EPISODE 31

All the Jobs in a Large Cybersecurity Organization

About this episode

In this episode, we will walk you through what a typical large cybersecurity organization looks like. We will help you plan for what’s next if you’re already in cybersecurity, and if you’re not yet, we will help you plan for what’s ahead.

Wes and Kip will show you the big picture of what different positions are in a cybersecurity organization so that you will know what is waiting for you in this industry. Throughout this episode, and several that are coming out soon, you will learn about the different roles that may be present in a small or large organization as well as the common reporting structure for a security organization. 

The 14 disciplines are broken down into the four largest parts of a security organization and their accompanying roles. This episode will also help you understand the three disciplines found in security operations and the different tools used to achieve their goals. As someone trying to break into cybersecurity, it is important to understand where you fit into a security organization so you can obtain your new role in this industry. 

What you’ll learn

  • What the 14 disciplines in a large security organization are
  • What the four parts and their subgroups are
  • What the different roles involved in each part are
  • What the common services that a security organization offers are

Episode Transcript

Kip: 

Hi, everyone. Welcome to your cyber path. This is the podcast where we help you get your dream cybersecurity job. I’m Kip Boyle. I’m here with Wes Shriner. We are experienced hiring managers of Cybersecurity Professionals, and we are here to help you. If you’re listening to the podcast through your podcast listener, as you probably always do, what you don’t know is that we’re also making a video today and we’re going to be making videos from now on in fact. If you want to watch the video, just go to our YouTube channel search for Your Cyber Path podcast, and you’ll find our playlist up there. This is important because we’re actually going to be sharing with you some visuals and actually we’re kicking off a whole series of podcast episodes. What we’re doing, Wes and I, is we’re going to give you a guided tour of a typical cybersecurity organization in a large enterprise and we’re going to tell you why are doing this in a moment, but just another tip for you is, we’re going to start numbering the episodes, so it’ll be much easier for you to figure out how to watch these things in order, because they are going to build on each other.

Wes, good to see you. It’s good to see you.

Wes: 

It’s good to see you too, Kip. This is going to be a lot of fun. We’re going video now and video’s a little scary, mostly because now I can see my mug on the screen, but we’ll figure that out.

Kip: 

Yeah. I have what, three years of recording podcast audio only. I’m not used to doing this either. This is kind of strange, but that’s okay. We’re going to get used to it.

Wes: 

And with the videos, we’re going to have to learn to like each other. So…

Kip: 

That’s right, because in the past I’d be like, I don’t like what he’s saying. I’d be, nobody could see that, but now here we are.

Wes:

It’s a new day, a new dawn, a new era, and it’s going to be fun. I’m looking forward to it.

Kip: 

I think this is really going to help people. The reason why we made this change is because Wes and I were talking about content and we were talking about, how can we help? Right? What’s something big we can do to help that maybe nobody else has done yet. How can we help folks who want to get into cybersecurity? Or maybe you’re just in cybersecurity and you’re in your first job, and you’re thinking, where do I want to go to next? If you’re a person who thinks about the future. We thought, well, why don’t we just show people how a typical large organization is laid out. Then we thought, oh, but if we do that, we’re going to want to show pictures, graphics, right? Org charts, right? We’re going to want to show stuff.

So then we said all right, we’re going to have to do this with a video recording. We’re also going to have to do it in a way that respects the people who don’t want to watch this as a video who are already listening to it and prefer that. As best we can, we’re going to continue to narrate what we’re doing in a way that if you can’t see the visuals, it’s not going to stop you from getting value from what we’re doing. You can tell us if we’re not getting it right, just let us know. You can send me a message kip@35.167.158.44 and you can let us know how we’re doing.

Wes: 

You know, it’s the changing of the seasons right now, Kip. We hit the cold spell on the farm this week.

Kip: 

That’s right.

