Daniel Deter is the Manager of Information Security at Green House Data.
All journeys begin in darkness.
The student's eyes opened to darkness, surrounding him, enveloping him in the fear and uncertainty of the unknown. With no light to guide him, he knew not where to go next. He could feel that he still wore his student's robes, and the soft-soled shoes of his order. Without conscious thought he reached up and ran his fingers across the silver symbols embroidered upon the left breast of his robe: the number of his student ID, of his identity.
My first experience as an information security (InfoSec) manager began unexpectedly. My director called me into the conference room, where he sat with the security manager, and said, “Deter, you’re the new security operations center manager.” I responded with, “Ah, yeah, hard pass,” to which he replied, “Too bad, it’s already decided.”
I soon took over a team that tracked no key performance indicators (KPI), had no training program, had very few documented procedures, and didn’t actively monitor the implemented security information and event management (SIEM) tool. Three months later, my director called me into the same conference room once again, and said, “Deter, the security manager is leaving, you’re the new security manager.”
This left me with a 24/7 SOC, a security engineering team, and a compliance team under my purview. This included a recently acquired FedRAMP compliance. I soon realized that each team suffered from severe dysfunction. A core component of that dysfunction was a lack of definition in roles or understanding about job responsibilities. It was clear to me that I had to rebuild the security teams, but how?
Several years later I left that team, and at that time it was understood to be the most high-functioning team within a much larger MSP organization. It had robust and well-written documentation, and a deeply technical group of personnel with expertise across all segments of IaaS and MSP services. We built what we later began to call an integrated delivery team (IDT), where each archetype (more on that to follow) was logically aligned with functional competencies from within the broader MSP business.
The purpose of this article isn’t to walk through the trials and tribulations that took my team from zero to hero, but rather to begin to distill those lessons into concise and easily consumed guidance that any leader can use to support team building, and any practitioner can use to guide their own personal journey as a student of information security.
It is generally understood, with broad industry concurrence, that an InfoSec skills gap exists and presents a significant challenge for those of us responsible for managing risk within an organization. What practitioners and leaders alike often fail to understand is the following:
To close the skills gap, an organization must first understand the competencies required by security teams in their pursuit of information technology risk management.
Information security is information technology. While the function and key performance indicators of the person may differ between roles, the skills required to be successful do not (i.e., InfoSec is inherently a technical discipline).
Information security consists of three core archetypes: builders, breakers, and defenders. It is through recruiting and building the skills of these archetypes that the foundations of highly functional security teams are formed.
Each of the three archetypes represents core technical knowledge, skills, and abilities (KSA) that, when leveraged for information security risk management, improve the efficacy of security programs and reduce overall cost of information security risk management.
What is a builder?
Builders are those who build secure infrastructures. This can include the network, the systems, and the applications.
Note: Yes, your DevOps team are also builders, and are absolutely critical to InfoSec, though for the purpose of this article I’ll be focusing on secure architecture in the KSA below.
What kind of jobs do builders do?
What are some core competencies for a builder?
What is a breaker?
The breaker is the hacker or cracker. The role of the breaker is to functionally identify and test vulnerabilities.
What kind of jobs do breakers do?
What are some core competencies of a breaker?
In this archetype you’ll find the widest range of skill sets. The foundational skills are:
Breakers hold a broad range of information technology skills, including programming, infrastructure administration, and system administration. To be highly successful, breakers need to understand how applications function, how operating systems function, and how communication occurs both across and within networks.
What is a defender?
The defender performs monitoring and response functions. In its simplest form, a defender has two primary duties:
The defender requires a broad skill set to be successful. Attackers only require competency in a single avenue of attack, while defenders need to understand information system architectures, operating systems, applications, and how they each communicate across a network. For best results when hiring defenders, start with someone with proven competency in operating system and/or network administration. The tough part isn’t learning to use your SIEM; it’s understanding the data coming into it, and then building a meaningful narrative of risk based upon it.
What kind of jobs do defenders do?
What are some core competencies of a defender?
What is IA and Compliance?
The Information Assurance (IA) and Compliance — AKA Governance, Risk, and Compliance (GRC) — aspect of information security programs represents the mechanisms through which an organization measures information security. As anything measured tends to improve over time, GRC teams provide significant value-add for an organization.
Please note: To keep your GRC program on track, ensure that work efforts are focused on measuring (e.g., via KPIs) the existing security program against a standard (e.g., NIST, ISO), a baseline, or an industry best practice.
What kind of jobs do IA and Compliance staff do?
What are some core competencies of IA and Compliance?
A great resource for those looking to map InfoSec jobs to knowledge, skills, and abilities (KSA) is the NIST NICE framework, SP 800-181.
The student stepped out of the darkness into the bright light of a cloudless summer day. The sun stung his eyes, long-since adjusted to the darkness. The heat of the day washed over him. Beads of sweat began to form on his forehead. He turned around, sudden resolve bubbling from the depths of his subconscious. He faced towards the cave, and the unknown terrors that lurked within.
He'd survived, he'd found the light, but he knew, intrinsically, that survival was not victory. Victory would require action, persistence, and a continual pursuit of knowledge. The student had faced the darkness, and now the darkness would have to face him. With a nod to no one, he stepped back into the cave, the sun glinting off the silver thread of his student ID a final moment before being swallowed by the darkness, the numbers clearly visible: “1337”.