Published in


Understanding- Cyber Security Teams and Roles

Want to get started in Cybersecurity but still confused about where to start? What role suits your interest and skill? What team to join in Cyber Security? What are the available Career options?

The below image from ServiceNow clearly depicts the notion of various teams and how they collectively work for a single goal- Secure the Organization.


The Security Team comprises various levels, predefined standards, in-scope items, and rules to ease the functioning, which could vary from organization to organization. Below details will help you to better understand the CyberSecurity teams’ structure, roles, and responsibilities, required skills for individuals, and dependency.

CyberSecurity is a vast domain, here required roles vary from team to team, the skillsets they need, and their respective responsibilities. But majorly, key roles could be broken into below four:

Level 1. Chief Information Security Officer (CISO)
Level 2. Security Manager
Level 3. Security Engineer
Level 4. Security Analyst

Source- SANS Cybersecurity Leadership

Chief Information Security Officer (CISO) AKA: CIO, CSO

CISO is the head of a Security Team. Responsible for defining an organization’s entire security posture. The CISO plans the strategy, programs, policies, and procedures to protect the organization’s digital assets, from information to infrastructure and more.

Security Manager AKA: SOC Manager, Security Director, SecOps Lead

The security manager will run a security team. This role involves creating a vision for hiring, building processes, and developing the technology stack. A security manager will have significant experience with running a security team and will be able to provide both technical guidance and managerial oversight.

Security Engineer AKA: Security Architect, SIEM Engineer, Security Device Engineer, SOC Engineer, Consultant

Organizations have a variety of security engineers and/ or architects. They are people on the team who specialize in SIEM, endpoint security, Penetration Testing, Vulnerability Assessment, Threat Intelligence, and other specific areas of security engineering. This role is responsible for building security architecture and engineering security systems, as well as working closely with various teams to ensure continuity and speed of releases. They document the requirements, procedures, and protocols of the architecture and systems they create.

Security Analyst AKA: Incident Responder, Incident Handler, Analyst, Associate

Security Analysts are the foot soldiers of security. Their job is to detect, investigate, and respond to incidents. They may also be involved in planning and implementing security measures and in building disaster recovery plans. Depending on the nature of a security program, analysts may need to be on-call at various times to handle incidents as they arise. Analysts may also be responsible for recommending new technologies and installing them, as well as training team members to use them.

The number of available roles depend on the Hierarchy, as depicted by the below Pyramid. A team will have a greater number of analysts/incident responders as compared to leads/managers, followed by a director.

Source: Hierarchy of Needs- DayBlink

InfoSec Department Primary Responsibilities

1. Blue Team

Oversee all Information Security engineering functions including- Network Security, Software Development, Log Management, Security Architecture, System Administration, and Identity & Access

2. Cyber Crime

Investigate criminal activity that targets infrastructure, consumers, and employees

3. Identity & Access Management

Process and monitor accounts, roles, identities, and for employees

4. Incident Response

Detect, analyze and respond to security events and incidents, targeting network infrastructure, sensitive data, intellectual property, and employees

5. Legal

Supervise and oversee the review, negotiation, and drafting of major contracts, tender documents, and other legal documents and proceedings

6. Log Management

Log and monitor events across all assets

7. Network Security

Protect enterprise network environment including network traffic and assets

8. Project Management Office

Manage high-level projects and maintain Information Security operational functions

9. Red Team

Identify and exploit security vulnerabilities and study the capabilities of black hat hackers. This function also includes:
• Penetration Testing
• War Games
• Security Product Testing/Evaluation

10. Risk Management

Identify and manage risk associated with corporate infrastructure and connectivity

11. Security & Compliance

Track and maintain all reports and actions needed to achieve compliance against security policies, regulations, and audits

12. Security Architecture

Design, build and maintain the security structures for networks

13. Software Development

Create, execute, and maintain software to identify, protect, detect, and respond to attacks

14. System Administration

Monitor and manage the configuration and operation of network and computer systems

15. Threat Intelligence

Leverage evidence-based knowledge about an existing or emerging vulnerability to proactively mitigate ramifications

16. Vulnerability Management & Remediation

Identify, monitor, and remediate vulnerabilities in systems and networks

The Sliding Scale of Cyber Security

The below scale shows the correlation between the different Cyber Security Teams:

Source: SANS Digital Forensics and Incident Response- CTI SUMMIT 2017

Security Architecture Team

A Security Architecture team works to design, build, test, and implement security systems within an organization’s IT network. The team has a thorough understanding of an organization’s IT systems to foresee possible security risks, identify areas of weakness, and respond effectively to possible security breaches.

Secure Architecture Design looks at the selection and composition of components that form the foundation of your solution, focusing on its security properties. Technology management looks at the security of supporting technologies used during development, deployment, and operations, such as development stacks and tooling, deployment tooling, and operating systems and tooling.

Passive Defense Team

Passive Cybersecurity aims to protect against threats without regular human analysis or interaction. While IT personnel may monitor the system, perform maintenance, install necessary patches, and respond to alerts, they aren’t necessarily active in securing the system.

In a sense, passive cybersecurity is the first line of defense, protecting your organization’s networks from vulnerabilities, reducing the probability of a breach, and giving insight into threat encounters. It provides layers of defense that require more time and effort for threat actors to circumvent.

Active Defense Team

Active Cybersecurity, analysts gather intelligence to prevent future attacks based on knowledge, experience, and real-time information on the external environment and internal networks. While a passive approach puts an alarm on your house, an active approach analyzes when, where, and how a burglar is likely to strike.

Taking an active cybersecurity posture can be difficult for any organization. However, investing in managed security services to augment your team can fill the gaps in your security operations. Just like local and state police departments sometimes need assistance from the FBI, in-house cybersecurity teams can benefit from outside specialists.

Intelligence Team

The Cyber Security Intelligence team investigates methodologies and technologies to help organizations detect, understand, and deflect advanced cybersecurity threats and attacks on their infrastructure and in the cloud. It explores challenging research problems posed by building and combining AI and cognitive methods (e.g., contextual and behavioral analysis, machine learning, reasoning), scalable big data security analytics (e.g., graph mining, deep correlation, and provenance analysis), and next-generation defense mechanisms (e.g., transparent malware analysis, active defense, and cyber deception layers) to gain deep intelligence and insights about cybersecurity threats and attacks as well as threat actors; and protecting AI models against model theft, poisoning and evasion attacks by adaptive adversaries.

Offensive Security Team

Deploys a proactive approach to security through the use of ethical hacking. A red team consists of security professionals who act as adversaries to overcome cybersecurity controls. Red teams often consist of independent ethical hackers who evaluate system security in an objective manner.

They utilize all the available techniques to find weaknesses in people, processes, and technology to gain unauthorized access to assets. As a result of these simulated attacks, red teams make recommendations and plans on how to strengthen an organization’s security posture.

As now, you have a better understanding of various teams and roles in Cybersecurity. Utilize your skills and interests, to match that perfect spot and get started in Cybersecurity. 😎

Best Regards!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Cyber Security Consultant-Deloitte | CEH | Cyber Threat Intelligence (CTI) | VAPT