Assignment Profiles

Each assignment profile describes the security skills, training resources, books, and certifications relevant to a specific responsibility in the SAMM Skills Framework. Use these profiles to assess current capabilities and plan training.

Where available, profiles include a mapping to the EU Cybersecurity Skills Framework role profiles.


Product Security Strategy

Build out and scale a product security program, ensuring that products are developed with security in mind.

In smaller organizations, this assignment is often shared by the (C)ISO. In larger organizations, a separate role covers it.

Example roles: Product Security Officer, Product Security Architect, CISO

EU Cybersecurity Skills Framework: Chief Information Security Officer (CISO)

Security skills

  • High-level SDLC (Secure Development Lifecycle) knowledge
  • Selecting and using security frameworks
  • Risk assessment expertise

Training resources

Books

  • Secure and Resilient Software Design (ISBN 9781498759618)
  • Alice and Bob Learn Application Security (ISBN 9781119687405)
  • The Security Culture Playbook (ISBN 9781119875239)
  • Software Security (ISBN 9780321356703)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on broad mid-level and specialized high-level certifications in “Security and Risk Management” and “Software Security”
  • ISC2 CSSLP (Certified Secure Software Lifecycle Professional)
  • GIAC GSSP (GIAC Secure Software Programmer)

Organizational Security Strategy

Oversee the organization’s cybersecurity strategy and its effective implementation to ensure protection of systems, services, and assets.

This role defaults to a CISO in most organizations, except very large ones where it might sit at the business unit level.

Example roles: CISO, BISO, Security Officer

EU Cybersecurity Skills Framework: Chief Information Security Officer (CISO)

Security skills

  • Understanding of security policies
  • Risk management expertise
  • Regulatory and compliance knowledge

Training resources

Books

  • The Security Culture Playbook (ISBN 9781119875239)
  • The CISO Evolution: Business Knowledge for Cybersecurity Executives (ISBN 9781119782483)

Certifications


Business Strategy

Set strategic direction, make high-level decisions, and lead different areas of the business to achieve the company’s overall objectives.

This is the “rest of the C-suite,” included because of the importance of management buy-in and the management assignment for security.

Example roles: C-level executive, Business unit manager, VP

EU Cybersecurity Skills Framework: N/A

Security skills

  • Business acumen (security can be an enabler and differentiator)
  • Risk management

Training resources

Books

  • Cybersecurity for Executives: A Practical Guide (ISBN 9781118908801)

Certifications

  • ISACA CGEIT (Certified in the Governance of Enterprise IT)
  • SANS Institute GSLC (GIAC Security Leadership Certification)

Architecture

Oversee the overall structure of systems or projects, ensuring that technical solutions align with business objectives and requirements.

Security can be a specialization in system architecture, but most often it needs to be considered together with the other “ilities” by every architect.

Example roles: Product Security Architect, Architect, Lead Developer

EU Cybersecurity Skills Framework: Cybersecurity Architect

Security skills

  • Security architecture
  • Security standards
  • Threat modeling

Training resources

Books

  • Security Engineering: A Guide to Building Dependable Distributed Systems (ISBN 9780470068526)
  • Threat Modeling: Designing for Security (ISBN 9781118809990)
  • Threat Modeling: A Practical Guide for Development Teams (ISBN 9781492056553)

Certifications

  • Paul Jerimy’s Certification Roadmap: domain “Security Architecture and Engineering”
  • ISC2 CISSP-ISSAP (Information Systems Security Architecture Professional)
  • TOGAF: Integrating Risk and Security within a TOGAF Enterprise Architecture
  • SABSA: Chartered Security Architect, Foundation Certificate (SCF)
  • IEC 62443 Cybersecurity Expert

Evangelizing Security

Act as an advocate and champion within the team to integrate security best practices into everyday workflows and development processes.

In this context, evangelizing security is a team-level assignment focused on upskilling the team, acting as the team’s single point of contact for security, and serving as ambassador of the product security strategy assignment.

Together with its technical counterpart, the dev lead, the security champion is the core security function at the team level. In many organizations, both roles are held by the same person.

Example roles: Security Champion, Security Engineer, Security Ambassador

EU Cybersecurity Skills Framework: Cybersecurity Implementer

Security skills

  • Broad, high-level security knowledge
  • Training and mentoring
  • Technical writing

Training resources

Books

  • Secure and Resilient Software Design (ISBN 9781498759618)
  • Alice and Bob Learn Application Security (ISBN 9781119687405)
  • Real-World Cryptography (ISBN 9781617296710)
  • Threat Modeling: Designing for Security (ISBN 9781118809990)
  • Threat Modeling: A Practical Guide for Development Teams (ISBN 9781492056553)
  • Bulletproof SSL and TLS (ISBN 9781907117091)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on certifications relevant to the competence area (SW development, cloud, network, etc.)
  • ISC2 CSSLP (Certified Secure Software Lifecycle Professional)

Cybersecurity Regulatory Compliance

Ensure that the organization adheres to relevant laws, regulations, and industry standards, avoiding legal penalties and protecting its reputation.