Wes: 

Weather dropped below freezing, the flowers that were left, all got crispy and brown. We pulled the last apples off the tree and I started thinking about, I’ve been doing some fence planning, because in a suburban backyard, you just do a little fence around the edge of your property, but when you’re trying to build corrals and pastures and rotate your flocks. Then you’ve got to figure out, I want to do a vegetable garden next year. But how do you do that? You’ve got to have an eight foot high defensive perimeter to keep the deer out, and that’s just the deer. If you want to grow any carrots or corn or anything else. So it’s an eight foot high, and you’ve got to go electric if you want to keep the bears out.

Kip: 

Oh my gosh. So, you have a bear threat? Really?

Wes:

It’s not a threat. They climb the trees, they break the branches, but they eat the rest of the apples. That’s why I had to take the apples off the tree because if I don’t, the bear does and he’ll break the branches on his way down.

Kip:

Oh my gosh, this is great, man. Talk about planning, right? Talk about advanced planning.

Wes: 

That’s exactly what we’re doing. If you want to plan your fence line and build your pastures and your corrals, you’ve got to plan that ahead of time. You can’t just go start digging posts. I think the same thing is true in our cyber security career. There’s a lot of opportunity for, I could just go dig a post, dig a post and, and run a fence line here, or go get this job. But if we understood what the bigger picture is, and then started to apply that to our careers, we can really have a beautiful pasture and corral and plan for our yard and our careers.

Kip: 

That sounds great. Well, I’m on board and I hope everybody out there listening and watching, I hope you understand why we’re doing this and I hope that this is helpful. So, we’re going to do this as a series of episodes. Today what we’re going to do is just introduce the organization and paint in very broad brushstrokes, where we’re going with all this.

Wes:

It’s going to be a lot of fun. The video podcast is new. It’s a new journey, a new video. This is part one of what could be a lot of content, a lot of interesting stuff, and understanding the big picture leads to understanding, what’s my fit in this organization? How do I fit here?

Kip: 

Yep.

Wes: 

The assumptions we’re making are for a large organization. You and I both have a lot of experience in Fortune 100 companies, assuming a 200 person security organization and a hundred million dollar budget, non-staff budget, but the mid markets and the startups also have these same responsibilities and these same functions, they just apply them differently. It may be one security person who happens to put on this hat and then put on this hat and then put on this hat, moving through the process, and the same thing’s going to be true.

Kip: 

That’s right.

The point that Wes is bringing up is, and I’m going to restate it, is that yes, we’re showing you a large security organization, but even if you work in a smaller organization, the things that they do in the big organization still typically need to be done in a small organization. Now it’s not scaled down linearly. It’s not just a matter of doing exactly the same stuff in the exact same way with fewer people. I see that sometimes. I don’t think that’s a good approach. That’s like telling a 14 year old who needs to go to a fancy event, just wear your dad’s suit. We’ll cuff it and you’ll be fine. Like that doesn’t work. You’ve got to actually create something that’s going to fit, but I still think this is a good template. You might want to go work in a large security organization or a mid-size one or a small one. I think the concepts are the same and the jobs are similar.

Wes: 

We’re going to try and keep the understanding really transferable. We’re going to talk about the 23 common services of a security service catalog. We’re going to go into one common tool and one common process that are used in that discipline, and then for our job seekers, we’re going to look at what kind of roles are normally in place in that area and are they technical roles? Are they business roles? Are they analysis roles? Are they PM? Are they engineer? We’re going to start to take a look at whether these are more senior roles or more junior roles, or maybe there’s a blend of both. I think that’s going to be really helpful for our audience.

Kip: 

Yeah. We’re talking about career pathing, right. So it’s not just, what’s my path into cyber, but what’s my path once I get in? This is great,

Wes: 

Indeed. Lastly, what’s my path in, both as a new hire and as a senior person, maybe in technology, who wants to make the jump from a technology team to a security team.

Kip: 

Exactly. Right.

