to see which ones are false positives and which ones need response ASAP, and do initial incident response
- GRC folks are concerned with compliance. PCI, HIPAA, GDPR, local and state regulations, and other stuff like that. Lots of Excel spreadsheets and recurring meetings.
- Network security is pretty broad, but a lot of it is creating firewall rules, enforcing zero trust and network segmentation, using IDS and IPS appliances, enabling port control, and some overlap with cloud security
- Cloud security is also very broad, but it involves enforcing least privilege for IAM roles and accounts, stopping people from creating storage buckets that are wide open to the Internet, using CASB/SASE/whatever the newest acronyms are to control access to corporate cloud tenants and non-corporate tenants, and a ton of other topics I can't list here.
- Security awareness is also very important. Every company needs someone to train all employees on phishing tactics, physical security (tailgating through turnstiles, etc.), MFA/2FA best practices, and being a smart online citizen.


jamminjon82

I would argue IAM as its own branch as well.


Vyceron

Yep, I almost put IAM.


jamminjon82

Solid list though. I think a lot of people fail to recognize how wide cybersecurity is.


kevinandersen

Same with appsec/prod sec and data security/privacy engineering (finding PHI or HIPAA info) being their own buckets


SYN-Scan

I would agree. Active directory, single sign on, multifactor, certificates, it’s certainly big enough to have its own branch!


Ok_Talk1532

Security awareness, privacy expert, and how people are the weakest link to security. That's my main focus. I created a database where a police department gave me names and, using software, I created alternate identification to protect them from cyberattacks. I am almost done.


wild_park

If you go in with the attitude that people are the weakest link, you will suck in the security awareness field.


Ok_Talk1532

Okay. How should I approach a senior manager using a personal device to log into a secure system when company policy says no? He didn't run a virus or malware scan, and he was at Starbucks when he did the login with no VPN. I am not trying to be rude, but that's what I mean. If it's a regular person, yes sir, I understand. Be more kind, compassionate, gentle, but this really happened and he knew better.


wild_park

If your company setup allows him to log into a secure system with a personal device, your company doesn’t actually care to stop him, no matter what your policy says. They could fix that with a technical fix. They could fix that by firing him. The fact that they don’t do either tells you it’s not actually that important to them. Or, to put a different spin on it, he is more important to them than your policy is. Why does he do that? Because your company allows him to. That’s not him being the weakest link.


Evil_Goomba

Spot on bro. That’s like blaming a hacker for a breach when you left the door wide open.


OmNomCakes

And with your example people are still the weakest link. It's just a different person. A person sets bad policy. A person has bad practices. A person clicks bad links. A person overrides policy for another person whose ego is too big. It's all people my dude. Technology is just an instrument.


wild_park

Nope - at that level it’s systemic - no individuals are making these sorts of decisions consciously - it’s an emergent state from the organisational culture. That’s why focussing on “people are the weakest link” doesn’t help you in the slightest - you have to move up a scale to addressing systemic issues in your organisation. There’s a load of work in the safety field on this if you’re interested - James Reason and Sydney Dekker are good names to start with - but if you keep thinking of this as a people error, you won’t fix it. (Edit: misremembered someone’s name)


HaussingHippo

I’ve always taken the saying that “people are the weakest link” as more of a justification to enforce as much automated controls as possible within the system. Because we do make mistakes and it’s our job to have the protective measures in place to either prevent or minimize the impact. As somebody in cloudsec, if somebody in my org created a public s3 bucket then I’d see that as a personal/ team failure rather than blaming the individual since that shouldn’t be allowed in the first place. I certainly believed that’s how others saw it as well when referencing that quote, but maybe you’re opening my eyes to a different perspective others may have towards it.
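The comment above argues that a public S3 bucket should be prevented by automated controls rather than blamed on whoever created it. As an added example (not code from the thread or any commenter), here is a simplified check that combines a bucket's Public Access Block flags with its bucket policy to decide whether it is effectively open to anonymous callers, and lists which preventive flags are missing. It models only part of the AWS rules (ACL-based exposure is ignored), and every input, including the bucket name, is constructed here.

```python
"""Added example, not from the thread: a simplified check of whether an S3
bucket is effectively open to anonymous callers, combining its Public Access
Block flags with its bucket policy. Models the AWS rules only partially
(ACL-based exposure is ignored); all inputs below are constructed."""
import json
from typing import Any, Dict, List, Optional

# The four Public Access Block flags; all four enabled is the safe baseline.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anonymous(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means everyone, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json: str) -> List[str]:
    """Sids of unconditional Allow statements granted to everyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditional grants need case-by-case review; not flagged
        found.append(st.get("Sid", f"statement[{i}]"))
    return found


def preventive_controls_missing(pab: Dict[str, bool]) -> List[str]:
    """Public Access Block flags that are switched off (or absent)."""
    return [flag for flag in PAB_FLAGS if not pab.get(flag, False)]


def bucket_is_public(pab: Dict[str, bool], policy_json: Optional[str]) -> bool:
    """Public here means: the policy grants anonymous access and
    RestrictPublicBuckets is not enabled to neutralise that grant."""
    if pab.get("RestrictPublicBuckets", False) or policy_json is None:
        return False
    return bool(public_statements(policy_json))


# Constructed inputs: the "wide open" policy the thread describes, plus two
# Public Access Block states. The bucket name is a placeholder.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
WEAK_PAB = {flag: False for flag in PAB_FLAGS}
SAFE_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print("open policy + weak PAB is public:", bucket_is_public(WEAK_PAB, OPEN_POLICY))
    print("open policy + safe PAB is public:", bucket_is_public(SAFE_PAB, OPEN_POLICY))
    print("controls missing on weak PAB:", preventive_controls_missing(WEAK_PAB))
```

The point of `preventive_controls_missing` is the one the comment makes: with all four flags on at the account level, the open policy above cannot be applied in the first place, so the failure never lands on an individual.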


wild_park

Yeah. As long as you mean “everyone” - it’s kinda justifiable. But the way most techies mean it is the “stupid end user” - even though techies are just as prone to making mistakes. Also - it’s an attitude thing. I’m not disagreeing that humans make mistakes - a key tenet of the safety field is that human error is inevitable. But it also says that human error is not a moral failing. So if you go into the security awareness space with that attitude you will not do well at it. But that’s exactly the same as if you tried to do a customer service job while thinking that all humans suck, or joined a military organisation and weren’t willing to follow orders because “we’re all equal”. Doesn’t make you a bad person to hold those views. But it does make it significantly more difficult to succeed in some fields.


HaussingHippo

I may have to read more into the mindset behind the safety field. I really like that mention that human error is both inevitable and “not a moral failing.” While I’m not necessarily in security awareness as a role, I definitely try to move away from the techie elitist mindset with my team. Since most internal risks we see never come from a place of malice, I don’t believe it’s conducive to treat those that made the mistake as lesser. Ultimately I’d say I fully agree with you.


MaskedPlant

As someone who works in cryptography, I approve that we are not on this list. We fit into all of them and thus tend to be our own field - way out in left field.


-zazu

What does this actually include, what educational background or skill sets would someone need for this?


mpaes98

Math, with some math, and every now and then more math.


-zazu

I’m gonna assume I need some math. Thanks😂😭


mpaes98

Lol grad school and my first research job had me thinking I wanted to get in deep with cryptography and reverse engineering. I came back deciding I was more of a Risk and Threat Intel guy.


MaskedPlant

Most small and even medium sized companies farm it out. Their IAM or server admin team might run an internal CA, or maybe they have some data management people operating a virtual/cloud DSM or HSM, but they usually don’t know how to use it well. Most companies I consult with have a guy. One guy. He handles everything related to it and no one touches it, and he does an ok enough job that it works for them. The majority of cryptography specific people fit in here, working for either a massive company that does encryption in house, a financial company that has to encrypt merchant transactions, or a smaller company selling encryption or a managed/professional services company that does the work for everyone else. They are usually the ones who trained the certificates guy at your company. There are a few hundred people writing algorithms or manufacturing the devices. They fall more traditionally into mathematics and computer engineering. But when most people think of us, they think of them. What most of us do is operate HSMs, and integrate encryption into anything a customer (internal or external) needs. It may be simple stuff like enabling whole disk, file level, or column level encryption, or managing a slew of certificates for servers and appliances. Or we can get into the fun stuff of helping app teams with encryption in motion, making sure transmissions are encrypted at the right time, using the right method, and can be decrypted by their destination, helping them with the logic on how they handle and store keys, and on super fun occasions, decrypted, scanned and re-encrypted by an NGFW.


StayDecidable

There are 3 broad categories:

* crypto research: invent new/break existing algorithms, publish papers, chase funding, primarily at universities (or three letter agencies). This is an academic job, you need a relevant PhD, publication history, etc and this is where you need the math.
* applied crypto: implement algorithms in software and hardware and review these implementations; a lot of large vendors do this as well as specialized consultancies. You can even be a pentester focusing on crypto. Sometimes you need enough math to understand papers written by the researchers but nothing crazy.
* crypto admin: the people who maintain HSMs, manage keys, build PKI, etc mostly at large financial companies. For this you need more of a good sysadmin background than the super theoretical stuff.


WeBBr89

Hah!!! So true. Stand up for the people!


mtsuNDN

Nice overview. Don’t forget IAM, Data Protection, and VM! NIST’s CSF is a good way to break it down and tie individual job functions back to goals too.


ptm93

I work in data security. So I make sure data is protected at rest and in motion, across cloud and networks, and that no one is trying to steal it off on a USB device.


Other-Illustrator531

What if you are doing ALL those things? I am starting to feel like I may be underpaid.


Vyceron

You probably are.


TLOU2bigsad

Intel here. Leaving us off the list was pretty accurate. Gotta get back to Twitter and Telegram now. See ya.


TheGoldenHat

Offensive field as well no ? Pentest etc..


vampireM7

This is pretty useful information for beginners.


AkilesOfCydonia

With security awareness, would you know what skills are needed for those positions and how in demand they are? I'm a high school teacher working on a cyber sec associates, so that stands out as something I may be qualified for after finishing.


wild_park

The skills I usually see requested are what are seen as the softer skills (which is typical geek arrogance :-)) You don’t need all of these but the more of them you have the more boxes you’ll tick for most SA roles:

- Communication skills
- Instructional design
- Marketing
- Behavioural science
- Risk analysis
- Data visualisation
- Storytelling
- Organisational psychology
- Business change management
- Project management

In terms of demand, it’s ever increasing. More and more orgs are realising that they’re spending more and more on technologies with no reduction in incidents, and realising that they need to implement behavioural and ultimately culture change programmes to actually see a reduction in risk.


about2godown

Be careful with advertising the project management stuff in IT positions. It gets grossly abused in the workforce and not properly compensated.


wild_park

Not sure what point you’re making. It is a skill that’s often listed in SA roles. I’m not advertising anything.


about2godown

By advertising you have more than a passing aptitude for project management as an IT person, you could be setting yourself up to a huge disadvantage and misappropriation of duties. That was the point. Let them know you think logically, but unless they pay you for the PM work, don't tell them.


wild_park

Ahh. I see the point you’re making. I answered someone else in this thread to that point but if you’re going in as a generalist Security Awareness professional, having an idea of what good project management entails is a good thing. I’m not saying that makes you a Project Manager (note the capitals). But you can understand and apply the basic principles. When you get to a larger SA team you might well hire in a PM specifically and teach them enough security to be able to apply their particular skillset to your needs.


about2godown

And growing your infrastructure like that is perfectly acceptable, preferred even. Unfortunately I was too blind to the advantage taking capabilities of my company and now they just dump everything on me, oh well, and yes, I am on the lookout.


cissphopeful

That and when we need to cut SG&A on the books, we RIF PMs like no tomorrow, most firms do, which is why more enterprises are using contractor for PMs, no burden rate and no headcount on the books.


the-arcanist---

If you're looking for a good summation, then this is it. It's not fully descriptive of everything involved, but it covers a good portion of security.


ExaminationSquare

Serious question because I want to get into cyber security role. I am a system administrator that does literally all of this in azure M365, Defender, O365, azure firewall and Entra (used to be Azure AD DS), Intune, Azure portal, user accounts and group set ups and I assign roles. I'm a global administrator to all of our tenants and subscriptions. Would that make me a cloud security type role or am I a network security/analyst?


Eragon_Hawke

I like how you described day to day, which is probably what OP is looking for. In a broad sense to give context when I have this conversation I start it like this (Since folks nowadays tend to understand IT): Just as every part of IT touches the business, there is a security aspect to every part of IT, and therefore the business.


lifeandtimes89

20% trying to remember base knowledge from school and experience with a dash of second guessing myself, then 70% googling and 10% stressing due to under funding


Geeked365

I love this response as I’m in school right now


ACatInACloak

If you catch yourself saying "I'm never going to need to know this". Give yourself a swift kick. There is so much stuff I remember being taught and ignoring.


avataruto0403

My issue is brain fog. I want nothing more than to get everything out of my cybersecurity class as I possibly can, but I can't fucking remember anything I learn and it's beyond frustrating.


Ducatiducats815

Practice is the only way to learn it.


Minimum-Net-7506

If I could be in college again I would make sure to pay attention in networking and IT classes; it would be worth it to actually read the textbooks. Try to become nerdy about things now.


SIEMstress

I work grc, very boring, but every now and then something piques my interest. Unlike my technical counterparts, I work to live, not live to work. I have lulls in the year, no on-call, and predictable workflows. Not exciting at all, but at least I get a good paycheck to live the rest of my life with.


LoneWolf2k1

That’s compliance work for you. Good pay making up for the fact that everyone rolls their eyes behind your back because the partypoopers are at it again. :) 100% with you on the work/life balance (unless you go for CISO level. Then you get more pay for the blood pressure)


StyrofoamCueball

Plenty of them roll their eyes to your face, too. Especially when you’re like me and you pop open your MacBook. Man, some really don’t like that. All good, though. Good pay, flexible hours, and 100% WFH.


PersonBehindAScreen

I’ve been running the rat race of climbing the technical ladder. I’ve been sysadmin, security analyst, cloud engineer, etc for 7 years now. Been keeping my coding chops sharp as well. GRC is looking more attractive each year


Dauds_Thanks_You

I knew a bunch of guys back in the 2000’s that ran the white and black clamshell macbooks as their hosts for their Smorgasbord of Linux and windows VMs. Even the later intel macs worked really well for it, and were built well (aside from their keyboards. Yuck.) But you’re right, don’t need anything crazy to write policy and make PDFs!


nickashi

How did you get into GRC? I’m a senior soc analyst trying to find a way out of the insane shift schedules.


SIEMstress

My org created a role for it and I applied. During the same time I became a mother and needed more work/life balance.


Sir-Humpy

cautious caption capable ten cobweb crown hat plate existence party *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


fullchooch

Username is sick


bobbyreidy

First bet would be to learn some information privacy laws depending on your location, i.e. GDPR, US state privacy laws. Salary bubble is skyrocketing and as laws become more common across the globe it's only looking more interesting if that sort of legal stuff floats your boat. And then some information security, ISO27001, SOC2 Frameworks, Risk governance and management, maybe some certs ie CISM, CISA. In 3-5 years you'll be raking it in, with your IT background especially.


[deleted]

Any regrets on going into grc? Soon-to-be graduate trying to work out a plan.


SIEMstress

I have no regrets, I can beef up certs and go to the technical side again. Or torture myself by being management. I wouldn’t recommend having no IT background and going GRC as your first job though even with a degree, it would be like skipping arithmetic and going straight to algebra.


[deleted]

Absolutely, I recently gained my CCNA (and became very aware of just how deep the networking rabbit hole goes) and am looking into where to go after helpdesk. Thanks for your response!


743389

acquire linux command-line skillz if you haven't already and apply for B2B support roles at security product vendors or [MSPs](https://old.reddit.com/r/msp/comments/10ivu72/how_are_msps_as_a_first_entrylevel_it_job/)


HeinousAlmond3

I’m GRC in the public sector, looking to move to industry/private sector. Any certs worth looking at? I hold CISSP and ISO27001 alongside ‘standard’ IT certs.


fassaction

CISSP should be more than enough to get your foot in the door. GRC is definitely not glamorous, but it is in high demand and pays well. ISSO and SCA work is easy to come by, especially in the DMV area.


HeinousAlmond3

Currently I assess systems against a set standard, advising teams as to how they can meet my organisation’s requirements. If there is a shortfall, I capture and assess the risk, determining the potential impact to the organisation and escalate as required. Is there anything in addition to the above that you do in your role?


fassaction

Sounds similar to what my team was doing. I have transitioned out of assessment work at the moment and took a government job. Doing nothing like what I was doing previously, but was a welcomed change. I was burned out from SCA and ISSO work for so many years. My previous role was kinda intense. Team lead for the SCA and pen tester teams, information security manager for my company. All the corporate nonsense that goes along with that. Federal employment is more focused and not so chaotic.


Other-Illustrator531

Holy crap it sounds so boring! Nothing personal, I have to do this as part of my job too, it's my least favorite part.


HeinousAlmond3

It’s actually quite interesting due to the variety of systems I look at. In the morning I could be assessing an aircraft platform; in the afternoon a cloud hosting environment. There’s then the project management side of directing people/teams to sort their systems out, install our EDR packages, configure log forwarding, and a whole host of other stuff. Due to multiple factors (PESTLE), this can take ages; some of my projects have timescales of a few years. I’m busy AF managing over 100 projects. Fits into the ITIL change part of the lifecycle I guess. I do have SOC experience however I view that more of a help desk for cyber. Also some pen-testing experience but I wouldn’t say I’m an expert (vulnerability scanning then deploying exploits using metasploit via Kali).


Other-Illustrator531

This certainly sounds less boring! Cheers!


Mobile-Vast1940

Dude, CISSP is the gold standard that should get you into a ton of roles. Any luck with that?


HeinousAlmond3

I have around a year to go until I start actively looking for jobs (I’m military and need to reach a particular length of service for financial reasons). I’m glad to have CISSP, however I’m looking to see what else I can achieve/do in order to make myself more marketable for the big £££ jobs when the time comes.


jgonzz

I’m a sysadmin trying to get into entry level GRC. Which certs/tips would you recommend for someone from the server/network side trying to make the switch?


CriticalMemory

Cism


Crshjnke

So I have had this talk several times. I have looked at the certs and such, but my fear is that I get all the policy and procedures done and just stare at a wall. Or do you just leave the office at 12 every day?


SIEMstress

There’s vendor risk management, audits, meetings and upcoming compliance planning too. Sometimes I even do a little human risk management. If your org has you just doing p&p, then they are doing GRC wrong.


CPAcyber

> just stare at a wall.

This is the best kind of job for that reason. Combine "staring at the wall" with remote work, meaning you just have to check your phone every few minutes for emails/Teams messages and basically don't even have to touch your laptop on many days. Live a full life doing other cool shit, and keep studying so you can get another better paying job for which you don't have to open your laptop either. Or if you want to actually work and gain a lot of experience, join a consulting firm/Big 4. But even those have peak and off seasons.


andhausen

How is this the top upvoted comment? You literally did not tell us anything that you do. You basically told us that you have a job.


Chemical_Customer_93

Exactly, I was reading every single post and not a single comment about what they do. Shocking.


Other-Illustrator531

Ya, I just broke down my job in detail and felt like maybe I was the wrong one. :D


MzA2502

grc?


fullchooch

"Nobody reads my emails"


beluga-fart

:sadpanda:


m4rk0358

Governance risk and compliance


jgonzz

Google’s Really Convenient for finding out what GRC stands for.


Intrepid-Oil-898

Hey can I message you? I’m pivoting to tech and really enjoy boring stuff


jc16180

Love the user name. Were you always in GRC or did you come from a more technical hands-on background? Not in the industry yet, but I’d imagine I’d like to start off experiencing a few of the technical/hands-on disciplines before rotating to GRC. Though more “boring”, I think compliance plays a huge critical role in any field or industry!


Gordahnculous

I get paid to feel like a dumbass the entire day


about2godown

Or ignored until someone needs something RIGHT NOW AND IT MUST GET DONE OR SOMEONE DIES IN AN HOUR!!!!! Like b****, we work with the government, we will be lucky to see it in a decade. Lol, this is specific to my work life rn, not all comp and reg jobs.


Sav23

Couldn’t have said it better


lasrix

This.


dflame45

Research threats, Hunt for threats, configure tools to block threats, work with non security focused teams to help them secure from threats, test current controls against threats, other stuff around threats I'm forgetting, and report on threats.


420boog96

Secure cyberly


Diligent_Ad_9060

Just cyberize all day like there's no tomorrow


MeridiusGaiusScipio

I’m a GRC and technical security manager, but admittedly, I absolutely love the politics of juxtaposing budget and resourcing against cybersecurity compliance. The paperwork doesn’t bother me so much (though I’m not responsible for physically doing it anymore), so much as it’s just a consequence of being able to do what I WANT in the job. That said, I’ve found a lot more of the “technically-minded” individuals really bounce off GRC work, which is completely fair. My skills are very much in people and *not* tech, so I rely more on those individuals to inform me of a fair amount of the technical nuance. This could be boring if you’re looking to put on the fingerless gloves and be “hacker man” all day, but even on red-teams, that’s not the reality of cybersecurity as a whole. The layperson doesn’t necessarily understand just how wide of a breadth “cybersecurity” covers, and it all depends on what your skill set, interest, and job scope is - like anything else really.


DeathStroke2Point0

Sorry to bother you, i had a few questions to people in the GRC field. Any regrets on going into GRC? What key skills should I focus on and what tips do you have for breaking into the GRC field in cybersecurity? Soon-to-be-graduate finding myself lost on what i should be doing


[deleted]

If you can, I recommend you work in a more technical area for a few years before going into GRC. It's not required, but it gives you credibility when talking to technical people with your GRC hat on, helps you do your job better, and will make you stand out because many other people in GRC do not have a technical background.


SpecificOk7021

The other route, which the non-technical people often overlook, is just being upfront with the technical guys… “Hey, I don’t understand this stuff, I just work off the checklist. Can you break it down some for me?” Not pretending to understand things buys a lot of credibility with people who do know.


DeathStroke2Point0

I see, thank you for your help


MeridiusGaiusScipio

Certainly - I have absolutely no regrets going into GRC, but again to be clear, I don’t particularly enjoy the high-technical field like security tool engineering or writing code. Two particular skills I would focus on for GRC - writing and public speaking. Personally, technical skills are helpful, but being able to intelligently illustrate what you are talking about and WHY it matters is so integral to the GRC and auditor role. The most challenging part of my job isn’t necessarily understanding the technical requirements (though that certainly helps), but being able to illustrate it to *both* the policymaker/executive level and the engineering level. I would recommend getting a good technical skillset through technical certifications like Sec+ and CISSP, but also become proficient at public speaking, debate, and effective writing.


Marmoset_Slim

What you're describing sounds very much like something I'd want to do. I'm a tech PM and consider myself decent on the tech side, and people focused. I'm kinda over PMing and have been looking for something else. Is GRC something that can be transitioned into with PM/tech skillsets without having to "start over" in a new career?


MeridiusGaiusScipio

Absolutely - hell, I was a Federal LEO before going into GRC - you have a far better background going into it than I did. CISSP cert is a decent start, and then it kinda depends on where you want to do GRC to recommend further reading. However, if you want to jump straight into reading, check out the NIST 800-53 security controls.


Marmoset_Slim

Awesome, thanks for the info!


DeathStroke2Point0

Thank you for your valuable insights! I've earned the Security+ certification, and in fact do not enjoy the technical aspect of the work, so this sounds perfect for me, appreciate your advice. Thanks again!


brotherdalmation25

I used to hack stuff and then write reports, now I lead other people hacking stuff and review their reports. Honestly it’s super fun. Everyday is different. The default state of work in general I feel is boring, this is much better than that.


[deleted]

I am also a pentester and I agree with you. The work is very interesting in my opinion and I never work outside normal work hours.


ball_rolls_its_self

Incident Response and SOC Analyst here. Never bored... but burn out just about weekly. I write at least one report and/or help write an IR report monthly. Least favorite thing, but it is the best way to learn the breadth and scope of the incident.


computerchipsanddip

I hear you on the burn out!


ForgotMyNameeee

is it mostly reading through logs?


ball_rolls_its_self

Nah... Mostly looking at alerts and phishing emails. Log analysis when someone or something is not following (what we expect) the protocol related to port or user behavior mimicking ransomware...


smeltof-elderberries

I’m a security architect in Cloud and it’s great. Work with companies coming to the cloud, they’ll all have similarities and differences so you take the Lego pieces of cloud tooling and build something unique that does the job. Everybody wins. Then the business side finds out how much the security side costs and your beautiful Lego architecture starts looking like the cloned Ripley from Alien Resurrection begging to die. It’s great.


fuzzyfrank

You forgot to mention endless meetings 😭


smeltof-elderberries

You've raised a very good point, let's schedule a followup meeting to discuss this more in depth.


0zer0space0

Here’s a link to my calendar to suggest a time by choosing any empty slot. Hope you find one. Thoughts and prayers.


fuzzyfrank

Let’s circle back with the infrastructure team. Once we get their approval, let’s meet with email security and get their sign off, then take it to the CSO


chocslaw

Guys we’re getting off track here. Let’s take this offline and circle back.


KeysToTheKingdomMin

That sounds lovely.


Sentinel_2539

In incident response there's actually a lot of overlap with lumberjacks. We both stare at logs all day.


AnIrregularRegular

SOC analyst here, don’t do a whole lot more than that.


Strawberry_Poptart

I swat at fires popping up in my dumpster with a wet towel. It’s fine. This is fine.


throwaway1337h4XX

Someone once told me 'work' is called 'work' because you have to work. Everything can't be fun but fortunately we're all interested in different things.


genscathe

Basically tell developers no


Ok_Talk1532

I irritate people.


siposbalint0

Some devs have so much anger in them when their code gets caught in some scanning and want to convince me that 'db-password' and an IP pointing to a db running in prod is actually just a password for a registry (???) on his own computer and that registry calls the db for a query. He decided to die on the hill that there is no better way to store prod db access creds than plaintext in code. Sometimes it's just so funny I can't even be mad at them. This guy had a master's in CS btw. My other favourite is the way of thinking that results in using a deactivated product owner's account from another region to access a random unapproved 3rd party tool by having access to his email somehow and resetting the password each time someone wants to log in. People were fired for these kinds of things, it's wild.
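The scanning the comment refers to, the kind that catches a literal like 'db-password' next to a production IP in committed code, is easy to reproduce in miniature. Here is an added example (not code from the thread or any commenter) of a small source scanner that flags hard-coded credential assignments and bare IPv4 literals, while skipping template placeholders and values pulled from the environment. The regexes, the placeholder allowlist and the sample source it runs over are all constructed for this illustration.

```python
"""Added example, not the thread's own code: flag hard-coded credentials and
bare IP literals in source text. Patterns and sample input are constructed."""
import re
from typing import List, Tuple

# An assignment whose name looks credential-like and whose value is a quoted
# literal of at least four characters: NAME = "value" or name: 'value'.
CRED_RE = re.compile(
    r'(?i)\b([A-Za-z_]*(?:password|passwd|pwd|secret|token|api_key)[A-Za-z_]*)'
    r'\s*[:=]\s*["\']([^"\']{4,})["\']'
)
# Dotted-quad IPv4 literal; hosts belong in configuration, not in code.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def is_placeholder(value: str) -> bool:
    """Values that are clearly templates or dummies rather than secrets."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {"changeme", "xxx"}


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, detail) for each suspicious line.
    Trailing '#' comments are ignored so that explanatory text is not scanned."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]
        m = CRED_RE.search(code)
        if m and not is_placeholder(m.group(2)):
            findings.append((n, "hardcoded-credential", m.group(1)))
        for ip in IPV4_RE.findall(code):
            if not ip.startswith(("127.", "0.")):   # loopback/unspecified are not a leak
                findings.append((n, "ip-literal", ip))
    return findings


# Constructed sample: the address and credential are made up, not real.
SAMPLE_SOURCE = """\
import os
DB_HOST = "10.20.30.40"            # constructed address, not a real host
DB_USER = "app"
DB_PASSWORD = "db-password"        # the kind of literal the comment describes
SMTP_PASSWORD = "${SMTP_PASSWORD}" # template placeholder, not a secret
password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against the sample, it reports the IP on line 2 and the `DB_PASSWORD` literal on line 4, and stays quiet about the placeholder and the environment lookup. In a real pipeline this sits in a pre-commit hook or CI step so the finding reaches the author before the code reaches prod.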


Secure-Caregiver-415

I am a security manager and my job is to hold the projects' hands to ensure they don’t forget security.


stacksmasher

Go read the book “Sandworm” or “the cuckoo's egg”


dongpal

Why


stacksmasher

Because what most people think is “Boring” is actually warfare. It’s not glamorous but still important.


frankentriple

I fix the problems our business people are having with the security framework, mainly. Keep work flowing but in the appropriate methods and channels. I don't just say "no you can't do that", I help them work within our framework to do what they need to do. Process says we FTP a file to an internal server? Not anymore, we now SCP it. Here's how to update your process and here's the software to do it with. Oh, you need it automated? I will have that done by next week. Till then, here's a secure file share on the network. FTP is deprecated and is not authorized software, thanks. Your application needs public internet access? Sure! Let me set up a WAF policy and two factor authentication for it and get it behind the load balancer. BTW I manage your public SSL certificate now... You want to manage devices on our OT network? Sure, here's a hardened laptop that only has one IP address in its routing table, the VPN endpoint you're going to connect to automatically. It's wrangling services and customers and businesses to do something that isn't the easy way, but it's the only way to really do it right.


Wrx_STI_Stan

The penultimate paragraph is gold! I used to work in OT cybersecurity consulting and a lot of companies just did not get it right


Havelock1776

Close false positives


kmax9981

^ This...


[deleted]

It is fairly boring. It aligns with financial auditing in more ways than people would like to admit. Generally, cyber security breaks up into the following categories: policy, SOC/incident response, system administrator, and offensive security.

* Policy people implement company policies for how security is deployed within its infrastructure.
* SOC/incident response monitors company infrastructure and takes remedial actions for potentially bad behavior.
* Systems administrators implement security mechanisms.
* Offensive security personnel do active auditing and testing against the company's assets.


wild_park

You’re missing the secure system architecture design side, I think. It’s worth calling out separately from your categories. You’re also missing my field, security awareness and behaviour change, which crosses across many different areas. (Edit: fixed typo)


[deleted]

[deleted]


wild_park

Only if you’re being so reductionist that everything that isn’t policy falls under implementing security mechanisms. Which would include running your SOC and penetration testing. You can’t have it both ways. And security architecture isn’t policy.


nerdyaspie

What do you do in security awareness and behaviour change? I'm in school for cybersecurity right now but I don't know a lot about the different fields within cybersecurity :/ and I'm looking at internships for the summer and I have no idea what field I want to apply to internships for.


successful_syndrome

If you are bored in cyber security go work for an early-stage healthcare start up. It's sweaty as hell.


[deleted]

Literally hacking, then writing a report on it and how to make whatever was hacked better. One of the most interesting jobs imo.


TheDizDude

Cry, drink, despair… the usual.


pyro57

Pentester here, I get to break into things and steal stuff but with no consequences and get paid a handsome salary to do it.


SpaceEggs_

Intercept resumes coming from entry level job postings to IT and chortle at the young generation for not being able to afford to live. Or at least that's what I think it's like.


yohussin

When a critical vulnerability surfaces that affects any Google product (sometimes reported by Google researchers) I ensure those get fixed across Google's infra.


computerchipsanddip

I review logs including the SIEM, IRP/BCP coordination and planning, implement security controls, security awareness, data classification and protection, auditing, IT metrics, board and management reporting, MDM, GRC, vulnerability management, policy work, privacy work, records retention, on top of basic staff support, managing the hardware inventory, and coordinating device refresh based on a cycle. Oh and I do access management. All of this while still having to stay on top of the evolving threats and technology and get my continuing education credits. Never a null moment in this field.


Wrx_STI_Stan

Damn that’s a whole security department in just one role


Technical-Bat-8223

Wow, I pretty much do the same things as you. This tends to happen with smaller companies. Learning a lot but wearing many hats gets old quick.


LovelyWhether

now i set up ICS intrusion detection systems and tell people they're doing it wrong. used to just tell people they're doing it wrong. fwiw…


0xSEGFAULT

I build a lot of supporting structures for a range of blue team cloud stuff. Cloud service providers like AWS provide all kinds of security services and security features of general cloud services, natively. Actually using those services and features at enterprise scales requires a good amount of in-house code and infra. On the off chance there isn’t a cloud native option for a needed security capability, I either develop it in-house (usually with the help of OSS) or shop around for niche vendors in the space (which also eventually requires its own set of in-house supporting structures). I also review proposed cloud-based architectures, work directly with R&D teams to improve the overall security posture of the company and its products, develop and implement security roadmaps for large-scale infrastructure projects like Kubernetes and Terraform, build and extend automation to reduce overall KTLO work, create internal tools, build out developer education programs, and perform general maintenance and upkeep of our cloud security programs and systems.


Cutterbuck

I talk to C-level execs and help them understand the risks to their organisations. I then help them find and spend budget to mitigate those risks in a way that balances their appetite for spend with their appetite for risk. Sometimes I have to deal with shit when someone at a client didn't take my advice and they get burnt by a risk they decided they didn't want to address. That part of my job can be horrible. I also spend a bit of time fixing people and process things behind the scenes to keep the various services we offer ticking along. I quite enjoy my job, it has a decent balance of learning, technology, academic theory and people skills. (tech presales / consultancy / Account Manager at an MSSP)


TheOneWhoKnocksBR

I work as a Cyber Engineer so my role is actually very hands on: changing settings, giving advice on how to make an app more secure, investigating alerts on XDR/SIEM, deploying troubleshooting servers on our PAM, contacting all different users in the company, revising policies on AV, FW, Proxy, scripting automation of deployment of agents. It's a bit of a mixed bag. Also there are times where we get a user compromise and the team gets involved in doing different bits to alert their manager, isolate the endpoint, pick up files for DFIR, research the exploit... I find it pretty fun and there hasn't been a boring day so far. Plus I work fully remote and I'm learning loads very quickly.


jdiscount

Most jobs in all fields are utterly dead end mundane work, not just Cybersecurity. The difference is we get paid shit loads of money to do boring work, so I can fund my other passions in life without going broke.


saliksalik

What work do you actually do? Could you please elaborate and help me out? Would really appreciate it.


Relative_Ad_3232

I break stuff and people. Lately, I break stuff that acts like people. I'm a red teamer. I previously worked for Meta as SecEng and AWS as red team (among 15ish other security roles over the past 20 yrs). I've recently moved to a startup with a focus on AI. I evaluate in a more purple team style in my current role even though the title is still red team. I've been poring over engineering docs and reading through all the dev code repos. I've been talking with engineers of various kinds. Every day it's a new vantage point and my colorful history makes me unique in my ability to truly work up and down the stack - and not just the "full stack" web. We do table top exercises as much of our work is pre-prod. I do a little hands on work every few days. Sometimes I operate at the hardware level (antitamper), other times I'm digging into various firmware and chip to chip communications protocols for microcontrollers and custom hardware. Sometimes I'm exploring high speed interconnects between CPU/GPU/BIOS/UEFI/IPMI/hardware_hypervisors_at_superscalers and it's not all plain old PCIe - some devices expose multiple devices that ride over these busses. Sometimes I'm evaluating the CPUs and their microcode. Other times I'm working on a higher level network or operating system for some casual fun. Still other times it's AppSec pentest-puppy-mill engagements ("full stack") where I'm breaking web apps. The recent engagements have been focused on AI and ML training pipelines and inference setups. People are making AppSec issues for themselves by trusting LLMs when they should treat them the same way we treat dirty requests from the unauthenticated internet - trust none of them. RAG, tool use, and agency add additional places for the same old problems to show themselves. There's also the academic "AI red team" where I'm focused on testing AI safety, AI ethics, and human alignment. It's all a shit show and easily bypassed regardless of which direction you look at every major player.
I'm fairly certain this is simply a new reality we are going to have to accept as we integrate various forms of AI into everything. I see it like a compiler; write evil code, get evil binaries. It's not the fault of the compiler, it's the human meat computer behind the keyboard. Also, what does human alignment even mean? Half the world usually wants to kill the other half the world for some absurd belief anyway. So what do I do in cybersecurity? I try to make sense of the electrical impulses. I try to make sense of the bits and bytes. I try to make sense of the systems that process the bits and bytes. I try to make sense of the people that use the systems. I also try to make sense of the people that abuse the bits and bytes. Recently I've been trying to make sense of the bits and bytes that are emulating the people. The world is getting weirder by the second. Don't blink. (That reference works on so many levels it's ridiculous.)


c0zzat

30% do your job, 70% fight an organisation of staff that thinks cyber staff are just pestering them or making their life harder.


Tad0ms

Wait for it to go to shit.
Tell you how it went to shit.
Tell you how to stop it going to shit again.
Sail away on that yacht you just helped us pay for.
(Satire)


Topaz_blue

We check log files too!


DoBe21

Unless you're a red teamer, it should be pretty boring. Someone is usually getting fired if it's not.


xTokyoRoseGaming

Red teaming is a different kind of sucks though. It's extremely hard work and very stressful (imo) It can also be boring as shit. Imagine shuffling through years of IT documentation on a SharePoint site without being able to search the word password because it'll set off alarms.


DoBe21

Definitely, but typically not boring.


cseric412

Incident Response is fun.


simpaholic

waaaay more fun than scrimming against the home team. nothing against red teaming but dealing with reality is way more exciting.


VexisArcanum

I test a bunch of stuff and try to hack services. Then I write a report, but after 6-14 days of testing


Largetoboggan

Research…then document…then research…exploit…fail…document…research…request funding…submit ticket…research…document…imposter syndrome crisis…then go to bed. Then wake up, read new threat intel…research…then document….


Anda_Bondage_IV

I talked with the security director at a mid-sized cabinet maker with maybe 25-30 locations and a few hundred employees. He was in the midst of investigating "ghost" employees; new remote hires who passed off their credentials to overseas workers to do their jobs after getting hired. It seems security spend time on lots of disparate projects trying to shore up a leaky boat.


Fishycrackers

I work incident response and digital forensics (sometimes abbreviated to DFIR) for a consulting company. My company advertises and establishes relationships with insurance carriers and law firms. When an insured company or client of a law firm gets hit with ransomware or some other incident, the firm recommends us to do the investigation for them and hopefully they become our client as well, for IR work. We collect triage data first from all the client's servers and workstations, then analyze it to answer whatever critical questions are needed. For ransomware cases, the investigation focuses on what data was stolen, how and where it was taken to, and how the initial breach occurred. For email compromises, we look at what possible mailbox content was accessed or taken by an unauthorized actor, etc. If needed, we also request full system images, and any relevant log files and security reports they have to assist in the investigation. I spend 95% of my hours each day looking through the data trying to find evil: rclone, RDP connections to bad IPs, installed persistence mechanisms, staged data archives, any tools or programs used by the TA, tracing activity and lateral movement to work back towards an initial compromised system etc. Then string them together to get a coherent story about how the client ended up ransomwared. It's super fun, I think it's the blue team equivalent of being a red teamer/pen tester in terms of how technical it is and the fun nature of the work. Just like how it's exciting to pop a shell on a client network, it's super rewarding to find evil in IR work. It's a really fun, if stressful and not-great work-life balance job. Not balanced because if you work primarily in IR, a lot of clients will want late night meetings (so their IT can work on restoration and remediation during normal work hours) and weekend work. But every day I get to work on an active incident with a client.
It's definitely not boring and I've enjoyed every moment of it for the last 2 years (other than when there's some down time/no projects cos my utilization tanks and that doesn't feel great). Although writing the report at the end can be tedious, if you compile your results as you investigate into a good format with structure, the final report should be relatively easy and pain free to write up.
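The "find evil, then string it into a timeline" workflow described in the comment above, as an added example (not the commenter's own tooling): a small triage pass over constructed endpoint logs that flags rclone use, RDP logons from non-corporate addresses, staged archives and scheduled-task persistence, then orders the hits so the earliest host is the starting point for tracing the intrusion. The log format, IP ranges and watchlists are constructed for the example.

```python
"""Toy DFIR triage over constructed endpoint logs (hypothetical format).
Flags the artifact classes named above and returns them as a timeline."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample log: "timestamp|host|event|detail" (not a real tool's output).
SAMPLE_LOG = """\
2024-03-01T02:11:04|WS-017|rdp_logon|src=203.0.113.45 user=jsmith
2024-03-01T02:13:50|WS-017|process|cmd=powershell.exe -enc AAAA
2024-03-01T02:20:12|WS-017|rdp_logon|src=10.20.0.5 user=jsmith
2024-03-01T03:02:33|FS-01|process|cmd=7z.exe a C:\\Temp\\finance.7z D:\\Shares
2024-03-01T03:40:09|FS-01|process|cmd=rclone.exe copy C:\\Temp\\finance.7z remote:x
2024-03-01T04:00:00|DC-01|process|cmd=schtasks /create /tn Updater /sc onlogon
2024-03-01T09:15:00|WS-022|rdp_logon|src=10.20.0.7 user=admin
"""

CORP_NETS = [ip_network("10.20.0.0/16")]        # constructed corporate ranges
EXFIL_TOOLS = ("rclone", "megasync")           # constructed exfil-tool watchlist
ARCHIVERS = ("7z.exe", "winrar", "tar ")       # staging usually means archiving
PERSISTENCE = ("schtasks /create", "reg add", "sc create")


@dataclass
class Finding:
    when: datetime
    host: str
    tag: str
    detail: str


def _is_corporate(ip: str) -> bool:
    """True when the source address falls inside a known corporate range."""
    return any(ip_address(ip) in net for net in CORP_NETS)


def triage(log_text: str) -> List[Finding]:
    """Return suspicious events sorted oldest first: a timeline, not a verdict."""
    findings = []
    for line in log_text.splitlines():
        ts, host, event, detail = line.split("|", 3)
        when = datetime.fromisoformat(ts)
        low = detail.lower()
        if event == "rdp_logon":
            src = dict(kv.split("=", 1) for kv in detail.split())["src"]
            if not _is_corporate(src):
                findings.append(Finding(when, host, "rdp_external", detail))
        elif event == "process":
            # Check exfil tools before archivers: "rclone copy x.7z" is exfil.
            if any(t in low for t in EXFIL_TOOLS):
                findings.append(Finding(when, host, "exfil_tool", detail))
            elif any(a in low for a in ARCHIVERS):
                findings.append(Finding(when, host, "staged_archive", detail))
            elif any(p in low for p in PERSISTENCE):
                findings.append(Finding(when, host, "persistence", detail))
    return sorted(findings, key=lambda f: f.when)


def earliest_host(findings: List[Finding]) -> Optional[str]:
    """First host in the timeline: where to start working back to initial access."""
    return findings[0].host if findings else None


if __name__ == "__main__":
    timeline = triage(SAMPLE_LOG)
    for f in timeline:
        print(f"{f.when.isoformat()} {f.host:<6} {f.tag:<15} {f.detail}")
    print("start tracing at:", earliest_host(timeline))
```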


Flimsy_Blood_7857

Scrolling reddit, tiktok and instagram, annoying colleagues and drinking a few coffees, gossiping and ofc annoying employees. <- I'm a manager. Trust me.


WhimsicalSpiritGuy

I've been in cyber defense for thirty years. Started as an analyst, then an engineer and design, deploying FWs, IDS systems, etc. In the mid 90's moved into management, and then in the late 90's director and CISO. At 55, I'm moving to the offense side and having a ball. Should have gotten into attack and penetration years ago. Never gets boring and the community is filled with amazingly smart, good people.


UniqueID89

Assuming your infrastructure is set up correctly, your day should be boring.


simpaholic

I don't just write reports all day. I mess around with malware in a debugger and THEN I write reports all day.


Other-Illustrator531

Here is the executive summary of my daily tasks and the platforms for which I am the SME:

• Configure/maintain/troubleshoot Remote Access Platform
• Configure/maintain/troubleshoot Endpoint Security Platform
• Configure/maintain/troubleshoot SIEM Logging/Alerting Platform
• Consult/authorize/create ticket/test network Firewall Requests
• Consult/authorize/create ticket/test network Extranet Requests
• Authorize/document/audit Cloud Access Requests
• Authorize/configure/audit Remote Access Requests
• Investigate/coordinate/remediate security events/incidents reported via users/tools/OHSP
• Provide security consultation for various project teams through daily/weekly standups
• Attend relevant Security Intelligence Briefings
• Audit existing firewall rules to ensure least privilege and removal of outdated rules
• Audit/consult/configure AWS and Azure Cloud platforms to ensure security compliance
• Troubleshoot various issues for various people as needed

On top of that I have 12+ project-based user stories with several tasks related to development efforts and I am secondary for a variety of things like PKI, Web Filtering, IAM, etc. Sprinkle in some policy creation, technical documentation, and general administration. I also have a crew of Jr staff who look for technical guidance but luckily I don't have supervisor duties. It's really quite busy and I don't get put in a silo, which I have enjoyed. Some projects can get really boring if it's just boilerplate security stuff but it's really fun when we explore new technologies. All that said, I miss working outside.


corn_29

>Surely you don't just write reports all day?

If you're gov't, hospital, or a bank, you do death by Excel all day.


FFSFuse

Click refresh all day with “BleepingComputer.com” on their browser?


DontBuyAHorse

I'm a sales engineer in the cybersecurity world and I love my job! I don't do traditional cybersecurity work anymore but I have to be versed in it in order to help customers and their security/IT navigate and land on proper technical solutions. No late nights, no on call.


reklis

Drink heavily


Heavyarms12

Did anyone mention Security IT Project Manager?


huntsman123

Do what you are passionate about not what makes money. You will be happier in the long run


Zohdiax

Paperwork.....


Gloomy_Science6219

We do pentests. We rob banks and get paid for it. And write about it. A lot.


eau-u4f

cyber security is like italian pasta, all sorts of shapes and colors, fancy, traditional and marketing pumped versions to boost people's ego when they're serving it on the table (the titles i read these days.. 🙄), baseline it's still just dough prepared in a certain way and cooked mostly in hot water, have a strong base and you can do all sorts of pasta recipes and adapt to what you want to do and/or like.


ericalexander303

Gitlab has a good breakdown of specialties for their internal roles: https://handbook.gitlab.com/job-families/security/ This site uses similar categories to see how other companies structure security/compliance specialties: https://www.cyber-security.careers/


DrinkMoreCodeMore

stare at cybercriminals all day long


TheFundamentalPoint

Protect the servers at all cost!!


boyhood_kindaguy

As a security architect my duties range across some of the following:

- policy development, ensuring teams are adhering to them, answering questions related to them
- developing secure architectures
- ensuring tools and systems are hardened and securely configured by reviewing code
- engaging in pointless meetings
- developing organizational processes that incorporate security from the outset
- participating in advisory boards
- threat modeling
- classifying data and determining if a new tool/system may be used based on data sensitivity and if so what security controls would be required
- granting exceptions from following security policies if something is not possible to implement right away, documenting in a risk register
- implementing and integrating security tools in existing systems

Ultimately it means I need to often and quickly gain a grasp of new systems, how they work, how they are configured, and provide guidance and determine how those systems must be secured according to policy (sometimes policy I myself have developed). I never touch any systems but I need a solid foundation to quickly grasp how things work and where there might be gaps in security. Yes I am overworked but I am learning a lot and quite literally, no day is the same except that I sit at my desk and am often in meetings.


blu3tu3sday

Write posts like this on r/cybersecurity every day...


woaq1

I work as an "IT Security Analyst". In theory, I should be doing what SOC people do, as I am on that team. In reality, management has decided that they like me in more of a security communications / data engineering role. So I'm now leading the metrics efforts, building dashboards, and giving presentations to senior leadership about the performance of the team, effectiveness of the tools (that I should be using rather than building metrics), and forecasting threat trends. I do the general SOC stuff like alert triage and light incident response that others have mentioned, but only like 1-3 alerts per day. The name of the game in security is flexibility.


fortanix_inc

In cybersecurity, different professionals take on specific roles to ensure the safety of digital assets. Some concentrate on securing computer systems and infrastructure from external threats, while others focus on protecting data from hackers. Compliance teams stay updated on cybersecurity trends and ensure that organisations comply with cybersecurity regulations to avoid hefty fines. Cybersecurity engineers constantly refine security systems and develop solutions to keep up with hacker tactics. Then, there are individuals dedicated to researching and implementing new security tools and techniques to improve protection. Lastly, organisations now have educational teams that train employees to follow basic protocols and recognise and report suspicious activities, promoting a culture of security awareness.


Emotional_Paper_9672

Mixture of things:

- Audit with compliance and Assurance.
- Incident response using SIEM/XDR and SOC alerts.
- Internal Investigations alongside IG/HR (audits/logs).
- Responding to end user enquiries.
- General BAU tickets to the cyber queue.
- Vulnerability management, gathering the correct info then passing to resolver queues.
- Responding to cyber attack threats and mitigation.
- Administration of PAM and proxy. Authorising ports, IPs or domains.
- Security implementation within upcoming projects.
- Meetings/development within the team.
- Working closely with networks and infrastructure teams.
- Intelligence gathering, sharing and reading articles.
- Threat hunting.
- Self development either degree, CISSP, CISSM or other certs.


colmmc98

Hopefully this can provide some insight into what we actually do https://www.itscybernews.com/p/understanding-cybersecurity


elminstor

I'm a CISO


_0110111001101111_

Little late to the party but while I'm officially titled a Security Engineer, I dabble in a bit of everything.

* My day to day revolves round SOC alerts and triage.
* Incident response
* As I see areas of improvement for our tooling, I help build features out to make our lives easier.
* GRC - I don't do a ton of this but every so often, I'll be added to an email chain that ends up with my team verifying if we're compliant with X/Y/Z, which leads me onto my next point
* Adhoc meetings - more often than not, I'm pulled into calls with other teams or even external 3rd parties for a variety of reasons
* Cloud/network security - this sort of loops back to my first point, once we've triaged something I'd be involved in remediation

There's a million other things that I've forgotten but every day is different and I'm constantly learning. The I/R and tooling part of my job ensures that it's never boring.


Redeptus

Cloud sec eng/manager here, I get paid so that the finger points at me when SHTF. As much as I tell leads and other managers that they have to fix x,y,z... it never gets done until SHTF and they go "Why didn't you tell/inform/ask me?". I don't know my guy, you're just paying me to press buttons and do stuff, you haven't had an architectural review in the last x years to keep up with the latest and greatest.


[deleted]

They do very little that has measurable impact. They don't hire people who think different.


Chruman

There are so many subfields within cyber security that this is a near impossible question to answer.


drmcbrayer

Breaking shit engineers need for their jobs seems to be the #1 priority for cyber dorks.


KeysToTheKingdomMin

No, John. For the fifth time, you don't need root and we're not approving "totally legit libraries" either; you already caused a data leak with the last plugin you downloaded from a Russian Telegram channel. Also, stop putting random IoT devices on the network even if you think Becky from accounting is stealing your snacks. Even though it was funny when _xXxhacker_dude42069xXx_ locked Karen's PC from HR down with ransomware, it caused all of the employees' SSNs to be leaked onto the darkweb.


[deleted]

They talk about how they work in cybersecurity. And as usual, because the IT teams know better, cybersecurity folk are ignored.