InfoSec Roles and Archetypes to Close the Skills Gap

March 1, 2023

Daniel Deter is the Manager of Information Security at Green House Data. Follow him on LinkedIn.

Prologue

All journeys begin in darkness.

The student's eyes opened to darkness, surrounding him, enveloping him in the fear and uncertainty of the unknown. With no light to guide him, he knew not where to go next. He could feel that he still wore his student's robes, and the soft-soled shoes of his order. Without conscious thought he reached up and ran his fingers across the silver symbols embroidered upon the left breast of his robe: the number of his student ID, of his identity.

The Journey Begins

My first experience as an information security (InfoSec) manager began unexpectedly. My director called me into the conference room, where he sat with the security manager, and said, “Deter, you’re the new security operations center manager.” I responded with, “Ah, yeah, hard pass,” to which he replied, “Too bad, it’s already decided.”

I soon took over a team that tracked no key performance indicators (KPI), had no training program, had very few documented procedures, and didn’t actively monitor the implemented security information and event management (SIEM) tool. Three months later, my director called me into the same conference room once again, and said, “Deter, the security manager is leaving, you’re the new security manager.”

This left me with a 24/7 SOC, a security engineering team, and a compliance team under my purview, which also included a recently acquired FedRAMP compliance. I soon realized that each team suffered from severe dysfunction. A core component of that dysfunction was a lack of defined roles and a lack of understanding about job responsibilities. It was clear to me that I had to rebuild the security teams, but how?

Several years later I left that team, and by then it was understood to be the highest-functioning team within a much larger MSP organization. It had robust, well-written documentation and a deeply technical group of personnel with expertise across all segments of IaaS and MSP services. We built what we later began to call an integrated delivery team (IDT), where each archetype (more on that to follow) was logically aligned with functional competencies from within the broader MSP business.


Building a Successful InfoSec Team

The purpose of this article isn’t to walk through the trials and tribulations that took my team from zero to hero, but rather to begin to distill those lessons into concise and easily consumed guidance that any leader can use to support team building, and any practitioner can use to guide their own personal journey as a student of information security.

It is generally understood, with broad industry concurrence, that an InfoSec skills gap exists and presents a significant challenge for those of us responsible for managing risk within an organization. What practitioners and leaders alike often fail to understand are:

  • The foundational skills that make up the kit of an InfoSec professional, and
  • The archetypes that make up a functional InfoSec team.

To close the skills gap, an organization must first understand the competencies required by security teams in their pursuit of information technology risk management.

Information security is information technology. While the function and key performance indicators of the person may differ between roles, the skills required to be successful do not (i.e., InfoSec is inherently a technical discipline).

Information security consists of three core archetypes: builders, breakers, and defenders. It is through recruiting and building the skills of these archetypes that the foundations of highly functional security teams are formed.


Understanding the InfoSec Archetypes

Each of the three archetypes represents core technical knowledge, skills, and abilities (KSA) that, when leveraged for information security risk management, improve the efficacy of security programs and reduce the overall cost of information security risk management.

Builder

What is a builder?

Builders are those who build secure infrastructures. This can include the network, the systems, and the applications.

Note: Yes, your DevOps team members are builders too, and they are absolutely critical to InfoSec, though for the purposes of this article I’ll be focusing on secure architecture in the KSA below.

What kind of jobs do builders do?

  • Information system/security architect
  • Security engineer (i.e., those who build and manage security infrastructure)

What are some core competencies for a builder?

  • Knowledge of secure infrastructure design
  • Skills in managing physical and virtual infrastructure, including system administration, networking, and application management
  • Ability to align business requirements to risk mitigations during software or system builds

Breaker

What is a breaker?

The breaker is the hacker or cracker. The role of the breaker is to functionally identify and test vulnerabilities.

What kind of jobs do breakers do?

  • Penetration tester
  • Application tester
  • Red team

What are some core competencies of a breaker?

In this archetype you’ll find the widest range of skill sets. The foundational skills are:

  • Knowledge of attack methodologies
  • Skills in each stage of the attack process (i.e., foot-printing, scanning, enumeration, hacking)
  • Ability to take creative approaches that elicit unexpected responses from the expected functionality of an information system component

Breakers hold a broad range of information technology skills, including programming, infrastructure administration, and system administration. To be highly successful, breakers need to understand how applications function, how operating systems function, and how communication occurs both across and within networks.