
do non/less technical roles exist in the security field?

chickenlicken09 Member Posts: 537
Hey,

I was curious to know if all jobs in the I.T. security area are technical roles? I would be interested to know if there are any non-technical roles (or at least knowing the foundations) paths in the area. I guess some people here working in security can advise if this is possible.
I'm sure there are many titles in the security field which require say 50/50 tech and business/auditing for example.

Thanks

Comments

  • Options
    --chris-- Member Posts: 1,518
    Policy & procedure creation, auditing, risk management are all considered security imo.

    All of those benefit from technical experience, but they don't really require in-depth knowledge like an engineer of a system or network would.
  • Options
    MSP-IT Member Posts: 752
    Look no further than business risk, policy, certification and accreditation. Unfortunately for us that enjoy the technical aspects of security, these (at least within my organization) pay the most.
  • Options
    cyberguypr Mod Posts: 6,928
    Some less technical folks go the governance, risk, and compliance route.
  • Options
    chickenlicken09 Member Posts: 537
    Cheers, it's interesting to see the different paths available. How long it would take to get there is another question :)
  • Options
    JoJoCal19 Mod Posts: 2,835
    Absolutely. InfoSec can be divided into technical and non-technical. I work in the non-technical side of GRC (governance, risk, and compliance). Then there is audit, and management. One area that straddles the line (in my opinion) is IAM (identity access management). IAM can be technical and/or non-technical depending on the company and how they have it set up. Like --chris-- said, having some technical knowledge certainly helps in the non-technical side, but it's not required.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • Options
    colemic Member Posts: 1,569
    Also - keep in mind that in general, the higher up the org chart you go, the further you are removed from the technical job functions. Agree w/ the other regarding risk, compliance, and to a degree, auditing - although technical background is required, it is not really the meat and potatoes of the job. (IMO, soft skills, analysis, and understanding risk mgmt/mitigation are more the skills required for auditing.)
    Working on: staying alive and staying employed
  • Options
    chickenlicken09 Member Posts: 537
    OK, here's a question I'm not sure I can answer if I'm asked it in an interview setting! Why do you want to work in I.T. security?
    I have not worked in the industry before but find it more interesting than sys admin/network admin route. Also I think there will be more job stability in this area in years to come, which is important. I will study for my Security+ soon as all the topics I find interesting in general. Is this showing enough interest? Bear in mind I have worked in admin/support area for 4 years and I'm looking to change and forge a career in this area. Hope this makes sense :)
  • Options
    chickenlicken09 Member Posts: 537
    colemic wrote: »
    Also - keep in mind that in general, the higher up the org chart you go, the further you are removed from the technical job functions. Agree w/ the other regarding risk, compliance, and to a degree, auditing - although technical background is required, it is not really the meat and potatoes of the job. (IMO, soft skills, analysis, and understanding risk mgmt/mitigation are more the skills required for auditing.)

    Would these areas still require one to know IDS/IPS tools, for example?
  • Options
    colemic Member Posts: 1,569
    Although it would depend on the uniqueness of the position, in general, for auditing I would say that you should be familiar with the tools and what they do, but not in-depth Snort rule writing, for example.
  • Options
    JoJoCal19 Mod Posts: 2,835
    eddo1 wrote: »
    OK, here's a question I'm not sure I can answer if I'm asked it in an interview setting! Why do you want to work in I.T. security?

    My answer is always "Information security is constantly evolving and with each new day, there is something new to learn with new threats, new vulnerabilities, new technologies, new ways to do things, etc. And for a person like myself who has a desire to keep learning, sharpening my skills, bettering myself, and challenging myself, information security meets those needs better than any other profession."
  • Options
    cyberguypr Mod Posts: 6,928
    Following Colemic's point, think of it as CISSP level knowledge: a mile wide but an inch deep. Gotta know what they do, pros/cons, usage scenarios, etc. but no need to know every intricate detail.
  • Options
    RouteMyPacket Member Posts: 1,104
    CISSP = King of not being able to do anything but tell you something is wrong.

    I know some are competent Engineers but nothing I hate more than your typical CISSP type who is clueless and simply emails audit results around saying what should be looked into.

