[00:00] Chris Sienko: It’s a celebration here in the studio, because the Cyber Work with Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.
To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.
Enough of that, let’s begin the episode.
[01:04] CS: Welcome to another episode of the Cyber Work with Infosec Podcast, the weekly podcast in which we talk with a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, as well as offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Today’s podcast episode is an information-packed webinar we posted on our YouTube channel on July 15th entitled NICE Cybersecurity Workforce Framework: Close your skills gap with role-based training. The National Initiative for Cybersecurity Education, or NICE, has created the NICE Cybersecurity Workforce Framework. The framework provides the following benefits to you and your organization. It establishes a common language around skill development. It provides targeted role-based training with competencies and KSAs. You can create custom role profiles to match your organization and you can use the framework to better identify, hire and cross-train your employees. Walking us through the framework today is Leo Van Duyn, cybersecurity and technology workforce development strategy at JPMorgan Chase & Company; and Bill Newhouse, Deputy Director of the National Initiative for Cybersecurity Education, or NICE, if you will.
Please note that video version of this on our YouTube page contains a visual walkthrough of the Excel Pivot Tool and how you can use it to find and filter your knowledge skills and abilities, or KSAs, and various competencies for a custom role in your organization or the educational requirements to create such a role in your organization. It’s a pretty powerful tool, and unfortunately an audio podcast won’t really give you the full experience. So if you want to know more, a link to the walkthrough is provided in the description of today’s episode.
And now let’s zip you over to the webinar with Leo Van Duyn and Bill Newhouse along with moderator, Megan Sawle entitled NICE Cybersecurity Workforce Framework: Close your skills gap with role-based training.
[02:59] Megan Sawle: I’m joined today by Leo Van Duyn. He is part of the cybersecurity training and cybersecurity and technology workforce development strategy at JPMorgan Chase. And Bill Newhouse is the Deputy Director of the National Initiative for Cybersecurity Education. Bill coauthored the NICE Cybersecurity Workforce Framework, and both Bill and Leo are coauthors on the NIST Special Publication 800-16, Cybersecurity Role Profiles for Training, both of which we will be discussing today.
And as I mentioned before, I’m Megan Sawle, Director of Product Marketing here at Infosec. But enough about me. Let’s go ahead and take a look at what we have planned for today’s discussion. As I mentioned, we will start off today’s presentation with a brief overview of what that NICE cyber security workforce framework is. Of course, everyone on the call today probably has varying degrees of experience with the framework. We want to make sure you can all follow along as we progress through the talk.
We’ll also dip into cybersecurity role profiles, specifically SP 800-16, and how we can use the new competencies that are going to be added back into the framework to structure your own job descriptions. And then of course, how you can use the new NICE Framework Pivot Tool to make those job descriptions a little bit clearer for everyone at your organization. We’ll also touch on creating a role-based training program. And then as mentioned, take your questions at the end.
So let’s jump right in, Bill and Leo, and talk about the NICE framework. I know that both of you have had a lot of involvement in the creation of this publication. So, Bill, since you co-authored the actual framework, can you give us a little more insight into what went into that? I’m specifically interested in what the goals are of the framework and the types of challenges you’re trying to solve for.
[04:39] Bill Newhouse: Yeah. The goals are listed nicely here in the bullet on the slide, and this common language idea is important. As we came into the 2010s, there was already a notion that we didn’t know if we had enough people or people with the right skills being in this space to focus on cybersecurity risk or the risk of anything that could happen based on the complexity of all these systems that we were interconnecting and using in cyberspace or in the internet.
And so, this NICE framework began to be developed initially for the federal government, and they started asking people, “Well, what do you do?” And that’s a model that’s interesting to try to figure out. Well, is that all that needs to be done? And then building from that, what needs to be done, tasks, what needs to be performed? This framework was designed to describe cybersecurity work and it does offer this categorization of the work. It organizes it in a way that companies, businesses and government can start to think about who they need to have on their teams. And in that common lexicon and organizational model, it lets us do a lot of the things that we know we need to do to identify and add and keep people in our teams. So it really is just the first best effort at describing cybersecurity work for our nation.
I said it started as a federal thing and eventually it was asked that NIST would lead an initiative to make this work for the whole nation so that we would be communicating out to the private sector and into academia as well, knowing that the federal government workforce is using technologies that are common across both private sector and public sector. It’s been a big lift. 2016 is when we committed to making it in this special pub. And in doing so, we were trying to point out to the nation that this document will be a living document that will be updated periodically.
[06:36] MS: That makes a lot of sense, that speaking the same language when it comes to cybersecurity roles and what everyone does helps people not only get into the industry, but also advance into the next stage of their career. I know we did some research on this last year, and it was overwhelming. Like more than 3/4 of people who are in cybersecurity are training and trying to learn new things every day, right? But very, very few are actually certain that they’re learning the right things for the role they have today as well as roles that they’re looking to get in the future.
Kind of along those lines, Leo, I know at JPMorgan Chase you’ve been doing a lot of work on the training program there, and I’d love to hear your thoughts on the framework and how you’ve been using the framework to structure that program as well as how you’ve seen the use of it evolve over the past few years. Have you always used the framework to guide training plans and role descriptions, or is this something that’s new to JPMorgan Chase?
[07:31] Leo Van Duyn: This is a relatively new initiative using a common taxonomy to describe work roles and level-set proficiency expectations. However, it’s leading to some really interesting data that’s coming from the analysis of our workforce. I think the real benefit is it allows you to see yourself in a particular work role. And if you use it to transcribe multiple work roles and you level-set the expectations for those work roles, once you gather the employees’ assessment data, it has two really interesting effects. One, you can look at how a person or a group of employees are doing in a particular role and use that data to guide your development for that particular group. You can also leverage that dataset to see where people are doing well in a particular role. So you can leverage those people for mentoring aspects.
