This is the fourth of six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.
Typical Roles/Skills for this Category
NICE provides a listing of typical roles or titles for staff working in the Operate and Maintain category. Obviously all organizations are different so these are examples and not prescriptive, i.e., not all organizations will have these particular jobs, titles, or roles, and they may be combined with other functions, outsourced, or not performed if they are not required. The sample roles from the NICE documentation, as well as definitions and typical skills that individuals in these roles might need, are listed below:
- Cyber Legal Advisor:
- Laws and regulations which impact security and privacy are constantly evolving, and determining how or if they apply to your organization often requires specialized skills and training in the legal field.
- Cyber Instructional Curriculum Developer, Cyber Instructor, Cyber Workforce Developer and Manager:
- We have all attended training that was boring and ineffective, some of which is caused by poorly designed material and some due to lack of instructional delivery skills. Instructional design, presentation, and teaching skills all require knowledge and practice. Determining the right blend of skills and acquiring training or education to develop an organization’s workforce also requires the ability to understand HR and workforce development.
- Privacy Officer/Privacy Compliance Manager, Information Systems Security Manager, Communications Security (COMSEC) Manager:
- Managing the organization’s security and privacy efforts often requires understanding and interpreting outside requirements like privacy regulations, as well as having adequate hands-on experience managing people, process, and technology in accordance with the requirements.
- Cyber Policy and Strategy Planner, Executive Cyber Leadership, IT Investment/Portfolio Manager:
- These are high level management roles and require both a thorough understanding of information security and cybersecurity concerns, as well as business leadership and management skills like strategic planning. This governance provides direction and oversight for all the organization’s activities, and leaders must understand how to adapt it to changing business or mission requirements.
- Program Manager, IT Project Manager, Product Support Manager:
- One step down from executive and strategic leadership, these managers are typically focused on tactical execution tasks in alignment with an organization’s mission or strategy. This may include managing the delivery and maintenance of individual products, IT systems, or portfolios of services, systems, and capabilities which allow the organization to achieve its goals.
- IT Program Auditor:
- Auditors need the ability to evaluate both systems and the overall programs used to operate and maintain them. This requires skills in data collection and analysis, as well as some management skills to schedule and coordinate the work required.
Many organizations struggle to implement risk-based security because it involves a thorough understanding of several aspects of operations, including what systems and services are in use, where and how data is utilized, and the actual task of implementing and enforcing governance like policies and standards. Risk management must be a concern at the very highest level of an organization, but too often security is deprioritized in favor of operational concerns until there is a security breach.
Defining governance structures can be a challenge as leaders are required to understand internal requirements of the organization as well as external factors like regulations and laws. The need to provide oversight can also be a challenge as it is an overhead cost in most organizations, so audit or assessment activities can be resource-constrained to the point of ineffectiveness.
Skills Development Opportunities
Governance and oversight are a blend of universal skills such as business leadership, audit, and risk assessment, and internal or organization-specific skills like program management frameworks and oversight tools including metrics and scorecards. Developing senior, executive, and C-level management skills is also a challenge, as personnel require a mix of on the job experience and formal training and skills development. In this category many certifications exist which help validate that employees have the theoretical knowledge required, including:
- Certifications such as CISSP and CCISO which develop and demonstrate skills at high-level program management and leadership of a security program.
- Certifications such as CIPP/US, CIPT, or CIPM which develop skills needed to understand and implement global privacy requirements, technology, and processes.
- Information System Audit, which teaches skills in assessing the architecture of a system.