EPISODE 44

Replay of “All the Jobs in a Large Cybersecurity Organization”

About this episode

In this episode, we replay Episode 31, where we walk you through what a typical large cybersecurity organization looks like. We will help you plan for what’s next if you’re already in cybersecurity, and if you’re not yet, we will help you plan for what’s ahead.

Wes and Kip will show you the big picture of what different positions are in a cybersecurity organization so that you will know what is waiting for you in this industry. Throughout this episode, and several that are coming out soon, you will learn about the different roles that may be present in a small or large organization as well as the common reporting structure for a security organization. 

The 14 disciplines are broken down into the four largest parts of a security organization and their accompanying roles. This episode will also help you understand the three disciplines found in security operations and the different tools used to achieve their goals. As someone trying to break into cybersecurity, it is important to understand where you fit into a security organization so you can obtain your new role in this industry.

What you’ll learn

  • What the 14 disciplines in a large security organization are
  • What the four parts and their subgroups are
  • What the different roles involved in each part are
  • What the common services that a security organization offers are

Episode Transcript

Kip Boyle: 

Hi. Wes and I are taking some time off. So today we’re going to revisit one of our most popular episodes with you. This episode marked the beginning of our grand tour of a common cybersecurity department in a large company. In fact, we’re in the middle of that tour right now, and we’ll finish it over the course of several future episodes. Now this replay will be especially good for those of you who recently joined our community, but haven’t gone back yet to see the big picture that we’re trying to describe. Okay. I really think you’re going to enjoy this episode.

Hi everyone. Welcome to your cyber path. This is the podcast where we help you get your dream cybersecurity job. I’m Kip Boyle. I’m here with Wes Shriner. We are experienced hiring managers of cybersecurity professionals, and we’re here to help you. And if you’re listening to the podcast through your podcast listeners, as you probably always do, what you don’t know is that we’re also making a video today and we’re going to be making videos from now on in fact. And if you want to watch the video, just go to our YouTube channel, search for your cyber path podcast, and you’ll find our playlist up there.

And this is important because we’re actually going to be sharing with you some visuals, right? And actually we’re kicking off a whole series of podcast episodes. What we’re doing, Wes and I, is we’re going to give you a guided tour of a typical cybersecurity organization in a large enterprise. And we’re going to tell you why we’re doing this in a moment. But just another tip for you is we’re going to start numbering the episodes. So it’ll be much easier for you to figure out how do I see things in order because they are going to build on each other. So, Wes good to see you.

Wes Shriner: 

It’s good to see you too Kip. This is going to be a lot of fun. Well, we’re going video now and video’s a little scary, right? Mostly because now I can see my mug on the screen, but we’ll figure that out.

Kip Boyle: 

Yeah. I have what, three years of recording podcast audio only. And so, yeah. I’m not used to doing this either. This is kind of strange, but that’s okay. We’re going to get used to it.

Wes Shriner: 

And with the videos we’re going to have to learn to like each other.

Kip Boyle: 

That’s right, because in the past I’d be like, blah, I don’t like what he’s saying. I’d be miming [crosstalk]. But no one could see it. But now here we are.

Wes Shriner: 

It’s a new day, a new dawn, a new era, and it’s going to be fun. I’m looking forward to it.

Kip Boyle: 

Yeah. I think this is really going to help people. So yeah, the reason why we made this change is because Wes and I were talking about content and we were talking about, gosh, how can we help, right? Like what’s something big we can do to help that maybe nobody else has done yet. Like how can we help folks who want to get into cybersecurity? Or maybe you’re just in cybersecurity, right? You’re in your first job. And you’re thinking like, where do I want to go to next, if you’re a person who thinks about the future. And so we thought, well, why don’t we just show people how a typical large organization is laid out. And then we thought, oh, but if we do that, we’re going to want to show pictures, graphics, right?

Org charts. We want to show stuff. And so then we said, all right, we’re going to have to do this with a video recording. We’re also going to have to do it in a way that respects the people who don’t want to watch this as a video who are already listening to it and prefer that. And so as best we can, we’re going to continue to narrate what we’re doing in a way that if you can’t see the visuals, it’s not going to stop you from getting value from what we’re doing. So, but you can tell us if we’re not getting it right. Just let us know, right? You can send me a message kip@35.167.158.44 and you can let us know how we’re doing.

