Digital transformation (DX) has wholly altered the cybersecurity sphere, and the roles within the space have followed suit.
As businesses embrace more private and public cloud applications and services to accelerate business processes, integrate Internet-of-Things (IoT) devices for improved operational efficiencies and business intelligence, and rely on DevOps processes that demand faster and more frequent releases, they find themselves facing a sprawling digital attack surface that is constantly evolving and expanding. In addition, areas of this extended perimeter often pose greater risk, as they are harder to protect against attacks that employ tactics and techniques that speed their velocity, increase their sophistication, and make them more insidious.
This grand change not only impacts what is expected of the CISO but also expands the demands and expectations placed on other members of the cybersecurity team who report to the CISO. And as the educational, qualification, and experience requirements pile up, so does the difficulty in recruiting and hiring candidates who meet them. As research shows, there are a number of factors involved when it comes to candidate recruitment—and an effective and compelling job description typically tops the list.
The days of managers quickly finding a job description online and copying and pasting bullet points from it are gone. Hiring leaders must thoughtfully craft a job description to attract candidates who align with educational, qualification, and experience requirements, but also help filter candidates based on cultural fit and undervalued soft skills. With many organizations pressed to find enough security talent and moreover talent with the skill sets they require, it is difficult to overemphasize the importance of a job description.
In addition to the above, an effective job description must reflect the nuanced changes that have taken place due to digital transformation (DX). DevSecOps, for example, requires skill sets and experience outside of the traditional security realm. The same can be said of cloud security and compliance with regulatory and security standards and their nuanced requirements. Consider security administrators. While employers still require candidates with extensive endpoint protection skills and experience, they must have a broader skill and experience portfolio than just endpoint protection.
With the above DX challenges in mind, the following takes a look at six cybersecurity roles and the changes that have occurred for each.
Average U.S. Salary: $150,942
Feeder Roles: Cybersecurity Administrator, Cybersecurity Consultant, Penetration and Vulnerability Tester
A few years ago, cybersecurity architects did not exist in most organizations. Rather, any architecture elements associated with security were handled by network architects or general architects who handled everything IT related. But as the threat landscape evolved and the breadth and depth of requisite security tools grew, the role of the cybersecurity architect expanded in scope. Mapping the topology of an organization’s endpoint protection requirements across servers, storage systems, and end-user desktops and laptops no longer sufficed.
Suddenly, security architects found themselves on the firing line and accountable for an ever-expanding attack surface and a dramatically larger set of security tools to protect previously air-gapped operational technology (OT) systems, DevOps environments, headless IoT devices, and much more. Traditional security approaches in many of these instances proved inadequate, and security architects were charged with designing security systems to protect this new attack surface.
The emergence of new regulatory and industry compliance requirements also necessitated a new model for compliance tracking and reporting. Without the right security architecture in place, demonstration of compliance can quickly become a huge manual snarl that consumes valuable resources and time—and the end result of log pulls and reconciliation may even fail to meet compliance requirements. To solve these challenges and ensure that compliance tracking and reporting enables rather than inhibits the business, CISOs, CIOs, CFOs, and other C-suite executives who are involved in compliance look to security architects to design security systems that are effective, efficient, and simple to use.
As the attack surface expands, so does the number of point security solutions organizations use. But this increases security complexity and places additional demand on security teams that are already stretched—due to both a shortage of cybersecurity professionals and specific skill-set gaps. To offset these challenges, security architects are under pressure to reduce the complexity of security architectures and find ways to improve staff productivity.
All of the above also means that security architects must possess more than an outstanding list of cybersecurity skills; they must also possess soft-skill strengths to translate business requirements into technological configurations. This requires great problem-solving, collaboration, analytical, and negotiating skills—to name just a few.
For CISOs who are recruiting a security architect, a great job description is a critical starting point. Download a sample cybersecurity architect job description.
Average U.S. Salary: $99,999
Feeder Roles: Penetration and Vulnerability Tester, Cybersecurity Specialist, Incident Analyst, Cyber-crime Analyst
The cybersecurity analyst role, also referred to as information security analyst, is not only the position with the most job openings in the profession but also sits on the U.S. Bureau of Labor Statistics list of the top 20 fastest growing occupations.
The increase in demand for these professionals largely parallels the growth in responsibilities and workload these employees are expected to take on due to DX pushing the confines of the attack surface. This is exacerbated by an advanced threat landscape that is harder to defend against, coupled with a shortage of qualified security talent.
Instrumental in planning, implementing, upgrading, and monitoring the network for security breaches, cybersecurity analysts are under pressure to find effective and efficient ways to detect and respond to cyberattacks that are coming in higher volumes and velocity as well as greater sophistication.
