As niche as "security" seems, it actually encompasses a few main types of roles and a couple of areas of coverage. These are actually quite different, and in most cases the choice depends on what someone is more interested in and how far they are willing to go to perfect it.

Common roles:

1. Enterprise IT security department

These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maybe some enterprise-wide initiatives, and the occasional incident response. They also probably give a security point of view on purchasing 3rd party products and on any outsourcing of security expertise.

2. Security team in development group (either in enterprise or in dev shops)

These mostly deal with programmer education and training, some security testing (or handling external testing) - this includes both pen testing and reviewing code - and maybe defining security features. Some organizations will also have the security team managing risks, participating in threat modeling, etc.

3. External consultant / auditor / security tester

This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, they serve as the security experts and go-to guys for the other types of organizations, supplying all the relevant advice... and are therefore usually expected (though not necessarily the case) to be more up to date than anyone else.

4. Research

This can include academic-level research, such as cryptologists, and also research departments in some of the larger security vendors, researching and searching for new exploits / attacks / flaws / mitigation models / etc. These can actually be quite different: vendor research is often treated as product development, whereas academic research is rich with all sorts of positive approaches that push you in the right direction.

Likewise, in all the above there are different areas of expertise, and an expert in one won't necessarily have anything intelligent to say in any other area:

Network security, e.g. routers, firewall, network segmentation and architecture, etc.

O/S security, which is of course further subdivided according to O/S flavor (i.e. a Windows security expert and a Linux security expert might not know much about each other's stuff).

Application security - i.e. how to program securely (which may be necessary to subdivide according to language, technology, etc.), but also application-layer attacks, e.g. Web attacks, etc.

Risk management experts - more focused on the business side, less on the technical side.

Compliance officers - some places have these dedicated, and they're experts on all the relevant regulations and such (note that this is borderline lawyer-like work!)

Identity architects - for larger, security-conscious organisations that have complex implementations and the like.

Auditing and forensics experts, who deal mainly with SEM/SIM/SIEM. In more detail: the segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM). When SEM and SIM are combined, they become Security Information and Event Management (SIEM).

On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them - and it is not always shared expertise.

There are probably even more niche-niches that I'm skipping over, but you're starting to get the picture... As you can see, what a security guy or security personnel does on a day-to-day basis is as wide and varied as the companies in which they work and the systems they work on. Most often, this DOES require wearing several hats and working mostly on short tasks... BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether it's a mostly technical job such as defining firewall rules, or communicating with the business and lawyer types about the organization's current security posture.

As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, which you can then specialize towards security.

You used to be a network engineer? Great, start by focusing on network security, and go from there.

You're currently a systems administrator? Wonderful, you've probably worked a bit on security already; start learning more in that field.

You've been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc. Learn some more, figure out what you're missing, and then give IFIS a call and we will help you choose a career in computer security.

And so on... On the other hand, if you have no background and want to START in security, that's tougher - because, as I've explained, most often the security guy is expected to be the expert on whatever it is. You can try to join a pentesting team and grow from there... The important part is to focus on risk management (and, for the technical, threat modeling).

I also strongly suggest reading lots of security books and blogs, and also trying out OWASP for the application side of things.