Penetration Testing For Dummies - Robert Shimonski - Page 14

In-house security pro

Pen testers generally work in the field in one of two ways: in in-house security operations or in consulting services for hire (which I discuss in the next section). Large companies and government agencies generally employ in-house operations engineers who conduct pen tests for the business they work for.

Smaller organizations can’t always afford to keep staff of this kind, and they often don’t have enough work to keep them busy. Sometimes conducting pen tests isn’t a dedicated position but is a task given to a systems administrator, a network engineer, or other IT professional in the organization.

An in-house employee who’s dedicated to securing the organization’s interests, assets, and reputation is often called a security analyst. This is someone employed full-time by a company, firm, or business (public, private, non-profit, government, military, or otherwise) who is responsible for providing security services. That’s a broad term for what can be a very detailed role, one that covers a variety of security functions along with the skills and tools they require.

Depending on the organization and the exact role, security analysts might have many other names, such as these (not a complete list):

 Chief Information Security Officer (CISO)

 Security architect

 Security engineer

 Security operations staff

 Risk analyst

 Forensics technician

 Security practitioner

These are obviously more detailed roles within security, but they all work with security, and they all analyze security to some degree.

Generally, to become a good security analyst you need to absorb, learn, or train in many other areas so you have a holistic view of the enterprise you are charged with securing. I discuss what you need to know in the later section, “Gaining the Basic Skills to Pen Test.”