Similarly, the role of cybersecurity analysts has become much more proactive. While they are still expected to perform forensics analysis of attacks, intrusions, and breaches after they occur, they also are expected to proactively predict attack vectors and methods. Now, more than before, organizations look to security analysts to proactively make suggestions that can improve the overall security posture based on knowledge of new security technologies as well as new vulnerabilities and exploits—known and unknown. As part of this process, cybersecurity analysts must be able to effectively communicate with senior security and even business leaders on these matters. In sum, recommendations must be both retrospective and prospective, with the latter focused on helping to predict attacks and intrusions before they happen.
It is vital to understand that this kind of analysis has been rated the most time-consuming activity a cybersecurity professional can undertake, according to a new report from (ISC)². One of the outcomes of these new job expectations for cybersecurity analysts is that they must embody strong soft skills, such as time management, analytical skills, and organizational skills.
And with the demand for cybersecurity analysts already high and continuing to grow, CISOs should prepare to make initial offers as competitive as possible, bolstering employment packages with attractive perks and benefits that prove to be special differentiators. CISOs can get a head start recruiting cybersecurity analysts by downloading a cybersecurity analyst job description that reflects recruiting best practices.
Average U.S. Salary: $119,229
Feeder Roles: Cybersecurity Consultant, Penetration and Vulnerability Tester, Cybersecurity Analyst
Cybersecurity engineers are integral to assessing and improving an organization’s overall cybersecurity posture. Yet, CISOs struggle to find and retain these critical mid-tier hires amidst an increasingly dire talent shortage and widening skills gap. The U.S. Bureau of Labor Statistics predicts an 18% increase in jobs for cybersecurity engineers through 2024, a rate much higher than other job sectors.
What is more, whereas security and network leaders have nearly always expected these jack-of-all-trades professionals to come with a broad spectrum of technical experience that reaches across operating systems and penetration testing and into digital forensics and encryption, the scope of the security engineer role is expanding further. Specifically, driven by the evolving threat landscape, the role of cybersecurity engineers is expanding beyond just hands-on intervention into strategic risk management and the implementation of the overall security mission.
When it comes to hard skills, the cybersecurity engineer is expected to keep pace with the rapidly changing threat landscape and the new security tools that must be deployed to address the expanded digital attack surface. Here, while cybersecurity engineers are expected to have traditional skills around antivirus software, intrusion detection, firewalls, and content filtering, they also are expected to understand forensics analysis and planning and implementation of security policies, standards, and procedures.
In addition to the above, cybersecurity engineers must also communicate cybersecurity and compliance issues to peers and management and collaborate cross-functionally—both within the security group and across the organization. Part of this process includes communicating issues related to general cybersecurity governance and what is required to meet compliance mandates. For the latter, this means functional knowledge of regulatory and industry standards such as the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and others as well as security frameworks such as the National Institute of Standards and Technology (NIST).
And with growing concerns about the supply chain (largely driven by DX), cybersecurity engineers build systems that account for attacks routed through third parties. These systems must control and monitor network access for users, devices, and applications based on business requirements.
Due to higher expectations in terms of skills, experience, and training, coupled with a smaller pool of qualified cybersecurity engineers, CISOs are having a harder time finding cybersecurity engineers who meet their requirements. CISOs can differentiate their advertisements for cybersecurity engineers by downloading a sample cybersecurity engineer job description.
Average U.S. Salary: $117,145
Feeder Roles: Cybersecurity Specialist, IT Auditor, Incident Analyst, Cyber-crime Investigator
It is no secret that consistent, meticulous penetration testing and razor-sharp intrusion detection, which brings to light hidden and unexpected threats, are critical to maintaining an organization’s cybersecurity posture. Annual or biannual shotgun-style penetration testing is no longer sufficient, and those who choose to keep these duties in-house will find this a much easier role to hire for than other mid-tier positions (e.g., cybersecurity analysts or cybersecurity engineers).
Unsurprisingly, the work of these “ethical hackers” has evolved in line with the vast and varied nature of new hazards and the rapid transformation of the tactics and techniques employed in cyberattacks. Due to the volume, velocity, and sophistication of malware and botnets, penetration and vulnerability testing must be developed as an ongoing cybersecurity methodology. And with DX extending the attack surface into new areas such as IoT devices, OT, and the cloud, the charter for penetration and vulnerability testing is larger than ever.
This has dramatically transformed the role of penetration and vulnerability testers, who must understand how to probe for vulnerabilities from on-premises data centers to multiple clouds, from standard endpoint devices to headless IoT devices at the edge of the network, and from the campus to edge branch networks. In this new digital era, penetration and vulnerability testers must not only be able to work well in standard “red” and “blue” team environments but also possess the soft skills to communicate the implications of vulnerabilities, exploitation scenarios, and potential business outcomes to key stakeholders.
Unfortunately, for CISOs seeking to recruit and hire penetration and vulnerability testing professionals, the undertaking is hard—and becoming more difficult. Those at the top of their profession make over $153,000, according to the U.S. Bureau of Labor Statistics, which also forecasts a 28% growth in the job role through 2026. CISOs can get a penetration and vulnerability tester job description.
