This is the second of six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.
NICE provides a listing of typical roles or titles for staff working in the Securely Provision category. All organizations are different, so these are examples and not prescriptive: not every organization will have all of these jobs, titles, or roles, and some may be combined where a full-time resource is not required. The sample roles from the NICE documentation, as well as definitions and typical skills that individuals in these roles might need, are listed below:
There are a number of critical issues an organization needs to deal with in the Securely Provision category. Many organizations will utilize vendors to develop systems, or will integrate third-party software or system components, which introduces risk outside the organization’s direct control. Cybercrime is a burgeoning business, and one of the Open Web Application Security Project’s (OWASP) top ten vulnerabilities year after year is misconfiguration. Systems may have highly complex vulnerabilities, but the simple act of forgetting to set the right configuration or check the right boxes can easily lead to a disaster.
The other big pain point for organizations is balancing the costs of security with the organization’s other missions, objectives, or priorities. Spending money or time to securely provision a system does not directly generate revenue or contribute to achieving a mission, but a hack or breach will definitely have a negative impact. Making the case for risk management to business leaders can be difficult as it can be perceived as merely hypothetical rather than a dangerous reality.
Some of the skills required for workers in these roles will need to be organization-specific, such as establishing the risk tolerance and evaluating systems to determine whether they are authorized to operate or require additional security controls. On-the-job training, job aids, and organization-specific documentation will be key.
Many of the skills in Securely Provision can also be acquired outside the organization, such as coding and system development, information system audit or assessment, and system testing. Some certifications and training which might be useful for developing workforce skills include: