do non/less technical roles exist in the security field?

chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
Hey,

I was curious to know if all jobs in the i.t security area are technical roles? I would be interested to know if there are any non
technical roles( or at least knowing the foundations) paths in the area. I guess some people here working in security can advise if this is possible.
Im sure there are many titles in the security field which require say 50/50 tech and business/auditing for example.

Thanks

Comments

  • --chris----chris-- Member Posts: 1,518 ■■■■■□□□□□
    Policy & procedure creation, auditing, risk management are all considered security imo.

    All of those benefit from technical experience, but they dont really require in depth knowledge like an engineer of a system or network would.
  • MSP-ITMSP-IT Member Posts: 752 ■■■□□□□□□□
    Look no further than business risk, policy, certification and accreditation. Unfortunately for us that enjoy the technical aspects of security, these (at least within my organization) pay the most.
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    Some less technical folks go the governance, risk, and compliance route.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    cheers, its interesting to see the different paths available. How long it would take to get their is another question icon_smile.gif
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    Absolutely. InfoSec can be divided into technical and non-technical. I work in non-technical side of GRC (governance, risk, and compliance). Then there is audit, and management. One area that straddles the line (in my opinion) is IAM (identity access management). IAM can be technical and/or non-technical depending on the company and how they have it set up. Like --chris-- said, having some technical knowledge certainly helps in the non-technical side, but it's not required.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    Also - keep in mind that in general, the higher up the org chart you go, the further you are removed from the technical job functions. Agree w/ the other regarding risk, compliance, and to a degree, auditing -although technical background is required, it is not really the meat and potatoes of the job. IMO, soft skills, analysis, and understanding risk mgmt/mitigation are more the skills required for auditing)
    Working on: staying alive and staying employed
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    ok heres a question im not sure i can answer if im asked it in an interview setting! Why do you want to work in i.t security?
    I have not worked in the industry before but find it more interesting than sys admin/network admin route. Also i think there will be more job stability
    in this area in years to come, which is important. I will study for my security+ soon as all the topics i find interesting in general. Is this showing enough interest? Bear in mind i have worked in admin/support area for 4 years and im looking to change and forge a career in this area. Hope this makes sense icon_smile.gif
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    colemic wrote: »
    Also - keep in mind that in general, the higher up the org chart you go, the further you are removed from the technical job functions. Agree w/ the other regarding risk, compliance, and to a degree, auditing -although technical background is required, it is not really the meat and potatoes of the job. IMO, soft skills, analysis, and understanding risk mgmt/mitigation are more the skills required for auditing)


    would these areas still require one to know ids/ips tools for example?
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    Although it would depend on the uniqueness of the position, in general, for auditing I would say that you should be familiar with the tools and what they do, but not in-depth snort rule writing, for example.
    Working on: staying alive and staying employed
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    eddo1 wrote: »
    ok heres a question im not sure i can answer if im asked it in an interview setting! Why do you want to work in i.t security?

    My answer is always "Information security is constantly evolving and with each new day, there is something new to learn with new threats, new vulnerabilities, new technologies, new ways to do things, etc. And for a person like myself who has a desire to keep learning, sharpening my skills, bettering myself, and challenging myself, information security meets those needs better than any other profession."
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    Following Colemic's point, think of it as CISSP level knowledge: a mile wide but an inch deep. Gotta know what they do, pros/cons, usage scenarios, etc. but no need to know every intricate detail.
  • RouteMyPacketRouteMyPacket Member Posts: 1,104
    CISSP = King of not being able to do anything but tell you something is wrong.

    I know some are competent Engineers but nothing I hate more than your typical CISSP type who is clueless and simply emails audit results around saying what should be looked into.

    "Hey, Verizon ran another audit scan last night and here are the results. We need to look into why the outside interface of the firewall is bla bla bla"

    Translation: "Verizon did the work, so here you go, please look into it and get it fixed and tell me when it's done"
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?
    Working on: staying alive and staying employed
  • broli720broli720 Member Posts: 394 ■■■■□□□□□□
    @RouteMyPacket not everyone can be technical. The people that actually win proposals and work need those soft skills which is why those positions are paid the most. Being able to interact and have a good working relationship with external and internal customers is critical. Everyone has their role to play.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    JoJoCal19 wrote: »
    My answer is always "Information security is constantly evolving and with each new day, there is something new to learn with new threats, new vulnerabilities, new technologies, new ways to do things, etc. And for a person like myself who has a desire to keep learning, sharpening my skills, bettering myself, and challenging myself, information security meets those needs better than any other profession."

