Chris Liu

Tier 1—Trainer-Educator

A Trainer-Educator is not an information security-specific role, but is particularly important in information security. Basic information technology skills are now so widespread and expected that most organizations do not bother teaching these skills. However, even basic information security awareness is frequently not known at all, and technical skills even less so.

Tier 1—Network Administrator

A Network Administrator’s specific job duties will vary based on the size and structure of the organization it is in. The focus will be on the transport infrastructure (routers, switches, firewalls, and wireless access points) used by the organization. In some cases, changing the network wiring will be part of your job duties as well. In smaller organizations, there will often be additional job duties where you are assisting with servers or even end-user workstations. Moving from one Network Administration role to another Network Administration role is generally easy. Having gained the experience, you are now much more attractive to other employers. If you enjoy networking, and have advanced your skills, moving up to a Network Engineer role is often an option.

Tier 2—Lateral: Accounting

accounting is a stable career that can provide some access to information security careers. The positions would tend toward high-level managerial or executive roles, as the need to have a strong technical knowledge at that level is not required. The development of audit skills, understanding of the legal requirements behind information security, and managerial skills provide the fundamental basis for moving into these executive-level positions.

Tier 3—Lateral: Technical Architect

You’re an Information Technology Architect. You’re experienced, you’re skilled, you’re a Subject Matter Expert, you’ve been there and done that. You didn’t just get the T-shirt, you got all the T-shirts and then you wrote the book. Information security is your next frontier, and you want to go where you haven’t gone before. You’ve got security awareness. You learned the hard way and learned from others’ mistakes. You know that information security is different; that it’s not just about getting things done, it’s about making sure that attackers don’t get their things done. You get it. Now you’re ready to break into information security and hit the ground running. If you believe all that, then you’re also going to need humility. This book mostly assumes that if you’re going into information security, you already know the basics or are going to learn it elsewhere. Except this chapter.

Tier 2—Subject Matter Expert

Within the scope of business, there are many different subjects requiring expertise. Individuals who are able to develop their skills to the point that they are the internal expert on a given system, technology, process or standard can provide value to the company and job security for themselves. There is some risk that the individual will not be able to move into other areas, but that may not be an issue for some.

Tier 2—Incident Responder

Whenever there is an information security incident, there must be someone to address the issues that arise. This role is often part of other roles, but at larger organizations, some individuals may be devoted exclusively to incident response. It is common for this role to be done by consultants, as smaller organizations cannot afford to maintain the skills in house. Because of this, those entering this role can expect significant travel to organizations in need of your skills.

Tier 2—Wildcard

When working for a small company, individuals are called upon to help based on the skills that they possess rather than on their named role. As a Wildcard, an individual provides technical skills in a wide range of areas, from back office support of the servers and networking infrastructure to front line end-user support. This role also requires a certain level of business skill, as one must be able to map a business request to a technical solution with only a minimal level of guidance. Because of the wide range of skills required, it attracts individuals who thrive in that kind of environment.

Tier 1—Learn

Unless you are extremely unusual, the first time you learn something, you are unlikely to learn it in any great detail. It is common for Learn to involve a sort of “sketch” of the concept. You may understand it roughly, but it is unlikely that you understand it well enough to have any level of mastery. Once you start doing something with it, however, you can rapidly find where your understanding fails. As long as people are cheap, lazy, or stupid, you’ll have work. The trick—the only trick, really—is don’t be cheap, lazy, or stupid yourself. Learn about new technologies. Invest in and develop new skills. Hold yourself to high standards. Constantly improve. And, finally, always test your understanding. Do all these things with each job, and as you move through your career, you’ll find the job you want and how to get it.

Tier 3—Tiger Team Member—Tiger Team Lead (Red Team)

Tiger Teams, also known as Red Teams, are well staffed and well funded groups activated during particularly nasty incidents and will often be sent into the line of fire. On the positive side, you will be working with the best people in the world as you dig into network and forensics dumps, set traps, isolate attackers, and work to figure not only what happened and prevent it from happening again, but also (in some cases) how to retaliate. But pulling an all-nighter is not just possible, but common. You may find yourself putting a full week’s worth of work in a mere two days, and then have to keep working.

Tier 2—Quality Assurance

Through the role of quality assurance, individuals ensure that processes are supportive of producing a quality product. That product may be physical, information, or virtual. Within the scope of information, quality assurance is responsible for ensuring that the processes associated with the information systems at an organization are supportive of reducing risk to the target level within the organization.