Workforce Competencies

The digital ecosystems of modern enterprises are large and complex, usually spread geographically across the country and the world. The ecosystems encompass a large number and variety of technologies, products, platforms, systems, networks, applications, databases and services, which may be deployed on-premises, on cloud (IaaS, PaaS, SaaS) or in hybrid mode.

Enterprises usually have multiple teams of IT, OT, IIoT, information security and cybersecurity professionals and managers, who are responsible for carrying out the organisation’s functions, activities and tasks related to its digital ecosystem. CSEs and other organisations would derive significant benefits by establishing a strategic programme and structured approach to ensure that the workforce and teams managing the digital ecosystem have the requisite cybersecurity competence (knowledge, skills and levels of expertise) to be effective in handling the entire gamut of work and responsibilities of IT, OT, IIoT, information security and cybersecurity.

Workforce Composition

Given the size and complexity of the digital ecosystem, it may be impractical for most CSEs and other organisations to depend solely upon their internal workforce to acquire, implement, engineer, operate, manage and sustain the ecosystem. In practice, organisations have a composite workforce with a mix of their own employees, hired manpower, specialist (OEM, ISV, SI, SaaS) teams and resources of managed services providers (MSPs), who work together to carry out the functions, activities and tasks related to the digital ecosystem.

Workforce Hierarchy

At an organisational level the digital ecosystem workforce can be divided into multiple levels of hierarchy, as given below. Typical job titles in each level indicate the associated job functions, tasks, and responsibilities.

  • Senior management level – Vice Presidents, CTO, CIO, CISO, CSO, Heads of Business Units, Divisions, Departments.

  • Middle and lower management level – Project Managers, Technology Managers, Operations Managers, Security Managers, Cyber Defence Team Leads, NOC and SOC Team Leads, GRC Managers, Workforce Development Managers etc.

  • Individual Contributor level – Operators, Analysts, Administrators, Engineers, Specialists, Technicians, Architects, Developers, Testers, Quality Testers, Apprentices, Associates, Interns.

Senior and middle level managerial roles are always assigned to employees of the organisation. Technical work and its deliverables may be assigned to external teams from OEMs, SIs, MSPs and other service providers, as long as overall supervision and oversight are handled by designated senior and middle level managers of the organisation. The middle and lower management levels, and individual contributors, are accountable and responsible for day-to-day operational activities and tasks.

Note

The concept of “virtual managers” or “external advisors with C-level access” is gaining acceptance amongst organisations that need such services in a more flexible, scalable and cost-effective manner. A virtual manager, for example a virtual chief information security officer (vCISO), performs most of the same core functions as a traditional, full-time manager; the difference lies in the engagement model (part time) and presence (non-physical) in the organisation.

Workforce Specialisations

The sheer breadth and variety of the digital ecosystem technologies, products, deployment models, processes and practices in an organisation makes it impossible for any professional to develop competency in every area. Organisations therefore require professionals with different specialisations to work together in teams. An illustrative list of knowledge and skill specialisation areas for the composite workforce is given below. Source: NCIIPC-QCI Scheme for Cybersecurity Professionals.

.Knowledge and Skills Specialisation Areas
[cols="1,1"]
|===
| Knowledge Areas | Skills

a|
1. Network Infrastructure & Network Security
2. Systems (HW, VM, Firmware, OS) Security
3. Software and Platform Operations Security
4. Secure Systems Engineering
5. Secure Software Design & Development
6. Enterprise Governance, Risk and Compliance
7. Enterprise Supply Chain
8. Enterprise IT and Information Security
9. Enterprise Cyber Defence and Security Operations
10. Data Analytics
11. Cyber Forensics
12. Cyber Security Training & Awareness
13. ICS Cyber Security
a|
1. Programming & Scripting
2. Managing and Securing Systems, Networks, Applications
3. Managing and Securing Information, Data and Identities
4. Custom Software Development and Management
5. Cyber Defence and Security Operations
6. Others (OEM/ ISV Technologies and Products)
|===

Each knowledge and skill area also has an expertise level (basic, intermediate, expert) associated with it. The expertise levels should generally be mapped to the workforce hierarchy, keeping in view the functions executed by a particular level of the hierarchy, the size of the organisation and the complexity of its digital ecosystem. For example, junior levels are expected to acquire at least the basic level of expertise, while middle and senior levels are expected to acquire the intermediate or expert level. Professionals working with OEMs, ISVs, SIs, MSPs and other service providers are expected to have the intermediate or expert level of expertise in their respective areas of specialisation.

Tip

CSEs are advised to refer to Appendix 1A of the NCIIPC-QCI Scheme for Cybersecurity Professionals, which has a comprehensive and detailed table of knowledge, skills and expertise for each specialisation area of an organisation.