The other real benefit is once you’ve captured that assessment data, that assessment data for an employee could be applied against any other role that uses the same taxonomy to describe itself and they can see themselves in second, third and fourth careers within your own organization. So one of the knock-on effects is helping people see longevity in a company and reinvent themselves into other roles that are interesting for them.
Because of that, you can now also help people develop better career paths and mobility options for themselves so they get a more individualized ability to control their development within your corporation. So, we’re now trying to find other ways to leverage this data to better, one, educate our employees and empower them even further to control their own development within the company by using a common taxonomy approach.
[09:38] MS: That makes a ton of sense. I know one of the most surprising things to me about the framework when I first opened it was the amount of actual non-technical competencies and skills that are highlighted in there. And I think a lot of people, if they’re aware that cybersecurity isn’t all hacking computers or configuring networks or pen testing networks, they might be a little bit more interested in some of the open roles that the industry has.
I know we just had a question come in about what the most recent version of SP 800-16 is. So let’s go ahead and jump in and talk about what that publication is. For those of you who aren’t familiar, SP 800-16 is sort of like the stop gap between the NICE framework and where the rubber hits the road at actual organizations and security practitioners.
Personally, I found it makes it very easy to understand the framework and how it applies to individual organizations. And, also, it kind of gives you step-by-step instructions on how to implement the NICE Cybersecurity Workforce Framework at your organization.
So, Bill, first off, the technical question, which version of 800-16 is the current version?
[10:52] BN: Yeah. 800-16 is one of the documents, and there’s another one, 800-50, that were written over a decade ago originally, and they were the ones that drew people to saying, “Hey, if the federal government is going to lead a national initiative,” and everybody on this call who does work in infosec and cybersecurity is part of that initiative in my mind, that we’re seeking to make the nation more prepared at all levels. Those are the two documents that drew people to say, NIST is a good organization for this. We’re non-regulatory and we focus on consensus-based documents, and we put out a publication and we put it out for comments. And then we make it final.
When we entered into making the NICE framework 800-181, the team there said, “Hey, there had been a concept of competencies in an earlier version of the framework that was not published by NIST.” It was kind of stewarded initially by the Department of Homeland Security, our colleagues there. And it had competencies in it. But when we did 181, we hadn’t had a chance to really go back and do what I would call the consensus building on that space. We left the competencies out of 181, and the authors, as we kept talking about this NICE framework and the value of it, kept bumping into people who said, “Hey, competencies. I used those from the 2014 spreadsheet. Can you bring them back?”
And we thought that 800-16, which I talked about training, a lot of the training aspects there were training, but it was a broad set of training things but it had a strong focus on security awareness training and the value of that for an organization. And so we kind of co-opted out that idea. Pulled it into that notion that, “Hey, we really want to now tell people that the framework with competencies can be a reference resource for you to develop for your organization for your teams,” as Leo was just saying, “the ability to do this.”
Long-winded answer is we have a revision 2 as a preliminary draft in the NICE Framework Resource Center. It’s under a tab called Related. And it is a document that will move towards public comment, again, later in this year, because we’re also doing a revision update to the NICE framework. And in its new revision 2 form that you can see on our website, you’ll see the structure that Leo, two other coauthors from the government and I worked out, mappings and things that we’ll describe in a moment.
[13:15] MS: Okay. And so it seems to me that the 800-16, the cybersecurity role profiles for training is really like the how. And then 181, the framework, is sort of like the what. What were like the primary reasons for updating 800-16? Was it to bring the competencies back and tie it more closely back to 181? Or what was the plan there, Bill?
[13:41] BN: Exactly what you said. Leo, I want you to chime in here, because Leo is the one who, as a person more closely connected to the training needs of his organization than I am in my role at NIST, recognized that, “Okay. The NICE framework –” and it’s 52 work roles, “those 52 work roles are groupings of KSAs, knowledge, skills and abilities, and tasks, and a grouping of knowledge, skills and abilities is also part of the definition of what a competency is.” And so the NICE framework gave you 52 starting points to think about cybersecurity work. And if you just didn’t quite understand the words that were used to describe the role, the title of the role, that could cause you a little bit of, “Wait. I don’t see something in there.”
Well, working with Leo and the other two authors, we mapped KSAs into competencies to give you one other lens into this space of cybersecurity work. So if you can’t figure out what a COMSEC person is, a COMSEC custodian, well, you could still borrow a task statement or a skills statement from that work role by the use of these competencies.
[14:48] MS: Okay. Leo, let’s talk a little bit about that, about sort of the practical application. How are you using this at JPMorgan Chase and what goals are you trying to accomplish with it?
[15:00] LVD: Right. I think the work that we did with the newest revision by adding the competencies did one really important thing to the framework. It allowed us to reorganize the KSAs and put them into more effective containers and it modularizes the framework, right?
If you look at the framework in its current revision, you’ll see a work role. That work role may not be 100% what you’re trying to do within your own organization. With the competencies, you could now say, “Oh! These competencies are really the ones that are relative to my role at company A.” And another company may say, “Well, these competencies are the ones that’s really related to my work here at company B.”
