More about a career in Secure Operations
You manage systems and networks to ensure they deliver the expected services to their users and to other systems, with the particular responsibility of ensuring that this is done securely. You follow formal secure operating procedures and monitor security controls. Wherever - as is normally the case - users interact with systems to read or process data, you ensure that the controls which authenticate them and authorise their access are working properly. When there are updates to existing systems or new ones to install, you plan the implementation carefully to minimise disruption to existing services, and satisfy yourself that the changes will not introduce new vulnerabilities.
Your work is mostly guided by the agreed standards and procedures. But, in the event of concern about a failure of the security controls, you focus on rapidly investigating the situation with colleagues in other specialisms. If there is a confirmed incident, you support the incident response by closing access to some parts of the system or network, ensuring that any failure in the controls is addressed, and checking that the other controls are working as they should. You may also need to quickly reconfigure parts of the network to isolate them for deeper investigation by colleagues in digital forensics.
This is all fairly technical work, and you have a good understanding of server-level software such as operating systems, system processes and directories. If your systems are running in the cloud, you will have developed a good understanding of the cloud platforms in use. If there's also substantial local hardware, you know how to monitor its operation and, in particular, how to manage maintenance, upgrades and repairs. You work collaboratively with other specialists and, if you provide support, with users.
Your primary responsibility is to keep the services operating reliably and securely, serving the needs of the business. This means you have a fair understanding of the relationship between systems and their role within the business; this is so you can, when necessary, prioritise support for those systems that are most crucial to business operations.
You're very organised and rigorous in managing, possibly even rejecting, any requests for access to the live systems from other teams who may want to test or investigate them, especially developers.
Depending on the size of the organisation and the extent to which information systems and cyber security services are run in-house, you may either be part of a structured secure operations team or solely responsible for this. In either case, you may work shifts across a long day, or work at any time if there's a technical problem or a suspected security incident.
Given how much technology you're responsible for, you stay on top of changes to it. You assess new technologies and explore whether they could make your current systems more effective, efficient or secure. You understand both how to update the technology already in use and how to manage upgrading it.
Work in this specialism involves managing an organisation’s information systems and networks according to security standards and requirements, so as to protect the organisation’s information and processes against attacks and accidental security incidents.
You may need to:
- manage identification, authentication and authorisation controls, including directories
- monitor system performance, including security incident metrics
- ensure that system processes, such as backups, are effective and in compliance with agreed protocols
- manage discrete development and test environments
- manage the transition to operation of new components and systems so as to minimise the risk to the security of other systems and current services
- ensure that updates (patches) to externally supplied software and hardware are applied quickly but safely
- support users in viewing and processing data according to agreed access controls
- manage the recovery of services after a security incident has been resolved
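Several of the responsibilities above (access controls and directories, backups, and timely patching) only become verifiable once they are expressed as checks with explicit thresholds. The script below is an added example, not part of the original page or of any product: it runs three such checks over constructed sample data (a directory export, a backup job log and a patch-status report) and returns findings an operator can act on. The data, the thresholds and the helper names (`check_access`, `check_backups`, `check_patching`, `run_checks`) are this example's own assumptions.

```python
"""Routine Secure Operations checks over constructed sample data.

Three checks expressed as code so the thresholds are explicit:
  1. access: live directory accounts vs the approved-access list
  2. backups: every protected system has a recent, successful backup
  3. patching: no host is outside the agreed patch window
All data and names below are constructed for illustration only.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 3, 15, 9, 0, tzinfo=timezone.utc)

# Directory export: who actually has access (constructed).
DIRECTORY_ACCOUNTS = {
    "alice": {"groups": {"ops", "sudo"}, "enabled": True, "last_login": NOW - timedelta(days=3)},
    "bob": {"groups": {"dev"}, "enabled": True, "last_login": NOW - timedelta(days=120)},
    "svc-backup": {"groups": {"backup"}, "enabled": True, "last_login": NOW - timedelta(hours=6)},
    "carol": {"groups": {"ops", "sudo"}, "enabled": True, "last_login": NOW - timedelta(days=1)},
    "dave": {"groups": {"sudo"}, "enabled": False, "last_login": NOW - timedelta(days=400)},
}
# Approved-access list agreed with line managers (constructed).
APPROVED = {"alice": {"ops", "sudo"}, "bob": {"dev"}, "svc-backup": {"backup"}, "carol": {"ops"}}
DORMANT_AFTER = timedelta(days=90)

# Backup job log: (system, finished_at, status) (constructed).
BACKUP_LOG = [
    ("db-prod-01", NOW - timedelta(hours=5), "ok"),
    ("web-prod-01", NOW - timedelta(hours=30), "ok"),
    ("web-prod-02", NOW - timedelta(hours=4), "failed"),
    ("web-prod-02", NOW - timedelta(hours=28), "ok"),
]
PROTECTED_SYSTEMS = {"db-prod-01", "web-prod-01", "web-prod-02", "fileserver-01"}
BACKUP_MAX_AGE = timedelta(hours=24)

# Patch status report: (host, last_patched, pending_critical) (constructed).
PATCH_STATUS = [
    ("db-prod-01", NOW - timedelta(days=10), 0),
    ("web-prod-01", NOW - timedelta(days=40), 2),
    ("web-prod-02", NOW - timedelta(days=3), 0),
]
PATCH_WINDOW = timedelta(days=30)


def check_access(accounts, approved, now=NOW):
    """Flag enabled accounts that are unapproved, over-privileged or dormant."""
    findings = []
    for name, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue  # a disabled account grants nothing; tidy up, but not a live risk
        if name not in approved:
            findings.append(f"{name}: account not on approved list")
            continue
        extra = acct["groups"] - approved[name]
        if extra:
            findings.append(f"{name}: unapproved group membership {sorted(extra)}")
        idle = now - acct["last_login"]
        if idle > DORMANT_AFTER:
            findings.append(f"{name}: dormant for {idle.days} days")
    return findings


def check_backups(log, protected, now=NOW):
    """Only successful runs count; the newest one per system must be recent."""
    latest_ok = {}
    for system, finished, status in log:
        if status == "ok" and finished > latest_ok.get(system, datetime.min.replace(tzinfo=timezone.utc)):
            latest_ok[system] = finished
    findings = []
    for system in sorted(protected):
        if system not in latest_ok:
            findings.append(f"{system}: no successful backup on record")
        elif now - latest_ok[system] > BACKUP_MAX_AGE:
            hours = (now - latest_ok[system]).total_seconds() / 3600
            findings.append(f"{system}: last good backup {hours:.0f}h ago")
    return findings


def check_patching(status, now=NOW):
    """Pending critical updates and hosts outside the patch window are findings."""
    findings = []
    for host, patched, pending in status:
        if pending:
            findings.append(f"{host}: {pending} critical update(s) pending")
        if now - patched > PATCH_WINDOW:
            findings.append(f"{host}: last patched {(now - patched).days} days ago (window {PATCH_WINDOW.days}d)")
    return findings


def run_checks():
    """Return all findings keyed by check, for a daily report or a ticketing hook."""
    return {
        "access": check_access(DIRECTORY_ACCOUNTS, APPROVED),
        "backups": check_backups(BACKUP_LOG, PROTECTED_SYSTEMS),
        "patching": check_patching(PATCH_STATUS),
    }


if __name__ == "__main__":
    for check, items in run_checks().items():
        print(f"[{check}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

The thresholds (90 days dormant, 24 hours for backups, a 30-day patch window) are placeholders for whatever the organisation's operating procedures actually specify; the point is that each responsibility becomes a question the script can answer, and a failed backup run is not silently treated as coverage.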
As a senior Secure Operations practitioner, you may also:
- be responsible for the overall performance and security of live systems
- plan the work of other practitioners
- set and monitor compliance with operational standards, particularly ones concerned with security
- select and implement performance and security monitoring tools
- monitor the effectiveness of the operations and identify changes which will improve performance
- work with managers in other teams to ensure effective cyber security across the organisation
- recruit, train and assess practitioners
In most organisations, the management of the security of information system operations is integrated with the overall management of the systems. In other organisations, there may be practitioners focusing almost purely on security, perhaps in a separate Security Operations Centre (SOC).
In a small organisation, there may be only one person managing the operations of its systems, including its security - particularly if those systems are largely or entirely cloud-based.
In larger organisations, where the security of operations is integrated into system management, there may be a team of system operators, system administrators and operations centre managers. This provides several levels of responsibility, from junior system operators to senior operations managers.
If the security of the systems is handled by a separate team, perhaps in a SOC, there will be fewer system management roles; most of the team will focus on other specialisms such as Network Monitoring & Intrusion Detection, or Incident Response. In this type of structure, there may only be one or, at most, two levels of responsibility in Secure Operations.
- understanding, complying with and monitoring the effectiveness of formal procedures
- attention to detail
- logical thinking
- maintaining detailed records of actions
- understanding business and user needs
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- configuring and managing processes on servers and network security devices
- selecting and creating methods for measuring system performance
- change management
- monitoring system performance and security
- scripting in operating systems
For senior practitioners
- IT helpdesk management
- establishing and monitoring compliance with procedures
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs).
E1 – Secure Operations Management
- establishes processes for maintaining the security of information throughout its existence including establishing and maintaining Security Operating Procedures in accordance with security policies, standards and procedures
- coordinates penetration and other testing on information processes
- assesses and responds to new technical, physical, personnel or procedural vulnerabilities. Engages with the Change Management process to ensure that vulnerabilities are mediated
- manages the implementation of Information Security programmes, and co-ordinates security activities across the organisation
E2 – Secure Operations & Service Delivery
- securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM). Implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management
- undertakes routine technical vulnerability assessments
- maintains security records and documentation in accordance with Security Operating Procedures
- administers logical and physical user access rights; monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.)
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
A Secure Operations practitioner may start their career as a system operator or administrator, with a fairly narrow set of responsibilities of which maintaining the security of the system is one. This makes it a good entry point into a cyber security career.
With additional training in cyber security, previous roles in the operational management and supervision of other kinds of technological systems can also provide useful transferable skills for starting in this specialism. Such roles include:
- CNC machine operator
- manufacturing robot supervisor
- telecoms network operator
- broadcast or cable TV engineer
- similar types of role in other sectors
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Secure Operations role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all this knowledge initially, but you do need to have most of the Core Knowledge.
Security Operations & Incident Management: the configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Authentication, Authorisation & Accountability: all aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
Operating Systems & Virtualisation: operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualisation, and security in database systems.
Network Security: security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
And, if the responsibilities include Industrial Control Systems:
Cyber-Physical Systems Security: security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Distributed Systems Security: security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers.
Human Factors: usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
Forensics: the collection, analysis and reporting of digital evidence in support of incidents or criminal events.
Malware & Attack Technologies: technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
For Secure Operations practitioner roles, titles include:
- Cyber Security Engineer
- Cyber Engineer
- Cyber Security Analyst (although this also covers wide-ranging, generalist cyber security roles)
- Infrastructure Support Engineer
- System Operations Engineer - Cyber Specialist
- Security Operations - Technical Specialist
For senior practitioner roles, titles include:
- IS Operations & Security Manager
A Secure Operations practitioner might earn between £36,000 and £49,000 a year.
A senior Secure Operations practitioner might earn between £45,000 and £90,000.
These ranges are calculated from a survey of online job vacancies advertisements in March 2021. Most of these advertisements did not include salary figures, so the sample size is small and may not be representative of the salaries for such roles in all sectors or all regions.