Commentary
October 1, 2020

Building today’s most effective cybersecurity teams

Cybersecurity is no longer the province of IT departments alone—effective teams must be deeply integrated throughout an organization at all levels. But recruiting for such teams in Canada can present a significant challenge given the country’s cybersecurity skills gap.
It has always been difficult to find and recruit a good hacker when you need one. But as threat landscapes and cybersecurity approaches have evolved for Canadian organizations in recent years, the growing gap between the talent available and the roles organizations now understand they need has resulted in what a recent Deloitte report called a “chronic shortage of cybersecurity talent.” That study found that Canadian organizations would need to fill 8,000 new cybersecurity roles between 2016 and 2021, but even in 2020 the gap is proving exceedingly difficult to close. The talent is out there, though perhaps hidden in bedrooms or languishing in other, less-suited roles. The problem is that approaches to training, recruitment, and strategy have not yet caught up to real-world needs.

Within organizations, cybersecurity policy and practice have traditionally been the province of IT departments, and largely in a reactive capacity. Today’s most effective cybersecurity teams stand apart from IT and are present in conversations from the C-suite on down. Security is not simply an operational matter, but a strategic and existential one. As organizations shift broadly towards a Governance, Risk and Compliance (GRC) approach, cybersecurity becomes more than a job responsibility: it is a priority throughout the organization, with budgets and reporting lines separate from day-to-day IT operations.

Building a new kind of cybersecurity team for today’s business means more than convincing reluctant talent to come on board. It requires changing internal expectations and assumptions, and standardizing at an industry level so that the right training and recruitment pathways are in place. Teams need to be planned and recruited through long-term strategic thinking, rather than in reaction to incident-driven concerns.

So, as organizations discover a demand for roles they never previously knew they needed, how do they define those roles, find the right talent for them, and build a long-term structure with clear pathways for development? How do they even write a job description for a role that has never existed in their organization before? The answer, at an industry level, is a move towards standardization.

Beyond outmoded job descriptions, towards human-centric standards

The non-traditional nature of many of the key roles in a modern security team can make recruitment extremely difficult. Current training pathways in Canada don’t necessarily lead toward clear and obvious certifications that match the required responsibilities, and students don’t necessarily understand the expectations of these new roles. As it stands, you can’t write a job description with a list of qualifications and skills, or years of industry experience, and simply expect to find the right match with these basic search criteria.

Instead, a recruitment approach needs to begin with a thorough assessment of needs and existing skill sets within an organization. Deloitte calls for an approach that’s “human-centric”—in practice, we think this is pretty simple to articulate: you’ve got to understand who can do what, and what you need that they can’t do. What an organization needs most to help build this kind of approach is the same as what educators and recruiters need—a robust standardization of roles and requirements in a manner that’s flexible enough to work across industries and existing workflows.

In Canada, these much-needed standardization efforts are being led by Technation (formerly ITAC, the Information Technology Association of Canada) in a multi-year, all-stakeholder process. The Technation effort builds on the work already done by NIST in the United States on the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, codifying national occupational standards (NOS) tailored to Canadian industry needs and regulatory requirements.

What should a modern cyber security team look like?

The NICE framework is useful but extremely complex and tends to be best suited for large and varied institutions. Technation’s efforts aim to simplify it in a way that encourages more flexible and realistic implementation within businesses of all sorts. The approach we outline here is ADGA’s own, informed by the Technation process but based on our interpretation of what works in today’s market. As the standards settle, we hope to see them similarly reflect real world operational and strategic concerns.

The modern cybersecurity team should not be considered simply in terms of offensive and defensive roles—a division that typically emphasizes reactivity more than strategy—but rather five key categories of responsibility that carry throughout all aspects of an organization’s operations, regardless of business sector, while encompassing a range of technical and non-technical roles.

We have listed a range of example roles under each category—roles would not be limited to those listed here.

1. Oversee & Govern
An empowered cyber security leadership team, at both C-suite level and in senior management.

Chief Information Security Officer (CISO)
A senior-level strategic leadership role, responsible for an organization’s information and data security.

