InfoSec Roles and Archetypes to Close the Skills Gap
Daniel Deter is the Manager of Information Security at Green House Data.
Prologue
All journeys begin in darkness.
The student's eyes opened to darkness, surrounding him, enveloping him in the fear and uncertainty of the unknown. With no light to guide him, he knew not where to go next. He could feel that he still wore his student's robes, and the soft-soled shoes of his order. Without conscious thought he reached up and ran his fingers across the silver symbols embroidered upon the left breast of his robe: the number of his student ID, of his identity.
The Journey Begins
My first experience as an information security (InfoSec) manager began unexpectedly. My director called me into the conference room, where he sat with the security manager, and said, “Deter, you’re the new security operations center manager.” I responded with, “Ah, yeah, hard pass,” to which he replied, “Too bad, it’s already decided.”
I soon took over a team that tracked no key performance indicators (KPI), had no training program, had very few documented procedures, and didn’t actively monitor the implemented security information and event management (SIEM) tool. Three months later, my director called me into the same conference room once again, and said, “Deter, the security manager is leaving, you’re the new security manager.”
This left me with a 24/7 SOC, a security engineering team, and a compliance team under my purview. This included a recently acquired FedRAMP compliance. I soon realized that each team suffered from severe dysfunction. A core component of that dysfunction was a lack of defined roles and of understanding of job responsibilities. It was clear to me that I had to rebuild the security teams, but how?
Several years later I left that team, and at that time it was understood to be the most high-functioning team within a much larger MSP organization. It had robust, well-written documentation and a deeply technical group of personnel with expertise across all segments of IaaS and MSP services. We built what we later began to call an integrated delivery team (IDT), where each archetype (more on that to follow) was logically aligned with functional competencies from within the broader MSP business.
Building a Successful InfoSec team
The purpose of this article isn’t to walk through the trials and tribulations that took my team from zero to hero, but rather to begin to distill those lessons into concise and easily consumed guidance that any leader can use to support team building, and any practitioner can use to guide their own personal journey as a student of information security.
It is generally understood, with broad industry concurrence, that an InfoSec skills gap exists and presents a significant challenge for those of us responsible for managing risk within an organization. What practitioners and leaders alike often do not understand are:
- The foundational skills that make up the kit of an InfoSec professional, and
- The archetypes that make up a functional InfoSec team.
To close the skills gap, an organization must first understand the competencies required by security teams in their pursuit of information technology risk management.
Information security is information technology. While a person's function and key performance indicators may differ between roles, the skills required to be successful do not (i.e., InfoSec is inherently a technical discipline).
Information security consists of three core archetypes: builders, breakers, and defenders. It is through recruiting and building the skills of these archetypes that the foundations of highly functional security teams are formed.
Understanding the InfoSec Archetypes
Each of the three archetypes represents core technical knowledge, skills, and abilities (KSA) that, when leveraged for information security risk management, improve the efficacy of security programs and reduce the overall cost of information security risk management.
Builder
What is a builder?
Builders are those who build secure infrastructures. This can include the network, the systems, and the applications.
Note: Yes, your DevOps team are also builders, and are absolutely critical to InfoSec, though for the purpose of this article I’ll be focusing on secure architecture in the KSA below.
What kind of jobs do builders do?
- Information system/security architect
- Security engineer (i.e., those who build and manage security infrastructure)
What are some core competencies for a builder?
- Knowledge of secure infrastructure design
- Skills in managing physical and virtual infrastructure, including system administration, networking, and application management
- Ability to align business requirements to risk mitigations during software or system builds
Breaker
What is a breaker?
The breaker is the hacker or cracker. The role of the breaker is to functionally identify and test vulnerabilities.
What kind of jobs do breakers do?
- Penetration tester
- Application tester
- Red team
What are some core competencies of a breaker?
In this archetype you’ll find the widest range of skill sets. The foundational skills are:
- Knowledge of attack methodologies
- Skills in each stage of the attack process (i.e., footprinting, scanning, enumeration, hacking)
- Ability to take creative approaches that elicit unexpected behavior from the expected functionality of an information system component
Breakers hold a broad range of information technology skills, including programming, infrastructure administration, and system administration. To be highly successful, breakers need to understand how applications function, how operating systems function, and how communication occurs both across and within networks.
Defender
What is a defender?
The defender performs monitoring and response functions. In its simplest form, a defender has two primary duties:
- Monitor the network for anomalous events and then determine if they represent a risk
- Proactively consume threat intelligence related to the supported infrastructure in order to communicate risk to leadership and technical teams before it materializes
The defender requires a broad skill set to be successful. Attackers only require competency in a single avenue of attack, while defenders need to understand information system architectures, operating systems, applications, and how they each communicate across a network. For best results when hiring defenders, start with someone with proven competency in operating system and/or network administration. The tough part isn’t learning to use your SIEM; it’s understanding the data coming into it, and then building a meaningful narrative of risk based upon it.
What kind of jobs do defenders do?
- Security analyst
- Incident responder
What are some core competencies of a defender?
- Knowledge of the tactics, techniques, and procedures (TTP) leveraged by adversaries, vis-à-vis the systems, applications, and configurations that make up the protected information system
- Skills in leveraging a broad range of InfoSec tools and techniques to gather environmental data points
- Ability to build a meaningful risk-based narrative from the collected data
What About Information Assurance and Compliance?
What is IA and Compliance?
The Information Assurance (IA) and Compliance — AKA Governance, Risk, and Compliance (GRC) — aspect of information security programs represents the mechanisms through which an organization measures information security. As anything measured tends to improve over time, GRC teams provide significant value-add for an organization.
Please note: To keep your GRC program on track, ensure that work efforts are focused on measuring the existing security program (e.g., via KPI) against a standard (e.g., NIST, ISO), a baseline, or an industry best practice.
What kind of jobs do IA and Compliance staff do?
- Information assurance
- Security controls assessor
- Information system security officer (ISSO)
What are some core competencies of IA and Compliance?
- Knowledge of governance frameworks, secure baselines, and industry best practices
- Skills translating requirements to technical implementations, and vice versa
- Ability to clearly and concisely document control implementation narratives, and to communicate outstanding risk to stakeholders in a consumable format
More to Know
A great resource for those looking to map InfoSec jobs to knowledge, skills, and abilities (KSA) is the NIST NICE framework, SP 800-181.
- For hiring managers and recruiters, it maps KSA to job roles. This can be used to assist in building job requisitions, or to understand the duties your personnel should be performing.
- For InfoSec professionals, the same mappings can assist you in understanding the KSA that will be necessary both to obtain a job and to be successful in performing it.
Epilogue
The student stepped out of the darkness into the bright light of a cloudless summer day. The sun stung his eyes, long-since adjusted to the darkness. The heat of the day washed over him. Beads of sweat began to form on his forehead. He turned around, sudden resolve bubbling from the depths of his subconscious. He faced towards the cave, and the unknown terrors that lurked within.
He'd survived, he'd found the light, but he knew, intrinsically, that survival was not victory. Victory would require action, persistence, and a continual pursuit of knowledge. The student had faced the darkness, and now the darkness would have to face him. With a nod to no one, he stepped back into the cave, the sun glinting off the silver thread of his student ID a final moment before being swallowed by the darkness, the numbers clearly visible, "1337".