Average U.S. Salary: $70,197
Feeder Roles: Security Administrator, Network Administrator
The realities of the advanced threat landscape necessitate that CISOs embrace the premise that intrusions and resulting breaches and operational outages are inevitable. As a consequence, they are focused on building out greater incident response and event management capabilities. One recent report reveals disturbing year-over-year trends in this area:
The same report found that more than half of surveyed firms admit it takes over a week for them to respond to breaches. All this is ratcheting up the importance of the role of incident response specialists, who are charged with identifying systems under attack, determining the derivation of the attack and which systems were compromised, and containing the fallout of successful intrusions and breaches.
DX makes the job of incident response specialists more difficult by adding attack surface elements such as the supply chain, cloud, IoT devices, and OT systems. Add that some of these are critical infrastructure elements or life-sustaining healthcare devices, and the role suddenly emerges as one that is not only watched at the highest levels of an organization (e.g., CEO and board of directors) but also seen externally by supply chain partners, customers, the public in general, and even the media.
Due to the nature of incident response and event management, incident response specialists must coordinate with the security and network, IT, finance, HR, and operational teams. But this level of cross-functional collaboration also extends to supply-chain providers, customers, the board of directors, and other third parties. Further, they must stay ahead of the evolving threat landscape—botnets, hivenets, swarmbots, ransomware, polymorphism, and multivector attacks, to name just a few.
Incident response specialists must also exercise a high degree of understanding of new regulations such as the European Union’s General Data Protection Regulation (GDPR) and evolving regulations like the Payment Card Industry Data Security Standard (PCI DSS) and compliance requirements associated with them. As part of this process, they must quickly determine noncompliance implications of an incident, remediating within those parameters and communicating implications and next steps with executive management and the board of directors (or even external third parties).
With heightened awareness around incident response and event management, the role of incident response specialists has never been greater. The U.S. Bureau of Labor predicts 15% growth in incident response specialists through 2024. CISOs need to carefully evaluate their business requirements and map those into the job descriptions for incident response specialists. Download a job description for an incident response specialist that gets your search for candidates off to the right start.
Average U.S. Salary: $95,000
Feeder Roles: Cybersecurity Analyst, Cybersecurity Architect, Cybersecurity Consultant
Initially created in the 1990s as a means to centralize all of the personnel working in a global enterprise to detect incoming cybersecurity attacks, the Security Operations Center (SOC) has evolved tremendously—extending down into midsize organizations and aggregating and reconciling disparate threat feeds into an actionable thread of intelligence. With this evolution, the role of the SOC director or manager has changed as well.
Formerly centered solely on detection, the mission of the SOC now extends to and hinges on response. This involves improving processes and infrastructure and investing in new detection, prevention, and response technologies that can better protect against the massive volume of attacks characterizing the current threat landscape. The number of threats SOC directors and managers must process daily can reach into the millions, drowning most who do not have the right technologies and processes in place. As a result, 80% of SOCs indicate they do not have enough security analysts to run operations.
With this in the foreground, successful SOC directors and managers must be able to monitor events on the network and oversee day-to-day threat awareness data collection. They must also be able to work to improve their organization’s overall risk posture as well as align security processes to match risk tolerance.
The hard skills a SOC director or manager must possess are dramatically broader than they were a few years ago—ranging from deception and sandboxing technologies to artificial intelligence (AI) and machine learning (ML). Soft skill requirements are also much greater. With the need to communicate across organizational departments, collaborate with business leaders, and foster security relationships with third-party suppliers, SOC directors and managers must exhibit a high degree of communications, analytical, and problem-solving skills.
And with insider threats—both intentional and unintentional—posing serious concerns for many organizations, SOC directors and managers must also play a role in cybersecurity awareness—plugging into those processes to ensure proactive management of insider risks. Indeed, 20% of cybersecurity incidents and 15% of data breaches, according to the latest Verizon Data Breach Incident Report, occurred as a result of insider threats.
CISOs should ensure they have the right skills, experience, and credentials for SOC directors and managers spelled out in their job descriptions by downloading a sample today.
When it comes to hiring top cybersecurity talent, it is not enough to merely understand how success in the age of DX-driven cybersecurity is defined in each job role. Nor does it suffice to simply have a thorough list of updated responsibilities, skills, qualifications, and educational requirements.
In a tight labor market and amidst a pronounced talent shortage, which are both endemic problems in the cybersecurity sphere, it is critical to recognize that quality candidates wield much of the decision-making power. In order to appeal to high performers, it is vital to present the information in a candidate-centric job description that clearly speaks to the future needs and expectations of the candidate and what opportunities and benefits exist for them. As such, CISOs should coordinate with their HR leaders to build unique value propositions that attract hard-to-find candidates. Naturally, writing a great job description that captures these unique value propositions is a critical starting point.