Baselining Cybersecurity Skills for All IT Professionals

Author: Neil Lappage, CISM, CDPSE, CISSP, Managing Director 59 Degrees North
Date Published: 17 February 2021

In the era of modern IT, it is becoming increasingly important for IT professionals to have a baseline contemporary cybersecurity skillset. Ultimately, since any IT person can positively or negatively impact cybersecurity within an organization, this is paramount for both individuals and organizations. With cybersecurity skills continuing to be scarce, ensuring that all staff are incorporating good cybersecurity practices into their day-to-day work greatly helps organizations to reduce risk. Furthermore, it will also help to close the skills gap by providing IT staff with more opportunities in other areas, if they want to transition their careers into cybersecurity.

To develop baseline cybersecurity skills, IT professionals should look to master key cybersecurity concepts, and in particular, cybersecurity controls. ISACA’s upcoming Information Technology Certified Associate (ITCA) credential includes five stackable certificate programs, with Cybersecurity Fundamentals being one of them, along with Computing Fundamentals, Networks and Infrastructure Fundamentals, Data Science Fundamentals and Software Development Fundamentals. While the certification is a great fit for young professionals and career-changers since there is not an experience requirement, it can also help experienced professionals to baseline and upgrade their IT skillsets with current trends and potentially transition into new roles in the future.

As an example, it is important for newcomers to the cybersecurity field to cover the architecture of cybersecurity solutions and to be aware of key controls that should be implemented as a baseline to thwart the most common types of attacks. Since a range of weaknesses are abused in the most common types of attacks, knowledge in these areas can help to ensure that organizations are secured from the inside-out.

Security architecture in cloud computing is also becoming increasingly important as organizations choose to become cloud-first or, for new organizations, cloud-native. This starts with knowing how to securely architect cloud solutions. While cloud providers hold myriad certifications that provide assurance to organizations, the game is won and lost within the configuration of cloud systems. Understanding the tools that can be used to maintain hygiene and continuously scan for gaps is essential to ensure that the public cloud is secure.

From a threat perspective, it is important to know the common types of threats, how systems and vulnerabilities are exploited, and the preventative controls and, in particular, the response and recovery controls. This also includes ensuring that the mindset of professionals is aligned with current thinking, such as understanding that preventative controls are no longer sufficient since attacks are so varied in nature that they may not always be prevented. Instead, response and recovery are more important.

There are a range of contemporary security controls that are becoming increasingly adopted within the industry that are providing real value to organizations. Professionals should invest time in understanding what these controls are, what their benefits are, and the suitable use cases where they can be applied.

For example, understanding zero-trust and the benefits that it can provide to reduce the blast radius of a breach is important. From an endpoint security perspective, understanding the difference between Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) is key to preventing malware from executing on endpoints.

In support of this, it is important to understand where these products fit into the kill chain, and what controls either upstream or downstream can prevent malware from being delivered in the first place – or, if it does successfully execute on the endpoint, understanding how to prevent command and control traffic from exiting the network.

From an emerging technology perspective, it is important for professionals to understand the benefits of these new technologies and the associated risks that need to be managed. As an example, without the necessary due diligence being completed, some Internet of Things (IoT) solutions can be inherently insecure. So, we must understand the key controls that should exist in such solutions, from the sensor to the gateway to the cloud.

It is expected that most IT roles will include some form of responsibility to protect assets and information in the future. Being ready for this shift will enable professionals to secure new roles and be effective in reducing cyberrisk in their organizations.

Editor’s note:
To find out more about ISACA’s new ITCA credential, visit https://www.isaca.org/credentialing/itca.