Wes: 

There’s a lot of transferable skills there. And then the other thing I love about what we’re doing here, Kip, is your idea: we’re going to bring in the hottest guest speakers you’ve ever heard.

Kip: 

Oh yeah.

Wes:

Experts, who’ve been doing this for 20, 30 years or, as long as it’s been around. They’re going to give us their secret sauce.

Kip:

Yeah.

Wes: 

So I think that’s going to be awesome.

Kip: 

Yeah. Thank you for mentioning that. I totally forgot to tell people about that. We’re going to bring in some people that are going to really help you understand what’s going on.

Wes:

I’m looking forward to it. So, today we’re going to define the common reporting structure for a large security organization and build a roadmap for where we’re going next.

Kip: 

Let’s do it, all right.

Wes: 

There it is. We’re done.

Kip:

Read it and weep, ladies and gentlemen, we did it. Yeah. So there’s a visual now. This is where it becomes visual, and so what you’re seeing on the screen and what you’ll be able to see later on, if you’re just listening right now, is an actual diagram of what the typical security organizational units look like. Wes, why don’t you just take us on a quick spin?

Wes: 

Sure. So let’s start with the cyber security organization in the middle. That’s probably a VP, a CISO, the person who owns that is the security leader for the organization.

Kip: 

The security executive, right? The senior security executive is another true term that I’ve heard used.

Wes: 

Thank you, or a head of information security, head of cybersecurity. And then we’ve got four organizational units that we’re going to wrap around that, on the bottom. We’re going to add security operations, then on the right, we’re going to add engineering, architecture, and test. On the top left, we’re going to add governance, risk and compliance. Then we’ll put product security in the bottom left.

I want to break out, break down each one of those just a little bit more, now that we’ve introduced the diagram, I think this to be a good time.

Kip:

Yeah.

Wes: 

The security operations group, who is that? That’s the group that works tirelessly night and day to defend our organization from attacks. They have all the tools, the personnel and expertise to run a multi-week incident response function for the company, probably using the MITRE ATT&CK framework. These are your heroes.

Kip: 

Yeah, for sure.

Wes: 

They’re a disciplined bunch with specific requirements. They have processes for everything until they run into a bad actor with a zero day and then no process exists, and that’s when this team shines. They may be working all night, so forgive their bad breath and just slide another pizza under the door. They’ll be okay.

Kip: 

Yeah.

Wes: 

That’s the pizza under the door team and they’re a good group of folk, right? Anything you want to add to security ops?

Kip: 

It can be a tough gig, I mean, being a hero is not easy work, but it’s absolutely necessary, and it’s a common front door for people trying to break in.

Wes:

It’s a great place to start. We’ll get a lot more detail on this. Understand, we’re just introducing the largest organizational units. We’re going to go two clicks deeper before we get done here, maybe even three clicks. It’s going to be fun. On the right hand side, we see the security engineering, architecture and test team. It can be known by a lot of names, but is best described as your blue team or your defense team. This is your technical group that is defending your organization: they plan, they architect, they build, they scan, they test to remove vulnerabilities before they’re discovered and exploited.

Kip: 

Security operations is sometimes called a blue team. Now we’ve got some blue team activities and security engineering architecture. That’s blue, but then red team, so that’s a common term that people are used to, red team versus blue team. In this org, you’ve got some red team members.

Wes: 

You do. Good call, you’re right. Your red team lives here as well with your penetration testing folks. Some of your threat hunting.

Kip: 

Great, and then projects, a lot of project work in this area?

Wes:

Actually this team supports the organizational project work, but most of the security sponsored project work is in our next option. We’re going to go to the gov. Oh, sorry. My, my screen jumped on you there. We’re going to go to the governance risk and compliance area. That’s the top left area.

Kip:

This team is the third of four organizations.