Wes Shriner: 

Yeah. It’s the changing of the seasons right now Kip. We hit the cold spell on the farm this week. Weather dropped below freezing, the flowers that were left all got crispy and brown. We pulled the last apples off the tree. And I started thinking about, I’ve been doing some fence planning, right? Because in a suburban backyard, you just do a little fence around the edge of your property. But when you’re trying to build corrals and pastures and rotate your flocks, and then you’ve got to figure out I want to do a vegetable garden next year. But how do you do that? You’ve got to have an eight foot high defensive perimeter to keep the deer out. And that’s just the deer. If you want to grow any carrots or corn or anything else. So it’s an eight foot high and you’ve got to go electric if you want to keep the bears out.

Kip Boyle: 

Oh my gosh. So you have a bear threat? Really?

Wes Shriner: 

It’s not a threat. They climb the trees. They break the branches, right? Well, they eat the rest of the apples. That’s why I had to take the apples off the tree because if I don’t, the bear does and he’ll break the branches on his way down.

Kip Boyle: 

Oh my gosh. This is great man. Talk about planning, right? Talk about advanced planning.

Wes Shriner: 

And that’s exactly what we’re doing, right? If you want to plan your fence line and build your pastures and your corrals, you’ve got to plan that ahead of time. You can’t just go start digging posts, right? And I think the same thing is true in our cybersecurity career, right? There’s a lot of opportunity for, I could just go dig a post and run a fence line here or go get this job. But if we understood what the bigger picture is, and then started to apply that to our careers, we can really have a beautiful pasture and corral and plan for our yard and our careers.

Kip Boyle: 

Yeah. That sounds great. Cool. Yep. Well, I’m on board and I hope everybody out there listening and watching. I hope you understand why we’re doing this. And I hope that this is helpful. So we’re going to do this as a series of episodes. And today what we’re going to do is just kind of introduce the organization and paint in very broad brush strokes where we’re going with all this.

Wes Shriner:

It’s going to be a lot of fun. The video podcast is new. It’s a new journey, a new video. This is part one of what could be a lot of content, a lot of interesting stuff, and understanding the big picture leads to understanding what’s my fit in this organization, right? How do I fit here? And the assumptions we’re making are for a large organization, right? You and I both have a lot of experience in Fortune 100 companies, assuming a 200 person security organization and a hundred million dollar budget, a non-staff budget. But the mid markets and the startups also have the same responsibilities and these same functions. They just apply them differently, right? It may be one security person who happens to put on this hat and then put on this hat moving through the process and the same thing it’s going to be true.

Kip Boyle: 

That’s right. And so the point that Wes is bringing up is, and I’m going to restate it. Is that yes, we’re showing you a large security organization, but even if you work in a smaller organization, the things that they do in the big organization still typically need to be done in a small organization. Now it’s not scaled down linearly, right? So it’s not just a matter of doing exactly the same stuff in the exact same way with less people. I see that sometimes. I don’t think that’s a good approach. That’s like telling a 14 year old who needs to go to a fancy event, just wear your dad’s suit, right? We’ll cuff it and you’ll be fine, right? That doesn’t work. So you’ve got to actually… You actually have to create something that’s going to fit, but I still think this is a good template because you might want to go work in a large security organization or a mid-sized one or a small one, but I think the concepts are the same and the jobs are similar.

Wes Shriner:

And we’re going to try and keep the understanding really transferable. We’re going to talk about the 23 common services of the security service catalog. We’re going to go into one common tool and one common process that are used in that discipline. And then for our job seekers, we’re going to look at what kind of roles are normally in place in that area. And are they technical roles? Are they business roles? Are they analysis roles? Are they PM? Are they engineer? We’re going to start to take a look at whether these are more senior roles or more junior roles, or maybe there’s a blend of both. And I think that’s going to be really helpful for our audience.

Kip Boyle: 

Yeah. We’re talking about career pathing, right? So it’s not just, what’s my path into cyber, but what’s my path once I get in. So yeah, this is great.

Wes Shriner: 

Indeed. And then lastly, oh, what’s my path in both as a new hire and as a senior person maybe in technology who wants to make the jump from a technology team to a security team. There’s a lot of transferable skills there. And then the other thing I love what we’re doing this year Kip is, your idea, right? We’re going to bring in the hottest guest speakers you’ve ever heard. Experts who’ve been doing this for 20, 30 years or as long as it’s been around, right? They’re going to give us their secret sauce. So I think that’s going to be awesome.

