Automatic translation from Russian to English. It may contain inaccuracies.

When I was in my first/second year at university, I tried to delve into the topic of info…

April 20, 2025 at 12:26 PM | Max Knyazev is typing… | Telegram mirror
When I was in my first/second year at university, I tried to delve into the topic of information security and... honestly? I didn’t even understand who was doing what there. Some threat analysts, some DevSecOps engineers, some pentesters... I sat with 30-pixel eyes and thought: “So, well, I think I went to information security, but who knows where exactly” 😳

In fact, if you are just starting your journey in information security, this is normal. It is overwhelming: there are a lot of roles, the names are strange, and almost everywhere they write “you need 3+ years of experience and 6 certificates” 🙄 Therefore, I decided to put together a post for you that will bring some order to this chaos. Let's figure out who is actually who in information security:

👨‍💻 DevSecOps are the guys who are responsible for security during the development process. They build in scanners, catch vulnerabilities at the CI/CD stage, and monitor the security of containers and repositories. Tools: SonarQube, Snyk, GitHub Actions, Vault, K8s, and the list goes on. If you are more about the engineering part and are not afraid of Jenkins, you can try yourself in this direction.

🫡 AppSec (Application Security) is closer to the code. These guys understand how to write code securely, analyze source code, conduct SAST/DAST, do code reviews, and help developers avoid running into XSS and other types of vulnerabilities. They are often friends with programming languages and love to talk about vulnerability triage, the use of various scanners, etc.

🧑‍⚖️ GRC (Governance, Risk, Compliance) is "paper" information security, as people call it. But don't be so quick to hate. It is these guys who understand risks, security policies, ISO, GOSTs, documentation, and in general they build the foundation. Without them there is chaos. They write the policy according to which DevSecOps then implements the protection. They are also very good at communicating with customers (and this is a real skill). This is exactly where I started. Audit visits, generation of threat models, technical data sheets, etc.

🔎 Pentesters / Red Team - those who break. Period. Their job is to find vulnerabilities, get inside and show that “you are still vulnerable.” Sometimes they work in the Red Team (I’ll also talk about teams separately in another post), simulate real attacks, use Metasploit, Cobalt Strike, Burp, and a million other tools. Their life is like the TV series Mr. Robot, but without the beautiful effects.

🛡 Blue Team / SOC analysts are the defenders. They catch intruders, set up monitoring systems, write rules for SIEM systems, and conduct investigations. It's like sitting on a tower in Tower Defense and making sure no one gets through. They live in Splunk, ELK, Zabbix, Wazuh and other fun things.

⚙️ OT Security / IIoT Security is the security of industrial facilities and the Internet of Things. Here it’s not just data that’s at stake, but physical consequences, from plant shutdown to equipment destruction. The specialists here are proficient in Modbus and SCADA, and like to take readings from a thermal imager, and not just from logs.

🧳 Security awareness - yes, there are such people! They teach employees how to avoid becoming a victim of phishing, tell them why they need a complex password and why they shouldn’t leak data in chat. These guys make the corporate culture more mature. Without them, the rest are simply putting out fires.

I have not mentioned all directions, only the main tracks. Within these tracks, some directions may intersect or complement each other.

I once did a mini review of the career map from Positive Technologies. It is beautifully laid out there, who grows from where to where. But I remember from my own experience: at the beginning of the journey, you don’t want a “career map”, but a normal human story - who does what and why it is important 😎

Now, years later, I can say: you don’t have to understand everything right away. Try it. Be wrong. Move from role to role. My own path began in paper security, then led to DevSecOps, and now I’m working on several tracks at once (AppSec, DevSecOps, DevOps and even ICS protection).

So if you’re just starting out and don’t know where you want to go, that’s normal. The main thing is not to stand still. Move. Learn. Read. Experiment 🥂

And if you already work in information security, write in the comments where you started. It will be useful for beginners, and I will enjoy reading it 😉

#information_security #career