Security Job Titles Revisited

So I had another thought along the lines of Security Job Titles. I threw out a tweet regarding the “Team Lead” title. There are a number of people that I’ve discussed this with at my day job and the opinion varied between a manager-in-training and the most technical person on the team. While I think my coworkers are pretty knowledgeable, they don’t necessarily know what goes on outside our company, so I thought I’d ask what others thought: “Team lead: top techy on the team or manager in training…and why?” Here are a few of the answers I’ve gotten from followers on Twitter:

While they left off the “…and why?”, I can understand the line of thinking. Others were definitely in a similar mindset but provided some additional detail:

  • @securityninja – “For us it is generally management as well as lead techy, we are line managers for the team and all others in it”

Two people came close to what I would assume when someone tells me that they are the “Team lead”:

  • @rogueclown – “manager in training. i’m surely biased, but i’d still like to spend my time dealing with cranky computers, not managing people.”
  • @georgiaweidman – “id say the one with the best skills for managing regardless of whether job title is tech or business side. case by case basis”

There were also those that pointed out that someone else shouldn’t choose for the individual and I completely agree:

  • @jjarmoc – “either, sometimes both. But forcing good techies into management roles is often a mistake.”
  • @DSchwartzberg – “I believe it’s up to the individual. Why-because any role you take can be what you make of it. Criticism comes with the outcome”

I think that when it comes down to it, the title is going to vary based on the company. Some organizations may see it as the most technically capable person on that team, while others may see it as a mid-level management layer to keep the day-to-day operations going. One suggestion I can offer is to split the title in two: Tech Lead / Team Lead. One for the most seasoned/knowledgeable person, the other for the area manager.

The one thing that I’m getting out of all this is that a job title can’t tell you what a person is capable of or what they do day-to-day. Leave me a note and tell me what you think. Are job titles a convoluted jumble of words or something you should fight for and own as part of your career?

Security Job Titles

I was seeing job postings the other day through one of the email blasts I receive and it got me thinking. Who comes up with these job titles? When I worked for a small CPA firm and was allowed to choose my own title, I chose “LAN Administrator”. It fit my job fairly well; I was responsible for the servers, the network, the PCs, etc. I moved to the helpdesk, and for a while I was a “Helpdesk Analyst”, a title that also makes complete sense. After a year or so though, HR decided to change our titles in IT. I got changed from “Helpdesk Analyst” to “Systems Software Engineer Analyst”. I had never engineered anything but a good case of loathing for users at that point.

When I moved to the Security Administration area, my title changed to a “Systems Software Engineer Specialist”. Again, complete and utter nonsense. I was a security administrator. Create accounts, grant rights, revoke rights, delete accounts, rinse, repeat. The only thing I was specializing in was creating copy/paste emails to send to users who were impatiently waiting to get Microsoft Visio.

Within a couple of years I got promoted to “IT Security Specialist”. Hmm…ok, at least this is a little closer. We were no longer called “IT Security” but were working in Information Security; still, I at least had “security” in my title! Then HR comes in and says they are going to change things again. They were going to have “HR Titles” and “Internal Titles”, because HR titles needed to match other jobs in the industry while our internal titles would more closely match what we actually do. I was skeptical, and it turns out that was warranted. It took them until I was promoted again for the change to finally take hold. My HR title became “IT Security Sr Specialist”, while my internal title became “Vulnerability Management Senior Specialist”. While I’m trying to get more into the vulnerability arena, it’s a very small part of what I do. I still do governance of the Security Administration area, I do some vulnerability scans, some security awareness, and a host of other “who can we get to do this” tasks. Someone who is a level above me at our company is listed as an “IT Security Sr Tech Specialist”, yet my job is much more technical than that person’s.

I considered consulting our HR group on this issue but I didn’t think I would get very far, so I reached out to my friend @HackerHuntress and asked for her opinion on my confusion. She talks with job seekers as well as hiring managers on a daily basis. Her response cemented my opinion that job titles are really not geared towards what a person does and more towards being able to gauge a salary band the person can fit into.

I asked her a couple of questions, including whether she saw the title discrepancy and if so where, any tricks for our friends out there trying to find a job and decipher the job postings, and whether she thinks HR would ever get in the game and match titles to what we actually do. Her response was very informative in that she has seen the job title game played mostly at companies with internal security practices. (Think F-500 companies that do their own security but don’t do security as a service.) Her comment on this was “Most companies, though, go the ‘security specialist’ or ‘security analyst’ route. In my experience a security analyst can be anything from a firewall engineer to a QSA.” She doesn’t hold out any hope that HR will ever get to the point of lining up titles with what the security individual is doing, because most don’t even know what the person’s responsibilities are.

On the topic of how to assist our friends still looking for jobs, she said to talk to recruiters & hiring managers. Getting as close to the person as you can who is doing the hiring will help you in determining what you are getting into at that company. You may be listed as the ‘Security Guru’ in a large company but if all you’re doing is making sure everyone is swiping their ID badge as they walk in, it may not be the job for you.

Secureholio
-Chief Cook & Bottle Washer

Stupid users or stupid us? Yes.

Today while working I noticed that I was starting to drift into the “stupid users!” thoughts. What causes us to do this? Yes, I understand that you may not know how to reboot your system, although the methods haven’t changed much in the last decade or so, but that’s not the point. We as IT Professionals can start to run down this path of “Well, what do you mean you don’t know how to configure your local firewall!? It’s on your computer!” Many times we work inside of a larger organization whose main business is something other than IT. You’re going to be dealing with people who are very smart in what they know. They may be a banker, or a doctor, or a lawyer. They are very good at determining what is going on in their profession. What they are not proficient at is knowing how configuration files should look, or how to write a batch script, or why, when they go to a website, all of a sudden you want to reload their computer.

All they know is that something inside the box you gave them is holding up their work. They want it fixed and they want it fixed now. You getting frustrated at them is not going to make them any happier. Now, I don’t want anyone to get the wrong idea, because after working on the helpless desk for over five years I know that sometimes you can’t just keep taking the beating they’re giving you. The idea is to get them working, off the phone, and out of your life as fast as possible. You may not know how to fight a court case, underwrite an insurance policy, or treat a patient, but they do. If you can work together and get the problem solved faster, it’s going to go a lot easier on everyone.

Let’s all try to stop calling them “stupid users” and maybe they’ll stop calling us “stupid IT”.

You’re wrong…and so am I

This is going to be a short post.

Watching the echo chamber over the last couple of days, as well as watching “Builder vs Breaker” from BsidesChicago on Ustream, makes me realize…we’re all wrong. There are so many diverse views from all areas of the world in our profession that you’re going to have someone who disagrees with your “facts”. You could say “the sky is very blue right now” while living in the US, but someone in Europe could say “Actually it’s currently black and the stars are really out tonight”.

No matter what you believe, someone believes the opposite and is willing to debate you, and this goes for pretty much anything:

  • Certifications are good / Certifications are bad
  • Pentests are needed / Pentests only find known vulnerabilities
  • Company A / Company B

What we need to realize is that we are going to have differing opinions and we need to listen to others even when we think they’re dead wrong. You may just realize that your “facts” weren’t as solid as you thought.