Background
Competency Framework
As cybersecurity threats for the enterprise is evolving rapidly, we need to develop a competency framework to evaluate staffing and for pipeline development.
This competency framework can be used to develop customised training programmes for individuals (or teams) and also for evaluation of skills for promotion considerations.
Principle Considerations
Key points when creating this framework
- Enable focused development to build deep capabilities
- Relevant to business needs
- Set skills expectations for job-grade
Competency Mapping
Role Categories
As the cybersecurity domain is very wide and most organisations may not have specialist in every type of skills, the mapping will be categorised to 4 main types of roles:
- CISO
- Cybersecurity Specialist
- Governance, Risk, Compliance
- Cybersecurity Engineers
Competency Areas
The skill areas for each competency can be viewed as such:
Cybersecurity Operations
|
Cybersecurity Consulting
|
Cybersecurity Governance
|
Cybersecurity Engineering
|
Incident Response
|
Cyber Risk Assessment
|
Strategy Development
|
Adversary Simulation
|
Digital Forensics
|
Cybersecurity Design
|
Policies Development
|
Social Engineering
|
Malware Analysis
|
Cyber Programme Mgmt
|
Audit & Compliance
|
Penetration Testing
|
Cyber Threat Intelligence
|
Cyber Tech Assessment
|
|
Software Development
|
Cyber Threat Analysis
|
|
|
|
SOC Operations
|
|
|
|
Level of Competency
The level of competency can be categorised into 5 levels:
Level
|
Description
|
Test Question
|
L1
|
Understanding
|
Can you explain the subject ?
|
L2
|
Application
|
Tell me how you would apply this knowledge?
|
L3
|
Analysis
|
How would you perform root-case analysis related issues?
|
L4
|
Synthesis
|
How would you apply lessons learned to re-design the approach?
|
L5
|
Evaluation
|
How would you assess the effectiveness of your applied strategy?
|
Roles
CISO
CISO is a job which requires broad knowledge across cybersecurity domains, and deep competencies in areas of consulting and governance, to support the business leaders.
Job Description
|
You will oversee the security posture of the organisation. You will be responsible for maintaining the cybersecurity policies, standards and procedures for the organisation and driving cybersecurity compliance. You will be key in driving the security awareness of the organisation and oversee all cybersecurity incidents.
|
Responsibilities
|
- Build out expertise in the cybersecurity domains
- Promote cybersecurity awareness across the organisation
- Own the tools and initiatives for cybersecurity operations.
- Optimize cybersecurity budget to get the best defence within budget
- You will identify needs, weaknesses, risks and build the roadmap to address them and bring the cybersecurity posture to the next level.
- Close out all cybersecurity audit findings promptly.
|
|
|
|
Relevant Areas
|
Grade
|
Competencies
|
Assistant
|
2 X L2
2 X L3
1 X L4
|
Deputy
|
3 X L2
2 X L3
1 X L4
|
Senior
|
5 X L2
4 X L3
1 X L4
|
|
Cybersecurity Operations
|
Cybersecurity Consulting
|
Cybersecurity Governance
|
Cybersecurity Engineering
|
Incident Response
|
Cyber Risk Assessment
|
Strategy Development
|
Adversary Simulation
|
Digital Forensics
|
Cybersecurity Design
|
Policies Development
|
Social Engineering
|
Malware Analysis
|
Cyber Programme Mgmt
|
Audit & Compliance
|
Penetration Testing
|
Cyber Threat Intelligence
|
Cyber Tech Assessment
|
|
Software Development
|
Cyber Threat Analysis
|
|
|
|
SOC Operations
|
|
|
|
|
Cybersecurity Specialist
Cybersecurity Specialist is a role which requires deep expertise in a particular domain to support the needs of a particular function.
|
Relevant Areas
|
Grade
|
Competencies
|
Intern
|
1 X L1
|
Associate
|
1 X L1
1 X L2
|
Junior
|
2 X L1
1 X L2
1 X L3
|
Senior
|
3 X L1
2 X L2
1 X L4
|
|
Cybersecurity Operations
|
Cybersecurity Consulting
|
Cybersecurity Governance
|
Cybersecurity Engineering
|
Incident Response
|
Cyber Risk Assessment
|
|
Adversary Simulation
|
Digital Forensics
|
Cybersecurity Design
|
|
Social Engineering
|
Malware Analysis
|
Cyber Programme Mgmt
|
|
Penetration Testing
|
Cyber Threat Intelligence
|
Cyber Tech Assessment
|
|
Software Development
|
Cyber Threat Analysis
|
|
|
|
SOC Operations
|
|
|
|
|
Governance, Risk & Compliance
GRC is a job which requires broad knowledge across cybersecurity domains, and deep competencies in areas of governance, to deliver mandate for all system implementers.
