topic Re: Job title - help me understand in Tech Talk

Job title - help me understand

JKWiniger — Fri, 04 Dec 2020 04:08:17 GMT

It has been a hard day for me so please bare with me..

I was talking with someone I know and he mention a person with the job title of "Application Security Analyst"

I found thing interesting because I know the person and had no idea they knew anything about security.

So I asked what the job entailed, the reply was, making sure users had proper access to the applications they needed.

To me I would have called this a user admin role, or at least it used to be.

For my sanity I would like others to comment on this.

Thank you,

John-

Re: Job title - help me understand

Early_Adopter — Fri, 04 Dec 2020 06:58:34 GMT

Hi John,

Limited information there but to me an “Application Security Analyst” would be working with one or more applications, their platforms an related upstream/downstream services, components and dependencies to fulfil this list of points I cobbled together:

1. Create, update and maintain the register of risks, vulnerabilities and threats to the application, it’s data and users(more from a technical standpoint than business, but that understanding would be there);

2. They’d look at security by design(possible to look privacy by design as well, but that’s more from an assist) and of course work through inception, through traceable requirements(functional, non-functional and security);

3. They’d likely develop attack trees and would be actively helping to exploit the application as part of the application security testing intially to catch the easy stuff before helping with pen test, red team, blue team activities;

4. They’d help with coding standards, component assurance, security controls (deter, prevent, detect, remediate etc), how does it fit with our security architecture and tooling?

5. they’d be part of the regular review cycles, work with internal audit, compliance, poss even regulators in banking, healthcare etc, they be documenting the security decisions and looking at cost/benefit;

6. They would consider availability of the app for folk of course, but more from a reliability engineering standpoint - the right observability of the right events in a timely manner manner.

I could add more, but from your description of the explanation I feel that it’s likely missing some info, the explanation looks more like app support, or as you say admin - either of the app or the directory service permissions.

cheers.

Re: Job title - help me understand

dcontesti — Fri, 04 Dec 2020 08:48:04 GMT

Sanity?

Sorry, I don't think Job title means a lot anymore..........I worked with an individual and they called them a Senior Specialist Information Security. This was done for HR (pay purposes). The manager wanted to pay this person a higher salary grade and the only way was to give them a higher title

Unfortunately in a number of corporations, jobs and job title are tied to base pay and seldom truly reflect the individuals real job.

In my case, I had a Specialist (one step down from the senior position) that was training the individual on things like firewalls, IPS systems, etc.....image how the junior person felt. Of course I had a battle on my hands to have the junior person promoted........

So totally understand the confusion, you might ask HR/IT manager for formal job descriptions, etc.

Have a better day today

Re: Job title - help me understand

Steve-Wilme — Fri, 04 Dec 2020 12:53:59 GMT

Job titles are affectively meaningless. Job descriptions often equally so, if they don't reflect when the person actually spends their time doing. Companies often make jobs seem bigger or smaller than the actually are to to attract candidates or to justify the lower salary. It's not uncommon to see positions advertised as being middle to senior when they're little more than an IT admin focusing on 2 or 3 technologies hands on. I've nothing against Sys Admins, but describing jobs as what they are is a whole lot simpler and less frustrating for both employees and employers.

Re: Job title - help me understand

ericgeater — Fri, 04 Dec 2020 13:00:53 GMT

Regarding titles, the best rundown I've ever seen was in Peter Gregory's CISM study guide.

Depending on the company and the needs, titles can be given thoughtlessly by misunderstanding supervisors. I worked for a company that had a titled Application Programmer. That person worked for sixteen years, worked up three Access runtimes for rudimentary asset trackers, and tethered ODBC drivers. And. That's. It.

Re: Job title - help me understand

Steve-Wilme — Fri, 04 Dec 2020 13:32:19 GMT

I once has the title 'Consultant' and what this meant in practice was that any reasonably important one off task that need doing, from managing suppliers, to seeking our tax advisors opinion, to developing a credit management regimen, to procuring things, to reigning in our product managers to do snagging on civils to implementing KPIs fell to me. Everyone else had a full time role and slotted into their silo. My job description said 'Do stuff for Jon', quite literally. HR weren't pleased LOL.

