What do security professionals actually do?

Whether you’re a new analyst looking to get into the IT security field, or a senior executive looking to understand more about security responsibilities, a common question is this: What do security professionals actually do?

A fully-loaded question

Understanding the roles of security professionals can either be overly simple or intensively complex, depending upon the depth of your investigation. In particular, while security responsibility “generalization” has been expanding to roles outside of ‘pure security’ (i.e. application development, etc.), specialization still occurs and is critical for organizations to be successful.

However, there are various areas that are important for organizations to utilize. Some of these roles could be in architecture and operations (setting up the security posture and maintaining it). Other roles could be in threat hunting or risk management.

How to make sense of it all

Rafeeq Rehman, an Information Security and Cloud Security specialist, has been publishing the CISO MindMap for a number of years. It is designed “…as an effective educational tool but also enables professionals to use this MindMap for designing and refining their security programs“. In a way, it provides a very high level, yet deep, view into the different roles and responsibilities of various security personnel. Rafeeq Rehman has graciously posted the PDF version of this image here.