Ownership of cybersecurity regulatory compliance sits in the legal and compliance team, often assisted by the CISO and product security functions. Personnel with this assignment translate relevant laws and regulations into security policies, advise on legal implications of security decisions, and follow up on regulatory changes.

Example roles: Legal Counsel, Compliance Officer

EU Cybersecurity Skills Framework: Cyber Legal, Policy and Compliance Officer

Security skills

  • Knowledge of regulations
  • Compliance management

Training resources

Books

  • Cybersecurity Law (ISBN 9781119517323)
  • Data Privacy and GDPR Handbook (ISBN 9781119546095)

Certifications

  • IAPP CIPP (Certified Information Privacy Professional)

Product Ownership

Define the vision and strategy for a product, prioritizing features and requirements and guiding the development team to deliver value to customers and stakeholders.

Product ownership and similar assignments may not be security-focused but need to fully support security efforts for them to succeed. They facilitate the integration of security requirements into the product development lifecycle, prioritize security features in the product backlog, and ensure that security considerations are addressed during planning and development.

Example roles: Product Owner, Product Manager, Business Analyst

EU Cybersecurity Skills Framework: N/A

Security skills

  • Understanding market cybersecurity demands
  • Technical understanding of product architecture, including security considerations

Training resources

  • High-level knowledge of security standards (NIST SP 800 series, IEC 62443-4-2, ETSI 303645)
  • High-level knowledge of applicable regulations (GDPR, HIPAA, PCI DSS, EU CRA, EU NIS2)
  • OWASP ASVS

Books

  • Alice and Bob Learn Application Security (ISBN 9781119687405)

Certifications


Security Awareness and Training

Educate employees about potential cyber threats and safe practices, empowering them to recognize and respond appropriately to security risks.

This assignment is held by different roles depending on the type and size of organization. It can sit within a security group, the engineering department, or HR.

Example roles: Product Security Officer, Security Trainer, Human Resources

EU Cybersecurity Skills Framework: Cybersecurity Educator

Security skills

  • High-level cybersecurity knowledge
  • Cybersecurity awareness, education, and training programme development
  • Knowledge of cybersecurity-related certifications

Training resources

N/A

Books

  • The Security Culture Playbook (ISBN 9781119875239)

Certifications

N/A


Technical Leadership (Dev Lead)

Guide the development team by providing technical direction, ensuring that projects execute efficiently and align with architectural standards and business goals.

In this context, the dev lead assignment is the technical part of the security champion role. They ensure secure coding practices are followed, integrate security tools into the development pipeline, and conduct code reviews. If the assignment is split into a separate role, they collaborate closely with security champions to address and remediate security issues during development and act as a liaison with the security team.

Example roles: Technical Lead, Lead Developer, Principal Developer, Security Champion

EU Cybersecurity Skills Framework: Cybersecurity Implementer

Security skills

  • Advanced proficiency in programming language(s)
  • Knowledge of code quality and standards, including secure development
  • Security aspects of specific development frameworks and tools

Training resources

Books

  • Secure and Resilient Software Design (ISBN 9781498759618)
  • Alice and Bob Learn Application Security (ISBN 9781119687405)
  • Real-World Cryptography (ISBN 9781617296710)
  • Threat Modeling: Designing for Security (ISBN 9781118809990)
  • Threat Modeling: A Practical Guide for Development Teams (ISBN 9781492056553)
  • Bulletproof SSL and TLS (ISBN 9781907117091)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on certifications relevant to the competence area (SW development, cloud, network, etc.)
  • ISC2 CSSLP (Certified Secure Software Lifecycle Professional)

Offensive Security Testing

Identify vulnerabilities in systems and applications by simulating real-world cyberattacks, enabling the organization to proactively fix security weaknesses before they are exploited.

Penetration testing is a capability most often sourced externally at lower maturities, before building an in-house capability as the organization’s security program matures.

Example roles: Penetration Tester, Security Tester

EU Cybersecurity Skills Framework: Penetration Tester

Security skills

  • Knowledge of penetration testing tools
  • Vulnerability assessment and reporting
  • Exploitation techniques

Training resources

Books

  • The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws (ISBN 9781118026475)
  • The Hacker Playbook 3: Practical Guide to Penetration Testing (ISBN 9781980901754)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on certifications in the “Security Assessment and Testing” domain
  • Offensive Security OSCP (Offensive Security Certified Professional)
  • GIAC GPEN (GIAC Penetration Tester)
  • HackTheBox HTB CPTS (Certified Penetration Testing Specialist)

Defensive Security Testing

Proactively identify and mitigate security weaknesses by maintaining threat intelligence, vulnerability assessments, and incident response capabilities.