|
Relevant Areas
|
Grade
|
Competencies
|
Intern
|
1 X L1
1 X L2 (GC)
|
Associate
|
2 X L1
1 X L3 (CG)
|
Junior
|
2 X L1
1 X L2
1 X L3 (CG)
|
Senior
|
3 X L1
2 X L2
1 X L4 (CG)
|
|
Cybersecurity Operations
|
Cybersecurity Consulting
|
Cybersecurity Governance
|
Cybersecurity Engineering
|
Incident Response
|
Cyber Risk Assessment
|
Strategy Development
|
Adversary Simulation
|
Digital Forensics
|
Cybersecurity Design
|
Policies Development
|
Social Engineering
|
Malware Analysis
|
Cyber Programme Mgmt
|
Audit & Compliance
|
Penetration Testing
|
Cyber Threat Intelligence
|
Cyber Tech Assessment
|
|
Software Development
|
Cyber Threat Analysis
|
|
|
|
SOC Operations
|
|
|
|
|
Cybersecurity Engineer
Cybersecurity engineer is a job which requires deep expertise in a particular domain to support the needs of a particular function.
|
Relevant Areas
|
Grade
|
Competencies
|
Intern
|
1 X L1 (CE)
|
Associate
|
2 X L1
1 X L2 (CE)
|
Junior
|
2 X L1
1 X L2
1 X L3 (CE)
|
Senior
|
3 X L1
2 X L2
1 X L4 (CE)
|
|
Cybersecurity Operations
|
Cybersecurity Consulting
|
Cybersecurity Governance
|
Cybersecurity Engineering
|
Incident Response
|
Cyber Risk Assessment
|
Strategy Development
|
Adversary Simulation
|
Digital Forensics
|
Cybersecurity Design
|
Policies Development
|
Social Engineering
|
Malware Analysis
|
Cyber Programme Mgmt
|
Audit & Compliance
|
Penetration Testing
|
Cyber Threat Intelligence
|
Cyber Tech Assessment
|
|
Software Development
|
Cyber Threat Analysis
|
|
|
|
SOC Operations
|
|
|
|
|
Competency Areas
Incident Response
Training
|
CSX Practitioner
|
Incident Handling
|
Digital Forensics
|
|
|
|
Assessment
|
Level
|
Able to articulate IR process
|
L1
|
Describe information to collect during IR
|
L1
|
How would you use information collected during IR
|
L2
|
How would you determine root cause of incident
|
L3
|
Describe some process improvement for IR
|
L4
|
Develop automation tools for IR
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Gather information related to incident
- Categorize the incident according to guidelines
- Assist with mitigation of incident
- Help document the mitigation process
|
L2
|
Application
|
- Review categorisation by L1
- Perform triage
- Perform log analysis
- Escalate as per SOP
|
L3
|
Analysis
|
- Correlate evidence to diagnose incident
- Manage the containment of incident
- Lead the root cause analysis
|
L4
|
Synthesis
|
- Develop mitigation strategies
- Coach and supervise IR teams
- Establish SOPs and develop incident playbook
|
L5
|
Evaluation
|
- Adapt and create new SOPs and playbook for group
- Develop automaton for SOPs
|
Digital Forensics
Training
|
Digital Forensics
|
Encase/Axiom training
|
Cellebrite
|
|
|
|
Assessment
|
Level
|
Able to articulate how forensics images are collected
|
L1
|
Describe some coming imaging tools
|
L1
|
How would you use a forensics tool to extract evidence
|
L2
|
How would you determine incident from evidence
|
L3
|
Describe some process improvement for forensics investigation
|
L4
|
Develop new techniques/tools for forensics
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Understand basic forensics techniques and tools
|
L2
|
Application
|
- Process media to collect evidence
- Preserve chain of custody of evidence
|
L3
|
Analysis
|
- Evaluate tools and techniques for forensics
|
L4
|
Synthesis
|
- Establish forensics SOP
- Mentor and guide forensics team
- Create techniques, tactics and procedures for forensics practice
|
L5
|
Evaluation
|
- Develop new tools and/or techniques for forensics
|
Malware Analysis
Training
|
Digital Forensics
|
Malware deep dive
|
MITRE ATT&CK
|
|
|
|
Assessment
|
Level
|
Able to articulate malware families and how they work
|
L1
|
How would you extract a malware and determine its type
|
L2
|
How would you reverse engineer a malware
|
L3
|
Describe ways to counter malware and how would you implement them
|
L4
|
Develop new techniques/tools for malware capture and reverse engineering
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Understand basic malware characteristics and families
- Understand how malware works
|
L2
|
Application
|
- Create investigation sandbox
- Replicate malware attack
- Document exploit and mitigation
- Use anti-malware tools to contain threat
|
L3
|
Analysis
|
- Perform reverse engineering to find root cause
|
L4
|
Synthesis
|
- Develop defenses to counter malware
- Verify intel on malware threats
|
L5
|
Evaluation
|
- Develop new tools and/or techniques for malware detection and response
|
Cyber Threat Intelligence
Training
|
OSINT
|
MITRE ATT&CK
|
|
|
|
|
Assessment
|
Level
|
Able to articulate what is CTI
|
L1
|
Describe some threat intel source
|
L1
|
How would you use open source intel feed to build a story
|
L2
|
How would you gather intel feed and how to verify and make sense
|
L3
|
Describe how would you use STIX, TAXII, YARA and what make up these files
|
L4
|
Demonstrate new tools/techniques for intel collection and analysis
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
|
L2
|
Application
|
- Able to gather information using OSINT
|
L3
|
Analysis
|
- Possess analysis skills to better comprehend, synthesise and leverage complex scenarios
|
L4
|
Synthesis
|
- Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
- Create indicators of compromise (IoCs) in formats such as YARA, OpenIOC, and STIX
|
L5
|
Evaluation
|
- Establish structured analytical techniques to be used by analyst.
