Dr. Vilius Benetis, CISA, CRISC NRD CS, Mon. 10:30-11:45

Transcription

1 Dr. Vilius Benetis, CISA, CRISC NRD CS, Mon. 10:30-11:45

2 Problem Cybersecurity controls are failing to protect organizations. Controls consist of skills, process, and technology. Audit of technology and process is well understood. Audit is expected to assist organizations. How to approach the skills audit for better cybersecurity result?

3 Cybersecurity Skills Audit: When and Where? From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

4 Cybersecurity Skills Audit: When and Where? Automation of business functions From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

5 Cybersecurity Skills Audit: When and Where? Automation of business functions Ex. Assess org/is resilience to cyber treats From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

6 Cybersecurity Skills Audit: When and Where? Should we include skills audit? Automation of business functions Ex. Assess org/is resilience to cyber treats From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

7 Cybersecurity Skills Audit: When and Where? Should we include skills audit? 1) Risk: Lack of skilled people 2) Skills required to assess Automation of business functions Ex. Assess org/is resilience to cyber treats From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

8 Cybersecurity Skills Audit: When and Where? Should we include skills audit? 1) Risk: Lack of skilled people 2) Skills required to assess Methodologies (NICE, CSC, e- CF, SABSA) Automation of business functions Ex. Assess org/is resilience to cyber treats From recent ISACA publication: Information Systems Auditing: Tools and Techniques Creating Audit Programs

9 Other Reasons for Skills Audit HR: Re-organization preparation. What skillsets we need to plan? What skillset to hire? CISO office: Information security should be handled better. What skills are missing? Career planning: What should I focus for my cybersecurity career?

10 Cybersecurity Skills Models NIST NICE United States e-cf European Union / Dutch SFIA6 Matthew Burrows / SFIA6 Design Authority, design@sfiaonline.org / EuroCACS/ISRM 2015 presentation

11 NIST NICE

12 NIST NICE

13 NIST NICE

14 What skills required for Cybersecurity?

15

16 EU model e-cf 16

17

18 CSC operation: Security vs. IT roles Total 0% 2% 17% 39% 25% Developer ICT Security Manager ICT Security Specialist Network Specialist Systems Administrator Systems Architect (blank) 17% 18

19 CSC operation: Alternatively 1% 3% 1% 1% 5% Total 1% 7% 14% 67% Developer Enterprise Architect ICT Security Manager ICT Security Specialist Network Specialist Service Desk Agent Systems Administrator Systems Architect Trainer (blank)

20 ISACA CISM PvIB/e-CF model Job Profiles Domains e-competences CISO ISO ICTSM ICTSS D1. Information Security Governance D.1. Information Security Strategy Development Level 5 D2. Information Risk Management and Compliance E.3. Risk Management Level 4 Level 3 Level 3 D3. Information Security Program Development and Management E.8. Information Security Management Level 5 Level 4 Level 4 Level 3 D4. Incident Management and Response Not Available

21 ISACA CISA PvIB/e-CF model Job Profiles, proficiency Domains e-competences CISO ISO ICTSM ICTSS D1. The Process of Auditing Information Systems (14%) E.8. Information Security Management Level 5 Level 4 Level 4 Level 3 D2. Governance and Management of IT (14%) E.9. IS Governance Level 4 (e-cf only) D3. Information Systems Acquisition, Development, and Implementation (19%) B. BUILD (ICTSS: B.4. Solution Deployment) Level 2 D4. Information Systems Operations, Maintenance and Support (23%) C. RUN (ICTSS e-cf only: C.2 Change Support, C.3 Service Delivery) Level 3 (e-cf only)

22 ISACA CRISC PvIB/e-CF model Job Profiles, proficiency Domains e-competences CISO ISO ICTSM ICTSS D1. Risk Identification (27%) E.3. Risk Management Level 4 Level 3 Level 3 D2. Risk Assessment (28%) D3. Risk Response and Mitigation (23%) D4. Risk and Control Monitoring and Reporting (22%)

23 PvIB REALM ISACA REALM PvIB Job Profiles, Proficiency levels PvIB Model ISACA CISM ISACA CISA ISACA CGEIT ISACA CRISC CISO ISO ICTSM ICTSS e-competences Domains Level 3 Level 3 A.7. Technology Trend Monitoring D1. Risk Identification (27%) Level 2 B.4. Solution Deployment D2. Risk Assessment (28%) Level 5 D.1. Information Security Strategy Development D1. Information Security Governance (24%) D3. Risk Response and Mitigation (23%) Level 4 Level 3 Level 3 E.3. Risk Management D2. Information Risk Management and Compliance (33%) D4. Risk Optimization (24%) D4. Risk and Control Monitoring and Reporting (22%) Level 4 E.4. Relationship Management Level 5 Level 4 Level 4 Level 3 E.8. Information Security Management D3. Information Security Program Development and Management (25%) D1. The Process of Auditing Information Systems (14%) E.9. IS Governance D2. Governance and Management of IT (14%) D1. Framework for the Governance of Enterprise IT (25%) NA D4. Incident Management and Response (18%) D4. Information Systems Operations, Maintenance and Support (23%) D3. Benefits Realization (16%) NA PvIB does not cover D3. Information Systems Acquisition, Development, and Implementation(19%) D2. Strategic Management (20%) Level 4 Level~3 Level~3 Level~3 General competences: G.1. Leadership G.2. Project management G.3. Communication and persuasion G.4. Technical research G.5. Organisational sensitivity G.6. Management G.7. Analytical skills G.8. Integrity Generic competences, proven experience and continuous education

24 SFIA6

25 SFIA6 (sample)

26 How to run skills audit? Simplest: Ask: what skills are missing to reach the goals? Medium: Inventory/assess existing skills via questionnaires (list competences, ask to self-assess) Sophisticated: Run serious tests to assess

27 Output of skills audit Simplest: List of skills/competences and who covers them Items without people missing competences Medium: Skills/competences with required levels, and fulfilled levels Gap is visible Sophisticated: Detail report of professional skills assessors

28 Summary Main cybersecurity challenges are in governance, workforce skillset, and technology inability to be resilient. Presentation is geared for auditors to learn how to use different cybersecurity workforce models to prepare better for cybersecurity audits. Differences of the NIST NICE, EU e-cf, SFIA models are presented, along with how to modify these frameworks for own use, along with Critical Security Controls integration

29 Assertion on your capabilities after presentation: 1. create own adjustments to cybersecurity workforce skillset 2. connect cybersecurity tasks with skills 3. recommend to organizations remediation actions for cybersecurity workforce problems 4. apply US and EU cybersecurity skills, job profiles and e- competences models to own internal and external audits

30 Thank you! Dr. Vilius Benetis, CISA, CISM NRD CS