The mind-map below is my attempt at inventorying and classifying the plethora of roles that exist within the field of cybersecurity. Beyond this map, I’ve provided some additional context, gotcha’s and other notes related to the map itself.

infosec roles

Notes on the Map

Alright, so you’ve seen the map and I expect many will have questions or things about it they wish to challenge. Let me try to address some areas of improvement and provide additional context around my thinking…

  • It’s very possible something on the map is not where it should be, could be reclassified or something is missing. If you think so, I’d love to hear about it so I can make edits to the map!

  • Though these roles can exist independently, many of us in the industry know that you are likely to “wear many hats”, especially if you work for smaller organizations. As such, many people who see this map may identify as two or even more things here that may even exist in multiple different categories.

  • I like to consider “Vulnerability Management” both an offensive security role as well as a blue- ish security operations role. Maybe I’m biased having gotten my start in VM, but I think most in the field of offensive security would at least agree that identifying vulnerabilities (recon / enumeration) is a big part of the offensive methodology. Thus, I consider VM the starting point for offensive ops. I also definitely consider it in many ways an “operations” role.

  • There are a bunch of things (on the right-side of the map) that I had trouble classifying into their own group. Maybe there is a good category to shove them in but for now they float.

  • By “Cybersecurity Training”, I merely mean the act of teaching other security professionals infosec topics. Compared to “User Awareness Training” which is about teaching non-security personnel how to maintain security awareness.

  • “Security Engineering” is a role that could easily be applied to just about anything. For the purpose of this map, I’m considering “engineering” to be related to the build, integration and deployment of security tooling - with an emphasis on build. Again, it’s easy to apply the “engineering” title to other disciplines but I think this is a decent way of viewing things.

  • “Product Security” (or Product / Platform security) is where I’ve decided to lump in individual, specialized security disciplines (e.g. things like - Windows, Linux, ICS, Juniper, etc…) - Essentially, those who are specialized in securing specific products or platforms. I’ve left it as orange to designate it too as an “engineering” discipline.

Outro

Alright, I hope this helps give you a better idea of the different roles within infosec! In addition to this, I recommend you check out Daniel Miessler’s piece on “Rainbow Teams” or even look at how ISC2 defines the various security domains.

Finally, for any suggestions, corrections, comments or anything else, I always appreciate feedback!