Parekh et al. (2018) determined that a conceptual understanding of vulnerabilities, system failures, establishing defences, and identifying targets and attackers was among the most important core aspects of cyber security, along with evaluating security goals and the impact of security decisions and strategies on the CIA triad. In addition, ethics and privacy concerns were determined to be equally important.
While that research focused on establishing a generalised, core foundational basis for cybersecurity and its assessment, Jones et al. (2018) approached their research differently. They paid similar attention to establishing the importance of specific cybersecurity topics, but with the specific goal of establishing a more practical approach to devising an educational curriculum that is directly associated with industry needs.
This pragmatic pursuit is reflected in their methodology, which actively tries to determine the gaps in the educational needs of current cyber security professionals, in contrast to the generalist cyber security experts consulted in the former research.
These results suggest that vulnerability assessment is key, as is an understanding of network security, but the research into professional practice yielded more pragmatic additions, including insights into specific personality traits that would increase success in the discipline, such as persistence, self-determination, curiosity and an inherent interest in cyber security.
It also suggested that communication skill is essential to conveying meaning and decisions when assessing cyber security approaches. This is supported by related research suggesting that increasing importance is attached to less technical areas such as “…human, organisational and societal security” (Cabaj et al., 2018).
Interestingly, most professionals found that they needed self-study to fulfil the requirements of many aspects of their jobs, indicating that adaptability and changeability are important traits to have.
The CISA Security Architect role requires many of these aspects. For example, core tasks include developing security designs for networks, and systems within networks, which requires understanding networks and how they interoperate and are protected.
The task of assessing the security posture requires determining what the vulnerabilities are, which of them have or have not been mitigated within networked systems, and who might seek to exploit them; as such, it draws on the ability to understand the implications of vulnerabilities and where they lie. This also pertains to evaluating security architectures to meet security requirements and mitigating risks from prior analysis and assessment. It also touches on the increased need for effective communication skills, which are particularly important during security reviews and when identifying gaps in security architecture (an inherently collaborative endeavour).
Some areas were addressed by the prior research but not identified among the most important aspects, yet appear to be of particularly high importance to this role. These include management, i.e., the ability to use secure management processes, prioritize and collaborate with stakeholders, and develop plans. This is likely to be a particularly important skill in mediating between cyber security skills, business needs, and the effective and secure deployment of those skills in an increasingly socio-technical workplace. This trend is particularly evident in the role’s requirements to maintain compliance with PCI and privacy constraints such as PII (Personal Identifiable Information).
The specifics and detailed core knowledge required for this role that are not specifically included in cyber security educational curricula as determined by the prior research, such as knowledge of microprocessors and knowledge of electrical engineering and electronics, will likely require drawing upon the aforementioned skills of independent study and persistence and, to a large extent, self-management, e.g., compliance with best practices and security guidelines.
References:
Condori-Fernandez, N., Franqueira, V.N.L. and Wieringa, R.J. (2012) ‘Report on the Survey of Role-Based Access Control (RBAC) in Practice’. Available at: https://research.utwente.nl/en/publications/report-on-the-survey-of-role-based-access-control-rbac-in-practic (Accessed: 26 June 2023).
McGrew, D.A. and Viega, J. (2004) ‘The Security and Performance of the Galois/Counter Mode (GCM) of Operation’, Lecture Notes in Computer Science, pp. 343–355. Available at: https://doi.org/10.1007/978-3-540-30556-9_27.
Ahmad, N., Wei, L.M. and Jabbar, M.H. (2018) ‘Advanced Encryption Standard with Galois Counter Mode using Field Programmable Gate Array.’, Journal of Physics: Conference Series, 1019(1), p. 012008. Available at: https://doi.org/10.1088/1742-6596/1019/1/012008.
Williams, T. (2023) ‘Securing Microservices with Bearer Tokens’, in Microservices Design Patterns in .NET. United Kingdom: Packt Publishing, Limited.
Recommendation for block cipher modes of operation: Galois/Counter mode (GCM) and GMAC (no date). Gaithersburg, MD.
Cabaj, K. et al. (2018) ‘Cybersecurity education: Evolution of the discipline and analysis of master programs’, Computers & Security, 75(C), pp. 24–35. Available at: https://doi.org/10.1016/j.cose.2018.01.015.