Submission By: Tom Gilheany
Over the years, IT security and its associated job roles have evolved. In 1995, the arrangement was fairly simple. It consisted of just three layers: server, network, and client. Each had its own security component.
A decade later, the U.S. Department of Defense (DoD) introduced Directive 8570 as a workforce model for security teams. It was adopted and adapted by other very large organizations worldwide and is now well understood throughout the industry.
The 8570 framework outlines 14 specific job roles. Each role has a set of certifications designed to show that a person has at least the minimal amount of training, knowledge, skills, and abilities to perform a job. The 8570-approved baseline certifications include Cisco CCNA Security and Cisco Cybersecurity Specialist (SCYBER) certifications.
Over the past decade, much has changed in the world of security. Alongside digital government initiatives, and the pervasiveness of online government services and the Internet, the jobs involved with securing everything have become much more diverse. The threats faced have also become more complex, with nation-state-sponsored hacking, advanced persistent threats (APTs), and cyber-facilitated espionage activities.
A Time of IT Transition
Security needs have changed, too. To keep up, the U.S. Department of Defense published Directive 8140.01: "Cyberspace Workforce Management." This is a more inclusive and comprehensive model. It sets the direction to move toward the National Cybersecurity Workforce Framework (NCWF), authored as part of the National Initiative for Cybersecurity Education (NICE).
The NCWF divides IT security into seven activity categories and 31 specialty areas. The goal is to align all U.S. federal security jobs with this new framework. Although the process of standardization has begun, it will be a few more years before all of the various federal departments, agencies, and bureaus have an implementation plan in place for their personnel.
This latest IT security workforce framework will have a big impact on IT professionals looking for cybersecurity jobs, and on organizations putting together security teams. It came about at a time of a major IT transition: the shift away from perimeter-centric security.
The industry’s focus used to be centered on perimeter security, layered security, and defense-in-depth, all designed to keep intruders out using strong border controls. The theory? Build as strong a castle as possible, and then organizations would be safe.
Castles are not dynamic, however. They do not rapidly adapt to changing circumstances and new threats. They do not guard or defend themselves. In the wake of Edward Snowden, Private Manning, and other famous insider-threat breaches from those already “inside the castle,” the weakness of perimeter-only defense strategies became obvious even to non-experts. Add to that endless APT attacks and social engineering that manage to bypass a multitude of fortified, perimeter-based security controls, and the need for a “detect and respond” methodology becomes evident.
Current security thinking adds guards and watchtowers to the castle. Organizations need castle guards in addition to stout walls. Guards know what suspicious behavior is. They stop and investigate suspicious activities, notice when an area is being attacked, and can sound the alarm to bring reinforcements. They also inspect the defenses to make sure they are still in place, and point out any holes in the defenses.
This guard function in a castle equates to security operations (SecOps): make security operations professionals part of an overall security team, and the organization gains awareness of security issues (events, threats, vulnerabilities, weaknesses, breaches, attacks), on both the inside and the outside. It also remains aware of security status and is well equipped to defend actively against any attacks that manage to breach the perimeter defenses. Being able to protect against intrusion, hacks, and thefts throughout the full threat continuum—before, during and after an attack—is critical. Having guards in a SecOps function strengthens the ability to prevent attacks before they begin, and enhances the ability to effectively respond to them during and after an attack as well.
Overlapping Job Roles
Interestingly, in the NCWF, about 40 percent of the new security specialty areas have a security operations aspect. Much of the growth in jobs under the NCWF comes from new job categories, roles, and responsibilities. One of the big takeaways from this new model is the necessity of leveraging teams for security. It’s no longer a one-person job.
Smaller organizations trying to put together cybersecurity teams might be overwhelmed by the range and scope of new roles and duties. A good number of these roles, especially in operations, must be filled 24/7. This requires multiple staff members for the same job or overlapping jobs, and means that some staff will be working odd hours in order to provide 24/7 coverage.
Many specialty area job roles in the NCWF overlap and may be covered at least in part by the same job roles defined in the older 8570 framework. For example, an 8570 CND Security Analyst (or the NCWF’s “Protect and Defend – Computer Network Defense Analyst”) identifies, analyzes, and reports security events in order to protect information, information systems, and networks from threats. Likewise, an 8570 Incident Responder roughly corresponds to an NCWF “Protect and Defend: CND – Incident Responder,” who responds to crisis or urgent situations to mitigate immediate and potential threats.
The NCWF opens up many new career options for IT professionals. Study it to become familiar with the choices and possibilities. If you are planning a career in cybersecurity as an employee or contractor for any department, agency, or bureau of the U.S. federal government (or any other very large organization), the NCWF will help you to understand how large-scale cybersecurity teams will be structured, the roles available to you, and the training and certifications you may need in order to move or grow into those roles. If you are hiring and managing a cybersecurity team, it can be useful to understand how the largest of institutions structures and staffs their teams, especially if you wind up hiring from the public sector.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.