Mary K. Pratt
Contributing writer

8 new roles today’s security team needs

Feature
Mar 11, 2021 · 8 mins
Careers, CSO and CISO, Hiring

Demand for cybersecurity professionals remains sky-high. Make sure you're hiring for the right roles.


There are an estimated 500,000 unfilled cybersecurity positions in the United States today, including 166,000 jobs for information security analysts—the profession’s most common job title.

And those figures are likely to increase.

According to PwC’s Global Digital Trust Insights 2021, 51% of responding executives said they plan to add full-time security personnel in the upcoming year, with 22% increasing their staffing by 5% or more.

Enterprise teams continue to need security analysts, security engineers, and penetration testers—all roles that are staples in many security departments. Now, though, organizations are looking to expand their security ranks with other positions, carve out new roles, and add new titles.

Here, experts offer their thoughts on eight roles that they see as key for IT security in 2021.

Identity and access management engineer

Enterprise security leaders are increasingly focused on developing robust identity and access management (IAM) practices, a focus fueled by the continuing high levels of remote access, demand to work from anywhere at any time and expanding multicloud environments.

In fact, the 2020 State of Identity Security in the Cloud report from the Cloud Security Alliance found that 94% of responding enterprise leaders listed privilege and permission management for human identity as a high or extremely high priority and 77% listed it as high or extremely high for machines.

As such, security leaders are carving out niche roles and giving them titles like IAM engineer or IAM analyst.

Jeff Weber, executive director for staffing firm Robert Half Technology, expects demand for these specialists to continue growing.

“In the coming months, demand will be driven by the incorporation of security requirements within the application lifecycle,” he says, adding that his firm is seeing CISOs upskilling staff members who have shown solid problem-solving and analytical skills with the required technical experience to fill these roles.

Manager of third-party risk

CISOs have watched threats come into their operations through partners and vendors, prompting them to pay more attention to the risks associated with third parties. That in turn has given rise to roles that are focused purely on this issue, according to security leaders, recruiters and executive advisors.

Stephanie Benoit-Kurtz, director of cybersecurity at Station Casinos, for example, has an IS analyst on her team focused on both internal risks and managing third-party risks, as the skills needed for both are just about the same. However, she expects to need someone managing third-party risk full time as the demands and complexity of the work increase.

Titles for these roles vary, as does whether the work is a full-time position or a set of new responsibilities added to existing positions on the security team. Either way, experts say the focus of the role is the same: review the security policies and procedures of third parties and enforce the standards set according to contracts.

“You have to make sure you’re managing that risk and you [as a security team] understand the providers’ responsibilities,” says Annalea Ilg, CISO of the IT service management company Involta.

DevSecOps security engineer

“Applications still remain the weakest link in preventing breaches,” says Owanate Bestman, director of Bestman Solutions, a London-based technology and security professional recruitment firm. “DevSecOps is the most acclaimed methodology today used to address this. Applicants with experience of DevSecOps are in demand.”

He says security leaders want application security engineers with a strong understanding of DevOps methodology, knowledge of DevOps pipeline tools, the ability to work with development teams (or actual experience doing so), strong knowledge of web application risks and, of course, security qualifications.

Given that list, it’s not surprising that demand outstrips supply, says Sushila Nair, vice president and security offer leader with NTT DATA Services and a board member with ISACA’s Greater Washington, D.C., chapter.

“DevSecOps is not new but it’s difficult to get application security engineers who can be embedded into your Scrum teams,” Nair says, adding that the challenge is finding talent with the right mix of security knowledge and application development experience.

Threat hunter

The complexity and sophistication of the threats bombarding organizations today have CISOs carving out roles to identify and counteract them.

“We need people to be almost like a security analyst threat manager, where they’re looking at all the threat analysis tools, logs from firewalls, and other monitoring tools; people who understand what the threats are and can communicate that back to those involved,” says Stephenie Southard, CISO of BCU. “They should be able to look at a log and look at an alert and detect something suspicious and detect some pattern of behavior that’s not normal, know whether it’s a false positive or an incident of concern, and whether it indicates a risk that’s an emergency or something that’s minor.”

