How to Use the NICE Framework to Plan Cybersecurity Careers and Teams

A Compass for Navigating Cyber Careers When someone says they work in cybersecurity, it could mean anything from cloud engineering to incident response, from red teams to risk governance. The field is vast and only getting more complex. Despite all the frameworks we use to secure systems, most organisations still lack a shared language for describing the people who do the work. That’s what the NICE Framework offers: a way to map roles, skills, and development pathways across the full cyber landscape. ...

June 1, 2025 Â· 3 min

ISF IRAM2

Context For professionals moving into governance roles within the financial sector or large multinationals, familiarity with proprietary frameworks is often as important as knowledge of international standards. While ISO 27005 establishes the principles of risk management, the Information Security Forum’s IRAM2 is frequently the specific implementation found in major institutions. You may not need to become a certified IRAM2 practitioner, but you should understand the structure if you intend to work in large-scale enterprise environments. ...

2 min

Spring Framework - IT audit considerations

Understanding the Spring Framework Evolution, Risks, and Audit Considerations** History & Evolution Released in 2003 by Rod Johnson as a lightweight alternative to Java EE. (Wikipedia - link) Evolved into a full ecosystem, including Spring Boot (2014) for simplified deployment, Spring Security, and Spring Cloud for microservices. Originally developed by Interface21, later acquired by SpringSource, then VMware. Widely used in enterprise applications, cloud services, and microservices. Audit Questions to Ask What versions of Spring and Spring Boot are in use? Are legacy Spring applications still maintained and patched? Is the team using official support channels, or relying on outdated third-party dependencies? Key Risks for In-House Development Dependency risks – Third-party libraries (e.g., Log4j) can introduce vulnerabilities. Security misconfigurations – Weak Spring Security settings may expose authentication flaws. Excessive complexity – Over-engineered architectures can hinder maintainability. Inconsistent coding practices – Lack of standardisation can create operational risks. Questions to Ask How does the team track and update dependencies? Are security configurations reviewed regularly? Are developers following a consistent architecture and coding standard? Audit & Governance Best Practices Use Software Composition Analysis (SCA) tools to monitor third-party dependencies. Implement secure CI/CD pipelines to enforce security checks before deployment, and maintain audit trail / ability to roll-back. Ensure strong access controls – Proper OAuth2 configurations, API gateways, and authentication reviews. Monitor Spring security advisories and enforce timely patching. Questions to Ask Does the organization use tools like Snyk or OWASP Dependency-Check for vulnerability scanning? Are secure coding practices enforced in CI/CD pipelines? How often are Spring applications tested for security weaknesses?

2 min

What is the second line of defence (2lod)?

Context Understanding organisational structures is vital for career progression. If you are moving from an operational role into a governance, oversight, or more senior management position, grasping the distinction between executing controls and overseeing them is essential. Definition Within the standard governance model, the second line of defence consists of the functions responsible for defining risk management frameworks and compliance standards. Typical second-line functions include Risk Management, Compliance, and Legal departments. ...

2 min