JKWiniger
Community Champion

Job title - help me understand

It has been a hard day for me so please bear with me..

I was talking with someone I know and he mentioned a person with the job title of "Application Security Analyst".

I found this interesting because I know the person and had no idea they knew anything about security.

So I asked what the job entailed; the reply was: making sure users had proper access to the applications they needed.

To me I would have called this a user admin role, or at least it used to be.

For my sanity I would like others to comment on this.

 

Thank you,

John-

12 Replies
Early_Adopter
Community Champion

Hi John,

 

Limited information there, but to me an “Application Security Analyst” would be working with one or more applications, their platforms and related upstream/downstream services, components and dependencies to fulfil this list of points I cobbled together:

1. Create, update and maintain the register of risks, vulnerabilities and threats to the application, its data and users (more from a technical standpoint than business, but that understanding would be there);

2. They’d look at security by design (possibly privacy by design as well, but that’s more from an assist) and of course work through inception, through traceable requirements (functional, non-functional and security);

3. They’d likely develop attack trees and would be actively helping to exploit the application as part of the application security testing initially to catch the easy stuff before helping with pen test, red team, blue team activities;

4. They’d help with coding standards, component assurance, security controls (deter, prevent, detect, remediate etc), how does it fit with our security architecture and tooling?

5. They’d be part of the regular review cycles, work with internal audit, compliance, poss even regulators in banking, healthcare etc; they’d be documenting the security decisions and looking at cost/benefit;

6. They would consider availability of the app for folk of course, but more from a reliability engineering standpoint - the right observability of the right events in a timely manner.

 

I could add more, but from your description of the explanation I feel that it’s likely missing some info; the explanation looks more like app support, or as you say admin - either of the app or the directory service permissions.

 

cheers.


dcontesti
Community Champion

Sanity?

 

Sorry, I don't think job title means a lot anymore... I worked with an individual and they called them a Senior Specialist Information Security. This was done for HR (pay purposes). The manager wanted to pay this person a higher salary grade and the only way was to give them a higher title.

Unfortunately in a number of corporations, jobs and job titles are tied to base pay and seldom truly reflect the individual's real job.

In my case, I had a Specialist (one step down from the senior position) that was training the individual on things like firewalls, IPS systems, etc... Imagine how the junior person felt. Of course I had a battle on my hands to have the junior person promoted...

 

So totally understand the confusion, you might ask HR/IT manager for formal job descriptions, etc.

 

Have a better day today

 

d
Steve-Wilme
Advocate II

Job titles are effectively meaningless. Job descriptions often equally so, if they don't reflect what the person actually spends their time doing. Companies often make jobs seem bigger or smaller than they actually are to attract candidates or to justify the lower salary. It's not uncommon to see positions advertised as being middle to senior when they're little more than an IT admin focusing on 2 or 3 technologies hands on. I've nothing against Sys Admins, but describing jobs as what they are is a whole lot simpler and less frustrating for both employees and employers.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ericgeater
Community Champion

Regarding titles, the best rundown I've ever seen was in Peter Gregory's CISM study guide.

 

Depending on the company and the needs, titles can be given thoughtlessly by misunderstanding supervisors. I worked for a company that had a titled Application Programmer. That person worked for sixteen years, worked up three Access runtimes for rudimentary asset trackers, and tethered ODBC drivers. And. That's. It.

-----------
A claim is as good as its veracity.
Steve-Wilme
Advocate II

I once had the title 'Consultant' and what this meant in practice was that any reasonably important one-off task that needed doing, from managing suppliers, to seeking our tax advisors' opinion, to developing a credit management regimen, to procuring things, to reining in our product managers, to doing snagging on civils, to implementing KPIs, fell to me. Everyone else had a full time role and slotted into their silo. My job description said 'Do stuff for Jon', quite literally. HR weren't pleased LOL.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
tmekelburg1
Community Champion

We have an Application Analyst, sans 'Security', but it's more than just providing access to applications. She troubleshoots user level issues and will contact the application's helpdesk for deeper level debugging if necessary. She also trains users on the applications if they are new or if they need some type of refresher training. Technically she's considered a Systems Admin, but role name types are changing and we made the change because that's where the industry seems to be heading, at least in our area.

JKWiniger
Community Champion

I would like to thank everyone for your replies; you have all given me a lot to think about. Sadly this makes me feel that the problems with job descriptions extend right into the job titles, and I see this as a major failing in HR. How can a person find a new position if all the information they are presented with is basically wrong!

I have been in those consulting positions where I just did what needed to be done. The biggest problem later was when I needed to put it on the resume; I couldn't really put down "I did stuff." Taking the time to figure out proper names for the things I was doing was a bit of a pain, and it's hard to find resources to help with this. I believe this probably extends to normal positions as well, where people need to realize that their job description does not match what they are actually doing. This can be a twofold problem: one, are you getting paid for what they have you doing, and two, are you putting on your resume what you actually do rather than what your job description claims you do?

At one of my first IT jobs they had me doing much higher level work than what I was hired for, and I just went with it expecting a raise and a promotion. I got a tiny raise and no promotion, with the promise they would stop giving me the higher level work that they were not paying me for. Days later it happened again and I asked why; they replied, "because you do it!" I left the position a few days later!

 

John-

Steve-Wilme
Advocate II

@JKWiniger Yes, a common problem. You have to make sure that you're compensated for what you do, otherwise you're being taken advantage of. The function of many strategic HR departments is often to keep down staffing costs. If they can find a rationale to pay under the market rate then many will.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
JKWiniger
Community Champion

@Steve-Wilme If companies are in the practice of underpaying, doesn't this set the stage for low employee retainment, because it gives them a big reason to look for other employment when they realize they can be paid more towards what they are worth somewhere else? Seems like bad management to me.

 

John-