Security Roles & Actors
How security roles map to OSA patterns, aligned to the NIST NICE Framework and NIST CSF 2.0.
OSA patterns use generic actors to represent the security roles responsible for implementing and operating controls. Understanding which roles are involved in each pattern helps organisations assign accountability and plan capability development.
The NICE Framework
The definitive taxonomy for cybersecurity roles is the NIST NICE Workforce Framework for Cybersecurity (SP 800-181 Rev 1). The framework document sets out the structure; the work roles themselves, with identifiers such as DD-WRL-001, are published in the separately maintained NICE Framework Components list, which currently defines 52 work roles across 7 categories and provides a common language for describing cybersecurity work.
The roles most relevant to OSA patterns are:
Design & Development
- Cybersecurity Architecture (DD-WRL-001) -- ensuring security requirements are addressed in enterprise, segment, and solution architectures. This is the core role for OSA pattern consumers.
- Secure Software Development -- building security into applications from design through deployment. Key for patterns like Secure SDLC (SP-012), API Security (SP-030), and Secure Application Baseline (SP-041).
- Systems Testing & Evaluation -- verifying that security controls function as intended. Relevant to Offensive Security Testing (SP-035) and Vulnerability Management (SP-038).
Implementation & Operation
- Systems Security Analysis -- monitoring and analysing security posture across infrastructure. Central to Security Monitoring (SP-031) and Zero Trust Architecture (SP-029).
- Network Operations -- implementing and maintaining network security controls. Key for Firewall (SP-005), DMZ (SP-009), and Secure Network Zone Module (SP-017).
- System Administration -- configuring and hardening systems. Relevant across most infrastructure patterns.
Protection & Defense
- Defensive Cybersecurity -- protecting against and responding to threats in real time. Maps to Incident Response (SP-036) and the APT pattern (SP-019). Note that NICE also lists a distinct Incident Response work role under Protection & Defense; organisations that staff it separately should assign SP-036 to that role.
- Vulnerability Analysis -- identifying and assessing vulnerabilities. Core to Vulnerability Management (SP-038).
- Threat Analysis -- analysing threat actors, capabilities, and intent. Relevant to all patterns via their threat models.
Oversight & Governance
- Cybersecurity Policy & Planning -- developing strategies, policies, and plans. Maps to GRC patterns like PCI Full Environment (SP-026) and Cyber Resilience (SP-034).
- Security Control Assessment -- evaluating control effectiveness. This is the role that consumes OSA assessments and benchmark data.
- Privacy Compliance -- ensuring data protection requirements are met. Relevant to Data at Rest (SP-022) and cloud patterns.
Specialist Roles (grouped here for convenience; this is not one of the seven NICE categories)
- OT Cybersecurity Engineering -- securing industrial automation and control systems. Maps directly to Industrial Control Systems (SP-023) and IEC 62443.
- Identity Management -- designing and operating identity infrastructure. Core to Identity Management (SP-004), Modern Authentication (SP-032), Passkey Authentication (SP-033), and Privileged User Management (SP-037).
For the full NICE Framework taxonomy, see NIST SP 800-181 Rev 1 at https://www.nist.gov/nice.
Why Define Roles? CSF 2.0 GV.RR
NIST Cybersecurity Framework 2.0 added the Govern function. Its Roles, Responsibilities, and Authorities category (GV.RR) makes defining security roles an explicit governance outcome:
- GV.RR-01: Organisational leadership is responsible and accountable for cybersecurity risk
- GV.RR-02: Roles, responsibilities, and authorities are established, communicated, understood, and enforced
- GV.RR-03: Adequate resources are allocated commensurate with strategy and roles
- GV.RR-04: Cybersecurity is included in human resources practices
Mapping your team's roles to OSA patterns produces evidence for these outcomes -- you can show which named role is accountable for each architectural control, and which controls have no owner.
Architecture Layers
Security roles operate at different levels of abstraction. The SABSA framework provides a useful layering model:
- Contextual -- business owners defining security vision and risk appetite
- Conceptual -- security architects aligning controls to business objectives
- Logical -- security designers specifying control services and processes
- Physical -- security engineers selecting and configuring technology
- Component -- developers and integrators implementing security in code
- Operational -- security operators running day-to-day monitoring and response
OSA patterns span these layers. Strategic patterns like Cyber Resilience (SP-034) operate at the contextual and conceptual levels. Implementation patterns like Firewall (SP-005) and API Security (SP-030) operate at the physical and component levels. Security Monitoring (SP-031) and Incident Response (SP-036) are primarily operational.
Historical Context
The original OSA Actor Model (2008) evaluated OWASP CLASP roles and ITIL v3 roles as candidate frameworks. ITIL v3 was selected for its comprehensive lifecycle coverage and familiarity within enterprise IT. Since then, CLASP has been superseded by OWASP SAMM v2.0, and ITIL v3 has been replaced by ITIL 4, which moved security from a siloed design process to an embedded enabling practice. The NICE Framework has emerged as the industry standard for cybersecurity role taxonomy, and CSF 2.0 has made role definition a governance outcome.