Kip Boyle: 

Yeah. Thank you for mentioning that. I totally forgot to tell people about that. But yeah, we’re going to bring in some people that are going to really help you understand what’s going on.

Wes Shriner:

I’m looking forward to it. So today we’re going to define the common reporting structure for a large security organization and build a roadmap for where we’re going next.

Kip Boyle:

Let’s do it.

Wes Shriner:

All right. There it is. We’re done.

Kip Boyle: 

Read it and weep ladies and gentlemen.

Wes Shriner: 

We did it.

Kip Boyle: 

Yeah. So there’s a visual now, right? This is where it becomes visual. And so what you’re seeing on the screen and what you’ll be able to see later on, if you’re just listening right now is an actual diagram of what the typical security organizational units look like. And Wes, why don’t you just take us on a quick [crosstalk].

Wes Shriner: 

Sure. So let’s start with a cybersecurity organization in the middle. That’s probably a VP, a CSO. The person who owns that is the security leader for the organization.

Kip Boyle: 

Yeah. The security executive, right? The senior security executive is another true term that I’ve heard used.

Wes Shriner: 

Thank you. Or a head of information security, head of cybersecurity. And then we’ve got four organizational units that we’re going to wrap around that. On the bottom, we’re going to add security operations. Then on the right, we’re going to add engineering, architecture, and test. On the top left, we’re going to have governance, risk and compliance. And then we’ll put product security in the bottom left. I want to break down each one of those just a little bit more. And now that we’ve introduced the diagram, I think this would be a good time.

Kip Boyle:

Yeah.

Wes Shriner: 

The security operations group, right? Who is that? That’s the group that works tirelessly night and day to defend our organization from attacks. They have all the tools and the personnel and expertise to run a multi-week incident response function for the company. Probably using the MITRE ATT&CK framework. These are your heroes.

Kip Boyle: 

Yeah, for sure.

Wes Shriner: 

They’re a disciplined bunch with specific requirements. They have processes for everything until they run into a bad actor with a zero day and then no process exists. And that’s when this team shines, right? They may be working all night. So forgive their bad breath and just slide another pizza under the door, right? They’ll be okay.

Kip Boyle: 

Yeah.

Wes Shriner: 

That’s the pizza under the door team and they’re a good group of folk, right? I’m going to go… Anything you want to add to security ops?

Kip Boyle:

It can be a tough gig, right? I mean, being a hero is not easy work, but it’s absolutely necessary. And it’s a common front door for people trying to break in.

Wes Shriner: 

It’s a great place to start.

Kip Boyle: 

Yep.

Wes Shriner: 

We’ll get a lot more detail in this. Understand, we’re just introducing the largest organizational units. We’re going to go two clicks deeper before we get done here. Maybe even three clicks. So it’s going to be fun. And on the right hand side, we see the security engineering, architecture and test team. It can be known by a lot of names. What is best described as your blue team or your defense team, right? This is your technical group that is defending your organization. They plan, they architect, they build, they scan, they test to remove vulnerabilities before they’re discovered and exploited.

Kip Boyle: 

Yeah. And so security operations is sometimes called a blue team, right? And now we’ve got some blue team activities and security engineering architecture, right? That’s blue, but then red team, right? So that’s a common term that people are used to, right? Red team versus blue team. And so in this org, you’ve got some red team members, right?

Wes Shriner:

Good deal. Good call, you’re right. Your red team lives here as well with your penetration testing folks. Yeah. Some of your threat hunting.

Kip Boyle: 

Great. And then projects, right? A lot of project work in this area?

Wes Shriner: 

Actually this team supports the organizational project work, but most of the security sponsored project work is in our next option, right?

Kip Boyle: 

Okay.

Wes Shriner: 

We’re going to go to the… Oh, sorry. My screen jumped on you there. We’re going to go to the governance, risk and compliance area. That’s the top left area.

Kip Boyle: 

Okay. 

This is the third of four organizations.

