
Applied security capability

Skill Definition

"Applied security capability is formed of a set of complementary security skills. Individual roles may have a requirement for a different profile across these skills. Applied security capability involves 4 elements:

1. Security requirement elicitation: gathering and deriving meaningful security requirements to support an identified need
2. Application of security capabilities: applying standardised or unique security capabilities to address security needs
3. Provision of assurance and confidence: providing confidence that business priorities are appropriately protected
4. Security and risk reporting: communicating security and risk effectively"

Awareness

Understands why security must support business needs and the importance of being able to demonstrate that relationship

Aware of some key, well-understood security principles and can demonstrate an awareness of some cyber security relevant technologies

Understands why it is important to gain confidence in security measures and can describe some straightforward mechanisms for doing so, such as penetration tests

Understands and can describe basic security concepts


Working

Aware of the need to provide traceability between business need and security requirements.

Gathers and derives simple or obvious security requirements for highly standardised use cases, using well-established guidance that is unlikely to be contentious

Provides basic security advice to address standard security needs. Advice could be written or verbal. Knows the limitations and scope of the advice that can be given, and when to draw on others' expertise

Is aware of and follows appropriate processes, such as quality control arrangements

Understands and can apply a range of basic approaches to assurance and understands their applicability

Meaningfully describes straightforward security concepts and their business applicability

Ensures that the security recommendations and risk statements developed are reasonable and well contextualised to the business need under consideration


Practitioner

Elicits security requirements based on straightforward approaches such as threat/vulnerability/impact analysis. Security needs will include an understanding of the user as part of the overall system

Helps organisations to derive and reason about their security needs, such as understanding and applying security principles to particular business scenarios

Interprets and clarifies management or organisational intention with regard to security, such as that described in risk appetite statements. This includes translating such statements into meaningful and appropriate security requirements

Provides security advice to non-standard use cases, drawing on and using experts in specific topics or technologies

Uses standardised control frameworks (such as ISO/IEC 27001 and 27002) appropriately, with awareness of their strengths and limitations

Understands when security measures might impact users or business needs and provides effective advice to help the business make an appropriate decision

Applies a range of assurance approaches, with a clear understanding of the strengths and limitations of each. Can clearly map the assurance options recommended directly to the security need to be addressed

Assurance and confidence are not limited to a point in time, but seek to address confidence across the system/service life cycle

Provides meaningful security and risk communication in a range of scenarios

Understands and takes account of the limitations of various risk communication mechanisms, such as qualitative versus quantitative approaches


Expert

Considers complicated, non-obvious security needs, e.g. where the connections between the business need, the technology that supports that need and how it might be impacted are important to work out

Works closely with those who 'own' business needs, deduces their tolerances with regard to the things they care about and turns those into meaningful security statements that can be applied. These might be either complicated and specific, or simple scenarios with broad applicability

Delivers security advice that is contextualised and appropriate for the strategic customer need

Avoids providing 'point' solutions or advice that does not address the overall key need. Looks at the wider 'system', including sociotechnical considerations (e.g. the role the user plays in meeting the desired security outcomes)

Provides security advice that extends beyond the particular technologies with which the candidate is familiar, and draws upon and directs appropriate expertise to solve the bigger security problem. Ensures the overall technical coherence and quality of advice

Together with assurance experts, develops and applies novel approaches to assurance of products/systems/services

Understands and applies different approaches to product, implementation and operational assurance. Uses each appropriately to derive a genuine understanding of the confidence that the overall business objective is protected

Provides technical leadership for specific experts (for example pen-testers, or product or behavioural assurance specialists) in the context of a specific technical assurance or confidence challenge

Effectively communicates difficult risk and security concepts in accessible ways that can be clearly understood by business leaders. Contributes to and develops risk communication strategies