This assignment overlaps with both offensive security testing and security operations, touching aspects of regular quality assurance, security analysis, and security operations. It differs from offensive security testing by focusing on proactive measures and detection capabilities. It is distinct from the security operations assignment by focusing more on the product and application level, ensuring products have the necessary capabilities to integrate well into security operations.

Example roles: Security Analyst, Security Tester, QA Engineer

EU Cybersecurity Skills Framework: Cyber Threat Intelligence Specialist (imperfect match)

Security skills

  • Threat intelligence
  • Monitoring and incident detection
  • Incident response

Training resources

Books

  • Security Chaos Engineering: Sustaining Resilience in Software and Systems (ISBN 9781492070931)
  • Defensive Security Handbook: Best Practices for Securing Infrastructure (ISBN 9781491960387)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on certifications in the “Security Assessment and Testing” and “Security Operations” domains
  • Entry level: CompTIA CySA+ (Cybersecurity Analyst)
  • GIAC GCIH (GIAC Certified Incident Handler)
  • ISC2 CISSP-ISSEP (Information Systems Security Engineering Professional)

Vendor Management

Maintain the reliability of the supply chain by overseeing the selection, negotiation, and ongoing relationships with external suppliers, ensuring they meet the organization’s demand while adhering to quality, cost, and security standards.

Vendor management is crucial for the D-SR-B stream, “Supplier Security.”

Example roles: Vendor Manager, Procurement Manager, Contracts Manager

EU Cybersecurity Skills Framework: N/A

Security skills

  • Knowledge of relevant cybersecurity standards
  • Third-party security assessments
  • Knowledge of typical cybersecurity provisions in vendor contracts

Training resources

Books

  • Third-Party Risk Management: Driving Enterprise Value (ISBN 9781118084436)
  • Vendor Management: Using COBIT 5 to Manage Vendor Risk (ISBN 9781604204782)

Certifications

  • TPRI C3PRMP (Certified Third Party Risk Management Professional)

Build System and Automation

Harmonize build processes by standardizing tools and workflows, enabling continuous integration and continuous deployment (CI/CD) while embedding security testing and quality gates at relevant stages.

Depending on the organization, this can be a shared assignment in the team, a team-level role, or even a separate team. A dedicated person should take up this assignment, especially in organizations where the build system and pipelines are shared between multiple teams.

Example roles: Lead Developer, DevOps Engineer, Build & Release Manager

EU Cybersecurity Skills Framework: N/A

Security skills

  • Security in CI/CD pipelines
  • Securing infrastructure
  • High-level knowledge of automated security scanning and testing
  • Software Bill of Materials and related concepts

Training resources

Books

  • The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win (ISBN 9780988262591)
  • Agile Application Security: Enabling Security in a Continuous Delivery Pipeline (ISBN 9781491938843)
  • Securing DevOps (ISBN 9781617294136)

Certifications

  • Paul Jerimy’s Certification Roadmap: focus on certifications in the “Security Architecture and Engineering” domain
  • Practical DevSecOps CDP (Certified DevSecOps Professional)
  • Microsoft AZ-400 (Microsoft Certified: DevOps Engineer Expert)

Security Operations

Monitor and manage the organization’s security infrastructure, detecting and responding to threats in real-time to protect assets, data, and systems from cyberattacks and breaches.

This assignment often sits with the infrastructure team in smaller organizations, and moves to a separate team in larger or more mature organizations.

Example roles: Security Engineer, Security Analyst

EU Cybersecurity Skills Framework: Cyber Incident Responder

Security skills

  • Incident response expertise
  • Knowledge of monitoring and detection tools
  • Network security expertise

Training resources

Books

  • Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases (ISBN 9781717813307)
  • Cybersecurity Ops with Bash (ISBN 9781492041337)

Certifications

  • GIAC GSOC (GIAC Security Operations Certified)
  • EC-Council CSA (Certified SOC Analyst)

Infrastructure

Provide and maintain the foundational technology systems, including hardware, software, networks, and data centers, that enable all other business functions to operate effectively.

Depending on the organization, this role overlaps with build automation and security operations. In this context, the assignment covers managing the hardware, operating systems, and networks that underpin development, deployment, and operations of applications in scope of SAMM.

Example roles: System Engineer, DevOps Engineer, Operations Engineer

EU Cybersecurity Skills Framework: N/A

Security skills

  • Systems and infrastructure security (including automation)
  • Network design and management
  • Cloud security

Training resources

Books

  • The Practice of System and Network Administration (ISBN 9780321919168)
  • Site Reliability Engineering: How Google Runs Production Systems (ISBN 9781491929124)
  • UNIX and Linux System Administration Handbook (ISBN 9780134277554)

Certifications