The presentation discusses how auditors can conduct cybersecurity skills audits to improve organizational cybersecurity. It outlines challenges with current controls and the need to audit skills in addition to technology and processes. Various cybersecurity skills frameworks are presented, including NIST NICE, the EU e-CF, and SFIA models. Methods for implementing a skills audit through questionnaires and skills assessments are described. The output of a skills audit would be a list of existing skills coverage and identification of skills gaps to guide remediation actions.
2. #EUROCACS
Problem
• Cybersecurity controls are failing to protect organizations.
• Controls consist of skills, process, and technology.
• Audit of technology and process is well understood.
• Audit is expected to assist organizations.
• How should the skills audit be approached to obtain a better cybersecurity result?
8. #EUROCACS
Cybersecurity Skills Audit: When and Where?
From recent ISACA publication: Information Systems Auditing: Tools and Techniques—Creating Audit Programs
Automation of business functions
Ex. Assess org/IS resilience to cyber threats
Should we include skills audit?
1) Risk: lack of skilled people
2) Skills required to assess
Methodologies (NICE, CSC, e-CF, SFIA)
9. #EUROCACS
Other Reasons for Skills Audit
HR:
• Re-organization preparation. Which skillsets do we need to plan for?
• Which skillset should we hire?
CISO office:
• Information security should be handled better. Which skills are missing?
Career planning:
• What should I focus on for my cybersecurity career?
10. #EUROCACS
Cybersecurity Skills Models
• NIST NICE (United States)
• e-CF (European Union / Dutch)
• SFIA6
– Matthew Burrows / SFIA6 Design Authority, design@sfia-online.org / EuroCACS/ISRM 2015 presentation
20. #EUROCACS
PvIB/e-CF model vs. ISACA CISM
PvIB/e-CF e-Competences:
• D.1. Information Security Strategy Development
• E.3. Risk Management
• E.8. Information Security Management
PvIB Job Profiles: CISO, ICTSM, ISO, ICTSS
ISACA CISM Domains:
• D1. Information Security Governance
• D2. Information Risk Management and Compliance
• D3. Information Security Program Development and Management
• D4. Incident Management and Response
Proficiency level cells by job profile (row/column layout lost in extraction): Not Available, Level 5, Level 4, Level 5, Level 3, Level 4, Level 3, Level 4, Level 3
21. #EUROCACS
PvIB/e-CF model vs. ISACA CISA
PvIB/e-CF e-Competences:
• B. BUILD (ICTSS: B.4. Solution Deployment)
• C. RUN (ICTSS e-CF only: C.2 Change Support, C.3 Service Delivery)
• E.8. Information Security Management
• E.9. IS Governance
PvIB Job Profiles, proficiency: CISO, ICTSM, ISO, ICTSS
ISACA CISA Domains:
• D1. The Process of Auditing Information Systems (14%)
• D2. Governance and Management of IT (14%)
• D3. Information Systems Acquisition, Development, and Implementation (19%)
• D4. Information Systems Operations, Maintenance and Support (23%)
Proficiency level cells by job profile (row/column layout lost in extraction): Level 5, Level 4, Level 4, Level 4 (e-CF only), Level 3, Level 2, Level 3 (e-CF only)
23. #EUROCACS
PvIB realm vs. ISACA realm
PvIB Model e-Competences:
• A.7. Technology Trend Monitoring
• B.4. Solution Deployment
• D.1. Information Security Strategy Development
• E.3. Risk Management
• E.4. Relationship Management
• E.8. Information Security Management
• E.9. IS Governance
General competences:
• G.1. Leadership
• G.2. Project management
• G.3. Communication and persuasion
• G.4. Technical research
• G.5. Organisational sensitivity
• G.6. Management
• G.7. Analytical skills
• G.8. Integrity
ISACA CISM Domains:
• D1. Information Security Governance (24%)
• D2. Information Risk Management and Compliance (33%)
• D3. Information Security Program Development and Management (25%)
• D4. Incident Management and Response (18%)
ISACA CISA Domains:
• D1. The Process of Auditing Information Systems (14%)
• D2. Governance and Management of IT (14%)
• D3. Information Systems Acquisition, Development, and Implementation (19%)
• D4. Information Systems Operations, Maintenance and Support (23%)
ISACA CRISC Domains:
• D1. Risk Identification (27%)
• D2. Risk Assessment (28%)
• D3. Risk Response and Mitigation (23%)
• D4. Risk and Control Monitoring and Reporting (22%)
ISACA CGEIT Domains:
• D1. Framework for the Governance of Enterprise IT (25%)
• D2. Strategic Management (20%)
• D3. Benefits Realization (16%)
• D4. Risk Optimization (24%)
Generic competences, proven experience and continuous education
Cells marked NA: PvIB does not cover
PvIB Job Profiles, proficiency levels: CISO, ICTSM, ISO, ICTSS
Proficiency level cells by job profile (row/column layout lost in extraction): Level 3, Level 3, Level 2, Level 5, Level 4, Level 3, Level 3, Level 4, Level 5, Level 4, Level 4, Level 3, Level 4, Level 3, Level 3, Level 3
26. #EUROCACS
How to run a skills audit?
Simplest:
• Ask: which skills are missing to reach the goals?
Medium:
• Inventory/assess existing skills via questionnaires (list competences, ask people to self-assess)
Sophisticated:
• Run serious tests to assess
27. #EUROCACS
Output of skills audit
Simplest:
• List of skills/competences and who covers them
• Items without people – missing competences
Medium:
• Skills/competences with required levels and fulfilled levels
• Gap is visible
Sophisticated:
• Detailed report from professional skills assessors
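The "simplest" and "medium" outputs described on the two slides above (who covers which competence, which competences nobody covers, and required level versus fulfilled level with the resulting gap) can be produced directly from questionnaire answers. The following is an added worked example, not code from the presentation or from PvIB/ISACA; the e-CF competence codes are the ones listed in the deck, while the people, the required levels and the self-assessed levels are constructed sample data.

```python
"""Skills-audit gap analysis over self-assessment questionnaire results.

Competence codes follow the e-CF naming used in the deck; the required levels,
the people and their self-assessed levels are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Competence:
    code: str
    name: str
    required_level: int  # proficiency level the organisation needs (e-CF uses levels 1-5)


# Constructed: competences the organisation needs, with assumed target levels.
REQUIRED = [
    Competence("D.1", "Information Security Strategy Development", 5),
    Competence("E.3", "Risk Management", 4),
    Competence("E.8", "Information Security Management", 4),
    Competence("E.9", "IS Governance", 3),
    Competence("B.4", "Solution Deployment", 3),
    Competence("A.7", "Technology Trend Monitoring", 3),
]

# Constructed questionnaire results: person -> {competence code: self-assessed level}.
# A competence absent from someone's answers means they did not claim it.
RESPONSES = {
    "alice": {"D.1": 4, "E.3": 4, "E.8": 3},
    "bob": {"E.8": 4, "E.9": 2, "B.4": 3},
    "carol": {"E.3": 2, "E.9": 3},
}


def coverage(required, responses):
    """Simplest output: for each competence, who claims it at any level."""
    return {
        c.code: sorted(person for person, levels in responses.items() if c.code in levels)
        for c in required
    }


def missing_competences(required, responses):
    """Simplest output: competences that nobody claims at all."""
    cov = coverage(required, responses)
    return [c.code for c in required if not cov[c.code]]


def gap_report(required, responses):
    """Medium output: required level vs. best fulfilled level, gap per competence."""
    report = {}
    for c in required:
        claimed = [levels[c.code] for levels in responses.values() if c.code in levels]
        best = max(claimed, default=0)  # 0 when nobody claims the competence
        report[c.code] = {
            "name": c.name,
            "required": c.required_level,
            "fulfilled": best,
            "gap": max(c.required_level - best, 0),
            # People who meet or exceed the required level.
            "covered_by": sorted(
                person for person, levels in responses.items()
                if levels.get(c.code, 0) >= c.required_level
            ),
        }
    return report


def remediation_candidates(report):
    """Competences with a positive gap, largest gap first, to guide remediation actions."""
    return sorted(
        (code for code, row in report.items() if row["gap"] > 0),
        key=lambda code: (-report[code]["gap"], code),
    )


if __name__ == "__main__":
    rep = gap_report(REQUIRED, RESPONSES)
    for code, row in rep.items():
        print(f"{code} {row['name']}: required {row['required']}, fulfilled {row['fulfilled']}, "
              f"gap {row['gap']}, covered by {row['covered_by'] or '-'}")
    print("missing competences:", missing_competences(REQUIRED, RESPONSES))
    print("remediate first:", remediation_candidates(rep))
```

Because the levels are self-assessed, the "fulfilled" column only records what people claim; the "sophisticated" variant on the slide replaces `RESPONSES` with assessor-verified levels, and the same gap computation applies.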
28. #EUROCACS
Summary
The main cybersecurity challenges are in governance, workforce skillset, and the inability of technology to be resilient.
This presentation is geared towards auditors, to learn how to use different cybersecurity workforce models to prepare better for cybersecurity audits.
Differences between the NIST NICE, EU e-CF and SFIA models are presented, along with how to modify these frameworks for your own use and how to integrate the Critical Security Controls.
29. #EUROCACS
After this presentation you should be able to:
1. create your own adjustments to the cybersecurity workforce skillset
2. connect cybersecurity tasks with skills
3. recommend remediation actions for cybersecurity workforce problems to organizations
4. apply the US and EU cybersecurity skills, job profile and e-competence models to your own internal and external audits
1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).
2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application, system or a limited period of time.
4. Perform pre-audit planning.
• Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team to justify the engagement and further refine the scope and preplanning focus.
• Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
• Identify regulatory compliance requirements.
• Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work. Some of the resources that need to be defined follow:
– Technical skills and resources needed
– Budget and effort needed to complete the engagement
– Locations or facilities to be audited
– Roles and responsibilities among the audit team
– Time frame for the various stages of the audit
– Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
– Points of contact for administrative and logistics arrangements
– A communication plan that describes to whom to communicate, when, how often and for what purposes