March 1, 2023
Daniel Deter is the Manager of Information Security at Green House Data. Follow him on LinkedIn.
All journeys begin in darkness.
The student's eyes opened to darkness, surrounding him, enveloping him in the fear and uncertainty of the unknown. With no light to guide him, he knew not where to go next. He could feel that he still wore his student's robes, and the soft-soled shoes of his order. Without conscious thought he reached up and ran his fingers across the silver symbols embroidered upon the left breast of his robe: the number of his student ID, of his identity.
My first experience as an information security (InfoSec) manager began unexpectedly. My director called me into the conference room, where he sat with the security manager, and said, “Deter, you’re the new security operations center manager.” I responded with, “Ah, yeah, hard pass,” to which he replied, “Too bad, it’s already decided.”
I soon took over a team that tracked no key performance indicators (KPI), had no training program, had very few documented procedures, and didn’t actively monitor the implemented security information and event management (SIEM) tool. Three months later, my director called me into the same conference room once again, and said, “Deter, the security manager is leaving, you’re the new security manager.”
This left me with a 24/7 SOC, a security engineering team, and a compliance team under my purview. This included a recently acquired FedRAMP compliance. I soon realized that each team suffered from severe dysfunction. A core component of that dysfunction was a lack of definition in roles or understanding about job responsibilities. It was clear to me that I had to rebuild the security teams, but how?
Several years later I left that team, and at that time it was understood to be the most high-functioning team within a much larger MSP organization. It had robust and well written documentation, and a deeply technical group of personnel with expertise across all segments of IaaS, and MSP services. We built what we later began to call an integrated delivery team (IDT), where each archetype (more on that to follow) was logically aligned with functional competencies from within the broader MSP business.
The purpose of this article isn’t to walk through the trials and tribulations that took my team from zero to hero, but rather to begin to distill those lessons into concise and easily consumed guidance that any leader can use to support team building, and any practitioner can use to guide their own personal journey as a student of information security.
It is generally understood, with broad industry concurrence, that an InfoSec skills gap exists and presents a significant challenge for those of us responsible for managing risk within an organization. What is often not understood, by both practitioners and leaders alike, are:
To close the skills gap, an organization must first understand the competencies required by security teams in their pursuit of information technology risk management.
Information security is information technology. While the function and key performance indicators of the person may differ between roles, the skills required to be successful do not (i.e., InfoSec is inherently a technical discipline).
Information security consists of three core archetypes: builders, breakers, and defenders. It is through recruiting and building the skills of these archetypes that the foundations of highly functional security teams are formed.
Each of the three archetypes represents core technical knowledge, skills, and abilities (KSA) that, when leveraged for information security risk management, improve the efficacy of security programs and reduce overall cost of information security risk management.
What is a builder?
Builders are those who build secure infrastructures. This can include the network, the systems, and the applications.
Note: Yes, your DevOps team are also builders, and are absolutely critical to InfoSec, though for the purpose of this article I’ll be focusing on secure architecture in the KSA below.
What kind of jobs do builders do?
What are some core competencies for a builder?
What is a breaker?
The breaker is the hacker or cracker. The role of the breaker is to functionally identify and test vulnerabilities.
What kind of jobs do breakers do?
What are some core competencies of a breaker?
In this archetype you’ll find the widest range of skill sets. The foundational skills are:
Breakers hold a broad range of information technology skills, including programming, infrastructure administration, and system administration. To be highly successful breakers need to understand how applications function, how operating systems function, and how communication occurs both across and within networks.
.png){kind=logo}
We're here to help you tackle what's next in your digital journey.