Wes Shriner:

Yeah. This is the business side of cyber sec. They handle all the program, planning, the budgets, the staffing. They categorize risk and roll it up to the large organization. They make sure we pass our compliance requirements so we can keep on doing business and they build [inaudible] for the rest of the… And they build training for the rest of the organization to better internalize security. This is the group that manages our security policies and reports security progress to the executives and the board of directors.

Kip Boyle: 

Got it. Yep. GRC. So if you guys hear GRC, that’s what Wes just described.

Wes Shriner: 

And there’s plenty of tools and processes we’ll get into in greater detail later. For now, just understand, there’s a lot of opportunity in the governance, the risk and the compliance parts of the security organization.

Kip Boyle: 

Yup. Okay. That’s three of four. What’s number four?

Wes Shriner: 

The last one’s really interesting, right? This is our product security group. Product security is primarily focused on securing the customer-facing devices and services. I’m thinking about something like the Xbox, right? Xbox is a hardware component that must be rigorously secured. A common thing to say in security is that if you have physical access to a computer, it’s not your computer anymore, right? Or if I have physical access to your computer, it’s my computer.

Kip Boyle: 

Right. That’s right.

Wes Shriner: 

Well, the Xbox device must be hardened for global customer distribution. It includes all of the OEM and third-party device architecture and manufacturing, including running local software and drivers, operating systems and BIOS. Behind the Xbox is also a huge service infrastructure with web security, network security and all the privacy and compliance aspects of global business service. Product security is both the device and the services behind it that our customer uses. And when we do security for those, what we’re doing is we’ve made promises to our customer when they receive our product, that we’re going to protect their data and protect their interactions on their devices. And it’s our job as a security organization to help our business keep those promises in every design decision and delivery decision made in our organization.

Kip Boyle:

Right. And it’s interesting because some organizations have products that are not hardware and maybe they just offer a software as a service, right? And so the product security is really around identification and access management, and it’s very software intensive, right? But then you get like Xbox is the example that you brought up. Okay, well now I got a piece of hardware, but it’s also a very software driven product as well. So way more complicated. And I would expect a product security group to be much bigger in an organization that has a piece of hardware that people are actually needing and using.

Wes Shriner:

Indeed. So we just named the four largest parts of a security organization, and we’re going to break down the sub-components of that as we go forward. But let’s talk about what didn’t make the list.

Kip Boyle: 

Okay.

Wes Shriner: 

Things that didn’t make the cut, right? Some large organizations have a security research organization, right? These are essential for advancing the state of the art, but they’re not something every security org is going to have.

Kip Boyle: 

Right. But you’ll see it in some, right? Mostly big organizations, I think.

Wes Shriner: 

Yeah. I’ll just leave that one there. Yes. In big organizations you’ll see that. Right. Another thing we might see as large organizations may have a political influencer in Washington, DC, right? Somebody who is their DOD or top secret or is a political influencer and any one of those might be a reason to have a DC-based group as well.

Kip Boyle: 

Okay.

Wes Shriner: 

All of these are legitimate components of some orgs. They’re not common enough to all the works to merit putting them in this conversation.

Kip Boyle: 

Right. Yeah. Okay. Good. That makes sense. Yeah. We’re not trying to cover absolutely everything here. We’re trying to cover the common stuff.

Wes Shriner: 

But let’s have some fun because this next slide, I hope you enjoy. Oh yeah. We just got 14 disciplines inside those four security organizational units.

Kip Boyle: 

Yeah. Because this all breaks down, right? So you’ve got the first level is, you have a cybersecurity organization. Then we broke that down into four main areas. And now we’re further breaking it down into subgroups. And this is really going to be the roadmap for the rest of the episodes that we do in this series, right?

Wes Shriner: 

I think this is going to help us understand where am I at in the organization and give us a baseline common understanding to be able to say, oh, you’re talking about this part. Oh, you’re talking about that part. And that’s going to be really helpful.

Kip Boyle: 

Yeah. So I’m at the mall. And I walk up to the big map and I look for the dot that says you are here so that I can figure out where the Apple store is or whatever it is I want to go to. I want to get a Starbucks or something. That’s what I’m looking at here.

Wes Shriner: 

We did a Microsoft plug. We might as well do an Apple plug. I love it.

Kip Boyle: 

Nobody’s sponsoring this show by the way. They’re not sponsors.