Functions

The composite workforce of CSEs and other organisations carries out the five technical and five management functions on a daily or periodic basis. In practice, to enable proper distribution of work and responsibilities, the ten functions are sub-divided into different domains.

Domains

A domain, in the context of workforce specialisations, is a distinct technical or organisational capability of processes, people and technology that a CSE must have in order to meet its IT and cybersecurity objectives. Each domain typically has an organisational hierarchy associated with it that is designed to handle different levels of work and responsibilities. An illustrative diagram of IT and cybersecurity domains mapped to organisational teams is given below.

Figure: IT and Cybersecurity domains in an organisation

Job Roles and associated Competencies

An illustrative list of IT and cybersecurity job roles and job descriptions in an entity is given below. The knowledge, skills and expertise level required for each job role is given against the role in the form of codes taken from Appendix 1A of the NCIIPC-QCI Scheme for Cybersecurity Professionals.

.Organisation Job Roles and associated Competencies
[cols="1,4,10,5"]
|===
| No. | Job Role (Job Title) | Work, activities and tasks required to be done as part of the Job Role (Job Description) | Knowledge, Skills & Expertise

| 1
| Information Security Specialist
| Conduct risk assessment to help identify cybersecurity risks and determine appropriate controls to ensure that IT and ICS systems perform within acceptable limits of risk. Monitor, track and manage risk mitigations and exceptions to ensure compliance with cybersecurity standards and policies.
| KM-0601F +
SM-0602F

| 2
| Information Security Officer (ISO) +
Chief Info Security Officer (CISO)
| Drive cybersecurity policies, standards and guidelines aligned to the organisation’s risk management framework, legislation and regulation. Responsible for establishing and approving ISMS policies, standards and guidelines to effectively manage cybersecurity risks, and for integrating and aligning the cyber risk management framework in the organisation’s context.
| KM-0601A, KM-0701F +
SM-0602A, SM-0603A

| 3
| IT GRC Strategist
| Strategise and design the IT GRC framework and ISMS for organisations and drive projects and investments for cybersecurity of the organisation.
| KM-0601M, KM-0701A +
SM-0602A, SM-0603A

| 4
| Field Security Engineer
| Provide engineering support in the field for security and security management of in-production/ in-use IT and ICS systems of both on-premises and cloud infrastructure of organisations.
| KM-0401F, KM-0801F, KM-0802F, KM-0803F +
SM-0301F, SM-0602F

| 5
| Technology & Systems Security Team Leader +
Chief Technology Officer (CTO) +
Chief IT Officer (CIO)
| Conceptualise, design, engineer, integrate and implement the security and security management aspects in IT and ICS systems of both on-premises and cloud infrastructure of organisations.
| KM-0401A, KM-0801A, KM-0802A, KM-0803A +
SM-0301A, SM-0602A

| 6
| Technology & System Security Architect +
Technology Strategist
| Strategise, conceptualise, design, engineer and integrate the security and security management aspects of large, complex IT and ICS systems of both on-premises and cloud infrastructure of organisations.

Identify IT and ICS cybersecurity needs of the organisation and translate them into security designs and principles. Recommend and lead the adoption of new technological advances and best practices in IT and ICS systems to mitigate security risks.
| KM-0401A, KM-0801A, KM-0802A, KM-0803A +
SM-0301A, SM-0602A, SM-0603A

| 7
| Apps & Data Security Engineer
| Configure, operate and administer the day-to-day security aspects of both on-premises and cloud software platforms (including SaaS) of organisations.

Provide security engineering support for development of secure software (Dev-Sec-Ops, secure CI/CD and AI/ML pipelines).

Work to be done using enterprise platforms for identity, role-based access management, LDAP, zero-trust infrastructure, IT and ICS asset management, EMS (application management), ITSM and ISMS platforms for patch management, configuration management (CMDB), ticketing and incident management, compliance management, and reporting.
| KM-0301F, KM-0302F, KM-0501F +
SM-0101F, SM-0301F, SM-0401F

| 8
| Apps & Data Security Administrator
| Design, oversee and manage secure software design and engineering, including secure software supply chain management.

Plan, design, engineer, analyse and oversee the security and security management aspects of software platforms of both on-premises and cloud infrastructure (including SaaS) of organisations.
| KM-0301A, KM-0302A, KM-0401A, KM-0501A +
SM-0301A

| 9
| Software Security Tester
| Security testing of software platforms and applications prior to use in the production environment and prior to upgrades.
| KM-0502F +
SM-0401F

| 10
| Software Security Analyst/ Administrator
| Oversee and manage the security testing of software platforms and applications.
| KM-0502A +
SM-0401A

| 11
| Product Security Tester
| Security testing of hardware, devices and appliances prior to use in the production environment and prior to upgrades.
| KM-0201F, KM-0202F +
SM-0401F

| 12
| Product Security Analyst/ Administrator
| Oversee and manage the security testing of hardware, devices and appliances.
| KM-0201A, KM-0202A +
SM-0401A

| 13
| Network Security Engineer
| Configure, operate and administer the day-to-day security aspects of telecom, IT and ICS networks of organisations.

