Developing a Highly Skilled IT Security Workforce
Bill Boni is one of the leading information risk management practitioners based in the USA, with broad experience in all aspects of creating, sustaining, and transforming security protection for organizations. He is a visionary information security leader with outstanding written and verbal communication skills, and has direct experience with Federal/state governments, high technology, biotech, aerospace/defense and banking segments, and with operations in mainland China.
Leveraging NICE and the OODA Loop in Security Workforce Development
There has been rapid transformation in the IT security industry over the past several years. Widespread migration to the cloud and the shift to remote work during the Covid crisis mean that there are no longer distinct perimeters surrounding corporate networks. Coupled with digital transformation, including the adoption of IoT and the BYOD trend, this means that security teams have an almost impossibly large attack surface to protect. At the same time, thanks to stringent compliance requirements and evolving corporate attitudes toward risk, organizations now desire transparency across their IT environments and continuous threat monitoring, detection, and response.
Further, the growing volume of threat alerts is overwhelming the ability of security operations teams in large organizations—those with 10,000 employees or more—to keep pace. In a report by (ISC)² nearly all organizations (99%) reported that alert volume is creating problems for the IT security team, and 93% are unable to address all alerts the same day.
The report also found that the use of cloud services for security operations has become nearly ubiquitous. On average, 64.6% of IT security operations and services are now hosted in the cloud. Organizations in the technology, healthcare, and government sectors are leading the movement to cloud-hosted SOC services.
There are many actions needed to meet today’s cybersecurity challenges. Some include technical solutions, like designing software and systems to be more resistant to cyberattacks or applying artificial intelligence capabilities to detect and protect our assets. Others involve educating our industries and citizens about basic cyber hygiene.
But almost nothing is more important than having a highly skilled cybersecurity workforce that can protect the public and private sector systems that our lives and economy depend on. However, it is estimated that over 500,000 cybersecurity positions across the public and private sectors remain unfilled, and that gap is only expected to grow. To compound these shortages, cybersecurity needs are constantly changing as technology and practices evolve.
The NICE Workforce Framework for Cybersecurity
The NICE Workforce Framework for Cybersecurity (NICE Framework) created by NIST provides users with a common lexicon that can be used to improve processes and practices around identifying, recruiting, developing, and retaining cybersecurity talent. It can be further applied across organizations and sectors in the development of resources and tools that define or provide guidance on workforce development, planning, training, and education.
The concept for the NICE Framework began even prior to the establishment of NICE in 2010, growing from a recognized need to better define and assess the cybersecurity workforce in both the public and private sectors. To address this challenge, more than 20 governmental departments and agencies along with representatives from the private sector and academia came together to determine how to provide a common understanding of cybersecurity work. This resulted in the creation of two early versions of the NICE Framework prior to its release as NIST Special Publication 800-181 in 2017 and the subsequent 2020 revision. The evolution of the NICE Framework now provides a resource that is agile, flexible, interoperable, and modular and continues to draw from the engagement between the government, private sector, and academia.
Definitions of the Components of the NICE Framework
The NICE Framework consists of the following components:
- Categories (7) – A high-level grouping of common cybersecurity functions
- Specialty Areas (33) – Distinct areas of cybersecurity work
- Work Roles (52) – The most detailed groupings of cybersecurity work, made up of the specific knowledge, skills, and abilities (KSAs) required to perform the tasks in a Work Role
We are not going to address all 92 of the NICE Framework components in this blog post; you can find their descriptions in the Workforce Framework for Cybersecurity (NICE Framework) itself. The framework can be used for a variety of areas in IT security; however, perhaps its most effective use is for IT security managers to find the right talent, at the right time, for the right job.
The NICE framework can be leveraged to:
- Track your staff to understand strengths and weaknesses in knowledge, skills, and abilities
- Identify training and qualification needs to develop knowledge, skills, and abilities
- Enhance job descriptions with more relevant content that speaks to specific roles
- Categorize the most crucial work roles and chart a career path for staff to achieve skills to move up
- Develop a universal terminology between yourself and your HR staff for more optimal recruiting and retention efforts
The Building Blocks of the NICE Framework
The basic building blocks of NICE are called TKSs (Tasks, Knowledge, and Skills). They are intended to provide organizations a common language to describe their security work and workforce.
Task, Knowledge, and Skill (TKS) Statements:
- Task: An activity directed toward the achievement of organizational objectives. Tasks include associated Knowledge and skill statements that represent learners’ potential to perform those tasks.
- Knowledge: A retrievable set of concepts within memory.
- Skill: The capacity to perform an observable action.
- Competencies: A mechanism for organizations to assess learners. Competencies consist of a name, description, and group of associated TKS statements.
- Work Roles: A way of describing a grouping of work for which someone is responsible or accountable. They are associated with groupings of Tasks that constitute the work to be done.
Given that titles vary from one organization to another, be mindful to focus on the TKSs associated with a work role rather than the title NICE attributes to it. Teams can use NICE to groom and develop talent, which leads to reduced risk by ensuring staff meet the appropriate skill bars more effectively. However, to do this, all training stakeholders need to get together to figure out what training is needed for their work roles, because those roles will most certainly differ from how NICE defines them.
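As an added example (not part of the original post, and not a NICE or NIST tool), the following Python script models Work Roles as sets of Task, Knowledge and Skill statements and runs the gap analysis the earlier list describes: how much of a role each person already covers, which roles fit them best, which TKS statements nobody on the team covers (a hiring signal), and a training plan that separates what a course can close (knowledge, skills) from what needs supervised on-the-job experience (tasks). The role names, staff names and ids such as "T-01" are constructed placeholders; the real NICE Framework uses its own identifier scheme, and an organization would load its own role-to-TKS mapping in their place.

```python
"""Constructed NICE-style workforce gap analysis (example only, not a NICE/NIST tool)."""
from typing import Dict, List, Set, Tuple

# The three TKS statement types that make up a Work Role in the NICE Framework.
TKS_TYPES = ("tasks", "knowledge", "skills")

# A Work Role or a person's profile: TKS type -> set of statement ids.
Profile = Dict[str, Set[str]]

# Constructed sample Work Roles. Ids such as "T-01" are placeholders, not real
# NICE Framework identifiers; an organization would load its own mapping here.
WORK_ROLES: Dict[str, Profile] = {
    "Cyber Defense Analyst": {
        "tasks": {"T-01", "T-02"},
        "knowledge": {"K-01", "K-02", "K-03"},
        "skills": {"S-01", "S-02"},
    },
    "Incident Responder": {
        "tasks": {"T-02", "T-03"},
        "knowledge": {"K-02", "K-04"},
        "skills": {"S-02", "S-03"},
    },
}

# Constructed staff profiles: the TKS statements each person has demonstrated.
STAFF: Dict[str, Profile] = {
    "alice": {"tasks": {"T-01"}, "knowledge": {"K-01", "K-02", "K-03"}, "skills": {"S-01"}},
    "bob": {"tasks": {"T-02", "T-03"}, "knowledge": {"K-02"}, "skills": {"S-02", "S-03"}},
}


def role_gap(role: Profile, person: Profile) -> Profile:
    """TKS statements the role requires that the person has not demonstrated."""
    return {t: role.get(t, set()) - person.get(t, set()) for t in TKS_TYPES}


def coverage(role: Profile, person: Profile) -> float:
    """Fraction of the role's TKS statements the person already covers (0.0 to 1.0)."""
    required = sum(len(role.get(t, set())) for t in TKS_TYPES)
    if required == 0:
        return 1.0  # a role with no statements is trivially covered
    missing = sum(len(ids) for ids in role_gap(role, person).values())
    return (required - missing) / required


def best_fit_roles(person: Profile, roles: Dict[str, Profile]) -> List[Tuple[str, float]]:
    """Work Roles ranked by how much of each the person already covers."""
    ranked = [(name, coverage(role, person)) for name, role in roles.items()]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


def team_gap(role: Profile, staff: Dict[str, Profile]) -> Profile:
    """TKS statements nobody on the team covers: these point at hiring needs."""
    pooled: Profile = {t: set() for t in TKS_TYPES}
    for person in staff.values():
        for t in TKS_TYPES:
            pooled[t] |= person.get(t, set())
    return role_gap(role, pooled)


def training_plan(role: Profile, person: Profile) -> Dict[str, Set[str]]:
    """Split a person's gap into what training can close (knowledge, skills)
    and what needs supervised on-the-job experience (tasks)."""
    gap = role_gap(role, person)
    return {"train": gap["knowledge"] | gap["skills"], "on_the_job": gap["tasks"]}


if __name__ == "__main__":
    for name, profile in STAFF.items():
        print(name, "best-fit roles:", best_fit_roles(profile, WORK_ROLES))
    for role_name, role in WORK_ROLES.items():
        print(role_name, "team gap:", team_gap(role, STAFF))
    print("alice -> Cyber Defense Analyst:",
          training_plan(WORK_ROLES["Cyber Defense Analyst"], STAFF["alice"]))
```

With the constructed data, alice covers 5 of the 7 Cyber Defense Analyst statements and bob is a closer fit for Incident Responder, while the team as a whole has nobody who covers "K-04", which is exactly the kind of gap that answers the "what kinds of workers do we need to hire" question rather than the "what training do we need" one.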
Leveraging the OODA Loop in Cybersecurity
U.S. Air Force Colonel John Boyd created the concept of the OODA loop to aid in the development of military strategy. By rapidly observing and analyzing an adversary’s behaviors, Col. Boyd believed that a strategist using the OODA decision-making process could gain an advantage. Accepting the chaos associated with rapid analysis and working more rapidly than the opponent allows a decision-maker to appear unpredictable and cause chaos in the adversary’s decision-making.
Boyd suggested that the key is to obscure your intentions and make them unpredictable to your opponent while you simultaneously clarify his intentions. That is, operate at a faster tempo to generate rapidly changing conditions that inhibit your opponent from adapting or reacting to those changes and that suppress or destroy his awareness. Thus, a hodgepodge of confusion and disorder occurs to cause him to over- or under-react to conditions or activities that appear to be uncertain, ambiguous, or incomprehensible.
The OODA loop is a four-stage process for decision-making: observe, orient, decide and act. A strategist should cycle through these phases often and rapidly as part of their analysis and decision-making process.
The OODA Loop. Boyd’s final sketch of the OODA Loop, as presented in his summation of “A Discourse on Winning and Losing,” which he referred to as “the big squeeze,” 28 June 1995. Adapted from Hammond, Mind of War, 190.
Applying the OODA Loop in Cybersecurity
During a cybersecurity incident, acting quickly is crucial. Over half of phishing emails are clicked within an hour and 11% of phishing emails are clicked within a minute of being sent. The OODA loop is designed to help people make decisions and take action rather than freezing up and doing nothing. In a world where network defenders or CISOs can be fired for failing to prevent or mitigate an attack, the risks of taking the wrong action may seem greater than the risks associated with doing nothing at all. During a cyber-incident, doing something — even if it isn’t the best thing — is better than doing nothing.
At its core, the OODA loop is a process for identifying and analyzing how a person thinks, acts, and responds to stimuli. This process can be invaluable to an information security team and has numerous applications, both offensive and defensive.
When a hacker is testing a network’s defenses, he is testing his knowledge and skills against those of the network defender. Anything that the defender can do to add confusion or uncertainty in the mind of the attacker may thwart or limit the attack.
Observing the hacker’s attack methodologies and orienting oneself in the hacker’s worldview allows a defender to decide on a course of action and act upon it before it’s too late. Many cyberattacks are won in minutes or seconds, not hours or days. The more quickly a defender can respond to an attack, the less it costs the enterprise.
OODA loops are applicable in non-adversarial contexts as well. Our experiences shape how we act, down to the smallest detail. Understanding someone’s thought processes (even our own) can be extremely valuable in quality assurance and vulnerability assessment exercises. The knowledge of how the developer thinks a system works helps highlight the differences from how it really works. Identifying these gaps and rapidly acting upon analysis of them allows an auditor to efficiently find the vulnerabilities that these differences create and decreases the probability that over-analysis will cause them to be overlooked.
Conclusion
In building or augmenting a skilled workforce for your organization you should start with the following questions:
- What is the current state of my employees’ cyber capabilities?
- What gaps do we need to fill?
- What kinds of cybersecurity workers do we need to hire?
- How can I keep and grow my cybersecurity staff?
The NICE Framework for Cybersecurity will allow you to answer these four critical questions by identifying and tracking the IT security gaps you have in the “people” portion of your “people, processes and technology.” NICE is complicated, as is almost everything that comes from NIST or DHS; however, the framework is a useful and critical tool for almost any organization.
The OODA Loop leverages the improving talent, skills, and processes in your organization to limit your attack surface and defend your network more effectively. There is very little probability that an organization can respond effectively to an attack until it has a solid foundation in its people, processes, and technology, as well as the ability to measure their effectiveness.
Once you understand the current capabilities and limitations of your teams, focus on detection and response processes. Consider whether, or how, they may be able to apply OODA loop analysis of adversary actions and reactions to streamline your efforts and disrupt the adversary’s execution of attacks. Done periodically, this can reduce organizational “friction” and significantly improve the effectiveness of your cyber-protection program.
To Learn More About How to Augment Your Security Team or If You Have Been Attacked Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://secureops.com/contact-us/