The benefit is those competencies are a little more stable than the underlying KSAs. It allows the intent of what’s under the competency to change and evolve while the competency itself stays the same. An example would be KSAs that relate to operating systems. The other real benefit to the competencies is it kind of acts like an anchor point. One, it allows you to create a kind of custom role, if you wanted to, or understand how roles can overlap with each other. Two, it allows you to associate that competency to something like learning in your LMS, or to a certificate, or to a range-based event. So it gives you a nice anchor point between different facets of learning to allow you to absorb content from other vehicles into your profile. And that’s really the concept that I’m working on fleshing out right now, is how can we leverage those competencies and the understanding of our employees and how they see themselves in those competencies and add other layerings of learning into their profiles so that we can really start showing more than just self-assessment data. We can show the true development of an employee so that they are representing themselves to the fullest at the company. And then the company has a real understanding of the talent pool that they have at hand. And I think that’s the elegance of the framework right now.
[17:47] LVD: I think it absolutely does. When you use the framework to define what your role is going to look like and you establish the proficiency expectations for that role and then you collect the employee data. Let’s say I have 300 people that are in cyber operations. We could look at that employee data and we can say, “Okay. What are the areas of opportunity in this group? Where are people kind of below baseline?”
If there are four or five competencies that are standing out, that’s kind of giving us our starting point for how we want to develop training for the organization. And then if you break it down by smaller functions within that organization, you can further customize it. So it does allow you to start seeing a roadmap. And then if you take the competencies that you want to develop and you look at the underlying KSAs you may have associated to your work role, those KSAs are now telling you, “Oh! These are the areas that we want to kind of use as our guides when we develop the training.” So it’s almost like you can give this back to the Learning team and say, “Here’s kind of a starting point. Let’s talk with this. This is important to the organization. How can we curate content that allows us to develop this?”
The other benefit is, once that training is completed and you have your employees reassess, you should start seeing a trend where certain competencies are falling out, but maybe certain new ones are falling in, and that could be because you’re bringing new people into the organization or just through the maturation of your existing workforce. Yeah, it’s very, very useful from what I’m starting to see in helping customize learning plans or development plans for your employees. And that’s from an organizational standpoint.
The other benefit is the employees can also individualize their training. They can say, “Oh! You know what? I’m interested in these.” Again, going back to maybe career mobility or their own interest within their role, or maybe looking forward from their current pay grade to the next pay grade. These are things that I want to take to make me a candidate for promotion, right? It doesn’t necessarily guarantee promotion, but it allows them to start developing towards that concept of either moving or being promotable. Hopefully that answers your question.
[20:01] MS: Thanks, Leo. This question is for Bill. And I think here at Infosec we’ve seen a lot, we’ve heard a lot of different discussions about the NICE framework, and it seems, overwhelmingly, a lot of people see this as a tool for sort of a mature organization like JPMorgan Chase. But what about for the smaller organizations or maybe organizations that are just getting that internal security team established? Is it helpful for them as well, Bill? How might that type of organization use this to sort of build out their team?
[20:33] BN: There’s an interesting question when you think about small, medium businesses. It’s expertise and subject – How many subject matter experts do you have? And the competencies bring the language down to a level that is more recognizable by folks who don’t have to be complete experts. So it starts to build the conversation in my mind faster. So if somebody walks towards the framework, they know they need to work on cybersecurity risk, because maybe they’ve been introduced to the NIST Cybersecurity Framework, another framework that teammates of mine have built that says there are functions to do to reduce risk.
Well, as you start to say, “Well, I’m going to take that on. My organization is going to try to reduce risk.” Starting by looking at work roles might fail you because you just don’t have a lot of people around you, and you’ve never really needed to describe yourself that way. But if you do describe it in terms of what did I see in that CSF, this framework as keywords and then look towards the competencies. You can then be drawn into the NICE framework and start to gain confidence.
The process that we developed into the 800-16 Rev 2 points out you need to find some subject matter experts. And so if more organizations do this, if they’re part of a professional, like, picture there are sector-specific information sharing and analysis organizations. So if you’re a small business that wants to focus on cybersecurity for the hospitality industry, you might be able to find other experts to draw in and help you with these conversations.
Just to finish up, it normalizes the language down to a good abstraction that will be easier to make people feel comfortable in the first set of conversations around this. And then when you get stuck, it’ll potentially offer you the ability to say, “Hey. Is anybody else – Come to NICE where we have public-private partnerships.” And say, “Is anybody else doing this? And can I partner with you to help me?” You’ll be able to draw in your subject matter experts at a quicker pace and to leverage them faster using this tool as well.
[22:30] MS: Okay. Thanks. And we’ve had a lot of different questions come in regarding like training and how this framework could maybe guide people who are just looking to kind of break into the field. So related to all of this is the actual mapping, right? That training component to work roles, or specialty areas, or competencies that’s in the framework. So if I want to get to X, what do I need to do to get there?
So, here at Infosec, we are mapping all of our training content to KSAs. That’s where we’re starting. And then likely moving that into competencies and roles after that. I’m curious, Bill, or Leo, if there’s one sort of standard approach to this, whether it’s you as an L&D professional mapping your existing content to the framework, whether you’re a training vendor like us mapping our content, or you’re just an individual looking to seek out training that’s aligned to the framework. Is there one standard approach for this or do you have any recommendations for people using the framework as a guide to build out those training plans?
[23:30] LVD: Bill, I can answer this if you want.
[23:32] BN: Go for it.
[23:33] LVD: I think it’s really kind of up to you. And I’ll give some examples. Certain certificate providers may look at the framework and they may say, “Well, the KSAs aren’t quite the maturity level that we would like to see them,” or they feel like there might be some gaps in the KSAs. In which case, mapping to the competency areas may resonate with them. And that’s completely okay.
Whereas, say, you’re creating an on-net experience in the cyber range or something like that. You may want to use the KSAs to kind of describe the work that’s going to be done as part of the objective. The benefit is, if you go to the lowest tier of the framework, which are the KSAs right now, and you map to them, once the new special pub comes down, it automatically will associate back to the corresponding competency.