Wes: 

Yeah, this is the business side of cybersec. They handle all the program planning, the budgets, the staffing, they categorize risk and roll it up to the large organization. They make sure we pass our compliance requirements so we can keep on doing business. They build training for the rest of the organization to better internalize security. This is the group that manages our security policies and reports security progress to the executives and the board of directors.

Kip: 

Got it. Yep. GRC. So if you guys hear GRC, that’s what Wes just described.

Wes: 

There’s plenty of tools and processes we’ll get into in greater detail later. For now, just understand, there’s a lot of opportunity in the governance, the risk and the compliance parts of the security organization.

Kip: 

Yep.

Okay. That’s three of four. What’s number four?

Wes: 

The last one’s really interesting. This is our product security group. Product security is primarily focused on securing the customer facing, world facing devices and services. I’m thinking about something like the Xbox. Xbox is a hardware component that must be rigorously secured. A common thing to say in security is that if you have physical access to a computer, it’s not your computer anymore. If I have physical access to your computer, it’s my computer.

Kip: 

That’s right.

Wes: 

Well, the Xbox device must be hardened for global customer distribution. It includes all of the OEM and third party device architecture and manufacturing, including running local software and drivers, operating systems and BIOS. Behind the Xbox is also a huge service infrastructure with web security, network security and all the privacy and compliance aspects of a global business service. Product security is both the device and the services behind it that our customer uses. When we do security for those, what we’re doing is we’re… We’ve made promises to our customer when they receive our product, that we’re going to protect their data and protect their interactions on our devices. It’s our job as the security organization to help our business keep those promises in every design decision and delivery decision made in our organization.

Kip: 

Right. And it’s interesting because some organizations have products that are not hardware and maybe they just offer a software as a service. So the product security is really around identification and access management, and it’s very software intensive. But then you get, Xbox is the example that you brought up. Okay, well now I got a piece of hardware, but it’s also a very software driven product as well. Way more complicated. I would expect a product security group to be much bigger in an organization that has a piece of hardware that people are actually buying and using.

Wes: 

We just named the four largest parts of a security organization, and we’re going to break down the subcomponents of that as we go forward. But let’s talk about what didn’t make the list. Things that didn’t make the cut. Some large organizations have a security research organization. These are essential for advancing the state of the art, but they’re not something every security org is going to have.

Kip: 

Right, but you’ll see, you’ll see it in some right. Mostly big organizations, I think.

Wes:

Yeah, and I’ll just leave that one there. Yes. In big organizations you’ll see that. Another thing we might see is large organizations may have a political influencer in Washington, DC. Somebody who is their DoD or top secret, or is a political influencer. Any one of those might be a reason to have a DC based group as well. All of these are legitimate components of some orgs. They’re not common enough to all orgs to merit putting them in this conversation.

Kip: 

Yeah. Okay. Good. That makes sense. We’re not trying to cover absolutely everything here. We’re trying to cover the common stuff.

Wes:

But let’s have some fun because this next slide, I hope you enjoy. We just got 14 disciplines inside those four security organizational units.

Kip: 

This all breaks down. You’ve got the first level, you have a cybersecurity organization, we broke that down into four main areas and now we’re further breaking it down into subgroups. This is really going to be the roadmap for the rest of the episodes that we do in this series.

Wes: 

I think this is going to help us understand, where am I at in the organization and give us a baseline common understanding to be able to say, oh, you’re talking about this part. Oh, you’re talking about that part. And that’s going to be really helpful.

Kip:

Yeah. So I’m at the mall and I walk up to the big map and I look for the dot that says you are here so that I can figure out where the Apple store is or whatever it is I want to go to, I want to get a Starbucks or something. That’s what I’m looking at here.

Wes:

We did a Microsoft plug. We might as well do an Apple plug. I love it.

Kip: 

Nobody’s sponsoring this show by the way. They’re not sponsors.

Wes: 

Not yet, but you can send me money.

