Cybersecurity has matured into a complex and diverse set of functions. In a large organization, there are eight functional areas, each represented by a separate team. In the smallest organizations, perhaps one or two individuals will try to cover as much as they can, and outsource the rest. In any case, each of these functional specializations represents a different role requiring different knowledge, skills, and abilities.
The eight specializations are:
• Architecture and Policy
• Data Loss Prevention
• Governance, Risk and Compliance
• Identity and Access Management
• Incident Response and Forensic Analysis
• Penetration Testing
• Secure DevOps
• Secure Software Development
Architecture and Policy
The cybersecurity architect designs and implements secure architectures and translates standards, business processes, and frameworks into internal policies. In most organizations, this is an experienced engineer, typically with many years in IT, who can make complicated tradeoff decisions. In other words, they can typically think of several ways to tackle a particular problem, and then sort through those alternatives to find the best solution. Architects are familiar with many products and protocols, and can develop functional diagrams of how applications actually work in the data center. More importantly, they are comfortable defining secure interfaces between applications and systems. The policies developed by the architects are driven by the underlying architecture they have chosen to use. Architects use frameworks to organize the architecture into manageable structures.
Data Loss Prevention (DLP)
These engineers deploy and manage security applications such as malware detection on endpoints and servers. Many modern anti-virus systems on PCs use an advanced client connected to services on the back-end to push out signature updates and the like. These engineers make sure the system stays up to date and troubleshoot negative interactions with new applications (that sometimes interfere with virus checkers). DLP personnel also manage the security of data on servers and databases, often installing and maintaining special software for permissions and logging as well. Finally, they often engage in user privacy issues and work on GDPR compliance.
Governance, Risk and Compliance (GRC)
These analysts measure and quantify risk, perform internal audits against best practices and standards, and develop plans for business continuity and disaster recovery. Risk analysis is becoming quite important because it must align with business risk. Applications and programs critical to the business need more protection than others, and it’s up to these analysts to make sure the risk has been identified and mitigated properly. The GRC team typically acts as the “security auditor” and checks the work of the other seven specializations against compliance checklists such as PCI-DSS and frameworks such as the Risk Management Framework (RMF). When there are findings of non-conformance, the GRC team provides tracking and verification until they are resolved.
Identity and Access Management (IAM)
This team manages identification, authorization and permissions across all systems. Because of the proliferation of protocols and technologies (OAuth, SAML, etc.), they tend to be protocol experts across all platforms, from desktops and servers to smartphones and tablets. They also need to understand and enforce identification policies across the entire organization. This includes understanding roles and role-based access management for business processes. They also track the latest in multi-factor identification and biometrics. More importantly, this team is most directly impacted by cloud architectures, which makes the job much more complex. This function typically has fewer staff than the other specialties, but the most common attack is user credential compromise, so diligence is required.
Incident Response and Forensic Analysis
Even the best defenses are breached from time to time. This team runs the Security Operations Center (SOC) and does threat hunting and detection. They detect and analyze security events and respond correctly by taking appropriate action, whether that means disconnecting a machine or simply sandboxing a piece of software to determine if it is malware. They are also experts at forensic analysis, and can determine what an attacker did and how they did it. As a result, this team develops evidence to be used in trial when needed, following standard chain-of-evidence rules.
Penetration Testing
This is the most commonly outsourced specialization, but many organizations still perform some internally. This team intentionally attacks systems to expose vulnerabilities and probe weaknesses. Often called the “Red Team,” they attack systems and processes exactly as a black hat attacker would. Done correctly, they can expose weaknesses and vulnerabilities before the real attackers do. More importantly, they make recommendations on how to harden systems against future attack. They also perform “human engineering” tests by trying to convince users to give up sensitive information. Because of that, they are often located off-site so they aren’t recognized.
Secure DevOps
This is the hands-on team that actually manages systems in the data center (or cloud). They securely install, configure, and operate systems and software—especially dedicated security products such as firewalls, intrusion detection, and even dedicated HSMs (Hardware Security Modules) to hold sensitive keys and certificates. Often, the team is called DevSecOps to signify that “security is in the middle.” Even in a cloud environment, they still need to manage security processes and functions securely.
Secure Software Development
Some organizations develop software to sell as a product, while others develop their own software just to use internally. In either case, this team develops and tests applications to have minimal vulnerabilities. They typically use rigorous processes and policies regarding software architecture, and then use special tools to scan software for vulnerabilities. Application security testing can be done statically (code inspection) or dynamically (run time behavior), but most organizations need to do both.
There are some natural similarities between the functional areas. For example, it’s common for the Architecture and GRC roles to either work closely or be performed by the same person. Likewise, the DevSecOps, IAM and Secure Development teams often work closely together.
Finally, it’s common for the Incident Response/Forensic team to do some penetration testing. It should also be noted that some of the functional specializations are often outsourced. For example, security consultants can routinely do security audits and assessments to support the GRC specialization. In addition, some companies provide penetration testing services.
All of these functional specializations will continue to evolve, just as the underlying technologies will evolve as they support the evolving needs of the organization. New innovations such as cloud, IoT, machine learning, and blockchains will affect each of the eight specializations in different ways. Therefore, it’s critical to the success of the cybersecurity team (and the organization as a whole) to stay on top with strong and timely training.
Like a sports team, skills must be developed for each position. Not everyone needs the same training, but together they can be much stronger. Global Knowledge can help you get there.