So if you map to the KSA, there’s no harm, no foul. It will map to the corresponding competency. So if somebody is only pulling data from a training provider into their profile and they’re just leveraging the competencies and maybe a few descriptive words to allow them to see themselves in that competency, they can still get the benefit from an organization that’s giving them data based on their employee’s training in a particular discipline.
I really think it depends on what allows you to feel like it represents the learning the best. I know, within certain LMSs, mapping into the KSA level may be way too difficult, whereas saying this particular course, like the CISSP, deals with information assurance and it deals with some cryptography. So being able to say that if you take this course, you’re developing in these areas at a certain proficiency. It is absolutely plenty of data for somebody to absorb if they have a role profile created using NICE.
It’s really what speaks the best to your ability to map into the framework, and the competencies allow you to be very, very modular. And I think when you see the Pivot Tool, the penny kind of drops for people. They’ll be able to say, “Oh! I can absolutely see if we are creating a role. We can use this to guide that conversation, and maybe we want to use these KSAs to map,” or maybe you wouldn’t just want to say, “We’re going to map to the competencies.” It really allows you to be very individualized in the way that you use it, because it all maps. If you use KSAs, it will map to the competency. It gives you a lot of flexibility.
[26:16] MS: Yeah. That’s great advice, and that’s actually exactly where we landed with our own internal project here. I know we’ve tossed around a lot of acronyms, KSAs. Lots of numbers, 181, 800-16. So before we dive deeper and actually show off that Pivot Tool that Leo was mentioning, I want to make sure everyone’s following along with us.
Bill, can you cover a little bit about like how the framework is actually structured when it comes to category specialty areas, work roles and how they all sort of roll up?
[26:46] BN: Yeah. I was only in a few of the rooms where it happened, in the sense that over a decade ago people got together and they said, “What do we do and what do we need to do?” And they wrote down, I’m sure, on either whiteboards or sticky notes and they started popping them up against the wall. And that initial work led to, “Hey, we’re starting to see some hotspots here.” And they decided on seven categories. I mean, potentially they could have done ten. They could have done five. It was a choice, probably a little bit of a balance in some respects and overlaid by the fact that it was initially government people talking to other government people. And then they broadened the conversation, including industry and academia. And they landed in this structure of seven categories. And then the specialty areas divide those areas up a little more. Offer a description of each of these – Some of these look like competencies, and some of these look like very specific areas of cybersecurity.
You mentioned earlier that people have sort of been surprised that there’s stuff in this NICE framework about just having professional soft skills and potentially leadership skills and other things. Why did they end up in this framework? Well, this framework was being built in a very broad way to say to everybody, “This is what we think cybersecurity work encompasses. We want to inspire and help people aspire to join us in this journey,” and it’s even used now at the K-12 level to say, “Look, cybersecurity work is broader than just hacking or just defending or whatever.”
These 33 specialty areas were the initial stopping point where those knowledge, skill and ability statements were mapped, where somebody said, “We’re going to talk about systems architecture. And here are the KSAs and tasks that are associated with that.”
In 2015, our Department of Defense said, “You know what? I need to add more specificity.” And they decided with clarity to go and have more of these panels with groups and they came up with 52 work roles where some of these 33 in these boxes got divided up into more than one work role. And they felt like program and project acquisition was one of the areas where, like, “Hey, that’s going to be five work roles.” And some of the other ones stayed individual, so that target threat analysis is still just a threat analyst at the work role level. That’s the abstraction that was built.
And to the previous question about training and the use of this framework, we didn’t give tools that make any of this extraction easy. And so a spreadsheet was offered, and Leo is a spreadsheet master, as you’ll see in a moment. As we move forward with this NICE framework, more and more people are building it into online databases and into tools that will allow you to extract from it. And this pivot table tool is one of the best first examples of what we can do with it.
[29:31] MS: Yeah. I would definitely agree with that. And kind of to that point, Leo, I know that one of the first reactions, there’s like a multistep process when you first get introduced to the framework. It’s like you have to digest the information. And then I think the first criticism is always my work role doesn’t roll up to one of these 52 work roles. And I know that’s part of the big driving factor behind the creation of that Pivot Tool. But can you touch sort of lightly on that topic? Is the framework intended to be a direct one-to-one match for your organization’s or your own existing role? Or is it more of like a guideline, Leo?
[30:07] LVD: So, it’s a taxonomy. It’s a starting place, right? It gives you something that you can leverage how you see fit. It’s not a prescriptive taxonomy. It’s not you have to do this or it won’t work. I think if we touch on two areas, specialty areas if you’re in private industry. While they’re not hugely adopted, they do allow you to see what private industry might consider like a job family. So risk management, software development. So you can kind of see where certain job families may reside within the framework.
The work roles are really interesting, because every company is going to approach cyber differently depending on the amount of resources they have. Smaller companies may only have ten people, and they’re doing multiple, multiple functions. Larger companies may have dedicated blue teams and red teams and vulnerability assessment teams, and threat analysis teams. So being able to leverage the work roles that speak to your need for your company or your need to develop a certain type of training and being able to select those and then see yourself in the framework helps get rid of the largest complaint I’ve ever heard about the framework, which was it’s a really nice start, but it’s too much, right?
I think those two facets of being able to see yourself in different capacities make it more manageable and more consumable. It kind of takes the massiveness of the fact that there’s so much in the framework and it allows you to kind of pinpoint it a little more accurately to your needs. And I think that’s the real benefit of adding those competencies back in.