Work to be done using enterprise platforms for patch management, configuration management (CMDB), ticketing and incident management, NMS (network management), and reporting.
| KM-0101F, KM-0102F +
SM-0101F, SM-0201F, SM-0601F

| 14
| Network Security Administrator
| Plan, design, engineer, analyse and oversee the security and security management aspects of telecom, IT and ICS networks of organisations.
| KM-0101A, KM-0102A, KM-0201F, KM-0202F +
SM-0201A, SM-0601F

| 15
| System Security Engineer
| Configure, operate and administer the day-to-day security aspects of systems of both on-premises and cloud infrastructure of organisations.

Work to be done using enterprise platforms for patch management, configuration management (CMDB), ticketing and incident management, EMS (systems management), and reporting.
| KM-0201F, KM-0202F +
SM-0101F, SM-0201F, SM-0601F

| 16
| System Security Administrator
| Plan, design, engineer, analyse and oversee the security and security management aspects of systems of both on-premises and cloud infrastructure of organisations.
| KM-0101F, KM-0102F, KM-0201A, KM-0202A +
SM-0201A, SM-0601F

| 17
| Security Support Operator
| Operate and support the day-to-day security of end user systems and devices.
| KM-0201F, KM-0202F, KM-0803F +
SM-0101F

| 18
| System Security Administrator
| Plan, design, engineer, analyse and oversee the security and security management aspects of end user systems and devices.
| KM-0201A, KM-0202A, KM-0803A +
SM-0101F

| 19
| Security Performance Junior Analyst
| Collect, collate, normalise and analyse cybersecurity related data for assessing the performance of cybersecurity functions.
| KM-1001F +
SM-0101F

| 20
| Security Performance Senior Analyst
| Plan, design, engineer and oversee the cybersecurity performance analysis to derive insights and identify areas of improvement.
| KM-0101F, KM-0102F, KM-0201F, KM-0202F, KM-1001A +
SM-0101F

| 21
| ICS Cybersecurity Operator
| Operate and administer the day-to-day security aspects of the ICS environment of organisations.
| KM-1301F

| 22
| ICS Cybersecurity Analyst +
ICS Security Manager
| Plan, design, engineer, analyse and oversee the security and security management aspects of the ICS environment of organisations.
| KM-1301A

| 23
| ICS Cyber Defence Strategist
| Develop frameworks, strategies and processes for vulnerability management, protection, cyber incident detection, response, recovery, investigation and cyber forensics in the ICS environment.
| KM-1301M +
SM-0602F, SM-0602A, SM-0603A

| 24
| IT Cyber Defence Operator
| Operate and carry out the day-to-day cyber defence functions like rogue asset discovery, vulnerability tracking and cyber threat intelligence (CTI) analysis.
| KM-0804F, KM-0901F +
SM-0101F, SM-0501F

| 25
| IT Cyber Defence Analyst +
Cyber Defence Manager
| Plan, design, engineer, analyse and oversee the security and security management aspects of cyber defence. May include cybersecurity management of outsourced and third-party service providers like MSPs and MSSPs.
| KM-0804A, KM-0901A +
SM-0101F, SM-0501F, SM-0501A

| 26
| IT Cyber Defence Strategist
| Develop frameworks, strategies and processes for protection, threat and cyber incident detection, response and recovery in the IT environment.
| KM-0804A, KM-0901M +
SM-0101F, SM-0501A, SM-0601F, SM-0603A

| 27
| Vulnerability, Threat, Risk Operator
| Carry out the day-to-day vulnerability and risk assessment, threat hunting activities and technical audits.

Proactively scan logs, network traffic, SIEMs and other channels for suspicious behaviours and indicators of compromise. Identify IT and ICS assets prone to cyber threats and attacks, and monitor for potential threat actors/ groups/ individuals attempting cyber-attacks.
| KM-0804F +
SM-0602F

| 28
| Vulnerability, Threat, Risk Analyst +
Risk Manager
| Plan, design, engineer, oversee and manage the vulnerability and risk assessment, threat hunting activities and technical audits. Derive deep insights for providing strategic direction and investments.
| KM-0804A +
SM-0602A, SM-0603A

| 29
| Security Operations Operator
| Carry out the day-to-day security operations activities in the SOC, like surveillance and monitoring of IT and ICS systems and assets, support the identification of threats and vulnerabilities, and provide incident response and remediation support.
| KM-0201F, KM-0803F +
SM-0101F

