Recently, the SANS Institute published what it calls the “Top 20 Coolest Jobs in Information Security.” According to the security training and resources group, these jobs are:

1. Information Security Crime Investigator/Forensics Expert
2. System, Network and/or Web Penetration Tester
3. Forensic Analyst
4. Incident Responder
5. Security Architect
6. Malware Analyst
7. Network Security Engineer
8. Security Analyst
9. Computer Crime Investigator
10. CISO/CSO/Director of Security
11. Application Penetration Tester
12. Security Operations Center Analyst
13. Prosecutor Specializing in Infosecurity Crimes
14. Technical Director/Deputy CISO
15. Intrusion Analyst
16. Vulnerability Researcher/Exploit Developer
17. Security Auditor
18. Security-Savvy Software Developer
19. Security Maven in an Application Developer Organization
20. Disaster Recovery/Business Continuity Analyst/Manager

The SANS list is attached to a gated report, and it only provides descriptions for four of the positions. Some of the jobs look redundant; what is the difference between an “infosecurity crimes investigator” and “computer crimes investigator”? Regardless, I think the real point of this list that security jobs are still both the cool stuff like the stuff we see on the "CSI" TV shows and they’re still a black art that few outside the realm have mastered.

Given that security remains a black art of sorts, the ability to find people with the chops to do these cool jobs is exceedingly difficult. Many people talk a good game about security and say they know what they’re doing, but the truth is that it does take specialists to design, operate, maintain and manage a well-oiled security infrastructure.

So, looking at this list, where can security solution and service providers add value? Where can solution providers provide business managers with alternative resources to hiring?

Disaster Recovery: According to a new CompTIA study, 70 percent of businesses have a disaster recovery plan, which shows that management understand the importance of being able to restore data following a human or act-of-God incident. However, businesses don’t always have the wherewithal or resources to implement plans. Data backup and off-site managed storage is among the more robust offerings in the market and a tremendous opportunity for solution providers.

Security Architect: This is the position of the master designer, the guy who builds the better mousetrap. In olden days of infosecurity, the security designer was the guy who wanted to spend all kinds of money on technology and processes to lock everything down to the point where functionality was lost. Today, a security architect is a guy who builds systems that balance needed functionality and user productivity against threats and budget constraints. A solution provider with solid architect skills can design security systems that provide adequate data and infrastructure protection without breaking the customer’s wallet—and that’s a valuable skill in the eyes of customers.

Computer Crime Investigator: Yeah, this is the cool stuff, and it’s not reserved for cops and the feds. Data collection and rules of evidence are quite specific if you have any hopes of a successful prosecution. Collection of evidence for internal administrative actions—such as terminating an employee for causing a breach or stealing data—falls in this category. Solution providers who can provide this service will score big business in coming years.

Forensic Analyst/Intrusion Analyst: Similar to a crime investigation, forensic analysts examine breaches and security incidents to find the root causes and make recommendations for improvements. For many organizations, there isn’t necessarily enough forensics work for a full-time position. But the need is great enough to contract with an expert solution provider for the service.

Penetration Tester: This is one of the best jobs in security. The sole purpose of a pen tester is to bang away at a network or application until it breaks. This is more than just vulnerability testing where you look for the obvious. Pen testing is everything from attacks with finesse to brute force assaults that don’t stop until holes are found. Again, it’s a solid service opportunity.

Incident Responder: Security breaches are not a matter of “if” but “when.” And when a security breach does happen, it takes skilled professionals to quickly recover from the incident and restore security protections. Solution providers with teams that can parachute into an organization following a breach will find their services highly valued by clients.

Security Auditor: Whether it’s PCI-DSS, Sarbanes-Oxley, SB 1386, FISMA or any of the regulations that make up the growing list of governance and regulatory compliance issues, auditors are needed to check the security measures implemented by organizations to ensure they meet specifications. By definition, this is a third-party chore, and one that’s filled by solution providers and accounting firms alike. As GRC requirements increase, so too will audit opportunities.

What security jobs do you think are the coolest? Where do you see security growth and business opportunities? Share your thoughts here.