We’ve all been in a business lunch or a meeting where everybody is listening to the boss and it’s apparent that no one knows what he/she is talking about. Of course, nobody is willing to ask the question. You knew you didn’t know, you were pretty sure nobody else did either, but there was no way your hand was going up for fear that it might get sawed off after you exposed yourself as clueless. In Cyber Security, it’s beneficial to unlearn the above example, because the basics, and I mean the MOST basic ones, can save a lot of hassle.
It’s not often that an entire new sector of the corporate employment spectrum goes from a $5B to a $20B spend in less than 10 years. Fear is a powerful economic motivator. It also causes a ton of confusion. Questions like “What do I need?”, “What level of security am I really buying?”, and “If I actually figure out what I need, what qualifications do I even look for?” are commonplace. It took me a while to even figure out the simple structure of a company Security Program. Then I found NIST’s Cybersecurity Workforce Framework and it was immensely helpful. Over time, I did some rearranging and simplifying. With a big nod to NIST, here’s my list of the six functional areas of a Cyber Program.
1. Govern – These are your leaders – people that oversee, direct, develop and advocate a company’s Security Program. An interesting number of these folks don’t deal in Security full-time. These people include your CISO or InfoSec Manager, legal, training and awareness, strategic planning folks, program and project managers, and Security budget/audit people.
2. Design and Build – These are your higher-level IT folks – people who create, design and build InfoSec systems. Architects, software and systems developers, testers and risk management people fall under this area.
3. Operate and Maintain – Hands-on people that run the tools that operate the network. Data administration, tech support, network ops, sys administrators and analysts round out this group.
4. Collect – Now we start to get into the sexy side of the business, as 4 through 6 tend to be what people think about when they hear the word Cyber. This group represents the people that collect Cyber information used to develop intelligence, primarily Cyber collection people and operational planners. Basically, these are folks that come out of the Intelligence community.
5. Protect, Defend and Analyze – These are high-level tech people that identify, analyze and mitigate threats to internal systems. You’ll find a bunch of analysts here, from cyber defense to incident response to vulnerability assessment and management, and threat analysis. Pentesters are also part of this group.
6. Investigate – Most of this work is still done by law enforcement, but more and more large organizations with serious data are hiring these people, who are a combination of cyber crime investigators and digital forensics people.
I use this framework almost every day and I hope it helps bring some clarity to you.