Our InfoSec Practice
Protiviti’s infosec practice has been around since the company’s founding in 2002. What started as a small team of a dozen compliance and infosec professionals has grown substantially since then, to over 200 infosec professionals today.
Our practice has a few main groups:
- Local Security Consulting Personnel – The largest overall group (combined), our local information security personnel perform the full spread of information security projects. Most of these projects are PCI related (gap assessments, remediation help, formal assessments), though we also have a number of projects related to HIPAA, privacy, security strategy, and internal audit support (e.g., mobile device audits). We also do some pen testing, vuln assessments, and incident response-related work from these local offices.
- Pen Testing/Vuln Scanning Labs – These groups do most (but not all) of our pen testing and vulnerability scanning work. They are based in Philadelphia, Chicago, and New York, with some remote testers.
- Incident Response/Forensics Lab – This group is based in New York and performs most (but not all) of the incident response and forensics work we do.
- Security Operations Center Group – This group is distributed across the country, but primarily East Coast-based, and helps companies stand up SOCs, primarily with ArcSight.
While the above groups have their own specialties, it is important to note that there is crossover between the groups. If you become interested in a particular area of security, it is pretty easy to become more involved in such projects by reaching out to the right people.
What We Look For
While each position has slightly different experience and skills required, there is one thing we look for that doesn’t change: a passion for information security and technology. Skills can be taught, experience gained, but we have found the underlying curiosity, drive, and long-term commitment to information security and technology is the most important factor contributing to an infosec professional’s success.
People show their deep interest in information security and technology in many ways, but here are some of the things we look for:
- You actively participate in the information security/IT community, whether on IRC, Twitter, or at conferences.
- You’ve paid your way to infosec conferences that weren’t work-sponsored.
- Your interest in security/IT doesn’t stop when your work day is over; it is a hobby for you as well as a job.
- You’ve contributed to open source projects, whether security related or not.
- Your curiosity started early: before you could work, you built computers, reverse-engineered household appliances, and wrote programs.
- You examined websites, programs, and devices for security flaws, even when you weren’t paid to (all legally, of course).
In short, we look for true hackers, in the non-media-sensationalized meaning of the word.
Protiviti has a number of levels, and position descriptions can vary depending on the group.
In general, though, open positions fall into these categories:
- Consultants, Senior Consultants, and Managers – There are two levels within the Consultant and Senior Consultant categories, for a total of five levels (including Managers). These positions are heavily involved in project execution, with the Managers having some oversight responsibilities (especially in the labs).
- Senior Managers and Associate Directors – These positions are still very involved in project execution for complex projects, and have a supervisory role in less complicated projects. There is a stronger emphasis on business development at these levels as well, and there is increased involvement in proposal and statement of work creation.
Positions beyond the above include Directors and Managing Directors, which have increased management and business development responsibilities.
Who You'll Work With
In internal surveys, most employees list types of work and career advancement as key reasons they joined, and the people as the top reason they are staying. Protiviti’s infosec practice tends to attract people who are smart without being arrogant, hard-working without sacrificing hobbies/families, and demanding of excellence without being unfair. As a result, from managers to top leadership, Protiviti’s infosec practice is a solid group of people to work with.
Our infosec practice is composed of people from all types of career backgrounds, including:
- Networking and Systems Administration
- Software Development
- In-House Information Security
- Internal Audit
- Other Infosec Consulting Firms
- Security Software/Hardware Vendors
- The Big 4
- Defense Contractors
- Military Service
As a result of the various backgrounds on our InfoSec teams, when questions go out on our internal lists, or people need an SME in a particular area, it is rare that no one has an answer.