Over the years, I’ve tracked the ongoing ways that cybersecurity has morphed its way into today’s IT departments, as well as into upper management. The changes have been significant as new and emerging technologies continue to weave their way into our daily lives. As we learn more about these new technologies, it’s only natural that we’d learn how to better protect our valuable data. Sometimes the best way to do this is via specialization. When we have specific roles and responsibilities, theoretically less falls through the cracks. Let’s take a look at the advent of the cybersecurity trifecta and how the inclusion of infrastructure, operations and management is working in today’s digital world.
The Evolution: How We Grew From IT to Cybersecurity
A couple of decades ago, the responsibilities of the information technology (IT) and cybersecurity workers were pretty much all lumped into one big circle of IT. There was really no division of responsibilities, or separation of duties.
Even though that single-team model still works well for some organizations, a major trend became apparent around 2010: the IT industry began formally dividing its IT and cybersecurity functions into two teams, or divisions. The first division focused on providing IT services. The second – cybersecurity – focused on securing those services.
Then, around 2015, the IT industry realized that a third element was very important: cybersecurity management.
The diagram below shows how one IT department has split into three over the past decade:
- IT Infrastructure
- Cybersecurity Operations
- Cybersecurity Management
Figure 1: The three major divisions of cybersecurity in IT departments
When it comes to cybersecurity, we’re seeing more than just one big IT circle of influence. We now have three. I’ve used the terms trifecta and hat trick before, when describing three ways to keep track of emerging technology. It seems like we’ve got another trifecta – or three winners in a race – when it comes to cybersecurity.
The table below outlines the responsibilities of the three teams found within IT and cybersecurity departments today.
IT Infrastructure: These are the people who manage and configure systems of all types (e.g., on-premises, cloud, hybrid) to make sure that both internal and external customers have access to reliable technology. Key performance indicators tend to focus on speed, reliability and availability of services.
Cybersecurity Operations: These are the techies who configure and manage security functions, which can include security analytics, cloud security and penetration testing. Key performance indicators tend to focus on the ability of security controls to either thwart or respond to cybersecurity incidents, as well as the ability to design useful solutions.
Cybersecurity Management: These are the managers who focus on overall strategy rather than tactical approaches. They are responsible for creating and managing policies and an organizational culture that fosters security throughout the organization. Key performance indicators tend to focus on strategic business continuity initiatives, the efficiency of the tactical teams and the ability to properly manage cybersecurity incidents, as well as disaster recovery.
The Trend: How We Train Cybersecurity Professionals to Keep Up
This three-part division makes quite a bit of sense, and is a natural part of how cybersecurity continues to morph and change as it works its way through all divisions of an organization. CompTIA’s certification offerings have reflected this growing trend for some time.
For example, the CompTIA Security+ (SY0-601) exam (live in November 2020) very strongly reflects this new three-part cybersecurity trifecta, as you might expect. If you download the objectives for this new exam, you’ll see that there’s an entirely new domain called Governance, Risk and Compliance (GRC).
Figure 2: The CompTIA Security+ 601 exam domains, including the new one on Governance, Risk and Compliance (GRC)
Even though the CompTIA Security+ 601 exam has streamlined several topics found throughout the 501 exam, it adds this entirely new domain. It’s good to see that it reflects the growing interest in governance and privacy. Yes, privacy.
The Question: What Is GRC?
Though Governance, Risk Management and Compliance (GRC) might seem boring, they really aren’t. Why is that? Well, think of GRC from the perspective of an individual who uses the internet every day. We all want reasonable proof that our Personally Identifiable Information (PII) is being properly curated, managed and stored.
How exactly can you prove this? Well, one of the primary ways is to ensure that an organization – say, one that provides social media services – has complied with the applicable laws and cybersecurity frameworks. That’s what compliance means. The term governance describes the policies, procedures and oversight a company puts in place to direct its security program and to demonstrate that compliance.
Those laws can include:
But governance and compliance don’t stop at laws. You’ll also need to learn your cybersecurity frameworks, such as the Lockheed Martin Cyber Kill Chain, MITRE ATT&CK and the Diamond Model of Intrusion Analysis. Strictly speaking, these are threat and intrusion-analysis frameworks rather than compliance standards, but they give tacticians and managers a shared vocabulary for describing attacker behavior, which makes them helpful to both.
Want to learn more about compliance? Read part 1 and part 2 of Compliance in Cybersecurity.
The Proof: Governance Proves That IT And Cybersecurity Have Grown Up
The trifecta (or hat trick) of cybersecurity, then, reflects the fact that cybersecurity has grown up, in a lot of ways. I love the technical side of cybersecurity; it’s fun to geek out and create intrusion detection services using Zeek and the ELK / Elastic Stack. I love discussing threat hunting, and how security analysts create data-driven hypotheses to profile and thwart attackers. Yet it’s also gratifying to see how cybersecurity is addressing the importance of risk management, and cybersecurity management in general. After all, you can’t have proper cybersecurity without considering all elements of the cybersecurity trifecta.
Validate your cybersecurity skills related to governance, risk and compliance by getting the new CompTIA Security+ (SY0-601). Download the exam objectives to start studying.