Submission By: Tom Gilheany
In the first part of this blog series, we talked about how the evolution of cybersecurity threats means that security teams need to evolve too. We also talked about the National Cybersecurity Workforce Framework (NCWF) from the U.S. Department of Homeland Security that gives big organizations a place to start for designing their own security teams.
Smaller organizations need diversified security teams too, but they lack the resources that bigger organizations have to build out larger teams.
To get a handle on staffing your security team at a smaller scale, and covering all your bases, use a simplified model.
This model can help you be sure that you have met the entire spectrum of today’s security needs.
If you are starting from zero, or educating yourself about starting a team from scratch, a simplified model is a great way to start a team organization or staffing conversation. What kind of security roles do different team members on the security team play, and how do they work together to protect my organization?
Start by breaking down the entire security team’s functions into four quadrants. Imagine those quadrants as parts of a larger circle like you see here:
In the top right position of the circle is the CISO/CSO/manager. This person’s role is to accomplish the following:
- Set budgets, priorities, and policies
- Understand regulatory and legal compliance
- Understand business risks, priorities, and tradeoffs
In the quadrant at the top left is the security architect. This person’s job is as follows:
- Understand and evaluate security technologies
- Understand and quantify security risks
- Design security controls to meet requirements and budgets
- Define and revise security architecture, controls, and best practices
- Frequently act as the top technical person on the security team, and have input into hiring for the next two quadrants
In the lower left quadrant are engineers, technicians, and administrators. Here are their job responsibilities:
- Build out and implement the security architecture
- Deploy new systems using best practices and architect guidelines
- Keep systems up to date and ensure that correct procedures are being followed
- Respond to requests from the architect and security operations
In the lower right quadrant is the security operations team. This is where the rubber meets the road during a security incident. The job of security operations center (SOC) team members consists of these activities:
- Analyze security events
- Ensure security equipment is operating effectively/properly
- Detect security attacks and events
- Respond to and investigate security attacks or events
- Mitigate and/or clean up after security breaches
How many security team members you need from each quadrant depends on your organization. No matter how you configure your security team, its members should keep their security skills current.
That is where the right training and certifications can make a huge difference in the quality of your team and how well it responds to the inevitable attacks.
Staffing Your Team Going Forward
As we look ahead, security teams need to be much more diversified than they have been in the past.
First, organizations are being attacked by teams playing offense. That means that you need a team playing defense.
Second, security teams should be designed and built strategically, with planning and forethought. Too many security teams are assembled ad hoc over time in response to fire drills.
Large organizations can look at government best practices for putting together security teams. Smaller organizations can use simplified models like the one shared above.
Ultimately, the team that performs well is the team whose members have well-defined roles. People in those defined roles are well trained, work together well, and communicate well. In the end, a well-designed security team leads to a better secured organization overall.
I welcome your feedback in the comments below. Want to build your team's skills? Take a look at Cisco's Security, Cyber Ops, and Security Specialist training offerings.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.