Re: Job title - help me understand

tmekelburg1 — Fri, 04 Dec 2020 16:35:23 GMT

We have an Application Analyst , sans 'Security' but it's more than just providing access to applications. She troubleshoots user level issues and will contact the application's helpdesk for deeper level debugging if necessary. Also trains Users on the applications if they are new or if they need some type of refresher training. Technically she's considered a Systems Admin but role name types are changing and we made the change because that's where the industry seems to be heading, at least in our area.

Re: Job title - help me understand

JKWiniger — Tue, 08 Dec 2020 17:29:33 GMT

I would like to thank everyone for your replies, you have all given me a lot to think about. Sadly this makes me feel that the problems with job descriptions extends right into the job titles and I see this as a major failing in HR. How can a person find a new position if all the information they are presented with is basically wrong!

I have been in those consulting positions where I just did what needed to be done. The biggest problem later was when I needed to put it on the resume I couldn't really put down "I did stuff." Taking the time to figure out proper names for the things I was doing was a bit of a pain, and it's hard to find resources to help with this. I believe this probably extends to normal positions as well where people need to realized what their job description is does not match what they are actually doing. This can be a two fold problem, one, are you getting paid for what they have you doing, and are you putting on your resume what you actually do rather than what your job description claims you do?

At one of my first IT jobs they had me doing much higher level work than what I was hired for and I just went with it expecting a raise and a promotion. I got a tiny raise and no promotion with the promise they would stop giving me the higher level work that they were not paying me for. Days later it happened again and I asked why, they replied, because you do it! I left the position a few days later!

John-

Re: Job title - help me understand

Steve-Wilme — Wed, 09 Dec 2020 09:08:00 GMT

@JKWiniger Yes a common problem. You have to make sure that you're compensated for what you do. otherwise you're being taken advantage of. The function of many strategic HR department is often to keep down staffing costs. If they can find a rationale to pay under the market rate then many will.

Re: Job title - help me understand

JKWiniger — Wed, 09 Dec 2020 22:29:15 GMT

@Steve-Wilme If companies are in the practice underpaying doesn't this set the stage for low employee retainment because it gives them a big reason to look for other employment when they realize they can be paid more towards what they are worth somewhere else? Seems like bad management to me.

John-

Re: Job title - help me understand

Steve-Wilme — Thu, 10 Dec 2020 13:32:30 GMT

Yes of course paying below market rates shows short termism, but some companies are all about the short term, which they can be as they may simply not be in business in the medium to long term.

Then there are the things that they try to retain lowly paid employees, like

a) Training contracts, where if you leave you have to pay them for the experience gained whilst working for them

b) mandating training and then arguing you need to pay for it if you leave

c) restrictive clauses that state you cannot work in the same industry for an arbitrary period if you leave

etc.

So there are measures dreamt up by HR departments to chain staff to the organisation and penalise them financially if they leave. So poorly paid staff will bide their time an in the interim they get to employ them for peanuts.

Re: Job title - help me understand

JKWiniger — Thu, 10 Dec 2020 16:26:54 GMT

I think there are a lot of tactics that are used that are not really ethical and often outright illegal, but the employee doesn't know that so the go along with it. I believe I have it where it would deemed illegal to restrict a person from getting another position in the same industry because the previous company was basically preventing the person from making a living.

Companies have always faced the catch 22 of either you pay more for a person who has been trained or you pay less, pay for the training, and hope they don't leave afterwards. Normally better companies realize that as they train people they need to be promoted in some way in order to retain them.

John-

Re: Job title - help me understand

Steve-Wilme — Fri, 11 Dec 2020 10:33:07 GMT

As with all things there is a flip side to some of the more unpleasant HR tactics.

There have been cases in many occupations were employees have won cases for constructive dismissal, having received no training, been expected perform in spite of this. The cases are normally won on the basis that the stress that this would cause is skilled occupation is entirely forseeable by the employer and therefore they have failed in their duty of care.