| 30
| Security Operations Analyst +
Security Operations Manager
| Plan, design, engineer, oversee and manage the security operations in the SOC. Respond to cyber incidents, and coordinate containment, mitigation and recovery.
| KM-0201A, KM-0803A +
SM-0101F

| 31
| Cyber Forensics Junior Analyst +
Incident Response Operator
| Analyse and investigate cyber incidents to identify breaches, loopholes, process deviations and failures.
| KM-1101F +
SM-0101F, SM-0501F

| 32
| Cyber Forensics Senior Analyst +
Incident Response Manager
| Plan, direct, oversee, monitor and manage the cyber forensic analysis and investigation activities into the cause and impact of incidents; develop detailed reports on incident timeline, evidence, findings, conclusions and recommendations.
| KM-1101A +
SM-0101F, SM-0501A

| 33
| Cyber Defence Architect +
Incident Response Strategist
| Strategise, design, engineer and integrate cyber forensics and investigation processes into the security management of large, complex IT and ICS systems of both on-premises and cloud infrastructure of organisations.
| KM-1101M +
SM-0101F, SM-0501A

| 34
| Cyber Training & Awareness Assistant
| Operate the routine cybersecurity training and awareness programmes.
| KM-1201F +
SM-0601F, SM-0602F

| 35
| Cyber Training & Curriculum Manager
| Design and manage the cybersecurity curriculum for end users, IT and ICS specialists and managers.
| KM-1201A +
SM-0601A, SM-0602F
|===

An illustrative reporting hierarchy for different job roles is given in the diagram below.

Figure: Workforce reporting hierarchy

The generic top-most positions for the different reporting hierarchies are described below:

  • Chief Technology Officer (CTO) – Oversees the overall technology strategy, large project implementations and engineering functions.
  • Chief Information Officer (CIO) – Oversees the IT operations and IT security functions.
  • Chief Operations Officer (COO) – Many organisations with large OT/ ICS segments typically have separate COOs for overseeing the OT operations and OT security functions.
  • Chief Information Security Officer (CISO) – Oversees the IT Governance (Policies), Risk & Compliance (GRC) functions and information security (IS) operations.

Highly specialised job roles like IT/ ICS GRC Strategist, Technology & System Security Architect, ICS Cyber Security Architect, Cyber Defence Strategist and Cyber Defence Architect are typically required in very large entities and consultancy organisations. Mid-sized and smaller CSEs may choose to contract these services on a need basis from consultancy organisations.

Competency Profiles and Certifications

The Government has embarked upon capacity building of the cybersecurity workforce through mechanisms such as academic and education programmes and certification of competency profiles by internationally recognised accreditation and certification bodies. A number of academic programmes for cybersecurity are already being conducted by leading universities. In addition, there are many global and national level certification programmes run by different private bodies.

An indicative list of major international certifications is collated here. The list has been prepared based on publicly available information and has not been vetted for correctness and completeness. Suggestions for improvements and rectification of errors are welcome.

Guidance on Workforce Capabilities

Organisations are advised to adopt the following steps to align workforce competencies and certifications to the different IT and cybersecurity job roles:

  1. Categorise the organisation’s cybersecurity workforce requirements for the different IT and cybersecurity domains and job roles, using the information on the work, activities and tasks listed against each job role.

  2. Map the knowledge and skills specialisation areas and expertise levels that are considered essential for the job roles. Identify the appropriate set of competency certifications and/ or academic programs that cover the knowledge, skills and expertise requirements for the job roles.

  3. Choose a workforce composition mix that is most appropriate for achieving the IT and cybersecurity objectives of the organisation. Small and medium sized CSEs may club some of the job roles within the Technical (Cybersecurity) vertical and within the Technical (IT & ICS Security) vertical and assign them to one person with the appropriate knowledge and skillsets. Job roles shall not be clubbed across these two verticals.

  4. Use the job roles, job descriptions, knowledge and skills specialisation areas, expertise levels, competency certifications and academic programs to create appropriate job profiles for internal and/ or external hiring and/or for sourcing of competent workforce from service providers and consultancy organisations.

  5. Use the competency profiles (knowledge, skills and expertise levels) for the different job roles to design training programmes and, if required, to hire training bodies to train the workforce in the different cybersecurity domains, as part of capability and capacity development programmes.

  6. Use the competency profile certifications provided by accredited bodies recommended by the government/ national nodal agencies as a basis for selection.

  7. Use the competency profile certifications to demonstrate to regulators and national agencies that the cybersecurity personnel employed in critical IT & ICS domains have the required competence to carry out their respective job role responsibilities.