Are you a Systems Administrator or Systems Engineer?
Security Engineer or Cyber Security Engineer?
Or are you trying to figure out if you’re the Chief Information Security Officer, or Chief Information Officer?
Our industry has a lot of titles, whether it be appointed or self-appointed.
The CISSP exam won’t ask you directly what each of these roles do, but rather pose scenario-based questions that might mention these roles.
Before reading this post, can I please ask you to remember that I’m trying to combine information I found from the Shon Harris 6th Edition book, and the new CISSP CBK 4th Edition book. In addition, I’m also trying to include a little of my own information security and IT experience. After all, the CISSP exam is a combination of both.
If you don’t agree or find something wrong with some of the definitions, let me know. My word isn’t final and gaining input from others in the industry is the best way to learn and share knowledge. I expect this post to go through multiple editions. Thank you!
In my 6 years as a systems administrator, I’ve had to wear many hats. The below was an actual conversation that still makes me laugh.
New Employee: Thanks so much for setting up my new computer. If you’re the systems administrator, should I talk to the network engineer if my Internet is slow?
Me: Absolutely, and since I’m also the network engineer, just let me know if you have that problem.
New Employee: Okay, awesome! What if I need some client IPs whitelisted from the firewall? Who is the security engineer?
Me: Oh, that’s me again. Just let me know!
New Employee: Oh, okay…what if…my database isn’t backing up properly?
New Employee: Oh, alright. Hmmm I see a lot of mouse traps in the office, what if there is a dead mouse that needs to be thrown away? Who is the janitor?
Me: I guess….<sigh> that’s me again…
Systems and Architecture Roles
When you think “The IT Guy” the systems administrator is who you are thinking about. This will probably be the first person you encounter in the IT department who provisioned your computer when arriving on your first day at the company.
This person tells you what programs are on your machine, where to find company files on the network, and the person you’ll get emails about the Internet being unavailable for an hour due to maintenance. It’s a good idea to keep this person as a close friend, as you’ll need them the most when you have a boot sector virus and require a brand-new computer. They’ll also be there when you spill coffee all over your keyboard and need a new one.
When they are not interacting with you face to face, then they are probably working on making sure the servers are patched, updated, and properly functioning.
Systems Engineer/Systems Analyst
A systems engineer can supposedly be the systems administrator’s “superior”. Why? Because engineers are supposed to make a company’s systems all work together in an efficient and cost-effective manner. This means they have to consider company laptops, desktops, servers, and databases and come up with a solution to increase productivity for users as well as optimizing peak system performance. While a systems administrator’s job is to just make sure these systems are maintained without any sort of engineering.
Reality Check: In the real world, I just don’t think most companies can afford nor separate these two roles. Also, systems administrators are no longer sitting around waiting for things to break. Their job has become much more complex as engineering has become a necessity. With cloud networks and faster and newer technology, the systems administrator and the systems engineer role has had to form a synergistic functioning machine. While your systems administrator may come to your desk to replace a keyboard, he may then go back to his office to patch system vulnerabilities.
Network and Security Roles
Slow Internet? VOIP phone not working? Permission denied when trying to access the wireless LAN? You’ll probably need to speak to the network engineers. They don’t go from desk to desk, and they don’t fix your computer. These guys and girls stick to themselves, discussing topics that are a bit out of the league of the casual employee. Let’s put it this way, if you know how to configure the time intervals for an OSPF Link State Advertisement between the DMZ and replication network, you can probably fit in with the network engineers. They deal with all things network, like routing protocols, VLANs, office access points, or bandwidth issues. They try to give users the best quality access and speed to do their work.
This is my job, and I can tell you it’s not like any of the others mentioned so far. Unlike the network engineer, the network security engineer tries to restrict as much access to the Internet as possible. We like to believe that the less access to stuff the user has, the better it is for the company security posture. Network security engineers deal with firewalls, establishing VPNs, implementing log and audit controls, and making sure the room with all the network equipment is locked and secure.
Reality Check: Users are the weakest point in a company, but that doesn’t mean they have to be restricted from doing their work. They’ll need access to databases, and they’ll most likely forget their passwords at the same time. Our job as security professionals is to find a balance between security and user needs.
Double Reality Check: Our jobs depend on user needs. Essentially, we need to make sure marketing, sales, and accounting can all do their jobs in order for the company to operate. If asked to make things more secure yet efficient at the same time, then that’s what we’re going to have to do.
What’s the difference between a security analyst and a security engineer? One engineers and the other analyzes, but doesn’t really explain anything! Let’s try an example:
A security engineer can SSH to an intrusion prevention system, and blacklist IPs that have been sending malicious malware payloads. All this means is that they’ve setup rules to prevent hackers from sending viruses.
A security analyst is the person that will actually look at the IPS virus signatures, and study them. They will study them, analyze them, and perhaps even write scripts or their own signatures to prevent the virus from making it into our network. Like their title, they are analyzing malicious threats, and not so much engineering a solution.
Reality Check: Even in the real world, it seems a security engineer and a security analyst are two different worlds. There is a significant difference between, just Google engineer vs analyst jobs, and you’ll see different requirements.
Information Systems Security Professionals
These are the CISSPs in the company. They usually don’t login to firewalls, or analyze malware. They are there to assist executive management to come up with sound and proper security policies.
They do paperwork. Some are technical.
They make sure all documentation in the company has a classification label like confidential, private, or public. They take their job very seriously, at least they look like they do. They aren’t wearing jeans or polo shirts, but more suits and ties.
They have a big responsibility to make sure company data stays secure, and that the senior management team isn’t blamed for any data loss. This type of job almost almost always requires a CISSP certification.
Information systems security professionals are well versed in the company business objective, and align it with their security policies and goals.