Two ways to build a secure software team using the NICE Framework
In business, you are often presented with complex situations to resolve. Often, those that involve human beings are the most difficult to get right. Often, you are offered lots of advisories and frameworks to help in making the wheels of your organization turn smoothly. NIST Special Publication 800-181 Revision 1 “Workforce Framework for Cybersecurity (NICE Framework)” is one such framework.
The latest version of the NICE Framework, published in 2020, guides the development of a workforce that can manage an organization’s cybersecurity risk. The key phrases behind this revision are “agility, flexibility, interoperability and modularity.” These tenets of workforce development are the foundation; on top of them the NICE Framework builds pillars based on roles and competencies, the goal being to create effective multidisciplinary teams.
How does the NICE Framework for Cybersecurity apply to a secure software team?
The NICE Framework for Cybersecurity sets out a path to standardize how a workforce is developed, including mapping competencies to roles. The framework provides a view of the structure needed to populate a secure software team as well as the certifications, knowledge and skills needed by each team member. The NICE Framework, however, does specify that this is a generalized structure and plan and that local adaptations may be required. It is this latter point that gives an innovative team leader the leeway to add the staff and skills needed to create an exemplary secure software development team.
Examples of roles and competencies within a secure software development team
Building effective teams begins by deciding on the basic roles, competencies and skill sets needed to develop a well-rounded secure software development team.
Cybersecurity can be a challenging and complicated discipline that is ideally suited to teams made up of individuals who have complementary or even contrasting skills. The NICE Framework for Cybersecurity suggests two ways to build these teams:
- Top-down: a role-centered approach to building teams
- Bottom-up: building teams with competencies
Top-down: Work role-centered approach to building teams
Using a “top-down” approach begins with outlining the work roles required of each team member. The NICE Workforce Framework sets out the basic roles for a secure software team that can map to the software development life cycle (SDLC) and the secure software development framework (SSDF) from NIST. These roles are broken down into areas:
- Design, security architect: this person is involved in the initial design phases of software development. The role manages any stakeholder security requirements needed to protect the organization’s mission and ensures that all security aspects of enterprise architecture are addressed.
- Build, software developer: this role is responsible for creating and maintaining code for new and existing applications and systems. The software developer creates functional software and is relevant across the SDLC.
- Deploy, network operations specialist: this role has the responsibility for planning, implementation and operation of network services/systems including hardware and virtual environments.
- Operate, technical support specialist: this role provides technical support to customers. They are skilled in developing, updating and/or maintaining standard operating procedures (SOPs).
- Maintain, database administrator: the employee(s) behind this role are involved in the secure storage and utilization of data within a database.
- Decommission, cyber legal advisor: this role works to advise on decommissioning software and systems so the employee(s) must have an appropriate legal background.
An example of a team based on a top-down approach
Building a secure software team using a top-down approach would typically start with asking: what is the project or goal? In other words, identify the work.
For example, the goal is to develop an identity platform for your customer base. To begin, the work would be split into “phases” or “work packages” across the lifecycle of the project.
Work would start with a requirement gathering exercise via the project stakeholders. The team lead would generate the work packages to reflect distinct areas of work within the project, each area then being assigned to a team role. These roles would fit with the NICE Workforce Framework suggested roles but may require some additional localized roles depending on the project. For example, in the case of the development of a customer-facing application, user experience experts may be required.
The team members would work in their assigned area, whilst iterating on details.
The top-down approach to secure software team creation draws upon the NIST Secure Software Development Framework (SSDF). The SSDF is built upon the tenets of secure software development practices as defined by organizations such as OWASP. When mapped to the advisories within the SSDF, the software code developed by a top-down team based on the NICE Workforce Framework will be able to apply best-practice secure coding to reduce vulnerabilities.
A great use case showing how top-down can be applied to team creation is that of Cal Poly California Cybersecurity Institute (CCI). CCI used the NICE Framework as a guide in identifying cybersecurity roles and skills.
Bottom-up: building teams with competencies
The bottom-up approach is based on knowing that there are a set of core competencies needed to achieve a robust, secure software team. NIST outlines a list of NICE core competencies to use as a basis for bottom-up team management. One of the advantages of this method is that you can create a learning environment, allowing people with the right skills to move into role positions in the team as the work goals change. Bottom-up teams are often filled with innovative individuals who are experts in their domain.
Technology is an area that changes rapidly. As such, a bottom-up approach to building secure software teams creates a more open environment for learning. Learning propagates innovation. Leaders of bottom-up teams need to harness their employee knowledge base and create learning opportunities that cut across field domains.
An example of a team based on a bottom-up approach
A competency-led team developing a customer-centric identity system would look for the competencies needed to design and develop such a system; these would include the following “notional competencies” from the NIST competencies list:
- Identity management
- Requirements analysis
- Risk management
- Project management
- Software testing and evaluation
- Vulnerabilities assessment
- Data privacy
- Data security
The project phase, including requirement gathering, can typically take longer using a bottom-up team, as every member of the team comes together to impart know-how into the project.
A real-world example of the use of bottom-up, competency-led team development is the Lynx Technology Partners use case. Lynx uses competencies as building blocks to make sure they hire, develop and promote effectively.
A vision of a secure software team
NIST’s vision is to “Prepare, grow, and sustain a cybersecurity workforce that safeguards and promotes America’s national security and economic prosperity.” This is an ambitious statement, but one that needs to be made in a world where the cybersecurity skills gap continues to challenge industry. Whether you build a team using top-down or bottom-up or even a hybrid of the two, the NICE Framework for Cybersecurity will help guide your staff choices.
NIST Special Publication 800-181 Revision 1 “Workforce Framework for Cybersecurity (NICE Framework)”, NIST
Secure Software Development Framework (SSDF), NIST
NICE Core Competencies Draft, March 2021