An overview of cybersecurity teams, if you are new to the field find out where you want to start your career. If you are experienced, find out where you want to go next!
Cybersecurity teams and their structure very much depend on the size and complexity of an organisation. The job function and even the processes each team perform can vary, not necessarily be fixed.
Security Operations Center (SOC) team are the front-line operational team that monitor and respond to security incidents. These are the first responders, without them the organisation will struggle to detect, investigate and prioritise potential threats faced daily.
Incident Response team is also a front-line operational team they will often be handed incidents by the SOC, known as escalations. They perform incident response duties, which can also include forensic analysis and detailed evidence capture to contain and mitigate breaches and reduce the overall impact and harm.
Vulnerability management team focus on identifying and managing most vulnerabilities in the organisation’s IT estate, generally this is software based vulnerabilities. They perform routine vulnerability assessments, coordinate patch management, and ensure the timely resolution of security vulnerabilities.
Application Security team is responsible for ensuring the security of the organisation’s applications. This role can vary significantly from, secure code reviews, cloud configuration reviews to performing detailed application penetration testing. This team is often referred to as a red team.
Security Architecture team design and develops the organisation’s security architecture. They design, assess and recommend security technologies, current and future states, establish security policies, standards, guidelines and frameworks. They provide advisory services to the whole security team and organisation based on extensive experience and technical backgrounds.
Governance, Risk, and Compliance (GRC) team look at establishing and maintaining security policies, standards, and procedures. They coordinate and articulate all the necessary compliance and regulatory needs, perform risk assessments, security audits and help to maintain an organisations different certification needs vital in today’s business world.
Security Engineering/Network team perform the hands-on implementation of all security solutions and technologies. They manage firewalls, intrusion prevention systems (IPS), Web application firewalls (WAF) configurations, and many other network security controls including cloud security. They also help manage VPNs, and other secure remote access capabilities.
Identity and Access Management (IAM) team manage and maintain identities, access controls, and authentication mechanisms. They manage authentication practices, implement role-based access controls (RBAC), and also the important privileged access management.
Reality check time! on paper it can look very structured and organised, in reality different teams will perform a mix of duties. This mixed discipline approach is not ideal, can cause inefficient processes and in the worst situation introduce security risk into the business for a variety of reasons. Some ways of working are usually bourn from old practises that have not matured or are brought in by new inexperienced teams. It is not unexpected to find engineering teams performing no network security, or operations teams building solutions. If you encounter and experience this, understand it is a journey for organisations to slowly mature and make small steps to improve over time.
The positive takeaway is that with the variety of security teams available it is possible to move around and learn different skills.
