High demand and a limited pool of people with the right skills and experience make information security staffing a perennial challenge.
Further complicating things is the fact that information security teams have not yet adapted to their changing role in digitizing companies. Digitization requires security staff to play a more diverse range of roles to meet a wider spectrum of demand from the rest of the firm.
In this new digital age, an organization’s success or failure will depend on its ability to take smart risks with new technologies. Thus, having the right kind of security staff not only protects organizations’ most valuable assets in such a threat-filled environment but also helps with the implementation of business strategies and, ultimately, enables growth.
As innovation and security become increasingly linked, senior IT managers must change how they hire and develop information security staff. Job titles and spans of responsibilities will vary, but focusing on the critical role requirements will help determine changes to existing security roles or adding some completely new roles. So far, CEB analysis shows 10 new roles that are starting to emerge in companies around the world.
Product security specialists/managers
Context: As more and more industries embrace digitization in the form of internet-connected products and services, incorporating the right security controls is essential to meeting external customer needs and regulatory requirements, as well as avoiding costly data breaches.
Key responsibilities: Design security for the company’s products and services by supporting product teams in the R&D phase and stewarding security capabilities in customer-facing products and services. In certain industries, this role may take the shape of designing and maintaining security for operational technology and related areas (e.g., SCADA systems and telephony).
Skills profile: This role requires a blend of traditional security skills with non-traditional skills such as customer experience, financial analyses, market research, project management, and product development.
Sales and customer support
Context: Sales professionals aren’t typically equipped to handle clients’ growing data security and privacy concerns, which results in extended sales cycle times and client dissatisfaction.
Key responsibilities: Explain your company’s security efforts to clients, build or modify controls in response to client needs, or otherwise support the sales process. At times, this may extend to dedicated security support for small clients and end customers to improve goodwill.
Skills profile: This role requires a good understanding of the security processes and the sales lifecycle, along with excellent communication skills.
Security service manager
Context: The shift of the IT operating model to a product-focused approach, has led to a rising number of executive teams mulling over whether to sell information security services. In this model, Security creates simplified self-service risk management processes with consultative support for high risk activities.
Key responsibilities: Ensure the end-to-end delivery of security as a service to the rest of the business.
Skills profile: Running a service, whether it is a traditional IT service or security, is like running a business, so security service managers need a mix of entrepreneurship, business savvy, and communication and marketing competencies.
Security marketing and communications manager
Context: As the pace of change in attack methods increases, security’s tools will always lag behind, which means employees’ behavior is more important now than ever.
Cybersecurity’s rising prominence in the organization also means that CIOs and CISOs are almost permanently discussing security efforts and priorities with a diverse range of colleagues and people outside the firm. All of which means, there is far more support required for creating presentation materials with clear, concise messages.
Key responsibilities: Increasing security’s brand and driving awareness throughout the organization.
Skills profile: To ensure messages resonate with non-security audiences, security staff need to think like marketers when creating communications campaigns. A brand requires consistency in practice, terminology, and customer experience. This means communicating the security value proposition proactively and continually.
Dedicated application developers
Context: As IT functions move toward iterative development methods, Security’s traditional stage-gate reviews and cumbersome governance processes will likely erode all the benefits of speed hard won elsewhere. IT leaders can’t simply add more staff to support the growing number of DevOps and Agile projects.
In fact, the most progressive teams now look to eliminate the need for developers to think about security altogether. These teams make good security the fastest, easiest, default option for project teams by automating adherence to as many standards as possible using patterns loaded directly into environment builds, such as containers. When developers access these containers the standards are already built in, ensuring automatic and seamless adherence to technical security requirements.
Key responsibilities: Automate security governance processes by building secure code, APIs, and security features into containers.
Skills profile: This role requires core application developer skills as well as experience in developing APIs and microservices. It is usually a good stretch opportunity for application developers looking to add new skills and responsibilities.
This role also requires deep collaboration with the IT infrastructure, enterprise architecture, and applications teams to define and design the automation required for pre-set build environments (such as containers) that embed the correct technical standards and governance rules in their platforms, networks, and hardware.
Context: With nearly 20% of information security teams now reporting that they have a dedicated hunter on their staff, the role is becoming mainstream.
Key responsibilities: Use advanced techniques to detect cybersecurity threats that may otherwise go undetected.
Skills profile: It is important to differentiate this role from a traditional security operations center (SOC) analyst. While the SOC analyst monitors and responds to threats using defined processes and techniques, hunters actively seek out indicators of compromise for which monitoring capabilities do not (yet) exist.
It requires advanced analytic skills to be able to make connections and extract patterns from data to predict attacks and to inform timely control and response decisions. Many information security teams have shown an interest in hiring data scientists for this role and then supporting them with security expertise.
Threat actor profiler
Context: Many advanced attacks are carried out by relatively few, skilled attackers.
Key responsibilities: Create profiles of threat actors (such as cyber units of nation state armies, or organized crime gangs) by compiling information about the attacker’s characteristics such as location and background to preempt advanced actors.
Skills profile: This role would be a step beyond a traditional forensics role. Strong candidates would have both technical security and criminal justice experience.
Context: Most security teams have made significant gains in improving their business engagement skills and advising business partners on risk trade-offs. However, security staff now need to offer their unique expertise beyond managing information risk. For example, the most progressive chief information security officers (CISOs) today advise the board and business leaders on digital opportunities and how can they securely implement a digital business strategy.
Key responsibilities: Provide security expertise to internal stakeholders on a range of issues, including informing company strategy by considering the entire ecosystem of information, systems, security, threats, and business trends. At some companies, this may also entail evaluating capital investments in new security ventures and products.
Skills profile: This role requires a deep understanding of the company’s business model and industry knowledge, coupled with typical business consultant skills such as problem analysis, storytelling, and communication skills.
Security vendor management officer or vendor manager
Context: Information security teams spend roughly 25% of their budget on security tools, 9% on outsourced security services, and 8% professional services.
As Security tries to reduce time and effort on operational – level activities and adapt to the rapidly maturing market for managed security services, the latter two categories of spend are likely to increase rapidly. Mature security functions are professionalizing the management of all these categories of vendors.
Key responsibilities: Manage the portfolio of security products and solutions to ensure the vendors are held accountable for delivering high-quality security services at a good price. Serve as a liaison between business leaders, other IT groups, and the vendors to drive business alignment, streamline vendor governance and communication, resolve issues, and maintain the overall health of the vendor relationship.
Skills profile: This role doesn’t need deep security expertise but does require candidates who have experience in evaluating new capabilities and negotiating contracts, and who are able to understand vendor roadmaps and commercial and service strategies.
Chief of staff for information security
Context: As the information security function grows in size and complexity, many CISOs are creating a chief of staff role. Nearly 35% of information security functions in large companies now report having a formal or informal chief of staff role.
Key Responsibilities: Help the CISO decrease the time they spend on day-to-day process tasks to focus more on high-value activities.
Skills Profile: Because the chief of staff is charged with maximizing the effective operation of the information security function by focusing on work flow, scheduling, staffing, budget, communications, and events, he/she will need an eye for detail as well as strong process skills. But they should also be able to influence and communicate effectively to be a leader in the organization.