All right, we’re going to roll on to breaking down these boxes that now sit around our diagram, right? At the security operations in the bottom row, we have three disciplines. Those three disciplines are the security operations function, that might have the security operations center and incident response team. We’re also going to see security tools that support security operations, and then lastly, we’re going to see a shared services function that sometimes lives in a security organization. That’s going to be your keep the lights on shared services like identity and firewalls and encryption as a service or any of the as a service solutions.

Kip: 

Got it. Okay. So security operations breaks down into three subgroups at this point.

Wes: 

Three disciplines.

Now we’re going to move to the right side, engineering, architecture and test. We’re going to see security strategy and architecture, solution engineering and architecture, and I want to call those out as being very different things. We’ll get a chance to dig into that later. We go into security testing and I’ve rolled App Sec separate from security testing. Although application security is very much a security testing function, understanding that it is a new and growing field, I’ve called it out separate from the rest of security testing.

Kip: 

Got it.

Wes:

We’ve also got security functional testing, vulnerability scanning, internal and external web bone scans, bug bounty capability, penetration testing, and we’ll close this out with threat intelligence.

Kip:

Okay. So nice job trying to sneak that one in. So, it’s not entirely clear that that’s where threat intelligence belongs. So why do you like it there?

Wes: 

This is the most hotly contested discipline on this diagram for where it should live. I’m not going to lie. I showed this diagram to 10 people and every one of them disagreed with me and not one of them agreed with each other.

Kip: 

Okay. Well, but that’s okay, because guess what? Information, security, cybersecurity, whatever label you want to use, it’s always changing. It’s common to have something new show up that you’ve never had before. Application security, for example, I remember when there was no application security as a separate discipline. And everybody was like, what do we do with that? Here’s threat intelligence, same thing. Get all squinty eyed. What are we going to do with that? Eventually it’ll find a place that most people will agree with. We’re going to invoke executive privilege and put it there.

Wes: 

That’s exactly it. If we put it in operations because it helps find bad guys, that’s great, but it’s a nine to five job. It doesn’t really contribute to attack and defense in the same way. Some have argued for placing it in risk because it identifies risk, but it’s a little more of a technical role than the common risk function, so it was out of place there.

Kip: 

Yeah. Okay.

Wes:

It could go anywhere on the diagram. That’s where it’s going to go. That’s what we think.

Kip: 

All right.

Wes: 

Let’s keep moving.

Kip:

Yeah. Let’s keep moving.

Wes: 

Governance, risk and compliance in the top left. This is perhaps the most straightforward. G is for governance, which includes the project management office, the policies and standards, and the executive reporting function. R is for risk, which includes cyber risk and third party cyber risk, which is actually like App Sec, in the last five years, a new function for most organizations.

Kip: 

Yeah.

Wes: 

The C is for compliance, which may include any relevant compliance function. Compliance in the US can come from federal government regulations like SOX, HIPAA, FedRAMP, GLBA, which is the banking one, or CPNI for call data records. It can come from state government regulations like CCPA, the California Consumer Privacy Act. It can come from industry wide self regulation, like PCI, which is your credit card industry protections.

Kip: 

Yep.

Wes: 

It can come from standards based alignments like NIST, the US government’s security posture, or ISO 27001, which is more of an international security strategy. The fourth arm of GRC is the sneaky one because it doesn’t have a letter.

Kip: 

It’s like silent E. I’ve got little kids living at home and we’re talking about silent E right now, silent E strikes again! It’s right there. Hanging on the end.

Wes:

Do you, do you ever go to Starbucks? Tell them your name is Bob and tell them the K is silent and see what they do with it?

Kip: 

Oh, well, I do better than that. I tell them it’s Cornelius and you spell it with a Q.

Wes: 

Nice. The security awareness and training function is quite possibly one of the most important functions in the whole organization.

Kip:

And Wes, why would you say that? It seems…

Wes: 

Full stop. It is often treated as a second class citizen in the services of a security program, but I’m going to tell you it is, full stop, the most important part, and here’s why: how does malware most commonly get in our environment? Through the wetware.

