IA Roles and the Private Sector Equivalents?

I have been working in the DOD space since birth doing mostly technical security ops roles such as CND Analyst (SOC analyst), CTI Analyst (threat intel) and such. I have been looking at IA roles such as ISSO, ISSE, and ISSM but I am having a hard time matching these IA roles to the private sector equivalents. I have been thinking about moving into a risk management related role in the private sector but still want to stay close to my technical side if possible. I have looked at some risk related positions online and they all appear to be primarily non-technical. Is there category of roles that I can do where I can still be kinda hands on doing a bit of technical stuff but still performing a primarily risk management role?

Find more posts tagged with

Comments

JDMurray

ArabianKnight said:

I have been thinking about moving into a risk management related role in the private sector but still want to stay close to my technical side if possible.

I'm sure the RM members here will chime in with more details, but I'll start by saying that risk management (and GRC) roles seem to be among the most non-technical roles in cybersecurity. If you work in (cyber)security operations and you want to stay technical then Incident Response, Threat Hunting, Red Teaming, and security engineering (SIEM, SOAR, systems and network security, etc.) are the most technical.

UnixGuy

As JD said, GRC isn't a technical role, but to be a good GRC pro (or a competent CISO) you do need technical background but your day to do is reporting and and evidence/planning/frameworks/etc , you wont be looking at firewalls or attacks or pentesting.

if you want a bit of technical work, why are you looking at GRC/Risk?

scasc

A few places do still offer audit based roles which are hands on in the sense you may have read only access to the platform to then obtain the data you need to deduce risk based on configuration/non-compliance etc. Pretty niche but it does exist. The only other thing is getting a first line role in the risk/consultancy team of an organisation and working with the techies but again this wont be hands on based more technical advisory.

Otherwise its all non-tech based in GRC and auditing.

ArabianKnight

I am seeing lots of job descriptions for IA roles that want knowledge of or exp with technical stuff. Quite frankly, I am tired of playing catch-up with the fat guy with the ponytail and flip-flops (Simpsons reference) that has 20+ certs and seems to know everything, no offense to anyone with lots of certs but I just dont have the capacity or desire for that level of learning. Looking for something less technical but still in the infosec space.

scasc

No offence taken to the comic guy reference

. Just trying to point you in the right direction based on your initial comment in wanting to still be hands on. However that doesn’t seem to be the case anymore.

JDMurray

ArabianKnight said:

Looking for something less technical but still in the infosec space.

There is a lot of InfoSec work that is not very technical at all. There are many threads on here about Business Continuity Planning (BCP), Governance/Risk Management/Compliance (GRC), and people management that mentioning how there is a lack of deep technical understanding required in these fields.

UnixGuy

ArabianKnight said:

Looking for something less technical but still in the infosec space.

Then GRC is what you're after. Another option would be management. I have a video about GRC (youtube in my signature).

I did consulting, then management, and now im back to consulting. I use my technical knowledge but my role isn't technical at all. I'm out and about talking to clients, presenting, building relationships, writing reports (70% of the job!), and I don't have enough hair to grow a pony tail.