Wes Shriner: 

Not yet, but you can send me money. All right. We’re going to roll on to breaking down these boxes that now sit around our diagram, right? At the security operations in the bottom row, we have three disciplines. Those three disciplines are the security operations function, the security that might have the security operation center and incident response team. We’re also going to see security tools that support security operations. And then lastly, we’re going to see a shared services function that sometimes lives in the security organization. And that’s going to be your keep the lights on shared services like identity and firewalls and encryption as a service or any of the as a service solutions.

Kip Boyle: 

Got it. Okay. So security operations breaks down into three subgroups at this point.

Wes Shriner: 

Three disciplines. Yeah.

Kip Boyle: 

Three disciplines. Okay, great.

Wes Shriner:

Yeah. Now, we’re going to move to the right side. Engineering, architecture, and test. We’re going to see security strategy and architecture, solution engineering and architecture. And I want to call those out as being very different things. We’ll get a chance to dig into that later. We go into security testing and I’ve rolled app sec separate from security testing. Although application security is very much a security testing function, understanding that it is a new and growing field. And so I’ve called it out separate from the rest of security testing.

Kip Boyle: 

Got it.

Wes Shriner: 

We’ve also got security functional testing, vulnerability scanning, internal and external web phone scans, bug bounty capability, penetration testing. And we’ll close this out with threat intelligence.

Kip Boyle: 

Okay. So nice job trying to sneak that one in. So, it’s not entirely clear that that’s where threat intelligence belongs. So why do you like it there?

Wes Shriner:

This is the most hotly contested discipline on this diagram for where it should live. I’m not going to lie. I showed this diagram to 10 people and every one of them disagreed with me and not one of them agreed with each other.

Kip Boyle: 

Okay. Well, but that’s okay. Because guess what. Information security, cybersecurity, whatever label you want to use, it’s always changing. And so it’s common to have something new show up that you’ve never had before application security for example. I remember when there was no application security as a separate discipline. And everybody was like, ah, what do we do with that? And so here’s threat intelligence. Same thing, right? You get all squinty eyes. What are we going to do with that? Eventually it’ll find a place that most people will agree with, but we’re going to invoke executive privilege and put it there.

Wes Shriner: 

And that’s exactly it. If we put it in operations because it helps fan bad guys. That’s great, but it’s a nine to five job. And it doesn’t really contribute to attack and defense in the same way, right? Some have argued for placing it in risk because it identifies risk. But it’s a little more of a technical role than the common risk function. So it was out of place there.

Kip Boyle: 

Yeah. Okay.

Wes Shriner: 

It could go anywhere on the diagram. So we should [crosstalk].

Kip Boyle:

All right. Well that’s where it’s going to go. So that’s what we think.

Wes Shriner: 

All right. So let’s keep moving.

Kip Boyle: 

Yeah. Let’s keep moving.

Wes Shriner:

Governance, risk and compliance in the top left. This is perhaps the most straightforward. G is for governance, which includes the project management office, the policies and standards, and the executive reporting function. R is for risk, which includes cyber risk and third-party cyber risk, which is actually, like app sec in the last five years, a new function for most organizations. The C is for compliance, which may include any relevant compliance function, right? Compliance in the US can come from federal government regulations like SOX, HIPAA, FedRAMP, GLBA, which is the banking one, or CPNI for call data records. It can come from state government regulations like CCPA, the California Privacy Protection Act. They can come from industry-wide self regulation, like PCI, which is your credit card industry protections. It can come from standards-based alignments like NIST, the US government’s security posture, or ISO 27001, which is more of an international security strategy. The fourth arm of GRC is the sneaky one because it doesn’t have a letter.

Kip Boyle: 

It’s like silent E. I’ve got little kids living at home. And we’re talking about silent E right now, right? Like our silent E strikes again. It’s right there hanging on the end.

Wes Shriner:

Do you ever go to Starbucks? Tell them your name is Bob. And tell him the K is silent and see what they do with it.

Kip Boyle: 

Oh, well, I do better than that. I tell them it’s Cornelius and you spell it with a Q.

Wes Shriner: 

Nice. The security awareness and training function is quite possibly one of the most important functions in the whole organization.

Kip Boyle: 

And Wes, why would you say that? It seems boring.

Wes Shriner: 

Full stop. It is often treated as a second class citizen in the services of a security program, but I’m going to tell you it is full stop, the most important part. And here’s why, right? How does malware most commonly get in our environment? Through the wetware.