Kip: 

Yeah. The wetware. Oh my gosh. Okay. So listen, everybody, if you’re learning all this for the first time, here’s the part where I tell you that we have pet names for everything. Wetware is probably a good point for me to take right now and just say…

Wes: 

I can help with that. If we’ve got hardware, if [crosstalk]

Kip: 

Yeah, if we use a bunch of jargon and we don’t stop and tell you what it means, then you should call us out on it, but I’m going to call Wes out on wetware.

Wes: 

Please do.

So hardware and software we’ve got malware. Well, the wetware is the person who’s made up of 90% water sitting behind the computer.

Kip:

Part of the system.

Wes: 

It’s the phishing attack. The softest part of getting into your computer is you, believe it or not. It’s a PEBKAZ issue. The PEBKAZ is the person existing between the keyboard and the chair. Right. P-e-b-k-a-z.

Kip:

So that’s the other thing you need to understand ladies and gentlemen is we have many TLAs, three letter acronyms, maybe even more letters than that. So again, if we don’t do a good job of spelling out our acronyms, call us out on that.

Wes: 

So the security awareness and training function attempts to teach our organization, not to click on the phishing emails and to build an enterprise culture that understands security is everyone’s responsibility.

Kip: 

And to slow down and follow the procedures because errors are what causes a lot of problems.

Wes: 

What if we just started with, only you get to use your badge? What if we started with, when you walk through a door and you badge through that door, nobody else gets to walk also through that door.

Kip: 

Okay. But now you’re crossing into a physical security discipline.

Wes:

It’s still security. Because if I can touch your computer, it’s my computer.

Kip:

Right, so that’s for another day, and I can talk about all kinds of other oldie, moldy ideas about that stuff. So, okay.

Wes: 

Oh, don’t give that away now. We’ve got to keep moving though, because we’ve got a guided tour today and I promised I would get this done in 30 minutes. So okay. The bottom left of the organization is the product security function. It’s split into two pieces: device or product security, that’s the device, the hardware, and then the services behind it. Understand that can grow as small or as large as the products demand that we’re delivering to our customers and the kind of data we’re protecting in the process.

Kip: 

Right. And you already gave a great example of an Xbox, it could also be, a software as a service, it could be a mobile phone. It could be an iPhone. It could be…

Wes: 

This is where your IoT devices live.

Kip: 

A lot of internet of things. If you’ve got a refrigerator that’s internet aware, a General Dynamics engine hanging off of a 787 airframe. Believe it or not, most people don’t know this, but a jet engine is constantly streaming telemetry information over the internet while the airplane is flying.

Wes: 

You can’t tell us that Kip now Boeing’s going to be after you.

Kip: 

Maintenance and all kinds of really interesting things. And so, if that engine sends off a fault code in flight and it’s not critical, like a flight ending code, but maybe a little maintenance thing, you could actually have a maintenance team on the ground at the gate when the jet rolls up, because they already know that a fault code was thrown in flight, and with a new wing in hand, ready to go. Whatever it takes. But that’s an internet of things item and it needs to be secure.

Wes: 

Very well. Good deal. Kip is your… And that’s one thing IoT can tell you, right. It can say, is your refrigerator running?

Kip: 

Yeah. And…

Wes: 

I’m sorry, I didn’t just do that.

Kip: 

And if it is, you should probably go catch it.

Wes: 

Good times.

Kip: 

Dad jokes, right?

Wes: 

We just did what needs to be in the security organization. We covered the 14 disciplines of a common security organization, split up by the four organizational units.

Let’s look at what didn’t make the cut. You already brought it up with physical security. PhySec is not a common cyber security function anymore. It’s still listed by (ISC)² as a security discipline, one of the 10, but I’ve not seen physical security co-located with cyber security at any Fortune 100 company in a long time.