|
Cyber Threat Analysis
Training
|
OSINT
|
MITRE ATT&CK
|
|
|
|
|
Assessment
|
Level
|
Understand what is CTA
|
L1
|
Able to understand information found using OSINT
|
L2
|
Possess analysis skills to better comprehend, synthesise and leverage complex scenarios
|
L3
|
Generate threat analyse to explain and predict threats
Create analyst reports for management
|
L4
|
Establish structured analytical techniques to be used by analyst.
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
|
L2
|
Application
|
- Able to explain risk of threats identified
|
L3
|
Analysis
|
- Possess analysis skills to articulate risk of threat from intel for the organisation
|
L4
|
Synthesis
|
- Generate threat report on possible scenarios and countermeasures to be deployed
|
L5
|
Evaluation
|
- Publish industry threat analysis
|
SOC Operations
Training
|
OSINT
|
MITRE ATT&CK
|
SOAR
|
|
|
|
Assessment
|
Level
|
Able to articulate role and function of a SOC
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
•Perform operational task per SOP
|
L2
|
Application
|
•Level 1 diagnostics on alerts
•Able to escalate to right Level 2 analyst team
|
L3
|
Analysis
|
•Able to correlate alerts to make sense of alarms
•Establish root cause of alarm
|
L4
|
Synthesis
|
•Develop orchestration flows for SOC processes
|
L5
|
Evaluation
|
•Automate SOC processes with SOAR tools and create products to improve SOC productivity
|
Cyber Risk Assessment
Training
|
GRC
|
MITRE ATT&CK
|
|
|
|
|
Assessment
|
Level
|
Able to articulate what is cyber risk
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
•Knowledge of cyber risk concepts, regulations, policies and common standards
•Follow SOPs and standards to help identify risk areas
•Assist in checking compliance to policies and standards
|
L2
|
Application
|
•Develop audit plan
•Conduct audits
•Able to perform impact analysis on risk
•Develop action plan to close audit gaps
|
L3
|
Analysis
|
•Uncover root cause for high-risk areas
|
L4
|
Synthesis
|
•Develop tools to improve risk assessment capabilities
|
L5
|
Evaluation
|
•Publish risk models in international conference or journals
|
Cybersecurity Design
Training
|
Cybersecurity Arcitecture
|
MITRE ATT&CK
|
|
|
|
|
Assessment
|
Level
|
Able to articulate what is threat model
|
L1
|
Able to apply threat models to design
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
•Knowledge of cybersecurity architecture concepts
|
L2
|
Application
|
•Review architecture for security risk
•Able to categorize risk areas
|
L3
|
Analysis
|
•Enhance architecture to include countermeasures for security risks
•Able to rate and prioritize risk areas
|
L4
|
Synthesis
|
•Develop cybersecurity artifacts that can be reused by group
|
L5
|
Evaluation
|
•Develop new cybersecurity design paradigms for the organisation
|
Cyber Programme Management
Training
|
CISSP
|
MITRE ATT&CK
|
NIST Framework
|
ISO27001
|
|
|
Assessment
|
Level
|
Able to explain what is the NIST Framework/ISO27001
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
•Knowledge of cybersecurity programme management concepts
|
L2
|
Application
|
•Able to use frameworks to develop programme maps
|
L3
|
Analysis
|
•Understand details of NIST CSF and MITRE ATT&ACK frameworks in detail
•Establish and mandate usage of a document review and version management system to support ongoing management of CMP documentation
|
L4
|
Synthesis
|
•Able to develop an enterprise wide cybersecurity programme charter
•Able to identify and treat high-priority development efforts such as key elements with enterprise wide impact
|
L5
|
Evaluation
|
•Develop and publish new cybersecurity frameworks
|
Cyber Technology Assessment
Training
|
CISSP
|
MITRE ATT&CK
|
NIST Framework
|
ISO27001
|
|
|
Assessment
|
Level
|
Able to explain what is the NIST Framework/ISO27001
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Knowledge of cybersecurity technologies
|
L2
|
Application
|
- Able to use frameworks to test and evaluate technologies
|
L3
|
Analysis
