The TRU Cybersecurity Reference Model™ is a deliberate skills-based guide to the myriad of technical functions and job responsibilities that exist throughout the cyber continuum. The CSRM gives clarity to what skills are required throughout the information security life cycle and will be a reference for discussing which stages of the model are in high growth and demand. TRU’s CSRM has six primary stages: technology inventory, assess, compliance & governance, security architecture & systems, monitor and respond.
Technology Inventory – Organizations must understand their current state of technology and undertake a comprehensive audit of networks, hardware and software, mobility, application development and contingency plans. Skills needed are in network engineering, disaster recovery and business continuity. GSNA and GCCC certifications could prove useful. These types of services are predominantly provided by consulting firms.
Assess – This involves evaluating and testing the current security configuration and determining if stated policies are being followed. It includes evaluation and testing of external and internal protections including online, mobile and insider threat countermeasures. This is an area where penetration testing occurs, which may require CEH and CPEN certification as well as system auditing certifications such as CISA.
Compliance & Governance – Various industries must comply with different cyber standards. This stage will assist organizations in following HIPAA, HITECH, PCI, NIST, ISO and a litany of emerging federal and state regulations. Highly relevant certifications include CSCS, CHA, CHP and CCSA. Often talent will come from the consulting community, and while pen testing may be the first service to commoditize in cybersecurity, it is still an essential part of the process (much like e-discovery processing). This is also where attorneys and those privacy professionals with CIPP certification can prove extremely relevant.
Security Architecture & Systems – This stage is massive and includes the development, evaluation and implementation of all current and emerging security technologies including advanced persistent threat analysis tools, SIEM, identity management, threat visualization tools, firewalls and honeypots, just to name a few. Application development processes may be brought into alignment with security-by-design and privacy-by-design concepts. The CISSP certification is the most prominent and widely accepted system architecture certification, with more than 83 percent of open jobs in cyber requiring or preferring this certification. The CISSP has a five-year minimum working InfoSec experience requirement for those interested in pursuing it. Additional certifications include CCP, CESG and CASP.
Monitor – Organizations must have the ability to monitor and evaluate threats and quickly determine which threats require action. SOCs (security operations centers) have been developed as a centralized unit to perform this task and can be built and maintained internally or outsourced to an MSSP (managed security service provider). GIAC has created a new standard, GMON, sharing space with the many application-specific certifications out there provided by HP (ArcSight), Cisco, IBM and McAfee. It is also likely the industry will see the emergence of subscription-based “monitoring” services for vendors specializing in security.
Respond – Once a threat has been identified, it must be isolated, damage and data loss must be assessed and the perpetrator identified. This is the domain of a CIRT (cyber incident response team), which is a multidisciplinary group, also referred to as a red team, composed of analysts, engineers, digital forensics specialists and reverse malware engineers. A litany of certifications is useful, including forensic certifications such as EnCE and FCE, incident response certifications such as CIRH and malware engineering certifications such as GREM and CCMRE. There will be abundant opportunities for contractors in this sector of security, for forensic examiners, as well as data breach remediators/incident responders. Large corporate and consulting organizations will augment permanent staff with contractors when voluminous projects arise.