To borrow from the Nobel Prize-winning songwriter, the (security) times, they are a-changin’. When the commercial Internet was young—say in 1995—IT structure was relatively simple. It consisted of just three layers: server, network, and client. Each had its own security component.
Ah, the good old days. Growing complexity is one of IT’s biggest security challenges today. In general, the more complex the system, the larger its attack surface. It is much easier now for attackers to hide a multipronged attack across different layers and parts of the IT infrastructure, because no single team sees all of those layers at once.
Digital systems are dynamic. In today’s "XaaS" environments, it can be tough to track security events. Before, if someone was installing a new server in your computer room, others would notice the physical event. They would ask about the installer’s identity, authorization, and purpose. Who are you and what are you doing here? What is this new machine for?
Not any longer. A single organization may now run thousands of virtual machines. They move constantly between cloud data centers, appearing and disappearing on demand. It is almost impossible to notice one extra virtual machine that doesn’t belong, especially one that may exist for only a few minutes at a time.
Some digital systems provide too much visibility rather than too little. With logs of thousands or millions of transactions, it is hard to spot the needle in the haystack and separate truly threatening incidents from merely unusual events.
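The "one extra virtual machine" problem above is a reconciliation problem: the only way to notice a short-lived instance nobody asked for is to compare what the audit log says was created against what the inventory says should exist. The following is an added example, not code from the original post or from Cisco. The log lines, instance IDs, principals, and the approved inventory are all constructed for illustration; the field names loosely resemble a cloud audit-log export but are not tied to any particular provider’s schema.

```python
"""Reconcile VM lifecycle events against an approved inventory.

Added example with constructed data: SAMPLE_LOG, the instance IDs, the
principals and the inventory sets are made up for illustration and do not
come from any real environment or provider schema.
"""
import json
from datetime import datetime, timezone

# Constructed audit-log export, one JSON object per line.
SAMPLE_LOG = """
{"time": "2017-03-01T02:00:00Z", "event": "CreateInstance", "actor": "role/autoscaler", "instance": "vm-0001"}
{"time": "2017-03-01T02:04:10Z", "event": "CreateInstance", "actor": "user/alice", "instance": "vm-0002"}
{"time": "2017-03-01T02:05:00Z", "event": "CreateInstance", "actor": "user/mallory", "instance": "vm-9999"}
{"time": "2017-03-01T02:11:30Z", "event": "DeleteInstance", "actor": "user/mallory", "instance": "vm-9999"}
{"time": "2017-03-01T03:00:00Z", "event": "DeleteInstance", "actor": "role/autoscaler", "instance": "vm-0001"}
{"time": "2017-03-01T03:30:00Z", "event": "CreateInstance", "actor": "user/bob", "instance": "vm-0003"}
""".strip()

# Constructed source of truth: instance IDs recorded in the CMDB or IaC state,
# and the automation principals allowed to create instances without a ticket.
APPROVED_INSTANCES = {"vm-0002", "vm-0003"}
APPROVED_AUTOMATION = {"role/autoscaler"}


def parse_events(text):
    """Parse one JSON record per line and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def reconcile(events, approved_instances, approved_automation, ephemeral_minutes=15):
    """Return one finding per instance the inventory cannot account for.

    An instance is accounted for if its ID is in the inventory or if it was
    created by an approved automation principal. Everything else is flagged,
    with a sharper reason when it lived only briefly or was never seen created.
    """
    lifecycles = {}
    for rec in events:
        lc = lifecycles.setdefault(
            rec["instance"], {"created": None, "deleted": None, "actor": None}
        )
        if rec["event"] == "CreateInstance":
            lc["created"] = rec["time"]
            lc["actor"] = rec["actor"]
        elif rec["event"] == "DeleteInstance":
            lc["deleted"] = rec["time"]

    findings = []
    for inst, lc in sorted(lifecycles.items()):
        if inst in approved_instances or lc["actor"] in approved_automation:
            continue
        lifetime = None
        if lc["created"] and lc["deleted"]:
            lifetime = (lc["deleted"] - lc["created"]).total_seconds() / 60.0

        if lc["created"] is None:
            # Deleted with no recorded creation: either the log export is
            # incomplete or creation happened outside the audited path.
            reason = "deleted without a recorded creation (check log coverage)"
        elif lifetime is not None and lifetime <= ephemeral_minutes:
            reason = "unapproved short-lived instance (%.1f min)" % lifetime
        elif lc["deleted"] is None:
            reason = "unapproved instance still running"
        else:
            reason = "unapproved instance"
        findings.append(
            {"instance": inst, "actor": lc["actor"], "lifetime_minutes": lifetime, "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for finding in reconcile(parse_events(SAMPLE_LOG), APPROVED_INSTANCES, APPROVED_AUTOMATION):
        print(finding)
```

Run against the constructed log, only `vm-9999` is flagged: it is in neither the inventory nor the approved-automation set, and it lived for six and a half minutes, short enough to fall between two scheduled inventory scans. The autoscaler’s instance is accepted because of who created it, not because it is in the inventory, which is the trade-off to think about: an attacker who obtains the autoscaler’s credentials inherits that trust, so the approved-automation list should be short and its principals tightly scoped.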
New Threats, New Adversaries
In this post-desktop era, employees use their own laptops, smartphones, and tablets. Everything from a doorbell to a camera to an automobile has an embedded system. As a result, even formerly mundane objects, such as light bulbs and thermostats, can be exploited. This greatly expands the attack surface. Cybersecurity professionals have their hands full patching holes across a huge variety of devices and systems, checking that each type of device (many of them low-powered, with limited update mechanisms) is fully patched, and making sure none has been compromised or is being used as a pivot point into the rest of the network.
Hyper-connectivity is another big security issue. Everything today seems to have an always-on connection to high-speed networks, and nearly every device has an intelligent system embedded in it. These systems often use dynamic, on-demand services across ever-changing topologies. The security risks associated with always-connected people, machines, and devices can be a huge headache.
Automation may be more efficient, but it adds to security risks. Automated controls frequently run with the same permission level as a system administrator, so a compromised or tampered automation pipeline has administrator reach. The integrity of those controls, and of the credentials they hold, is vital.
Then there are the external factors like the bad actors. Organizations no longer face lone attackers working from one location. Many of today’s cyberthieves are loosely organized and dispersed individuals forming ad hoc associations. These groups work together for a short time to exploit security holes and monetize the information assets that they compromise.
There are also professional cybercriminals. These specialists for hire may be working for organized crime syndicates, or be sponsored by nation states. They can be hired over the dark web, and paid in hard-to-trace digital currencies, changing the economics of cybercrime. There has been a steep rise in the volume of information and technology assets sold in the global underworld market.
In short, there is a nonstop, ever-escalating arms race between attackers and defenders. This has been ongoing over many years and does not look like it will end any time soon.
Evolving Models for Security Teams
Back in 2005, the U.S. Department of Defense (DoD) introduced Directive 8570 as an information security workforce organization model. It was an effort to keep up with changing security needs. It outlined 14 specific job roles under four categories: Management, Architect, Technician, and Operations.
In 2015, the DoD introduced Directive 8140, beginning a multiyear move toward the new National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) developed in conjunction with the Department of Homeland Security (DHS) and the private sector, academia, and government. This more thorough workforce framework divides information security into seven activity categories and 31 specialty areas. The activity categories are as follows: analyze, collect and operate, investigate, operate and maintain, oversight and development, protect and defend, and securely provision.
The goal of the NCWF is to align all U.S. federal information security jobs with a new model. Although the process of standardization has begun, it will be two to three years before many federal agencies are on board with an implementation plan. Thus, 8570 is relevant for the time being.
This latest cybersecurity workforce framework will have a big impact on IT professionals looking for cybersecurity jobs, and on organizations putting together security teams. It arrives at the same time that enterprise information security has shifted away from a focus on perimeter security, a major transition in strategy. It also makes it easier for workers to move between similar roles in different parts of the federal government, including among military, civilian, and contractor positions. Departments built on a common team framework, with similar structures, can work together more smoothly in joint exercises and learning projects.
The IT industry’s security focus formerly relied on perimeter security, layered security, and defense-in-depth, which were regarded as best practices for information security preparation. The philosophy behind this approach was that a strong castle made the organization safe by keeping intruders and security risks outside, away from the organization.
Perimeter security by itself is not effective in today’s virtual systems, however. Even the strongest castles are not dynamic. They do not adapt to rapidly changing circumstances. They do not guard or defend themselves. Enterprise faith in strong perimeters was further weakened by the examples of Edward Snowden, Private Manning, and other famous insider-threat breaches. Throw in endless advanced attacks that broke through the defenses of many a well-fortified organization, and even the most diehard perimeter-focused strategists saw the need for a new approach.
The current security approach adds guards to the castle. Organizations need guards in addition to stout walls. Guards know what suspicious behavior is, and note if people are not where they ought to be, or doing things they shouldn’t. They notice when an area is under attack. They sniff out holes in the castle defenses, and work with architects and builders to recommend reinforcements to the castle walls.
This guard role is the security operations function. Leading organizations now make security operations part of the overall information security team, helping the organization gain awareness of external and internal security issues. These organizations remain aware of their security status and are well equipped to detect and defend against attacks.
Cybersecurity Needs Teams
Much of the growth in cybersecurity jobs under the new NICE framework comes from new roles and responsibilities. One of the big takeaways from this latest model is the necessity of teams. Cybersecurity is much too big a task now for just one lone defender, or even a tiny band of professionals.
It’s hardly surprising that cybersecurity jobs are growing three times faster right now than IT jobs in general, and 12 times faster than the overall job market. In a 10-year period, cybersecurity jobs grew 74 percent. That growth is continuing to accelerate.
Organizations everywhere face a global shortfall of 1.5 million cybersecurity trained workers by 2019. This crunch has boosted cybersecurity job salaries 9 percent higher than other IT professional positions. Hiring qualified, trained cybersecurity professionals is a huge challenge. That’s why more than one-third of employers ask job candidates for industry certifications.
In the DoD 8570 framework, each job role has a set of certifications designed to show that a person has the minimum training, knowledge, skills, and abilities to perform that role. New certifications are now being mapped into the NCWF as well.
Although developed for the U.S. federal government, the NCWF may also be suited for large enterprise organizations that can support security departments numbering in the hundreds. For smaller businesses or organizations, this large-scale framework can be overwhelming, especially considering that many job roles must be staffed 24/7. This means organizations need many more than one person to fill them.
A Simplified Security Team Model
To get a handle on staffing the security team and covering all the bases, smaller organizations should look at a simplified model. A simplified model provides a great starting point toward helping management understand how to meet the entire spectrum of their security needs.
Start by breaking down security job functions into four teams.
The first team includes chief information security officers (CISOs), chief security officers (CSOs), executives, and managers. Their job is as follows:
- Set budgets, and organizational priorities and policies
- Understand regulatory and legal compliance
- Understand business risks, priorities, and tradeoffs
The second team is made up of security architects. Their job role comprises the following:
- Understand and evaluate new and existing security technologies
- Design security controls to meet requirements and budgets
- Define and revise security architecture and controls
- Define security procedures and best practices
- Frequently also hire and build out the rest of the security team
- Set security strategy
The third team is composed of security engineers, technicians, and administrators. Their jobs are the following:
- Build out and implement the security architecture
- Deploy new systems using best practices and architect guidelines
- Respond to requests from the architect and security operations, making changes to existing security controls as needed
Finally, the fourth team is security operations. This team is frequently on the front lines of information security. Here are the responsibilities of security operations center (SOC) team members:
- Analyze security events
- Ensure security equipment operates effectively and properly
- Detect security attacks and events
- Respond to and investigate security attacks or events
- Mitigate or clean up after security breaches
The number of security team members needed will vary with each organization’s unique requirements. However an organization configures its team, the members should keep their security skills current, and the organization should have a training and development program in place so they can grow their skills and keep up with the latest threats and security technologies. Given the widespread shortage of professionals with cybersecurity skills, a strong talent development program is also an attractive reason for employees to stay. Ultimately, the right training and certifications make a huge difference in the quality of the team and in how quickly and effectively it works together to detect and respond to both current and future security incidents.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.