Kip Boyle: 

Yeah, the wetware. Oh my gosh. Okay. So listen, everybody. If you’re learning all this for the first time. Here’s the part where I tell you that we have pet names for everything. All right. And wetware is probably a good point for me to take right now and just say-

Wes Shriner: 

I can help with that. We’ve got hardware-

Kip Boyle:

Yeah. If we use a bunch of jargon and we don’t stop and tell you what it means, then you should call us out on it. But I’m going to call out Wes on wetware. Go ahead. Tell us what it is.

Wes Shriner: 

So hardware and software. We’ve got malware. Well, the wetware is the person who’s made up of 90% water sitting behind the computer, right?

Kip Boyle:

Part of the system.

Wes Shriner: 

It’s the phishing attack, right? The softest part of getting into your computer is you. Believe it or not, right? It’s a PEBKAC issue. PEBKAC is the person existing between the keyboard and the chair, right? P-E-B-K-A-C.

Kip Boyle: 

Okay. So, that’s the other thing you need to understand ladies and gentlemen is we have many TLAs, three letter acronyms. Maybe even more letters than that. So again, if we don’t do a good job of spelling out our acronyms, call us out on that.

Wes Shriner: 

So the security awareness and training function attempts to teach our organization not to click on the phishing emails and to build an enterprise culture that understands security is everyone’s responsibility.

Kip Boyle: 

And to slow down and follow the procedures because errors are what causes a lot of problems.

Wes Shriner: 

What if we just started with only you get to use your badge? What if we started with, when you walk through a door and you badge through that door, nobody else gets to walk also through that door.

Kip Boyle: 

Okay. But now you’re crossing into a physical security discipline.

Wes Shriner: 

It’s still security. Because if I can touch your computer, it’s my computer.

Kip Boyle: 

Right. Okay. So yeah.

Wes Shriner:

That’s for another day. We’ll have some fun with that.

Kip Boyle: 

Yeah. And I can talk about all kinds of other like oldie, moldy ideas about that stuff. So, okay.

Wes Shriner: 

Oh, don’t give that away now. So, we’ve got to keep moving though because we’ve got a guided tour today and I promised that would get us done in 30 minutes.

Kip Boyle: 

Okay. Let’s go.

Wes Shriner:

So to the bottom left to the organization is the product security function. It’s split into two pieces, device or product security, the device, the hardware. And then the services behind it and understand that can grow as small or as large as the products demand that we’re delivering to our customers and that kind of data we’re protecting in the process.

Kip Boyle:

Right. And you already gave a great example of an X-Box, but it could also be, oh, I said before, like a software as a service. It could be a mobile phone, right? It could be an iPhone. It could be-

Wes Shriner: 

This is where your IoT devices live.

Kip Boyle: 

Yeah. A lot of internet of things, right? So if you’ve got a refrigerator that’s internet aware, right? A General Dynamics engine hanging off of a 787 airframe, right? Believe it or not, most people don’t know this. But a jet engine is constantly streaming telemetry information over the internet while the airplane is flying.

Wes Shriner:

You can’t tell us that Kip. Now Boeing is going to come after you.

Kip Boyle: 

Maintenance and all kinds of really interesting things. And so if the jet… Like if that engine sends off a fault code in flight, and it’s not critical, like a flight ending code, but maybe a little maintenance thing. So you could actually have a maintenance team on the ground at the gate when the jet rolls up, because they already know that there’s a fault code was thrown in flight.

Wes Shriner: 

With a new wing in hand ready to go.

Kip Boyle: 

Whatever it takes, right? But that’s an internet of things item and it needs to be secure.

Wes Shriner: 

Very well. Good deal. Kip is you… And that’s one thing IoT can tell you, right? It can say, is your refrigerator running?

Kip Boyle: 

Yeah.

Wes Shriner:

I’m sorry, I didn’t just do that.

Kip Boyle: 

And if it is you should probably go catch it.

Wes Shriner: 

Good times.

Kip Boyle: 

Dad jokes, right?

Wes Shriner:

So we just did what needs to be in the security organization. We covered the 14 disciplines of a common security organization, split them up by the four organizational units. Let’s look at what didn’t make the cut, right? You already brought it up with physical security, right? Phys sec is not a common cybersecurity function anymore. It’s still listed in (ISC)² as a security discipline, one of the 10, but I’ve not seen physical security co-located with cybersecurity at any Fortune 100 company in a long time.