    Yeah great answer.
  • macsmallsmacsmalls Registered Users Posts: 4 ■□□□□□□□□□
    Hey guys, I'm glad you brought this topic up. This is the path in IT I'm trying to take (a bit less technical). I have a bachelor's in Financial Econ, and just finished my Masters in IT: Information Assurance. I also have experience utilizing risk management concepts as well as creating policies & procedures as well as amending existing policy in work roles for startups and small businesses but not have actually worked in IT.

    I have over 10 years of experience in a healthcare oriented role where fraud detection, soft skills (customer service) and regulatory adherence are just as important as the actual work. I don't have any certs and am looking to pick up at least ITIL v3 foundation and Sec+ soon, with the CISSP later down the line once I've actually got those 5 years of experience in the field. What work roles (job titles) should I be looking for to start out?

    I built my computers when I was a kid for hobby and to save money, am comfortable troubleshooting and am familiar with a variety of software. For instance, I have used infosec tools Snort, Wireshark, Tripwire for network monitoring and analysis, but like I said I've never held an actual IT title.

    I've been doing research and this forum has been major major help but any input from one of you guys would also be much appreciated! If I should create my own thread, let me know as well... I don't mean to thread-jack and hopefully answer(s) to my question could help someone else too!
  • GoodBishopGoodBishop Member Posts: 359 ■■■■□□□□□□
    *waves GRC flag*
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    whats grc flag?
  • macsmallsmacsmalls Registered Users Posts: 4 ■□□□□□□□□□
    eddo1 wrote: »
    whats grc flag?

    Governance, Risk, Compliance
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    is it a hard area to break into, grc?
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    eddo1 wrote: »
    is it a hard area to break into, grc?

    Apparently much easier to "break into" than technical security.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • TeKniquesTeKniques Member Posts: 1,262 ■■■■□□□□□□
    Yes, these roles exist. My 0.2 is to not neglect the technical aspect of security, because as an IT Auditor I almost always have to use my technical background to know what I'm looking for and how to engage in interviews with technical personnel.
    colemic wrote: »
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?

    In my opinion - a lot of technical people think they should be the ones making policy because they are doing "the work". Or in this case, I'm assuming he's thinking that the role the CISSP holds is more of a wasted role and Verizon could of just emailed him instead. Regardless, what I notice about a lot of technical people is that while they are good at what they do, more times then not they do not understand the business aspect of security and lack a lot of those 'soft' skills. For example, just the other day I was talking to a co-worker (technical employee) that he was fed up with his previous job because he wanted to make a bunch of domain wide changes to active directory and found it very annoying that management asked him to write up a good business case to justify the changes.
  • KeroseenKeroseen Member Posts: 24 ■□□□□□□□□□
    colemic wrote: »
    OK, I'll bite... why do you associate your example's incompetence/lack of knowledge with the CISSP certification? And why do you think that is a characteristic of the 'average' CISSP?

    Don't feed the trolls.
  • N2ITN2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
    Pretty much.

    I think sometimes being on this forum can be counter productive at times. All the CISSP I have met really knew their stuff. Our lead security architect had one certification which was ......... the CISSP. He was very technical but had transitioned into a managerial role. Smart guy and really did a lot of good things for the company.

    I've yet to meet a CISSP who I would consider a joke.

    Now PMP's on the other hand........ well let's just say I stop studying for the exam after working with several PMO's with PMP's
  • --chris----chris-- Member Posts: 1,518 ■■■■■□□□□□
    N2IT wrote: »
    Pretty much.

    I think sometimes being on this forum can be counter productive at times. All the CISSP I have met really knew their stuff. Our lead security architect had one certification which was ......... the CISSP. He was very technical but had transitioned into a managerial role. Smart guy and really did a lot of good things for the company.

    I've yet to meet a CISSP who I would consider a joke.

    Now PMP's on the other hand........ well let's just say I stop studying for the exam after working with several PMO's with PMP's

    I wont pile on the PMP issue, as I am certain those who earned it worked very hard for it...but I too worked with a ding-bat PMP at my last place.
Sign In or Register to comment.