NICE Framework: "Securely Provision" Challenges

2020-10-14

This is the second of six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.

Typical Roles/Skills for this Category

NICE provides a listing of typical roles or titles for staff working in the Securely Provision category. Obviously, all organizations are different so these are examples and not prescriptive, i.e., not all organizations will have all these particular jobs, titles, or roles in their organization, or they may be combined where a full-time resource is not required. The sample roles from the NICE documentation, as well as definitions and typical skills that individuals in these roles might need, are listed below:

• Authorizing Official/Designating Representative, Security Control Assessor, Secure Software Assessor:
  • These roles typically focus on understanding the overall risk profile of an organization and its component system and software, and either make or support decisions on the fitness of the security controls to reduce risks. They need business analysis and risk management capabilities, and may also have specializations in particular areas such as software development security or information system audit.

• Enterprise Architect, Security Architect:
  • Architects typically focus on high level details and require the ability to abstract details to produce a clear understanding of how all the components of an organization's IT portfolio or security controls fit together.

• Software Developer, Research & Development Specialist, Systems Requirements Planner, System Testing and Evaluation Specialist, Information Systems Security Developer, Systems Developer:
  • These roles are usually individual contributors rather than management level, meaning they operate on tactical and operational levels of the organization to execute on the mission. They will be "hands on keyboard" performing engineering tasks, deploying and maintaining organization infrastructure, and conducting testing and validation activities.

There are a number of critical issues an organization needs to deal with in the Securely Provision category. Many organizations will utilize vendors to develop systems, or will integrate third party software or system components, which introduces risk outside the organization's direct control. Cybercrime is a burgeoning business, and one of the Open Web Application Security Project's (OWASP) top ten vulnerabilities year after year is misconfiguration. Systems may have highly complex vulnerabilities, but the simple act of forgetting to make the right configuration or check the right boxes can easily lead to a disaster.

The other big pain point for organizations is balancing the costs of security with the organization's other missions, objectives, or priorities. Spending money or time to securely provision a system does not directly generate revenue or contribute to achieving a mission, but a hack or breach will definitely have a negative impact. Making the case for risk management to business leaders can be difficult as it can be perceived as merely hypothetical rather than a dangerous reality.

Skills Development Opportunities

Some of the skills required for workers in these roles will need to be organization-specific, such as establishing the risk tolerance and evaluating systems to determine if they are authorized to operate or require additional security controls. On the job training, job aids, and organization-specific documentation will be key.

Many of the skills in Securely Provision can also be acquired outside the organization, such as coding and system development, information system audit or assessment, and system testing. Some certifications and training which might be useful for developing workforce skills include:

• Secure Software Development, which offers engineers or developers skills in designing and delivering secure software and identifying ways to integrate security into the development process.
  • Related Training:
    • Course 1825 Fundamentals of Secure Software Development Training
  Information System Audit, which teaches skills in assessing the architecture and security controls in a system, and Authorization, which develops capabilities for understanding how a system's risk impacts the overall organization and whether those risks have been adequately mitigated.
  • Related Training:
    • Course 2040 Certified Information Systems Auditor (CISA) Training
    • Course 2061 Certified Authorization Professional (CAP) Certification and Training

• CertNexus Certified Cyber Secure Coder, which helps developers learn skills needed to identify security requirements for a system and implement common protections to meet those requirements.
  • Related Training:
    • Course 2071 CertNexus Certified Cyber Secure Coder Training