Detect and respond: Blue team recruitment in 2020

It’s been over 25 years since the chief information security officer (CISO) role was created. Steve Katz is credited as the first ever CISO, having accepted a position at Citigroup after the company was hacked in 1994.

When reporters asked him how he felt about taking on the job, he famously replied: “I sleep like a baby; I get up every two hours and cry.”

I’m sure many CISOs can sympathize! And the role hasn’t got any easier in the years since. Quite the opposite. Cyber security complexity has increased, the threat landscape is rapidly evolving, and hackers have more points of access than ever before. It’s no wonder that cyber-crime costs a typical organization $13 million a year.

When CISOs were asked about the biggest challenges of their role in a recent Fortinet survey, the two most popular answers were hackers and attackers (46% chose this) and creating comprehensive cyber security strategies (32%).

How can they overcome these problems? Fortinet indicated that top-tier CISOs are 35% more likely to address cyber risks proactively, from detection through to response and remediation.

That may be easier said than done, but one way to strengthen your cyber defenses is to adhere to a robust security framework and ensure you have the knowledge, skills and experience in place to manage threats quickly.

A history of NIST

The early 2010s saw a significant rise in the volume and sophistication of cyber-attacks worldwide. Not only were major businesses getting hacked at a scale never seen before, but cyber warfare between nation states also began regularly hitting the headlines when the malicious Stuxnet worm brought Iran’s nuclear program to a grinding halt.

There were already several cyber security frameworks available at the time, including COBIT 5 (now COBIT 2019), ISO 27000 and the National Institute of Standards and Technology’s (NIST) 800-53.

However, many of these frameworks focused on specific controls or processes. For example, NIST 800-53 is a regulatory document designed to keep US Federal Government agency systems secure, with departments expected to be compliant.

Then-President Barack Obama clearly felt more needed to be done, so in February 2014 he announced Executive Order 13636, which was a directive aimed at improving the nation’s critical infrastructure against cyber-attacks.

One year later, NIST announced its Framework for Improving Critical Infrastructure Cybersecurity, otherwise known as the NIST Cybersecurity Framework. The framework differs from NIST 800-53 in that it’s more concise (40 pages versus 460) and it’s voluntary, meaning businesses have greater implementation flexibility.

In 2015, Gartner predicted around 30% of US organizations were using the NIST Cybersecurity Framework. Today, almost six years to the day from its introduction, the figure is thought to be about 50%. When planning your CISO office recruitment with an established security model in mind, the NIST Cybersecurity Framework is probably a good place to start.

Blue team recruitment within NIST

NIST’s framework describes five key functions of a robust information security program:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Each category could be the topic of its own article, but I’d like to focus on cyber security jobs for detection and response, aka blue team recruitment.

These teams must interact as seamlessly as possible to tackle cyber security issues without delay. Hackers attack systems on average 2,224 times a day, which is the equivalent of once every 39 seconds. Unfortunately, the average time to identify a breach was 206 days in 2019.

Perhaps the most glaring example of a lackluster approach to detection and response is Yahoo’s infamous data breach, the extent of which only came to light when users’ personal information was being sold on the dark web in 2016.

The search engine firm was aware at the time that a hack had occurred in 2014. However, Yahoo underestimated the seriousness of the attack (which compromised 500 million accounts) until an investigation in 2016. After further digging, Yahoo stumbled across a separate breach from August 2013 that impacted 3 billion users – its entire database.

The breach remains the biggest ever in terms of number of people affected and is a cautionary tale for cyber security professionals. It’s therefore crucial to ensure there are no gaps in an organization’s cyber security defenses and communication.

Mapping IT security recruitment to NIST

Let’s see how individual roles could potentially be mapped to the NIST Cybersecurity Framework. Below is a quick rundown of what the Cybersecurity Framework states should be the outcomes of diligent, well-run detection and response teams. In italics, I’ve proposed some of the roles that could help organizations achieve these outcomes.

Detect:

  • Ensure anomalies and events are detected, with potential impacts fully understood:
    • SOC Engineers/Architects, Threat Intelligence specialists and Insider Threat experts
  • Implement security continuous monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, which includes network and physical activities:
    • SOC Analysts (Tier 1 and Tier 2) and SOC Team Leads and Managers
  • Maintain detection processes to provide awareness of anomalous events:
    • SOC Analysts and SOC Team Leads/Managers (thorough documentation will also be required to ensure proper protocols are followed during these events)

Respond:

  • Ensure response planning processes are executed during and after an incident:
    • Incident Response (IR) specialists
  • Manage communications during and after an event with internal stakeholders, law enforcement and other external stakeholders:
    • CISOs/Heads of Security, Heads of IR, Heads of Security Operations and Information Security Directors
  • Conduct analysis to ensure effective response and support recovery activities, including forensic analysis and determining the impact of incidents:
    • Digital Forensics Experts and SOC Analysts (Tier 3)
  • Perform mitigation activities to prevent expansion of an event and to resolve the incident:
    • IR specialists as well as the broader team. These professionals should partner with Security Hardening/Protection teams to ensure the same vulnerabilities are not exploited again
  • Implement improvements by incorporating lessons learned from current and previous detection and response activities:
    • Heads of Cyber Awareness & GRC, Security Engineering and Architecture, Information Security Directors and CISOs/Heads of Security

Finding the right people for your organization

I’ve attempted to show how blue team roles can fit into a robust cyber security framework like NIST but, in reality, every organization is different. There is usually overlap between the tasks and responsibilities of those in detection and response teams.

For example, you may have a Security Operations Center (SOC) that combines various cyber security functions, including detection and response. Computer Incident Response Teams, or CIRTs, are also common and may exist separately or be incorporated into the wider SOC.

Ultimately, however your cyber defenses are set up, it’s vital to have access to talented security professionals. According to a recent survey, a lack of skilled staff was the top barrier to SOC excellence for 58% of businesses.

At Barclay Simpson, we can help you find the people you need to build stronger, more sophisticated detection and response capabilities. So, if you’d like to discuss your cyber security risk hiring needs in New York or elsewhere, I’d love to hear from you on +1 646 578 8951 or via email at