Muddling together security responsibilities often leads to tasks falling through the cracks. Instead, organizations should be as clear as possible about which member of the security staff is responsible for which tasks. Moreover, the division of those tasks should reflect the unique capabilities and strengths of each team member.
For instance, SOC personnel should be given tasks that require immediate attention, such as alert handling and incident response. Security engineers, on the other hand, should handle the “bones”: security architecture and engineering matters.
To help you clearly delineate roles, we define below the most common security roles and the responsibilities each should be tasked with, along with recommendations for how to ensure those designations stay in place even years down the road (hint: automation can really help).
Chief Information Security Officer (CISO)
AKA: CIO, CSO
Whether your organization has a dedicated CISO or a general CIO, this person is responsible for defining your organization’s entire security posture. The CISO (or CIO) should be the one to put together the strategy, programs, policies, and procedures to protect the organization’s digital assets, from information to infrastructure and more. A CISO is sometimes responsible for compliance, as well, which may require additional strategies, programs, policies, and procedures on top of the security-related ones.
Reporting to the CEO or CIO, CISOs have the most direct contact with the rest of the C-suite. That means it’s their job to represent the interests of the security team to the rest of the business. Your C-level security representative should focus on clearly communicating the business case for security, and on developing a complete strategy that covers prevention, detection, and response.
A good CISO will know and understand the information and systems they’re protecting. They’ll know the threat landscape and be able to identify, create, and maintain policies to help mitigate risk, as well as enabling rapid response to incidents.
Security Manager
AKA: SOC Manager, Security Director, SecOps Lead
If you have a security operations center (SOC), this is the person who will oversee it. If you don’t have an official, traditional SOC, this person will still be in charge of directly managing your security team. This role involves creating a vision for hiring, building processes, and developing the technology stack. A security manager should have a background in and significant experience with running a security team, and should be able to provide both technical guidance and managerial oversight.
(Note: Some companies may not have a C-level security team member like a CISO. In that case, the security manager is usually top dog and will own many of the responsibilities outlined above, too. If it sounds like a lot of responsibility… that’s because it is. You’ll want to hire accordingly.)
Security Engineer
AKA: Security Architect, SIEM Engineer, Security Device Engineer
Depending on the size, composition, and needs of your organization, you may have a variety of security engineers and/or architects on your team. While the broadest job title is “security engineer,” there may also be people on the team who specialize in SIEM, endpoint security, and other specific areas of security engineering.
Team members in this role are responsible for building security architecture and engineering security systems, as well as working closely with DevOps teams to ensure continuity and speed of releases. They should also be able to document the requirements, procedures, and protocols of the architecture and systems they create.
Security Analyst
AKA: Incident Responder, Incident Handler
Security analysts are, in many ways, the foot soldiers of the organization. Their job is to detect, investigate, and respond to incidents. They may also be involved in planning and implementing preventative security measures and in building disaster recovery plans. Depending on the vulnerabilities your organization faces and the nature of your security program, analysts may need to be on-call at various times to handle incidents as they arise.
Analysts may also be responsible for recommending new technologies and installing them, as well as training other team members to use them. Many organizations break security analysts out by level or tier, where the rank reflects the skill level of the analyst. Higher-ranked analysts handle escalated events or more complicated incidents that junior analysts may not be prepared for, and they perform proactive hunting for threats that may have escaped the alerting systems.
Building the Strongest, Most Effective Security Team
Delineation of responsibilities matters in any organization, and it’s especially key to making sure security incidents don’t fall through the cracks and that your overall posture is strategic and proactive.
One of the best ways to ensure that your people, processes, and tools are all working together like a well-oiled machine is to implement security automation and orchestration. It can take the pressure off many roles on the security team and help everyone work better together.