Kip Boyle: 

It ebbs and flows. Sometimes there is a big desire to smush them together. And then to pull them apart again. And I can tell you as somebody who for a couple of years was responsible for both, it’s weird because the people who work in the physical security teams are… I mean, it’s just very different. Very different culture, very different way of doing things. Some of the concepts are similar, like choke points, right? You want choke points in your physical security perimeter and you want choke points in your networks. So I mean… But that’s really where the similarities end.

Wes Shriner: 

So my expectation for our listeners is you’re probably not going to see physical security as one of the primary disciplines in a security organization as you’re looking for work. It might be there. Kip tells you it could be there.

Kip Boyle:

It could be, but it’s not common.

Wes Shriner: 

It’s not common. Let’s talk about business continuity and disaster recovery as well, right? Those make the list. Business continuity is handled by our business teams who want to keep their business operating. I may run in front of them and try and find things that will trip their business up. But that’s the extent of the business continuity that our security, cybersecurity organizations are probably going to be doing. We own confidentiality, integrity, and availability. But that’s from an attacker and security perspective, not necessarily from a keep-the-lights-on IT operations or even a business operations perspective. We partner with our business teams to enable them to do business continuity, but we aren’t the business continuity owners, and the same is true with disaster recovery, right?

Kip Boyle: 

Yeah. Generally, that’s true. I’ve seen especially medium- and small-size organizations. I’ve seen that not be the case.

Wes Shriner: 

True.

Kip Boyle: 

So it can go either way depending on the circumstance. But even when it is part of your cybersecurity org, you can’t do it in a vacuum. You’ve got to do it in partnership. And so I think that’s a really important thing that you just said, which is don’t sit in your stovepipe, right? Your silo, and think that you can figure out a great continuity plan or a great DR plan, because nobody will follow it when it’s really needed, right?

Wes Shriner: 

We know that a DR plan, it begins with a business impact analysis or BIA, right? It’s an assessment of which assets do I have and which are most important to bring back online first, second, and third, right? But I rarely see security orgs create and curate that document, right? DR is really best managed by the operations team that supports the technology functions. And again, we help them, right? And I want to call out one more thing here, because this is the slide to do it. If any of you ever say that’s not my job, you’re done. Do not say that’s not my job. Your job is to make your company successful, to help them win and to handle the security flank in the process. And you will do whatever it takes to help that company be successful.

Kip Boyle:

And in my JDs, job descriptions, the last responsibility is “other duties as assigned.”

Wes Shriner: 

So the next group I want to talk about is privacy and legal, right? These are critical partners with security, but they shouldn’t be confused with security functions specifically. Here’s a privacy example of how they should be working together. Because when a partner comes to us asking, what can I do with this data? It’s the privacy teams who step in first to say the data owner identified the data classification of this data as high or medium or low. And then after data classification is assigned, then the security team steps in to assist in defining appropriate controls and permissions for handling that level of classified data.

Kip Boyle: 

Got it.

Wes Shriner: 

Privacy helps with classification and permission for use. Security helps with protecting the data, wherever it may go or stay. I’d prefer it stay actually, if I can.

Kip Boyle: 

Yeah, well it’s not listed on this diagram, but I am seeing merge, right? So a lot of people are thinking that with the increased emphasis on privacy, that we’re going to see chief privacy officers and chief security officers, that those functions are going to merge. I don’t know that I believe in that, but they are highly correlated that’s for sure.

Wes Shriner: 

I use privacy as my primary business case for security. Whenever I need money as a security manager, I find my privacy team and say, Hey guys… Because privacy always stays in better hotels than the security team does.

Kip Boyle: 

Okay. So if you’re looking for a cybersecurity job, you might want to start looking for a privacy job. Now that [crosstalk] is out. Now that the hotels [crosstalk]

Wes Shriner: 

Depends on how you want to travel. Your corporate travel privacy teams are staying in the legal team hotels, right? And security teams are staying in the operations team hotels. So yeah. So the next group is the enterprise risk function, right? Enterprise risk is what am I going to do to manage risk for my organization? This is the group that puts data, puts a list of scary things on the organization’s 10-K, which is a form that’s filed with the US government, right?

