NICE Framework: “Securely Provision” Challenges

• Authorizing Official/Designating Representative, Security Control Assessor, Secure Software Assessor:
  • These roles typically focus on understanding the overall risk profile of an organization and its component system and software, and either make or support decisions on the fitness of the security controls to reduce risks. They need business analysis and risk management capabilities, and may also have specializations in particular areas such as software development security or information system audit.

• Enterprise Architect, Security Architect:
  • Architects typically focus on high level details and require the ability to abstract details to produce a clear understanding of how all the components of an organization’s IT portfolio or security controls fit together.

• Software Developer, Research & Development Specialist, Systems Requirements Planner, System Testing and Evaluation Specialist, Information Systems Security Developer, Systems Developer:
  • These roles are usually individual contributors rather than management level, meaning they operate on tactical and operational levels of the organization to execute on the mission. They will be “hands on keyboard” performing engineering tasks, deploying and maintaining organization infrastructure, and conducting testing and validation activities.

Pain Points

There are a number of critical issues an organization needs to deal with in the Securely Provision category. Many organizations will utilize vendors to develop systems, or will integrate third party software or system components, which introduces risk outside the organization’s direct control. Cybercrime is a burgeoning business, and one of the Open Web Application Security Project’s (OWASP) top ten vulnerabilities year after year is misconfiguration. Systems may have highly complex vulnerabilities, but the simple act of forgetting to make the right configuration or check the right boxes can easily lead to a disaster.

The other big pain point for organizations is balancing the costs of security with the organization’s other missions, objectives, or priorities. Spending money or time to securely provision a system does not directly generate revenue or contribute to achieving a mission, but a hack or breach will definitely have a negative impact. Making the case for risk management to business leaders can be difficult as it can be perceived as merely hypothetical rather than a dangerous reality.

Skills Development Opportunities

Some of the skills required for workers in these roles will need to be organization-specific, such as establishing the risk tolerance and evaluating systems to determine if they are authorized to operate or require additional security controls. On the job training, job aids, and organization-specific documentation will be key.

Many of the skills in Securely Provision can also be acquired outside the organization, such as coding and system development, information system audit or assessment, and system testing. Some certifications and training which might be useful for developing workforce skills include: