Cybersecurity job titles are all over the map. Some companies have their own definition of what a security engineer does, while another company requires a whole other set of skills and experience. Cybersecurity roles and responsibilities for specific job titles can vary from organization to organization, leaving many hiring managers, HR recruiters and job seekers speaking different languages about the same job!
NICE Cybersecurity Workforce Framework attempts to standardize cyber job titles—in a 144 page document. Few companies have HR recruiters who have even heard of NICE, let alone know what any of these job title definitions are. The Bureau of Labor Statistics put most of cybersecurity’s many different roles and responsibilities under the giant umbrella of “information security analyst,” defined as people who “plan and carry out security measures to protect an organization’s computer networks and systems.”
Defining these roles and responsibilities should not be complicated. While there will always be slight differences between different jobs at different organizations, having standardized terms make it easier to search for talented cyber pros. Here you can find a list of 45 Cybersecurity Job Categories and many more subcategories that will help you use the right language to create a job description cybersecurity professionals will want to apply to.
Before you dive into the list, though, let’s go over some of these categories and what they mean.
When it comes to C-level leadership roles, the titles are pretty self-explanatory. Chief Information Security Officer (CISO) and Chief Security Officer (CSO) are the people who oversee all of cybersecurity and then some. When it comes to keeping the company safe from cyber threats, the buck stops there.
Similar to the CISO and CSO are roles like Security Director, which can have different names and areas of focus depending on the type of company and its size. For example, a CISO may have a Cloud Security Director and an Information Security Director reporting to them. Other leadership roles that bring with them more responsibility and higher compensation include Privacy Officer, Compliance and Risk Manager, and Security Product Manager.
For many years, corporate leaders looked at cyber leadership roles as purely technical, but with the speed of today’s attackers and the importance of aligning with the business, Board of Directors and strategies throughout the organization, well-rounded leaders are more important than ever. As Harvard Business Review notes, “Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead. And that means companies need to hire and develop security executives who have the skills to do so.”
Technical roles include both people who configure, maintain and tune the systems for securing information as well as those who defend, detect, and respond to attacks.
Security engineers may build or monitor the environments and protections to minimize attacks before they can happen. Application Security Engineers are focused on securing software applications. Then there are Security Analysts who monitor and may actively hunt for threats and Incident Responders who review and remediate identified threats. There are Penetration Testers who look for vulnerabilities much like an attacker would and Cryptographers who focus on encryption.
As we’ve said before, it’s not just the title that matters. Hiring managers must vet candidates based on whether they have the right skill set for the job. Having the wrong title on your job description could prevent you from finding that person. When people search for potential jobs, they start first with their own title and then run through similar, frequently used titles that closely match their skills. If they aren’t looking for your job title, they may never see the opening at your company.
In turn, some great candidates may work at a company that used uncommon or unconventional titles. If your organization vets professionals using resume search software, it may miss highly qualified people.
There are a number of cybersecurity roles that focus on the executing and integrating security measures across the organization through policies and programs. Many of these are considered GRC (Governance, Risk and Compliance) roles. This can include Security Auditors, Cybersecurity Attorneys, Cyber Insurance Specialists, Security Awareness Trainers, and Customer Support Representatives.
Attackers depend on human error to infiltrate organizations, which is why it’s so important to have liaisons between human resources and technical roles within cybersecurity. Too often the job of ensuring every employee understands the importance of security practices falls onto the wrong department—IT may be charged with finding cyber insurance or HR may show a short security protocol video during onboarding never to be mentioned again. Non-technical cybersecurity roles are needed to keep large organizations focused on protecting its data.
Using a common language is essential in any profession, whether it’s technical or creative, and cyber is no different. As cyber hiring consultants, we’ve worked to use a common language so that it’s easier for people to find the kinds of jobs they’re looking for, and for companies to understand the skills potential hires would bring. Getting familiar with cybersecurity roles and responsibilities for each job title will help your company do the same as well.