[31:57] MS: Yeah. On that note, let’s jump into competencies and talk a little bit about what these are and then why we’ve added them back into the framework. First off, these are being added into the framework soon. Correct, Bill?
[32:17] BN: Yeah, indeed. Last summer when we first showed Rev 2 to the public as a preliminary draft, and where it still sits as a publication, this is our first organization. Four people, Leo, myself, Kevin Sanchez, Cherry and Clarence Williams, two other government colleagues. We sat down and we looked at every knowledge, skill and ability statement in the NICE framework and said where do they map to? Which competency. And it’s like a one-K-to-one-competency model.
So this is a subject matter expert opinion structure. And the groupings that you show here are our opinion of where these competencies sit. And that’s based on having done that mapping, because we remembered when we said this K goes into teaching others, for instance, that the idea behind them all, it has a flavor to it. And so as time goes, this number of groupings or bins could change. Your organization may not want to describe them this way. There’s a flexibility. So 800-16 Rev 2 and the pivot table tool are a first set of opinions from some experts. And we think it’ll open up the Pandora’s box to be able to use this for your own organization.
[33:30] MS: Okay. You said these came from subject matter experts. Tell me a little bit more about that process. There’re quite a few competencies and there’s obviously many more that could have been included, right? I don’t know. Leo, if you want to chime in here too. I’m curious how you landed on what you did and then also how you decided on these four specific groupings.
[33:54] LVD: To be honest with you, when I first started working with the NICE framework, it was pre special pub. So what they called the version 2, which had competency. We early adopted using a version that actually had these. We just took a very simple approach. We leveraged what was in version 2 into a special pub because it allowed it to be backward compatible for anybody that might have adopted pre special pub so that all their work wasn’t lost. So I would say probably 90% of the competencies that you see in the special pub came from the version 2 release. There are a few that we may have contributed here from Chase just because they were maybe a better fit or a better descriptive text for the KSAs that resided in it. That’s kind of how it came.
The four groupings that Bill was talking about, there’s a concept that you could also apply. And it’s not called out in NICE. It’s just something that you may think about. But professional and leadership skills tend to be fairly universally thought of. So there’s always the possibility that while your operational and technical competencies will change, you may take an approach that says, “You know what? I want every role that we developed to have presenting skills, written skills, oral skills represented and maybe they need to have project management or strategic planning in there as well.”
So it allows you to, again, leverage the framework and leverage those competencies, which make it modular to however you want to structure your work role development. Again, that’s the real beauty, is if those competencies make this modular. You can plug and play – My old reference is when I was a kid, it was the Sears Wish Book that came out for Christmas. You dog-ear every page you thought was important for Christmas. Now, it’d be an Amazon wish list. This is kind of like your wish list for developing a work role.
[35:59] MS: That makes a lot of sense. And do you guys find that, just anecdotally, as you’ve been working on 800-16 and the revision to 181. Do people seem to understand competencies more? Does it make it a little bit more digestible and easy to use? Have you found that just working with staff or industry partners?
[36:20] LVD: Industry partners, I can say, I’ve talked to some of our collegiate partners and they have struggled with trying to map everything to a work role, because maybe the work role that they’re mapping to, there are certain things that are covered and it doesn’t necessarily get covered in that training plan, or they’re struggling to map all the KSAs to it. And as soon as you introduce competencies, it’s kind of, again, that penny drops and they’re like, “Oh! I can definitely say this certificate or this learning will encompass information systems network security. It will encompass computer network defense and some other categories.” And I think being able to use those categories really will hopefully speed up the adoption of a common taxonomy approach across the learning industry.
[37:05] BN: Yeah. The fact that we didn’t build any like web tools to make this stuff easier to pull extract from the NICE framework. If you walk up the NICE framework and you grab the spreadsheet and you notice that there are over 2,000 KSA and T task statements in this thing, it starts to feel very like, “Oh my goodness! Where do I begin?” And we try to say you begin with those 52 work roles, which you would describe a job or a position by grabbing more than one work role. People didn’t always see that material as they walked into the spreadsheet, because now you’re not reading and you’re not being guided. When you go shopping on the Internet these days, you’re often guided, “Hey, you looked at this before. Have you thought about this?” We didn’t build those tools in there. So we’re catching up on that now, and it’s hard to measure what in the framework has been the most valuable to everybody.
People love to come to us and say, “Hey, this framework is awesome,” and I’m like, “Okay. What did you do with it?” They’re like, “We now know what cybersecurity work looks like.” I’m like, “What you do with it?” “Oh, it’s great. You have all these things in there,” and like you try to struggle and pull it out. This step of letting people grab another lens into this thing is kind of key, and that’s why we’re excited to move into this space and that’s where competencies will be the framework moving forward.
And you can argue with one of a title of a competency. Great. This one, vulnerability assessment. When you pull up the pivot table tool in a moment, you’ll see which KSAs were mapped to it. If you don’t see one and your subject matter expert says, “Hey, for us, we also need to have somebody who has this skill. Where is that in the framework? Oh, I wonder if that’s under threat analysis. Okay. Let’s go check.” And then you can extract it and then use that to describe the cyber security role that you need to train your team or your individual towards.
[38:42] MS: Excellent. We had Julie ask a question about they need to figure out a way to start at a higher level with the framework and then get down to a more granular level. And I think you guys definitely just answered that question.
What about the nontechnical competencies? Leo, you’re doing some interesting work at JPMorgan Chase to sort of identify transferable skills within the organization. Could you talk a little bit more about that and how the framework might be used to recruit people internally?
