
Cybersecurity Meets EDRM with the Cybersecurity Reference Model

By Jeff Scarpitti and Jared Coseglia
April 01, 2016

Many legal technology practitioners have great familiarity with the Electronic Discovery Reference Model (EDRM), created and fostered by George Socha and Tom Gelbmann. The model allows attorneys and those who support them to use a common lexicon while wrestling with the complex issues and tasks associated with the discovery process. As the legal technology industry moves deeper into commoditization, new skills, knowledge bases and technology related to security and privacy outside the traditional EDRM will increasingly become the focal point for professional development.

The EDRM certainly speaks to the professional skills needed along a temporal framework; at its core, however, the EDRM is an organizational, cost-based approach to discovery. The NIST Cybersecurity Framework is an excellent resource for the cybersecurity process that takes place before discovery, but it is a risk-based approach to information protection, laying out the discrete steps of the information security process rather than the skills needed to perform them.

The TRU Cybersecurity Reference Model (CSRM), below, is a deliberate skills-based guide to the myriad of technical functions and job responsibilities that exist throughout the cyber continuum. The CSRM gives clarity to what skills are required throughout the information security life cycle and will be a reference to discuss what stages of the model are in high growth and demand. TRU's CSRM has six primary stages: 1) technology inventory; 2) assess; 3) compliance and governance; 4) security architecture and systems; 5) monitor; and 6) respond.

[Figure: The TRU Cybersecurity Reference Model (CSRM), showing its six stages]

The Stages

Technology Inventory

Organizations must understand their current state of technology and undertake a comprehensive audit of networks, hardware and software, mobility, application development and contingency plans. Skills needed are in network engineering, disaster recovery and business continuity. Security certifications GSNA and GCCC could prove useful. These types of services are predominantly provided by consulting firms.
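A technology inventory audit is only useful if it is reconciled against what is actually reachable on the network. The script below, an added example that is not part of the original article or of TRU's model, takes a constructed CMDB export (what the organization believes it owns, with the software approved for each host) and a constructed discovery export (what a network scan actually found) and reports three classes of gap: hosts on the network that the inventory does not know about, inventory records for hosts that were not observed, and hosts running services that were never approved. Column names, hostnames, addresses and services are all made up for illustration.

```python
"""Reconcile an authoritative asset inventory (CMDB) against a network discovery export.

Added example with constructed data; not the article's or TRU's own code.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed CMDB export: the hosts the organization believes it owns and the
# software approved to run on each one.  Column names are assumptions.
CMDB_CSV = """hostname,ip,owner,approved_software
fs01,10.0.1.10,infra,"OpenSSH 8.9;Samba 4.15"
web01,10.0.2.20,apps,"nginx 1.24;OpenSSH 8.9"
db01,10.0.2.30,apps,"PostgreSQL 15;OpenSSH 8.9"
legacy01,10.0.9.5,unknown,"Telnet"
"""

# Constructed discovery export, as a network scanner might produce it:
# what was actually reachable and which services answered.
SCAN_CSV = """ip,hostname,services
10.0.1.10,fs01,"OpenSSH 8.9;Samba 4.15"
10.0.2.20,web01,"nginx 1.24;OpenSSH 8.9;Redis 7.0"
10.0.2.30,db01,"PostgreSQL 15;OpenSSH 8.9"
10.0.2.77,,"OpenSSH 7.4;Apache 2.4"
"""


def _split_list(value):
    """Turn a semicolon-separated cell into a set of non-empty, trimmed entries."""
    return {item.strip() for item in value.split(";") if item.strip()}


def parse_inventory(text):
    """Parse the CMDB export into {ip: {hostname, owner, software}}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["ip"]] = {
            "hostname": row.get("hostname", ""),
            "owner": row.get("owner", ""),
            "software": _split_list(row.get("approved_software", "")),
        }
    return rows


def parse_scan(text):
    """Parse the discovery export into {ip: {hostname, services}}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["ip"]] = {
            "hostname": row.get("hostname", ""),
            "services": _split_list(row.get("services", "")),
        }
    return rows


@dataclass
class ReconciliationReport:
    unknown_hosts: list = field(default_factory=list)        # on the network, not in the CMDB
    stale_records: list = field(default_factory=list)        # in the CMDB, not seen on the network
    unapproved_software: dict = field(default_factory=dict)  # ip -> services not approved for that host


def reconcile(cmdb, scan):
    """Compare observed hosts and services against the authoritative inventory."""
    report = ReconciliationReport()
    for ip, observed in scan.items():
        record = cmdb.get(ip)
        if record is None:
            # A reachable host nobody accounted for is the classic shadow-IT finding.
            report.unknown_hosts.append(ip)
            continue
        extra = observed["services"] - record["software"]
        if extra:
            report.unapproved_software[ip] = sorted(extra)
    for ip in cmdb:
        if ip not in scan:
            # Recorded but unseen: decommissioned, offline, or simply mis-recorded.
            report.stale_records.append(ip)
    return report


if __name__ == "__main__":
    result = reconcile(parse_inventory(CMDB_CSV), parse_scan(SCAN_CSV))
    print("Unknown hosts:      ", result.unknown_hosts)
    print("Stale CMDB records: ", result.stale_records)
    print("Unapproved software:", result.unapproved_software)
```

Each of the three findings maps to a different follow-up: an unknown host needs an owner and a risk decision before it gets any further attention, a stale record needs either removal or investigation of why the host went silent, and unapproved software is the input the Assess stage works from. Real exports will have different column names, so the parsing functions are the part to adapt.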

Assess

This stage involves evaluating and testing the current security configuration and determining whether stated policies are actually being followed. It includes evaluation and testing of external and internal protections, including online, mobile and insider-threat countermeasures. This is where penetration testing occurs, which may call for offensive security certifications such as CEH and CPEN as well as system auditing certifications such as CISA (Certified Information Systems Auditor).

Compliance & Governance

Various industries must comply with different cyber standards. This stage will assist organizations in following HIPAA, HITECH, PCI, NIST, ISO and a litany of emerging federal and state regulations. Highly relevant certifications include CSCS, CHA, CHP and CCSA. Often, talent will come from the consulting community, and while pen testing may be the first service to commoditize in cybersecurity, it is still an essential part of the process (much like e-discovery processing). This is also where attorneys and those privacy professionals with CIPP (Certified Information Privacy Professional) certification can prove extremely relevant.

Security Architecture & Systems

This stage is massive and includes the development, evaluation and implementation of all current and emerging security technologies, including advanced persistent threat analysis tools, SIEM, identity management, threat visualization tools, firewalls and honeypots, to name a few. Application development processes may be brought into alignment with security-by-design and privacy-by-design concepts. The CISSP is the most prominent and widely accepted general security certification, with more than 83% of open jobs in cyber requiring or preferring it. The CISSP requires a minimum of five years of working InfoSec experience (with a one-year waiver available for a relevant degree or approved credential) for those interested in pursuing it. Additional certifications include CCP, CESG and CASP.

Monitor

Organizations must have the ability to monitor and evaluate threats and quickly determine which of them require action. SOCs (security operations centers) have been developed as a centralized unit to perform this task and can be built and maintained internally or outsourced to an MSSP (managed security service provider). GIAC has created a new standard, GMON, sharing space with the many application-specific certifications provided by HP (ArcSight), Cisco, IBM and McAfee. It is also likely the industry will see the emergence of subscription-based monitoring services from vendors specializing in security.

Respond

Once a threat has been identified, it must be isolated, damage and data loss must be assessed and the perpetrator identified. This is the domain of a CIRT (cyberincident response team), a multidisciplinary group comprised of analysts, engineers, digital forensics specialists and malware reverse engineers. (A CIRT is a defensive function and should not be confused with a red team, which simulates attackers as part of the Assess stage.) A litany of forensic certifications is useful, including EnCE and FCE, as well as incident response certifications such as CIRH and malware engineering certifications such as GREM and CCMRE. There will be abundant opportunities for contractors in this sector of security, for forensic examiners as well as data breach remediators/incident responders. Large corporate and consulting organizations will augment permanent staff with contractors when voluminous projects arise.

CSRM/EDRM Comparisons

Both reference models have much in common in both subject matter and process. The greatest subject matter overlap occurs in the information governance and respond stages. Information governance's use of data classification has many similarities with the CSRM assess stage, where cybersecurity professionals must understand the location and characteristics of data stores as well as which systems are being used for internal control of data. Additionally, the security architecture stage involves the implementation of new systems used to protect data classes based on the priority and nature of the data, which are defined through information governance.

Digital forensics, a key component of the respond stage, is the greatest bridge between the EDRM and the CSRM, using the same tools and collection methodologies. EnCase, FTK, Cellebrite and many other collection tools are used in both e-discovery and cybersecurity. In addition, forensics provides the most direct career path between the two disciplines, as those with forensic certifications can immediately find opportunities to join cyberincident response teams.

While there are notable similarities between these two models, there is a great deal of difference as well. A career transition from e-discovery to cyber is not a short path. It will require determined intellectual curiosity, additional education and, above all, career patience and an understanding of a future in which existing skills are replaced by advanced, developing proficiencies.


Jeff Scarpitti is a partner in and president of TRU Cyber, a division of TRU Staffing Partners (www.trustaffingpartners.com). A frequent moderator, speaker and author on hiring strategies and development in the privacy and data security space, he can be reached at [email protected]. Jared Michael Coseglia is the founder and CEO of TRU Staffing Partners. An active speaker and published author on trends in the legal technology job market, he can be reached at [email protected].
