Tuesday, March 21, 2017

Cybersecurity Domains Mind Map

Last month I retweeted an image labelled "The Map of Cybersecurity Domains (v1.0)". I liked the way this graphic divided "security" into various specialties. At the time I did not do any research to identify the originator of the graphic.

Last night before my Brazilian Jiu-Jitsu class I heard some of the guys talking about certifications. They were all interested in "cybersecurity" but did not know how to break into the field. The domain image came to mind as I mentioned that I had some experience in the field. I also remembered an article Brian Krebs asked me to write titled "How to Break Into Security, Bejtlich Edition," part of a series on that theme. I wrote:

Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.

I offered to help the guys in my BJJ class find the area of security that interests them and get started in that space. I thought the domains graphic might facilitate that conversation, so I decided to identify the originator so as to give proper credit.

It turns out that the CISO at Oppenheimer & Co, Henry Jiang, created the domains graphic. Last month at LinkedIn he published an updated Map of Cybersecurity Domains v2.0:

Map of Cybersecurity Domains v2.0 by Henry Jiang

If I could suggest a few changes for an updated version, I would try to put related disciplines closer to each other. For example, I would put the Threat Intelligence section right next to Security Operations. I would also swap the locations of Risk Assessment and Governance. Governance is closer to the Framework and Standard arena. I would also move User Education to be near Career Development, since both deal with people.

On a more substantive level, I am not comfortable with the Risk Assessment section. Blue Team and Red Team are not derivatives of a Penetration test, for example. I'm not sure how to rebuild that section.

These are minor issues overall. The main reason I like this graphic is that it largely captures the various disciplines one encounters in "cybersecurity." I could point a newcomer to the field at this image and ask "does any of this look interesting?" I could ask someone more experienced "in which areas have you worked?" or "in which areas would you like to work?"

The cropped image at the top of this blog shows the Security Operations and Threat Intelligence areas, where I have the most experience. Another security person could easily select a completely different section and still be considered a veteran. Our field is no longer defined by a small set of skills!

What do you think of this diagram? What changes would you make?


Anonymous said...

What about Cybersecurity R&D? Researchers in academia or industry who look for vulnerabilities and develop exploits? Software engineers who build commercial security products or open-source tools? Where do they fit?

Hakon Olsen said...

I think the diagram is nice; it provides a starting point for learning about the different aspects of security. Of course, it is possible to extend it more, and it is possible to increase granularity.

I made a suggestion for the risk assessment part here: https://safecontrols.blog/2017/03/21/extending-the-risk-assessment-mind-map-for-information-security/, trying to push the different activities into the ISO 31000 glossary.

Something we could try to make in addition, to help newcomers, would be some suggested learning paths for some of these branches - in flowchart style.

christ said...

I'm curious, who had it first? This map reminds me a lot of this one: http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/

cliff said...

In the health care space, secure destruction of data is one of the essential issues I deal with. Yet it is not in the mind map at all. It belongs in Operations.