Business Information Security Officer (BISO)
Works as liaison between business and technology leadership to ensure security plans are heeded and are core to overall strategy.

Senior Security Intelligence Advisor
Provides expert intelligence-based advice and threat assessment to senior leadership in both planning and execution.

Information Systems Security Officer
An operational role, responsible for establishing policies, plans and processes around systems security, and informing and guiding users.

2. Design & Develop
Roles responsible for implementing cyber security strategy and designing security solutions to support an organization’s security operations.

Information Systems Security Architect (ISSA)
A senior role responsible for designing, building, testing, and implementing security systems in an organization’s network.

DevSecOps Engineer
Responsible for implementing and managing the DevSecOps program in an organization, embedding security as part of the Software Development Lifecycle (SDLC).

Application Security Architect / Senior Software Developer
Works with development and architecture teams to build secure applications, test for weaknesses and vulnerabilities, and provide guidance to development teams.

Information Systems Security Engineer (ISSE) / Technical Security Product Specialist
Responsible for applying systems engineering principles to building and maintaining secure systems, projects, applications, and business processes.

3. Analysis & Collection
Roles that proactively look both inside and outside the organization for emerging threats and risks, and analyze and test what they find.

Risk Analyst / Information Security Risk Manager / Cyber Security Risk Manager
An experienced security professional responsible for identifying and assessing IT-associated risks to the confidentiality, integrity, and availability of an organization’s information assets.

Threat Intelligence Analyst (TIA)
Collects and analyzes information about known threats and provides recommendations for mitigating risks. Tiered from Level 1 (entry level) to 5 (senior leadership).

Security Penetration Tester / PenTester / Ethical Hacker
A creative role, responsible for emulating real-world scenarios to assess vulnerabilities within a network or software application, and the impact of successful exploitation of these vulnerabilities.

4. Operate & Maintain
Whatever the development or information workflow of an organization, these are the hands-on roles that keep cyber security processes operating efficiently and effectively.
These roles overlap to a large degree, practically speaking, with “Design & Develop”, as typically people in these roles are also responsible for the hands-on work.

For descriptions, see above.

Information Systems Security Architect (ISSA)
DevSecOps Engineer
Application Security Architect / Senior Software Developer
Information Systems Security Engineer (ISSE) / Technical Security Product Specialist

5. Protect & Defend
The hands-on incident responders, informed by the broader team but dedicated to swift action. May be positioned within a Cyber SWAT Team or a Security Operations Center (SOC).

Incident Response (IR) Investigator / SOC Operator / Security Analyst
Detects, assesses, and handles cyber security incidents. Acts as the first responder or triage for incidents.

Digital Forensic Analyst / Forensic Investigator
Conducts forensic examination activities of networks, devices and computers in a responsive role following a security incident.

The challenges of attracting talent

As it stands, if you’re looking for these positions, you’re probably not going to find them via traditional recruiting methods. It will take many years before standardization efforts settle and search criteria can more easily match skills according to defined NOS.

Right now, many people uniquely suited for these roles simply aren’t applying for traditional jobs, or looking in the same places where organizations know to post. People attracted to these roles tend to be driven by the challenge of the work itself, something rarely articulated in traditional job descriptions. And, frankly, a younger generation of security professionals who came of age online tends to be resistant to full-time office placements in suburban locations.

A team’s composition should be based on needs, with permanent staff in the critical positions, and a blend of staffing, tactical, or project-based recruitment where it makes sense (for instance for standalone development initiatives). Outsourcing entire functions, such as intelligence, should be considered where the expertise simply does not exist within the business structure.

Building a team with ADGA

Here at ADGA, we have over 25 years of experience leading strategic cybersecurity engagements and implementations for clients at all levels across Canada.

Our processes for sourcing, screening, and onboarding candidates have been tested and borne out over time, and have been evolving to match the ever-changing landscape.

With 1,000+ pre-screened candidates on our books, and an understanding of exactly what they can bring an organization within this new standardized model, our approach builds human-centric and effective modern teams as a matter of course.