[39:18] LVD: Yeah. So, the transferable skills, and it’s not just necessarily like professional skills. What we’re seeing is by leveraging the competencies to develop the roles. It’s allowing you to see what skills interplay between different roles. So if I set up profile A and profile B and the overlap in those profiles, they share six competencies, but the proficiency expectation for that role is slightly different. It allows that employee to say, “Oh! Well, I have the competency of information systems network security. This role also wants me to have that. But when I look at myself against this role, the proficiency expectation for me is to be advanced versus intermediate.” So both the hiring manager and/or the employee know this is kind of that low-hanging fruit that I could work on to build myself to that role.
The other real benefit is what’s the net new learn for me to go from one role to another? What is going to be the big lift for me to go into this role? And I think that story it’s something that we’re leveraging learning plans for. If we understand what each role has and how they differ from each other, we can ensure that when we develop these learning plans that not only are we addressing the critical skills for the people that are in the role, but that it also has facets of learning that will allow them to come in, a new employee to come in and check themselves against that role.
I always refer to it as kind of cyber curation cyber framework. But if you’re curious about a role and it has a learning plan that’s associated to it, you can take some of the courses that are in there and say, “I thought I was interested in this role. I took some of the training. It doesn’t really speak to me.” It really opens up the curiosity factor for your employees to go and look at themselves in other roles and play with the learning plans that are for those roles and determine, “Is this something that I want to go to?” And then they have their speaking points when they talk to the managers, and the managers, if they choose to share that data with the hiring manager, they also can look at this is where the employee stands. We understand what the quick lift is and we understand what the larger lift is from a learning perspective.
But it shows how your skillset is transferable in any role. That is, I think, the brilliance of this approach is it allows people to answer that question. What does it take for me to move to a new role, which is as old as I am? That was harder back in my day.
[42:12] MS: And that has application outside of the IT and security department, right? That’s not just for people in the field now. It’s also for maybe accountants or business managers who are looking to just really change things up.
[42:26] BN: I think if their role is being collected in a similar fashion where they’re using a common taxonomy approach and you can absorb that data into something that’s using this framework, absolutely, right? Using larger different roles is absolutely something that you can do. And I did find that when we were using this, we were actually able to cover almost all of our technology job families. So it wasn’t just our cyber roles. It was our architects, our engineers, our software developers. Project managers were able to be done program managers. So we were able to cover about 50,000 employees and using a common taxonomy to describe their roles.
Now moving that forward to everything that might be covered by Chase for every possible position, that’s going to require a larger lift, right? That will require us to take this taxonomy, put it into a more custom created taxonomy, because not everything that we do at Chase would be covered by this, right? The retailer effect wouldn’t be, our investment piece wouldn’t be. But it gives us a blueprint to say, “Can we take this further?” Your concept is definitely pliable. It’s just going to require something larger than NICE to get to that full scale approach.
[43:52] MS: Okay. Well, we have talked a lot about this Pivot Tool, Leo. I’d like to demo this in front of the attendee so they can kind of see how it works. So let me get this open and I’ll give control over to you, Leo, so you can walk people through how this tool actually can be used by them. One second. Right. You should be good.
[44:18] LVD: Okay. Give me one second. And this is just a basic Pivot Tool. I mean, Bill is a really nice guy, and he tells me, you know, “You’re excellent at Excel.” It’s a basic pivot, but there’s a lot of power to it. So we had kind of spoken a couple times. It allows you to see what you believe a work role within an organization or a work role that you want to develop learning for could look like. The key thing here is this tells you what the competencies may be, what the KSAs may be. Bill has already referenced it. You need to engage subject matter experts, because if you really want the power to this, you will have to establish your proficiencies and determine how many grades you’re going to create profiles for and then nuances between those. But this is a great starting point for having that discussion with your subject matter experts.
I’ll give you an example. So we’ll just go in and we’ll look at the different work roles. So all the work roles are represented in the tool. For our example, we’ll just say company A, our cyber defense group, is a mix of an analyst. They do some forensics work and they also do incident response. What we’re thinking right now is that this work role that we’re trying to create is a blend of these three based on just our understanding of the nature of our work role. So we can click on OK.
And what you’ll notice what it does right now is it’s showing us these are the competencies that are most related to those three work roles and it tells you how many KSAs are in there. At a glance, without even looking at the KSAs, you could say, “Oh! You know what? These are the competencies that we’re going to focus on. Maybe we’re going to look at vulnerability assessment, computer forensics, computer network defense, threat analysis.” Then you could say – You could pick the ones based on this list that most resonate with your needs in your company or your needs for the development of the learning that you want to go with. And if you want to go a level deeper, the nice thing is you can grab the KSAs and you can add them in. And now when I look at vulnerability assessment, it’s telling me these first four KSAs are shared by all three of those work roles. These are shared by two of those work roles. It’s showing you in those work roles that you selected, for vulnerability assessment, which is the competency.
Here are the KSAs that are really resonating in those work roles. And you could go with the most effective, the most used KSAs, or you might see some other ones that you think resonate. Like maybe you want them to have skill in using protocol analyzers or packet level analysis. But it shows you, based on those work roles that you are interested in, the competencies and the KSAs that really resonate for those work roles. This again allows you to be very modular and leverage the framework the way that you want it to be. It simplifies it so that you can see it under the lens of what you need. This is a really simple example.
I know I had also spoken where the specialty areas kind of resonate as a job family in private and private industry. So another thing that you could do is you could say, “Oh! I want to look at the framework,” and I really think that we’re focusing on the cyber investigation side and our organization as well as the cyber defense analyst. Our job family of cyber defense would be these two special tiers.
