Two posts in one day? These are certainly unusual times.
I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the Archives of Psychology that mentioned four key terms:
- The novice is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person).
- An apprentice has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task.
- The journey(person) is qualified to perform almost any work done by members of the trade.
- An expert can perform quickly and with superior skill any work done by (people) in the trade.
I believe these four categories can apply to some degree to the needs of the digital security profession.
At GE-CIRT we had three levels -- event analyst, incident analyst, and incident handler. We did not hire novices, so those three roles map in some ways to apprentice, journeyperson, and expert.
One difference with the classical description applies to how we worked with apprentices. We trusted apprentices, or event analysts, with specific tasks. We thought of this work as important, just as every role on a team is important. It may not have been leading an incident response, but without the work of the event and incident analysts, we may not have discovered many incidents!
Crucially, we encouraged event analysts, and incident analysts for that matter, to always be looking to exceed the parameters of their assigned duties.
However, we stipulated that if a person was working beyond their assigned duties, they had to have their work product reviewed by the next level of analysis. This enabled mentoring among the various groups. It also helped identify people who were candidates for promotion. If a person consistently worked beyond their assigned duties, and eventually reached a near-perfect or perfect ability to do that work, that proved he or she was ready to assume the next level.
This ability to access work beyond assigned duties is one reason I have problems with limiting data by role. I think everyone who works in a CIRT should have access to all of the data, assuming there are no classification, privacy, or active investigation constraints.
One of my laws is the following:
Analysts are good because they have good data. An expert with bad data is helpless. An apprentice with good data has a chance to do good work.
I've said it more eloquently elsewhere but this is the main point.
For more information on the apprenticeship model, this article might be useful.