Key members of the modern cybersecurity team

Chief Information Security Officer (CISO)
My company’s cyber security approach all ladders up to my role. I represent the entire team at the C-Suite level, ensuring that everything runs smoothly, and our priority projects have the funding and leadership buy-in for us all to stay ahead of threats. I work closely with the Chief Technology Officer (CTO) on matters of both implementation and strategy, but we are of equal seniority, and they see me as a trusted and critical collaborator. I’ve been around the industry for 15+ years, mostly within large enterprise environments, so I know what works and what doesn’t politically and operationally. I’m not a “no” person when it comes to technology implementation and modernization; I lean on my entire team to show how modern cyber security approaches can be collaborative, responsive, and human-first.

Information Systems Security Architect (ISSA)
I’ve been in the industry for 10 years, designing and working on all kinds of large and complex IT systems. I keep an eye on evolving standards, protocols, and best practice — in this line of work, these are changing day by day. The team expects me to anticipate possible security threats and identify weaknesses, and be there for the Incident Response Team when there’s an active breach. They need me to look at the big picture in these moments, ensuring that we learn from what’s happening so we can continue to stay secure and protected, and be able to explain it to the organization’s non-specialist staff in plain language, strengthening broader security awareness.

Information Security Risk Manager
Risk management means realistically assessing what can go wrong in a constructive and collaborative manner. My role is driven by established frameworks like COBIT 2019, NIST CSF, and ISO 27001, which I’ve come to know deeply over the past decade. I help the entire organization understand these frameworks as useful operational tools for managing risk, not just static lists of rules in the way of their job to be done. I work with stakeholders across the company to help them understand and better plan for the cyber security implications of their decisions, from procurement and management through to service delivery and continuity. I want them to be able to operate in a way that’s compliant with standards and best practice, and I do this by listening to their needs and developing plans to ensure they can do this with minimal security impact or risk.

Senior Threat Intelligence Analyst
I’ve been working in threat intelligence for more than eight years, and was recently promoted to a level 4 position. My experience wasn’t all in corporate environments — I started out in the military, where I picked up valuable perspectives and lessons on real world threats that map well onto the challenges we now face as a company. When a threat escalates, I look for evidence of attacks not just on our own networks, but also out in the online underground, where hacks may be coordinated in forums or on hidden Tor sites. I’ve come to know the ins and outs of those dark spaces intimately, and can enter them without raising suspicion. As I’ve stepped up to this new position, I’m glad to be more than just a support to the SOC when the red lights start flashing. Now I’m starting to have significant oversight on longer term projects, and to help the leadership team evaluate and understand how third party intelligence reports and white papers apply to us.

Penetration Tester
My job is to find the vulnerable spots in our company’s infrastructure and then exploit them to better understand the impact of a breach. I do this by trying to break it in every way I can. It’s sort of a “white hat” role, but more — I try to think and act like the hackers I know, picking apart the malware I find, poring over source code, sniffing the traffic in our Wi-Fi network, and trying out and developing new exploits. There’s social engineering too, but that’s only a small part of it; I’m not just trying to trick people into making mistakes, but better understand how things might be broken at the system level. It’s one thing to find the problems, but the most rewarding part of my job is helping to build solutions and explaining the issues to the broader team. I can’t just show them my cool bash script and have them get what the danger is — they need to understand what will happen if we don’t fix the issue, and what it will take to keep us safe.

Incident Response (IR) Investigator / SOC Operator / Security Analyst
Even in the best organized cyber security infrastructure, there are always going to be real world incidents. That’s where I come in, as the first line of response when things start to go wrong. I work within the SOC to understand what’s happening, and ensure we adhere to best practice as we rapidly develop and implement our response to the incoming threat. Of course, not every threat is the same, so while others in the SOC are actively fighting it off, I’m expected to do on-ground analysis and triage, and then communicate the relevant priority to others in the company so the right resources can be mobilized. It’s critical during an active incident to ensure we adhere to Standard Operating Procedures (SOP), and as I’ve gained more experience, I’ve worked with leadership to ensure everybody in the SOC is well drilled and trained, and the SOP continues to evolve and adapt to the attacks we’ve actually had to fight.

ISO 9001:2015 – Quality Management Systems – certified
ISO 27001:2013 – Information Security Management – certified