Again, I can select them. It automatically shows me, again, at the top the top competencies that relate. Again, it will show you the KSAs that have the most impact in those specialty areas. So it allows you to – You can look at it at a higher level, or the work role level. I really think the work role level resonates with more people, because they can see themselves in the work roles easier. But like I said, specialty areas do sometimes resonate as a job family within a private industry. So you can also use those to refine and see yourself in there.
Really, the gist of it is it really simplifies the framework to allow you to see what’s interesting to you. And that is important. When we were talking about creating a learning plan, if you went to your learning team and you said, “Oh! We’re going to develop vulnerabilities and assessment,” and you had the KSAs. That’s almost like your talking points now for that learning team engagement. And then if your subject matter experts say, “Well, for vulnerability assessment for this role, we want pay grade 1 to be beginner, pay grade 2 to be intermediate, pay grade 3 to be intermediate.” Now you’re also layering on the proficiency expectation for the development of that competency and the subsequent KSAs. Again, it standardizes your conversation and it makes it much more efficient to work with your learning team.
[49:37] MS: We had a couple questions come in about the framework or about this tool. One is, is this tool available to the public?
[49:49] LVD: Yes. It’s on this website.
[49:53] BN: Yeah. The same website you just offered out.
[49:53] LVD: Bill can provide the link.
[49:54] BN: Yup. The link has just been provided. Yeah, that’s where you’ll find a Pivot Table Tool. It’s also on the domain actual current framework page that has a PDF of the NICE framework as a spreadsheet that’s a reference resource of that PDF. And then the Pivot Table Tool all sit next to each other in our framework resource center.
[50:13] MS: Excellent. Thank you. Bill, we had a question come in. Well, actually, before I jump into that, if anyone logging on to the webinar now has questions about specific use cases for this tool, feel free to drop those in the chat. Leo is here, as Bill likes to say, the spreadsheet master. So I’m sure he can answer those questions for you if you have them. But, Bill, we had a question about how often the framework is updated. And I think it’s super relevant, right? Things change daily in cyber security, and technology is constantly changing. So walk us through what that update process and cycle looks like.
[50:46] BN: Well, we actually are in the middle of one. It’s always a bit of a moving target when you have a live document, and that everything that’s related around it is a snapshot in time of, “Hey, we mapped to these competencies, the KSAs.” Those KSAs are in today’s framework. Tomorrow’s framework may have more KSAs. In fact, it should, and have more task statements. It should be able to ingest anything that we think you need to do in cybersecurity work if somebody believes that’s work that’s important to be done.
Time-wise, we started last November asking requests for comments. We wanted to know what people liked about the current structure and what they’d like to see. Again, kind of the question of how are you using it and where has it been valuable and where has it missed the mark? And we aim in mid-July to actually put out a new revision. And I’ll tell you that revision won’t be a bunch of changes to the KSAs or Ts at this point. It will be a tightening of the description of the framework. It will start to set up the relationships in a more consistent way so that as more people try to use these things, we can get this data into useable tools, things that will hold on to all these knowledge, skill and ability statements in a way that lets you extract them better and faster.
In July, we’ll give you a draft for public comment so people can come and argue with and say, “Hey, you’ve changed something we don’t like, or tell us you really like the new look and description of cybersecurity work that the NICE framework offers.” We’ll tip off what happens next as sort of a phase two with improvements on the KSAs and tasks and the addition of more of them. It’ll give you a chance to argue with the first set of sixty competencies that we mapped to here in this Pivot Table tool.
And we kind of picture that every two to three years, there should be some, “How’s this thing going?” And once we build a better data structure for the KSAs than a spreadsheet, and the task statements, and the work roles, and these competencies, once we have kind of an interrelated set of data that other tools can consume, then I think we’ll start to see the gaps and we’ll be able to measure the gaps based on other things you’re being asked to do in cybersecurity. Not just the workforce angles, but what’s the risk reduction angles? What are the things that move on into this space? We’re going to improve it to make sure that people who do industrial control and operational technology and building management’s and all these things that happen now with tools that are interconnected to Cyberspace, that they feel that the knowledge skill and abilities and tasks are for them too. That it’s not just designed for the office space with desktop computers, laptops and mobile devices being managed by an organization. That it really goes out to the gas pipelines and into the advanced manufacturing of our nation over.
[53:27] MS: I think that’s a great point, right? This tool only works if it kind of works for everyone, right? That means that public comment, that collaboration between you guys over at NICE and NIST and also private-public enterprises are all kind of working together on it to make sure it’s a usable thing.
We had a really specific comment about if post-quantum security skills will be added to the taxonomy. I don’t know if you can answer that one right now though, but what –
[53:55] BN: I’m in danger of taking too much time to answer it. AI, machine learning and quantum information science, those are areas that somebody – It has been saying in legislation and other places, “We need to have a workforce framework for those,” and they come to the NICE framework and say, “Is it a good model to follow?” And we think that KSAs and tasks and bundling them into work roles and competencies, then those two models will always give you a good lens into the kind of things you need your workforce to perform.
Adding skill statements, adding task statements for quantum information sciences is going to be vital. Privacy is a concept. We want to have that in its own framework or as an overlap between privacy and cybersecurity. And probably we’ll focus on that overlap space first as we move forward. So, yes, and yes, and yes.
[54:39] MS: Okay. And a couple of related questions around, is the framework currently being used or implemented across multiple government entities? And then a similar question for, is it being used for government and military roles and positions?
[54:52] BN: Yes and yes. There’s a federal interagency working group that’s building career paths using the NICE framework. They’re starting at a role level and asking what other work roles are you most likely to perform or be able to move into as your career advances? Yes, that’s a group, and the NICE framework is the first place to reference in that construct. So looking at this kind of table here, what training, education and experience would allow you to move around in work roles is a conversation being held.