    "Hey, Verizon ran another audit scan last night and here are the results. We need to look into why the outside interface of the firewall is bla bla bla"

    Translation: "Verizon did the work, so here you go, please look into it and get it fixed and tell me when it's done"
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Options
    colemic Member Posts: 1,569
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?
  • Options
    broli720 Member Posts: 394
    @RouteMyPacket not everyone can be technical. The people that actually win proposals and work need those soft skills which is why those positions are paid the most. Being able to interact and have a good working relationship with external and internal customers is critical. Everyone has their role to play.
  • Options
    chickenlicken09 Member Posts: 537
    JoJoCal19 wrote: »
    My answer is always "Information security is constantly evolving and with each new day, there is something new to learn with new threats, new vulnerabilities, new technologies, new ways to do things, etc. And for a person like myself who has a desire to keep learning, sharpening my skills, bettering myself, and challenging myself, information security meets those needs better than any other profession."

    Yeah great answer.
  • Options
    macsmalls Registered Users Posts: 4
    Hey guys, I'm glad you brought this topic up. This is the path in IT I'm trying to take (a bit less technical). I have a bachelor's in Financial Econ, and just finished my Masters in IT: Information Assurance. I also have experience utilizing risk management concepts as well as creating policies & procedures as well as amending existing policy in work roles for startups and small businesses but have not actually worked in IT.

    I have over 10 years of experience in a healthcare oriented role where fraud detection, soft skills (customer service) and regulatory adherence are just as important as the actual work. I don't have any certs and am looking to pick up at least ITIL v3 foundation and Sec+ soon, with the CISSP later down the line once I've actually got those 5 years of experience in the field. What work roles (job titles) should I be looking for to start out?

    I built my computers when I was a kid for hobby and to save money, am comfortable troubleshooting and am familiar with a variety of software. For instance, I have used infosec tools Snort, Wireshark, Tripwire for network monitoring and analysis, but like I said I've never held an actual IT title.

    I've been doing research and this forum has been major major help but any input from one of you guys would also be much appreciated! If I should create my own thread, let me know as well... I don't mean to thread-jack and hopefully answer(s) to my question could help someone else too!
  • Options
    GoodBishop Member Posts: 359
    *waves GRC flag*
  • Options
    chickenlicken09 Member Posts: 537
    What's GRC flag?
  • Options
    macsmalls Registered Users Posts: 4
    eddo1 wrote: »
    What's GRC flag?

    Governance, Risk, Compliance
  • Options
    chickenlicken09 Member Posts: 537
    Is it a hard area to break into, GRC?
  • Options
    JoJoCal19 Mod Posts: 2,835
    eddo1 wrote: »
    Is it a hard area to break into, GRC?

    Apparently much easier to "break into" than technical security.
  • Options
    TeKniques Member Posts: 1,262
    Yes, these roles exist. My 0.2 is to not neglect the technical aspect of security, because as an IT Auditor I almost always have to use my technical background to know what I'm looking for and how to engage in interviews with technical personnel.
    colemic wrote: »
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?

    In my opinion - a lot of technical people think they should be the ones making policy because they are doing "the work". Or in this case, I'm assuming he's thinking that the role the CISSP holds is more of a wasted role and Verizon could have just emailed him instead. Regardless, what I notice about a lot of technical people is that while they are good at what they do, more times than not they do not understand the business aspect of security and lack a lot of those 'soft' skills. For example, just the other day I was talking to a co-worker (technical employee) that he was fed up with his previous job because he wanted to make a bunch of domain wide changes to Active Directory and found it very annoying that management asked him to write up a good business case to justify the changes.
  • Options
    Keroseen Member Posts: 24
    colemic wrote: »
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?

    Don't feed the trolls.
  • Options
    N2IT Inactive Imported Users Posts: 7,483
    Pretty much.

    I think sometimes being on this forum can be counterproductive at times. All the CISSP I have met really knew their stuff. Our lead security architect had one certification which was ......... the CISSP. He was very technical but had transitioned into a managerial role. Smart guy and really did a lot of good things for the company.

    I've yet to meet a CISSP who I would consider a joke.

    Now PMP's on the other hand........ well let's just say I stopped studying for the exam after working with several PMO's with PMP's
  • Options
    --chris-- Member Posts: 1,518
    N2IT wrote: »
    Pretty much.

    I think sometimes being on this forum can be counterproductive at times. All the CISSP I have met really knew their stuff. Our lead security architect had one certification which was ......... the CISSP. He was very technical but had transitioned into a managerial role. Smart guy and really did a lot of good things for the company.

    I've yet to meet a CISSP who I would consider a joke.

    Now PMP's on the other hand........ well let's just say I stopped studying for the exam after working with several PMO's with PMP's

    I won't pile on the PMP issue, as I am certain those who earned it worked very hard for it...but I too worked with a ding-bat PMP at my last place.