Kip: 

It ebbs and flows. Sometimes there is a big desire to smush them together, and then to pull them apart again. I can tell you as somebody who for a couple of years was responsible for both, it’s weird because the people who work in the physical security teams are, I mean, it’s just very different, very different culture, very different way of doing things. Some of the concepts are similar, like choke points. You want choke points in your physical security perimeter and you want choke points in your networks. I mean that, but that’s really where the similarities end.

Wes:

My expectation for our listeners is you’re probably not going to see physical security as one of the primary disciplines in a security organization as you’re looking for work, it might be there. Kip tells you it could be there.

Kip: 

It could be, but it’s not common.

Wes:

It’s not common. Let’s talk about business continuity and disaster recovery as well. Those make the list. Business continuity is handled by our business teams who want to keep their business operating. I may run in front of them and try and find things that will trip their business up, but that’s the extent of the business continuity that our security, cybersecurity, organization is probably going to be doing. We own confidentiality, integrity, and availability, but that’s from an attacker and security perspective, not necessarily from a keep the lights on IT operations, or even a business operations, perspective. We partner with our business teams to enable them to do business continuity, but we aren’t the business continuity owners, and the same is true with disaster recovery.

Kip: 

Generally that’s true. I’ve seen especially medium and small size organizations, I’ve seen that, not be the case.

Wes:

True.

Kip:

It can go either way, depending on the circumstance, but even when it is part of your cybersecurity org, you can’t do it in a vacuum. You’ve got to do it in partnership. I think that’s a really important thing that you just said, which is, don’t sit in your stove pipe. Your silo, and think that you can figure out a great biz continuity plan or a great DR plan because nobody will follow it when it’s really needed. So be careful.

Wes: 

We know that a DR plan, it begins with a business impact analysis or BIA. It’s an assessment of which assets do I have and which are most important to bring back online first, second, and third. I rarely see security orgs create and curate that document. DR is really best managed by the operations team that supports the technology functions, and again, we help them. I want to call out one more thing here, because this is the slide to do it. If any of you ever say, that’s not my job, you’re done. Do not say that’s not my job. Your job is to make your company successful, to help them win and to handle the security flank in the process. You will do whatever it takes to help that company be successful.

Kip: 

That’s why in my JDs, job descriptions, the last responsibility is other duties as assigned.

Wes:

The next group I’m going to talk about is privacy and legal. These are critical partners with security, but they shouldn’t be confused with security functions specifically. Here’s a privacy example of how they should be working together, because when a partner comes to us asking, what can I do with this data? It’s the privacy teams who step in first to say the data owner identified the data classification of this data as high or medium or low. After data classification is assigned, then the security team steps in to assist in defining appropriate controls and permissions for handling that level of classified data.

Kip: 

Got it.

Wes: 

Privacy helps with classification and permission for use, security helps with protecting the data, wherever it may go or stay. I’d prefer it stay actually, if I can.

Kip:

It’s not listed on this diagram, but I am seeing a merge. A lot of people are thinking that with the increased emphasis on privacy, we’re going to see chief privacy officers and chief security officers, that those functions are going to merge. I don’t know that I believe in that, but they are highly correlated. That’s for sure.

Wes: 

I use privacy as my primary business case for security. Whenever I need money as a security manager, I find my privacy team and say, Hey guys… Because the privacy team always stays in better hotels than the security team does.

Kip: 

Okay. So if you’re looking for a cyber security job, you might want to start looking for a privacy job now. Now that secret is out. Now that the hotels [crosstalk].

Wes: 

Depends on how you want to travel. Your corporate travel privacy teams are staying in the legal team hotels, and security teams are staying in the operations team hotels.

Kip: 

So good point.

Wes: 

Yeah. The next group is the enterprise risk function. Enterprise risk is, what am I going to do to manage risk for my organization? This is the group that puts a list of scary things on the organizational 10-K, which is a form that’s filed with the US government.