And then the defense cyber security workforce framework is the foundation that makes the NICE framework. And so as we push the NICE framework from a NIST perspective out to the broader nation, the DOD is certainly doing that too. Those two frameworks are related and the same concepts of KSAs and tasks and work roles, they are 99% the same and trying to keep them aligned in a useful way for both organizations is vital as we move forward. Yeah, we do collaborate, and that’s our goal. Over.
[55:49] MS: Okay. I want to shift gears. I know we’re running out of time here. Just to talk a little bit about how training, education, and experience, and proficiency levels are all part of the framework too. What I really love about this slide is it sort of shows the need for cybersecurity education across the entire organization. That’s what we do at Infosec, and we know security, if people aren’t aware of that, that creates larger problems for everyone regardless of what title that you do maintain.
Bill, as far as organization, how does the framework fit into the different areas of how an enterprise might be structured? Like does it help inform different silos? You make better decisions around training and education? How might someone interpret this graphic to guide like how they can support people in the roles that they do assign?
[56:40] BN: It’s a loaded question. And we’re always trying to find good examples of it. The framework is meant to overlay on existing structures. When we build a picture that says, “Hey, the notion of there are training things that could help you become a beginner or entry level person in a work role.” There’s also training that can help you become an advanced person. And at an organizational level, that kind of relies on what technology and tools you’re responsible for running. What’s your mission space? And then, obviously, experience and education. There’s been a large emphasis on education for too long.
Yesterday or a day before, there was an executive order from the White House that said, “By the way, we really need to push that it doesn’t always require a college degree to do work in cybersecurity. So let’s really work that out,” and apprenticeships are growing in our nation. So the fact that there are just three listed here is just this is the most basic simple image to say, “Yes, education matters, but it doesn’t have to be the only way you can advance and become an advanced person in a work role, an immediate person in a work role.”
There’s a lot of reliance on this overlay and building tools to make the people who are already focused on training want to come to the NICE framework. And if we make it too hard to use, they won’t.
But as more people use it, we have more proof that there’s value here. And we’re surprisingly still showing that value to folks, and this Pivot Table Tool I think lets people get there faster.
[58:08] MS: Okay. Leo, what’s your perspective on the balance between training, education experience? All the different ways someone can ready for a work role and then advance their proficiency? Curious how you value one over the other, or same, or how you’re measuring that.
[58:27] LVD: I don’t think they’re the same. I mean, there’s so many 2010 model, which is out there for development. Obviously, most of your true development comes from experience. So it’s on-the-job. What we’re trying to focus on is how can we be more efficient in our training and education when we bring somebody into the company? So how can we use this to determine, “Okay. These are the core things that we want to develop when we onboard somebody. This is what we want to train somebody on for this particular discipline or this particular work role. These are the educational requirements that might be nice to have. So maybe we want you to have these certs or we want you to take this particular training on our range event or our range system.”
And then the experience, it goes to better understanding our human capital and mentoring. So being able to see where people are above expectation in certain areas and allowing them to collaborate and mentor people that want to develop in that area or using them to be part of special projects. That’s where I really see the value, is the taxonomy is allowing us to evolve those columns and customize them to the needs of the particular business unit or a particular job family and/or a particular work role. By collecting data about the employees and looking at the gaps, it allows us to be much more targeted and much more efficient when we develop these programs or these experiences for our employees.
[01:00:09] MS: And we had a question come up, and I don’t know if you can answer this directly. But, Leo, is this something that one could use in recruiting to sort of help with that process?
[01:00:22] LVD: I think as more people start using the NICE framework or they start using a common taxonomy approach to describing work, it is absolutely a valuable tool in recruiting. So say we were – This is just a hypothesis. But say we are going to a workforce event and we were going to recruit for six different work roles. If we understand what skills overlap all six of those work roles as we review and interview candidates, we could say, “You know what? We might not think you have all the skills for this particular blue team role, but your experience and our interview with you think you’d be a really good candidate for these other roles.” It will allow you to show people based on their skills other opportunities.
Another way that it could be done is you could actually set up an on-net experience that says, “Hey, go in and take these modules. Maybe it’s a 5, 10-minute module,” and you can assess them in an on-hands type way and then extrapolate the data from that and then say, “We think you should go see these hiring managers.”
There’s a lot of really interesting concepts that you can apply. A lot of these are just that they’re just concepts where we’re working through, “Hey, what are the ramifications if you do something like this?” But there’s a lot of potential in hiring and being able to just say, “We think you’re a match for other roles,” versus just saying, “You’re not a fit for this,” right? Because you get a lot of candidates that come in that are really good. But they’re just not right for that particular role. But if you can give them other opportunities, you don’t lose that resource.
[01:02:03] CS: I hope you enjoyed today’s webinar episode. Just as a reminder, many of our podcasts including today specifically can contain video components, and in some cases feature walkthroughs or demonstrations that need to be watched as well as heard. These can all be found on our YouTube page. Just go to youtube.com and type in the words Cyber Work with Infosec. Check out our collection of tutorials, interviews and other webinars. And as ever, you can search Cyber Work with Infosec in your podcast app of choice for more of these episodes. And as always, we would appreciate a five-star rating and review if you wouldn’t mind.
For a limited time, the Cyber Work podcast is offering listeners one free month of our Infosec Skills learning platform. To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the episode description. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, no spaces, no capital letters, cyberwork, and use it to claim one free month of our skills platform.
Thank you once again to Leo Van Duyn, Bill Newhouse and Megan Sawle, and thank you all for listening. We’ll speak to you next week.