Cyber security continues to evolve from technology, process and people standpoints. To keep pace with these changes, organizations need to continually assess their cyber security posture and whether they have the talent they need to effectively protect the organization, its assets and stakeholders.
Roles and responsibilities differ from company to company, depending on size, budget, existing staff and philosophy. Though this blog is about cyber security-related roles, what matters most is that the organization has the right mix of skills. Medium and large companies can afford greater headcount and thus more specialists, while smaller companies have to make do with less, which usually means that individuals working in IT, security or both take on the responsibilities of more than one role. For example, there may be no CISO, so the CIO or CTO also oversees security.
Ideally, an organization will have a CISO because the typical CIO or CTO is not a security expert. A CISO is. A CIO or CTO can become a CISO by expanding their knowledge base. Alternatively, the CISO may report to the CIO or CTO (or even vice versa depending on what the company does and its priorities).
Of course, a CISO is only one of the roles companies should have in place. Following are three others.
Last week, we did a deep dive into DevSecOps, which extends DevOps with security built in from the start. DevSecOps recognizes that application security falters when DevOps teams and security teams operate as separate entities. DevSecOps ensures that one or more security professionals are on the team to provide guidance on how to best design, build, test and deploy software that is more secure.
The point of DevOps is to produce better quality code faster. Most teams have successfully increased speed, but not necessarily quality, and that shortfall extends to security. "Shift-left" security testing helps by making developers more responsible for the security of their code, but it is not a substitute for integrating DevOps and SecOps.
A relatively new role is the DevSecOps engineer who, like cloud security architects and cloud SOC engineers, needs to understand both IT and security at a technical level.
Cloud security architects have deep technical knowledge about cloud computing. They also understand cloud security best practices and marry those two bodies of knowledge to help ensure a secure cloud architecture. They need to understand security and compliance challenges and be able to implement cloud security standards across the enterprise.
Cloud security architects also need to know how to implement and migrate applications and workloads to a cloud environment. Beyond security architecture expertise, they should have hands-on experience with automation scripting, encryption tools, monitoring tools and forensics, and know how to integrate those tools into automated pipelines.
This role defines or helps define the enterprise security strategy as it relates to cloud and ensures that the architecture continues to meet new requirements.
The cloud security or SOC engineer helps expedite cyber response. The SOC constantly monitors events to avoid or minimize the impact of threats. Cloud SOC engineers help determine the most effective ways of evaluating and triaging security events as well as responding appropriately to them.
Since the SOC is heavily focused on monitoring and detection as a preemptive practice, it's important for the SOC engineer to minimize the number of false positives so the volume of alerts doesn't become unwieldy. They also need to minimize the number of false negatives, since each of those is an incident that went undetected. The two pull in opposite directions: tightening a rule to cut noise can also hide the slow, low-volume activity an attacker uses to stay under the threshold.
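To make the false positive versus false negative trade-off concrete, here is an added example (not code from the original post) that runs three brute-force login detectors over a small constructed auth log and scores each one against a known list of attacking sources. The log lines, the IP addresses (RFC 5737 documentation ranges) and the attacker labels are all constructed for this illustration; the thresholds are assumptions a SOC engineer would tune for their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events for illustration only (not real logs).
# Fields: timestamp, source IP, username, outcome.
# 203.0.113.9 is a fast brute-force attempt, 198.51.100.7 is a slow one
# (one failure every 90 seconds), 10.0.0.5 is a legitimate user who mistyped twice.
RAW_LOG = """\
2024-05-01T09:00:00 10.0.0.5 alice FAILED
2024-05-01T09:00:07 10.0.0.5 alice FAILED
2024-05-01T09:00:15 10.0.0.5 alice SUCCESS
2024-05-01T09:10:00 203.0.113.9 admin FAILED
2024-05-01T09:10:02 203.0.113.9 admin FAILED
2024-05-01T09:10:04 203.0.113.9 root FAILED
2024-05-01T09:10:06 203.0.113.9 root FAILED
2024-05-01T09:10:08 203.0.113.9 bob FAILED
2024-05-01T09:10:10 203.0.113.9 bob FAILED
2024-05-01T09:20:00 198.51.100.7 admin FAILED
2024-05-01T09:21:30 198.51.100.7 admin FAILED
2024-05-01T09:23:00 198.51.100.7 admin FAILED
2024-05-01T09:24:30 198.51.100.7 admin FAILED
2024-05-01T09:26:00 198.51.100.7 admin FAILED
2024-05-01T09:27:30 198.51.100.7 admin FAILED
"""

# Ground truth used only to score the detectors (part of the constructed scenario).
ATTACKERS = {"203.0.113.9", "198.51.100.7"}


def parse_log(text):
    """Turn the space-separated log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def naive_detector(events):
    """Alert on every source that produced at least one failed login (noisy)."""
    return {ip for _, ip, _, outcome in events if outcome == "FAILED"}


def threshold_detector(events, threshold, window):
    """Alert when a source produces >= threshold failures inside any sliding window."""
    failures = defaultdict(list)
    for ts, ip, _, outcome in events:
        if outcome == "FAILED":
            failures[ip].append(ts)
    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def score(flagged, events, attackers=ATTACKERS):
    """Count true positives, false positives and false negatives per source IP."""
    sources = {ip for _, ip, _, _ in events}
    return {
        "true_positives": len(flagged & attackers),
        "false_positives": len(flagged - attackers),
        "false_negatives": len((sources & attackers) - flagged),
    }


def run_comparison(text=RAW_LOG):
    """Score three rules: any failure, 5 failures in 60 s, 5 failures in 10 min."""
    events = parse_log(text)
    return {
        "any_failure": score(naive_detector(events), events),
        "5_in_60s": score(threshold_detector(events, 5, timedelta(seconds=60)), events),
        "5_in_10min": score(threshold_detector(events, 5, timedelta(minutes=10)), events),
    }


if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(name, result)
```

The "any failure" rule catches both attackers but also pages on alice's typos (a false positive). Tightening to 5 failures in 60 seconds removes that noise but misses the slow attacker entirely (a false negative). Widening the window to 10 minutes while keeping the count catches both attackers with no false positive on this data; in a real environment the engineer would re-check that wider window against legitimate traffic before shipping it.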
Like cloud security architects, they also have to be mindful of how the business, threats, processes and technologies are evolving.
Companies serious about security employ red teams whose job is to find holes in the security fabric. They use tools and tactics similar to those of real attackers so that the exercise emulates a genuine attack as closely as possible. Companies also use blue teams to defend against both the red team and actual adversaries.
One reason the red and blue teams may be kept separate from the wider security team is that their work is ongoing rather than event-based. If their members have other responsibilities, they are not solely focused on their function and are therefore less effective.
Whether a purple team is necessary or not is a matter of debate. Its job is to learn from the interactions between the red and blue teams so that cyber defenses can be improved. The argument against having a team dedicated to the purple function is that if the blue team is learning from and adapting to the red team’s exploits, it’s effectively doing the purple team’s job.
Pen testing is a form of adversarial learning.
Cyber security has been evolving since the first firewall was created. It continues to become more complex and nuanced, which makes continuous learning a necessity.
Cyber security teams need to constantly update their knowledge and tools to keep pace with the evolving threat landscape. They also need to understand where danger lurks, from both a technical and a human vulnerability standpoint, and how those risks are changing.