Kip Boyle: 

Right. So if you’re a publicly traded company in the United States, then that’s the document that you use to share with potential and current investors. Like what are the risks.

Wes Shriner: 

They manage data from external and internal audits and the enterprise risk register. The cyber risk organization is a contributor to this enterprise risk function. Risks should be scored the same way, they should be rolled up to the enterprise risk list where appropriate. But we are different functions who work very closely together.

Kip Boyle: 

Yup.

Wes Shriner: 

The next three are business functions that are run by business teams with a security component contributing to their business activities, right? The security operations group manages all the digital forensics. We do this for the enterprise. Then the [DFIR] or digital forensics team turns over the results to the appropriate actioning team. That team may be internal investigations. It may be fraud or it may be the incident response team. In each case, these teams are partners dependent on digital forensics, but they are not included in the cybersecurity organization usually.

Kip Boyle: 

Oh, interesting. But digital forensics is part of what we do, right?

Wes Shriner: 

The digital forensics is retrieving the data appropriately and maintaining chain of custody of that data. Whereas what the business chooses to do with that data, whether it’s fraud investigation or loss prevention, whether it’s internal investigations or external that’s handled… Or even incident response, that’s handled by the business team that’s managing [crosstalk].

Kip Boyle: 

Right. Yep. I agree. That’s what I’ve seen.

Wes Shriner: 

So Kip, what other things would you add or remove and why? I mean, this is a lot of lists, right? We’ve gotten to 20-some service disciplines. There’s so many to think about.

Kip Boyle: 

Yeah. There is. And we’ve gone over this as part of our show prep. So I don’t have anything particular to put on the table, but just simply I think this kind of starts to get into the caveats, right?

Wes Shriner: 

It does.

Kip Boyle: 

Just because we’re giving you this example here, don’t expect that everywhere you go, it’s going to look just like this.

Wes Shriner: 

Nope. It doesn’t, in fact, this is how we built it based on what we’ve seen, observed and would do when we’re king, right? But you, my dear listener are going to learn from what we’ve offered. You’re going to stand on our shoulders. You’re going to get the bigger job. And you’re going to define this for the next generation. And when you do come back and let us know what you did, because we can update the diagram. That’d be awesome.

Kip Boyle: 

That’s right. Yeah, definitely. Please do. It’s synthetic. I like that term, right? We’re showing you a synthetic example, but there’s a lot that we think that you can learn from it. It’s not about right and wrong. So be careful, right? Don’t go into your new org and say, well, I saw a podcast that threat intelligence is part of… So that’s the way. Please don’t do it.

Wes Shriner: 

No, we are here offering you a way you can look at the organization and if it changes over time, that’s okay too.

Kip Boyle:

Yeah. Okay. Young padawan.

Wes Shriner: 

What are your takeaways for today? Cyber security is complex. It can be understood. And as we better understand it, it can help us find where we fit in that larger program organization function, right? I’m really looking forward to next week because we’re going to finish building out this diagram. We’re going to take it to the next and next level after that, we’re going to look at the 23 common services to a security service catalog. And we’re going to look at the individual teams that might support each one of those services and disciplines that we’ve already had a chance to look at.

Kip Boyle: 

Okay. So we’ve got… Let’s see, at the top level we got the org, you break it down into four major areas, right? That says like the next layer-

Wes Shriner: 

Organizational units.

Kip Boyle: 

Organizational units. And then you’ve got disciplines clustered in each organizational unit. And then finally the next level of detail that we’re going to go to is the service layer, right?

Wes Shriner: 

Yes.

Kip Boyle: 

Okay.

Wes Shriner: 

But we’ll introduce what is a service catalog and then how is it used in all of technology as a space and then we’ll introduce the common services that a security organization will offer to its business. Think of a service catalog as an order by number on a menu, right? I want a number 17 three-star, right? Everybody knows what a number 17 three-star is because the menu says number 17 is this food.

Kip Boyle:

Got it. Looking forward to it. Thanks Wes. And thanks everybody for being here. And for checking out this new format. We really appreciate the opportunity to share this information with you. We really hope that it’s helpful. You should tell us… If it’s not helpful, you should tell us how we could be more helpful to you. But until next time, remember, you’re just one path away from your dream cybersecurity job. See you later.

Wes Shriner:

Bye.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
