When the commercial internet was young, IT structure was relatively simple. Today, though, growing complexity is one of IT’s biggest security challenges. The more complex the system, the greater the attack surface. It is much easier now to hide multi-pronged attacks in different layers and parts of the IT infrastructure. Virtual machines, BYOD, “-aaS” environments, hyper-connectivity, automation and professional cybercriminals have created an onslaught of vulnerabilities that yesterday’s cybersecurity cannot address. Organizations need a multi-pronged security approach, and this is best accomplished in the context of teams.
Teamwork: what cybersecurity needs now
Cybersecurity jobs have seen a growth spurt, reflected in the new federal NICE Cybersecurity Workforce Framework (NCWF) and its newly recommended roles and responsibilities. One of the big takeaways from this latest model is the need for teams. Cybersecurity is now much too big a task for one lone defender.
These jobs are growing three times faster right now than IT jobs in general, and 12 times faster than the overall job market. In a 10-year period, cybersecurity jobs grew 74 percent. That growth continues to accelerate.
By 2019, just two years from now, organizations will face a global shortfall of 1.5 million trained cybersecurity workers. This crunch has pushed cybersecurity salaries 9 percent higher than those of other IT professional positions. Hiring qualified, trained cybersecurity professionals is a huge challenge. That’s why more than one-third of employers ask job candidates for industry certifications.
In the U.S. Department of Defense’s 8750 directive, each job role has a set of certifications designed to show that a person has the minimum training, knowledge, skills and abilities to perform that role. Security certifications are now being mapped into the NCWF, too.
A significant number of the new cybersecurity job categories reflected in the NCWF’s security specialty areas have an operations aspect. In the real world, many jobs overlap multiple specialty areas and may be covered, at least in part, by the same certifications. For example, a Computer / Network Defense job role may include elements of detection, response, forensic investigation, or “clean up” activities, depending on the person’s skills and the size of their team.
While the NCWF was developed for the federal government, it may also suit large enterprise organizations that can support security departments numbering in the hundreds. For smaller businesses or organizations, this large-scale framework can be overwhelming, especially considering that many of the job roles must be staffed 24/7. This means organizations need multiple people to fill each functional area.
What security teams can look like now
Smaller organizations should look at a simplified model to get a handle on staffing the security team and covering all the bases. A simplified model is a good starting point for helping management understand how to meet the entire spectrum of their security needs.
The model begins with breaking down security job functions into four teams or groups.
Group One consists of CISOs, CSOs, executives, and managers. Their job is to:
- Understand regulatory and legal compliance.
- Understand business risks, priorities and tradeoffs.
- Set budgets, and organizational priorities and policies.
Group Two is staffed by security architects. They:
- Set security strategy.
- Understand and evaluate new and existing security technologies.
- Design security controls to meet requirements and budgets.
- Define and revise security architecture and controls.
- Define security procedures and best practices.
- Frequently also hire and build out the rest of the security team.
Group Three is made up of security engineers, technicians and administrators. Their goals are to:
- Deploy new systems using best practices and architect guidelines.
- Build out and implement the security architecture.
- Respond to requests from the architect and security operations, making changes to existing security controls as needed.
Group Four is security operations. This is frequently the front lines of information security. The job of this group is to:
- Ensure security equipment operates effectively/properly.
- Detect security attacks and events.
- Analyze security events.
- Respond to and investigate security attacks or events.
- Mitigate/clean up after security breaches.
How many team members will an organization need? That depends on the organization’s specific situation. The common denominator for all organizations, though, is the need for team members to keep their security skills current, and for a training and development program that lets them grow their skills and keep up with the latest threats and security technologies. With the global shortfall of cybersecurity skills, a robust talent development program can also give employees an incentive to stay. A team with appropriate, up-to-date training and certifications will be an effective team, equipped to meet present and future security challenges.
Want to learn more about how to get the skill sets needed to meet these challenges? Visit the Cisco Learning Network.
Tom,
Great article. I have been working with a major university to help them create a training program that will enable organizations of any size to operationalize the NIST Cybersecurity Framework across its organization and supply chain. The program also provides them guidance on how to build the supporting workforce in alignment with the NIST/NICE Cybersecurity Workforce Framework.
They will be going to market shortly, and if you have time I could connect you with the author to give you a briefing.
If you are at the RSA Conference in San Francisco next week, I will be presenting in the Cisco Theatre once per day. Please drop in and visit, I’d love to chat more!
Tom,
This is a blog I wrote on the 100,000 cybersecurity professionals the government wants to create by 2020. I think it aligns with what you are saying above.
https://www.linkedin.com/pulse/nist-cybersecurity-framework-ncsf-whats-missing-rick-lemieux
Rick,
I liked your article. I think that organizations are just beginning to figure out the intermediate layer of the NCWF — how the framework translates to their particular realities, from a practical perspective.
It will likely be the very large organizations that figure it out first, since it can be daunting to down-scale 31 specialty areas & 52 job roles for smaller organizations.
The successful smaller organizations’ teams I’ve seen have existing teamwork structures focused on mapping the 7 functions of NCWF with Risk Management Framework, and something like the simplified model I presented.
Tom,
You are spot on. In fact, our initial focus has been just that: the small to medium-sized businesses. What we are finding is that some are willing to take on the tasks while others are looking to outsource. The university I am working with has built its own SOC and staffed it with student interns and seasoned vets. In this situation everyone wins: the customer gets the security services they need in alignment with the NIST CSF, the interns get the degree, certifications and experience they need to land a job, and the university creates a revenue stream to fund future interns with apprenticeship programs.
You are correct, this is a huge area.
I have been part of a team that has developed a new cyber security course for our students. We are looking at partnering with a Uni to get a combination of practical (our end) and theoretical (uni) training.