|
- Understand details of security technologies to identify strength and weakness of technologies or products
- Able to create realistic POCs for product evaluation
|
L4
|
Synthesis
|
- Able to reverse engineer security technologies
- Develop ways to bypass security during assessment
|
L5
|
Evaluation
|
- Able to create new cybersecurity technology assessment frameworks
|
Strategy Development
Training
|
CISSP
|
MITRE ATT&CK
|
NIST Framework
|
ISO27001
|
|
|
Assessment
|
Level
|
Able to explain the cyber domains
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Knowledge of cybersecurity domains
|
L2
|
Application
|
- Able to define documented operational standards, process, procedures and other collateral that specify what operators should do and how they should do it.
|
L3
|
Analysis
|
- Able to identify why cybersecurity is needed, consider the business issues, and then define, document and publish the direction that the required cybersecurity programme will adopt
|
L4
|
Synthesis
|
- Able to define controls and measurement metrics
|
L5
|
Evaluation
|
- Identify as leader in vertical industry
|
Policies Development
Training
|
CISSP
|
MITRE ATT&CK
|
NIST Framework
|
ISO27001
|
|
|
Assessment
|
Level
|
Able to explain the cyber domains
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Knowledge of cybersecurity domains
|
L2
|
Application
|
- Able to define, interpret and implement policies related to cybersecurity
|
L3
|
Analysis
|
- Able to formulate and offer recommendations on new security policies
|
L4
|
Synthesis
|
- Able to analyse complex cybersecurity issues and work with analytics to develop or revise existing policies
|
L5
|
Evaluation
|
- Establish as thought leader in policies development
|
Audit & Compliance
Training
|
CISSP
|
ISO27001 Lead Auditor
|
NIST Framework
|
PCI-DSS
|
GRC
|
|
Assessment
|
Level
|
Able to explain the cyber domains
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Knowledge of cybersecurity domains and audit principles
|
L2
|
Application
|
- Able to analyse policies and define compliance checkpoints.
|
L3
|
Analysis
|
- Able to research, analyse and evaluate issues/situations pertaining to policies
|
L4
|
Synthesis
|
- Posses qualitative and quantitative skills In descriptive and inferential statistic to perform basic forecasting
|
L5
|
Evaluation
|
- Identified as thought leader in vertical industry
|
Adversarial Simulation
Training
|
MITRE ATT&CK
|
OSCP
|
OSWP
|
Crest
|
|
|
Assessment
|
Level
|
Able to explain the red/blue/purple concepts
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Maintain current knowledge of malware attacks, and other cyber threats
|
L2
|
Application
|
- Able to deliver objective insights into the existence of vulnerabilities, the effectiveness of defence and mitigation controls – both in places and planned for future implementation
|
L3
|
Analysis
|
- Able to take a comprehensive approach to seeking vulnerabilities across the full spectrum of organisation policies, processes and defences in order to improve organisational readiness
|
L4
|
Synthesis
|
- Able to develop new tools and techniques for adversarial simulation
|
L5
|
Evaluation
|
- Identified as thought leader in vertical industry
|
Social Engineering
Training
|
Social Engineering
|
Psychology 101
|
|
|
|
|
Assessment
|
Level
|
Able to explain the social engineering domains
|
L1
|
|
L2
|
|
L3
|
|
L4
|
|
L5
|
|
Skills Expectation
Level
|
Description
|
Skills
|
L1
|
Understanding
|
- Understand concept of social engineering and basic human behaviour
|
L2
|
Application
|
- Able to employ standard social engineering techniques to manipulate subject to perform certain tasks
|
L3
|
Analysis
|
- Able to take a comprehensive approach to exploiting human weakness in order to extract information or to get access to system via human manipulation.
|
L4
|
Synthesis
|
- Able to develop new tools and/or techniques for social engineering
|
L5
|
Evaluation
|
- Identified as leader in vertical industry
|