This is the fifth of the six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.
NICE provides a listing of typical roles or titles for staff working in the Protect and Defend and Analyze categories. Obviously all organizations are different so these are examples and not prescriptive, i.e., not all organizations will have these particular jobs, titles, or roles, and they may be combined with other functions, outsourced, or not performed if they are not required. The sample roles from the NICE documentation, as well as definitions and typical skills that individuals in these roles might need, are listed below:
One of the biggest issues organizations face in both the Analyze and Protect and Defend categories is the sheer volume of data which must be collected, transformed into useful intelligence, and analyzed. Tools such as Security Information and Event Management (SIEM) platforms can gather the data, make it searchable, and potentially identify security issues which require investigation, but they are not a magical solution. Appropriately skilled personnel are required to configure and tune them to weed out false positives and to investigate the alerts that are generated.
The sheer volume of data, alerts, and activity on an organization’s network can also be a major stumbling block, as the number of staff and the time required to perform proper analysis simply may not exist. Many tools are sold with promises of artificial intelligence and machine learning (AI and ML) that can replace human skills, but these systems are still immature and are no replacement for properly trained personnel.
Analyzing security data and taking action to both proactively protect and defend networks against attack is largely a set of universal skills, i.e., a SOC analyst’s or cyber first responder’s skills will be portable from one organization to the next. There will be vendor-specific skills that can be acquired either on the job or with vendor-provided training, such as how to configure a particular next-generation firewall (NGFW) to perform intrusion prevention analysis and block malicious traffic. Skills and certifications which would be useful for workers in this role include: