Roles can be categorized by disciplines and can vary in the degree of specialization. Depending on the size of a Cybersecurity Program and the maturity of its operation there are more a less of the teams below. In some cases there might even be wildly specialized teams that we don't even have on the below list yet. In other cases there might only be one Cybersecurity role in the whole organization.

Digital Forensics & Incident Response (DFIR)

This team is also known as Computer Systems Incident Response Team (CSIRT). It's team members strive to fully contain any size of cybersecurity incident and eradicate any threat from your systems and networks. It also provides forensics for any kind of cybersecurity incident, which includes incidents with external and internal threats. Here are some roles that you would find in such a team:

  • Forensics Analyst/Specialist
  • Reverse Engineer
  • Incident Responder
  • Incident Commander/Manager

Security Operations Center (SOC)

The SOC is the team that watches alerts, investigates them, and responds to them by either escalating to DFIR/CSIRT or by issuing pre-defined/authorized Response Actions. This team usually works 24×7 and therefor has night shifts and often requires work on weekends. It is great as an Entry-Level (SOC Analyst L1) because it exposes you to all kinds of cybersecurity incidents and teaches you things like the cybersecurity kill-chain and the beginning of the IR workflow/process. Here are some roles within this team:

  • SOC Analyst (L1/L2/L3)
  • SOC Lead
  • SOC Manager/Director
  • SOAR Engineer/Architect
  • Threat Intelligence Analyst (Threat Intelligence often ends up being its own team)

Security Engineering

The Security Engineering Team is usually closest to the IT Infrastructure team. Often the team members have worked in IT Infrastructure at some point during their career. This team usually maintains the security tool set. This team also performs security architecture reviews (aka Threat Modelling) for other IT teams. This team is often the starting point for a Cybersecurity program. Here are some roles within this team:

  • Security Engineer
  • Security Architect
  • Security Manager
  • Security Director

In this space you find the paper generating strategists of the cybersecurity profession. Here are some roles you typically find in GRC type teams:

  • Fraud Analyst
  • Auditor
  • Audit/Compliance Manager
  • (Enterprise) Risk Manager
  • (Compliance/Risk) Director
  • Privacy Manager/Director
  • Chief Privacy Officer (CPO) - This person does not always report to the CISO (It might belong to the Legal team instead.)

In an organization that produces digital services and goods, there is usually a team responsible for the security of its products. Depending on the product you would need some of the roles from this list:

  • Software Security Engineer/Architect
  • Hardware Security Engineer/Architect
  • Cryptographer
  • Code Auditor

This team specializes in testing the security posture of the org with the goal to provide valuable insight into present vulnerabilities and weak configurations. Here are some roles within such a team:

  • Penetration Tester
  • Penetration Testing Lead
  • Exploit Coder (writes exploit code for a given vulnerability)
  • Code Tester/Analyst (performs dynamic and static code analysis to find vulnerabilities)

The BOSS of it all. This person gets to translate the complicated matters of cybersecurity to the C-Level and the Board of Directors. This person also acquires and manages budget and headcount. Defines overall Cybersecurity Program and comes up with Vision, Roadmaps and other strategic things. Needs Monk-like ZEN abilities.