Nair likewise listed threat hunting as a key role, saying, “We need practical analyst skills. SolarWinds and other advanced attacks have further fueled the recognition that we need to hunt for attackers. With silent, persistent attacks, tools often fail to alert us and so we need to know how to hunt for intruders on our network.”

Vulnerability risk analyst

Similarly, Southard sees the need for people who can track and manage vulnerabilities within the enterprise. “That’s putting boots to the ground to fix any vulnerabilities.”

She says she identified the need for this role in mid-2020, given the confluence of continuing remote access to corporate systems from various devices, the constant roster of vulnerabilities to address, and the growing number of threats facing organizations.

Southard acknowledges that most security teams, including her own, have staffers addressing vulnerabilities. But, she says, that work sometimes comes after other priorities.

So, she created a new position in early 2021 to better guarantee attention to vulnerability management, seeing the addition as a best-in-class step that gives someone the time and authority to make this work a priority and even work with vendors to remediate problems to the standards set by her organization.

“It will ensure that addressing vulnerabilities has priority, and it shows others like regulators that we’re serious about getting these vulnerabilities fixed,” she adds.

Cloud security architect

This is one of the most in-demand roles, according to security leaders, recruiters, and consultants.

“Much of skills sought is regulatory motivated: to ensure that the business exploits the benefits of cloud platforms whilst mitigating regulatory and compliance risks,” Bestman says.

He says hiring managers want people who have experience working with a cloud platform and ideally someone with platform-specific training or certification. They also want people with a strong understanding of security protocols.

“It’s having the capability to develop security blueprints for cloud architecture, knowing what security tools you need to secure your cloud estate,” Nair says, adding that the best people in these positions can evaluate tools considering the financial implications of their choices as well as the security impact.

It’s a lot to ask for, but Bestman says he sees the number of security architects with cloud experience growing, with more of them taking cloud certifications to increase their market worth.

Incident response manager

In 2020 Southard added an incident response manager to her department. She says security teams, including her own, need at least one staff member who is responsible for keeping up with how to best handle all sorts of incidents and is ready to go if something happens.

Her new incident response manager—a job sometimes called incident response analyst—has spent the past 17 years working in similar positions. That experience was important to Southard. “We want someone who has lived through an incident,” she says.

Southard says she created the position to ensure that the security department can respond as quickly as possible and can coordinate all the various tasks that could come into play.

“This gives us a one point of contact to triage, to pull people together, and to figure out the type of incident it is,” she explains, adding that such managers should know how to handle incidents ranging from phone system outages to a breach that exposes personally identifiable information—and the differing levels of concern such incidents require.

CISO

The CISO position isn’t new, but neither is it a universal role.

IDG’s 2020 Security Priorities study found that just 42% of small to medium-sized businesses had either a CISO, CSO, or other top security executive, compared to 80% of enterprise organizations. And even some of the largest organizations still don’t have a C-level cybersecurity position. One study from security vendor Bitglass, for example, found that 38% of the 2019 Fortune 500 did not have a CISO, and among those only 16% had another executive (such as a vice president of security) listed as responsible for cybersecurity strategy.

That’s a mistake, experts say.

Even when an organization is committed to security, the CISO role is critical for “managing up and across and setting the tone at the top. It’s critical for an organization to be able to truly obtain a depth in defense strategy,” says Stephenie Southard, CISO of BCU, a credit union in Vernon Hills, Ill.

As an officer, the CISO is positioned to work with the C-suite on strategy and, thus, is more likely to be successful in defining and implementing the security posture that’s aligned to organizational risk. A CISO, with the clout of the executive title, is also better positioned to get others to adhere to security requirements.

“Not having a CISO in your organization, even if it’s a virtual CISO who does it part time, sets the wrong tone,” adds Stephanie Benoit-Kurtz, director of cybersecurity at Station Casinos (a position that reports to a CISO) and lead faculty chair for cybersecurity programs at the University of Phoenix.