Kip: 

Right. If you’re a publicly traded company in the United States, then that’s the document that you use to share with potential and current investors like, what are the risks?

Wes: 

They manage data from external and internal audits and the enterprise risk register. The cyber risk organization is a contributor to this enterprise risk function. Risks should be scored the same way, and they should be rolled up to the enterprise risk list where appropriate. We are different functions who work very closely together. The next three are business functions that are run by business teams with a security component contributing to their business activities. The security operations group manages all the digital forensics. We do this for the enterprise. Then the DF, or digital forensics, team turns over the results to the appropriate actioning team. That team may be internal investigations. It may be fraud, or it may be the incident response team. In each case, these teams are partners dependent on digital forensics, but they are not included in the cybersecurity organization usually.

Kip:

Oh, interesting. So where would… But digital forensics is part of what we do, right?

Wes: 

Digital forensics is retrieving the data appropriately and maintaining chain of custody of that data. Whereas what the business chooses to do with that data, whether it’s fraud investigation or loss prevention, whether it’s internal investigations or external, or even incident response, that’s handled by the business team that’s managing it.

Kip:

Yep. I agree. That’s what I’m seeing. That’s…

Wes: 

What I’ve seen. So Kip, what other things would you add or remove, and why? I mean, this is a lot of list, right? We’ve got 20-some services, disciplines. There’s so many to think about.

Kip:

Yeah. There is. And you know, we’ve gone over this as part of our show prep, so I don’t have anything particular to put on the table, but just simply I think this kind of starts to get into the caveats. Just because we’re giving you this example here, don’t expect that everywhere you go, it’s going to look just like this.

Wes: 

Nope, it doesn’t. In fact, this is how we built it, based on what we’ve seen, observed and would do when we’re king. But you, my dear listener, are going to learn from what we’ve offered. You’re going to stand on our shoulders. You’re going to get the bigger job, and you’re going to define this for the next generation. When you do, come back and let us know what you did, because we can update the diagram. That would be awesome.

Kip: 

That’s right, definitely. Please do. It’s synthetic, I like that term. We’re showing you a synthetic example, but there’s a lot that we think you can learn from it. It’s not about right and wrong. So, be careful. Don’t go into your new org and say, well, I saw on a podcast that threat intelligence is part of… So that’s the way we’ve got to do it.

Wes:

No, we are here offering you a way you can look at the organization and if it changes over time, that’s okay too.

Kip: 

Yeah, okay, young Padawan.

Wes: 

What are your takeaways for today? Cybersecurity is complex. It can be understood, and as we better understand it, it can help us find where we fit in that larger program, organization, function. I’m really looking forward to next week, because we’re going to finish building out this diagram. We’re going to take it to the next level, and the next level after that. We’re going to look at the 23 common services in a security service catalog, and we’re going to look at the individual teams that might support each one of those services and disciplines that we’ve already had a chance to look at.

Kip: 

Okay. So we’ve got, let’s see, at the top level we’ve got the org, you break it down into four major areas. That’s the next layer…

Wes: 

Organizational units.

Kip: 

Organizational units. Then you’ve got disciplines clustered in each organizational unit, then finally the next level of detail that we’re going to go to is the service layer.

Wes: 

Yes. We’ll introduce what a service catalog is and how it is used across technology as a space, then we’ll introduce the common services that a security organization will offer to its business. Think of a service catalog as ordering by number on a menu. I want a number 17, three stars. Everybody knows what a number 17, three stars, is, because the menu says number 17 is this food.

Kip: 

Got it. Looking forward to it. Thanks Wes. And thanks everybody for being here, and for checking out this new format, we really appreciate the opportunity to share this information with you. We really hope that it’s helpful. You should tell us if it’s not helpful, you should tell us how we could be more helpful to you, but until next time, remember, you’re just one path away from your dream cyber security job. See you later. Bye.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
