[00:00:00] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work will be releasing a new episode every single day. In these dozen episodes, we’ll discuss hiring best practices, team development, career strategies, security awareness essentials, the importance of storytelling in cybersecurity and answer some questions from actual cybersecurity professionals and newcomers.
For our second episode entitled Close Your Skills Gap: Putting the NICE Workforce Framework for Cybersecurity to Work, we’ll hear from Danielle Santos, program manager at the National Initiative for Cybersecurity Education, or NICE; and Leo Van Duyn, cybersecurity and technology workforce development strategy at J.P. Morgan Chase. Danielle and Leo explain how to provide targeted role-based training based on knowledge, skills and competencies and guide you step-by-step through creating custom role profiles to match your organization’s specific cybersecurity needs.
We hope you enjoy this 30-minute discussion between Danielle and Leo, with moderator Megan Sawle. And if you want to learn cybersecurity, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills, which is aligned to the work roles, knowledge and skill statements in the NICE Workforce Framework. So be sure to use the code cyberwork when signing up. Details are in the episode description below. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel. And now, let’s start the show.
[00:01:31] MS: So as someone relatively new to the industry, the NICE framework was such a welcome resource for me personally. It helped me better understand the types of work security pros do, and of course the expertise they need to be effective in those roles. And I was also surprised to see like how much the work roles can actually overlap with each other, and it really helps you see sort of those common threads between like a whole body of a workforce. It makes it a lot easier to conceptualize how organizations might scale their teams, and of course how practitioners can transition from one role into the next.
So Danielle, before we jump in to how organizations can actually put this framework into practice, I was hoping you could tell us all a little bit more about the goals of the framework. So what challenges is NICE trying to solve for the cybersecurity community?
[00:02:22] DS: Sure, and thanks for having me today, Megan. So at its core, the NICE framework provides a common language to describe cybersecurity work. It helps organizations in recruiting, developing and retaining their cybersecurity workforce, but it also helps learners. And when we talk about learners, we’re kind of referring to anyone who’s in that learning life cycle, whether it be students, or job seekers, or even current employees. And it’s meant to help learners kind of explore the realm of cybersecurity and start looking at what kinds of skills they need to develop.
To address some of the cybersecurity community challenges, I’ll maybe answer that by going over the attributes of the NICE framework. There are four attributes. The first being agility, and we’re all very familiar with the ever-changing ecosystem of cybersecurity. Every day there’s a new threat, vulnerability or tool introduced. And so the framework really takes an agile approach in that it creates these building blocks that can be flexible enough to address that ever-changing ecosystem, and that’s actually the second attribute, is flexibility. Depending on an organization’s size, scope, what sector they’re in, their workforces are going to differ pretty severely from organization to organization. So again, that building block approach for the NICE framework helps with that flexibility for the end user.
The last two attributes are interoperability and modularity. So again, that building block approach really tries to start defining some common terms that can be used across multiple workforces, across different users and learners, to create that base for what then can be built and customized, as we’ll get into a little bit, for the various different organizations and their workforce needs. So really what it comes down to is the NICE framework tries to simplify the communication and provide focus for how cybersecurity work is described and presented.
[00:04:47] MS: Thanks, Danielle. And Leo, as part of that cybersecurity community, I’d love to hear your thoughts on the framework and how you’ve actually put it into use at J.P. Morgan Chase. Have you always used the framework to guide your training plans and job descriptions, or were there other tools in the past? Tell us your history and how you’ve used the framework.
[00:05:10] LVD: The NICE framework is relatively new. Taking a common taxonomy approach to understanding your human capital is a unique idea. So we’ve only been doing it for about a year, a year and a half, but things that we really kind of liked about the framework is that it gave you a good starting point for understanding what was needed in particular roles within cybersecurity. What that allowed us to do was then expand upon that and describe the different functions that we had within our organization and align them with the expectations for that particular role. By doing that, we were then able to collect employee data to better understand where they fit within their current position.
Once we have that profile, it really then allows you to start doing a gap analysis as to where people are proficient within their current job function and where they need assistance or development efforts. It’s a really unique way of looking at data to start coming up with different learning plans and projecting your learning budgets for your organization, whether it’s a particular business unit or it’s an entire company. So it really gives you a unique data-driven perspective about understanding your human capital.
[00:06:29] MS: Excellent. And so I think this is my first impression of the NICE framework is it seemed really complex, right? But once you understand sort of the components of that framework, it’s really thorough. And Danielle, as you mentioned, a very flexible, very modular workforce planning tool. So at the simplest level, the framework consists of task, knowledge and skill statements, work roles and competencies. So, Danielle, what is the difference between task, knowledge and skills?
[00:06:57] DS: So, recently, one of the coauthors of the NICE framework has come up with this great graphic we see here. On the right hand side, we have knowledge and skill. And knowledge and skill statements are probably the lowest level building block. They’re the start. And this is what describes the learner, again, that student, job seeker, employee. And describing the learner, we have knowledge, which we define as a retrievable set of concepts within memory. So think knowledge of penetration testing, tools and techniques.
In addition to knowledge, we have skills, and skills are the capacity to perform an observable action. So think a skill in using social engineering techniques. Together, these knowledge and skills make up tasks, which are seen on the left side. And when we get into tasks is where we start really describing the work being done instead of the learner, the person doing the work. Tasks are activities directed at achieving an outcome, or an objective. This is what the employer, the workforce managers will build depending on the needs and objectives for their organization. So think here we’ll need to prepare an audit report. That includes identifying findings and presenting recommendations. So together, knowledge and skills build tasks, which then get into work roles. And work roles will describe the work being done. It’s important to know here that the work roles aren’t job titles, but rather can be fed into or can be combined to create job functions, job roles. And I think Leo can probably describe that a little better than I can, as he’s actually been able to do that.
[00:09:11] MS: Yeah, absolutely. Let’s actually go ahead and skip ahead a little bit in the presentation to talk about this concept of like competencies versus work roles. And so, Leo, there’s a common issue with the framework. It’s not really an issue, but it’s a misconception, that the 52 work roles in the framework are the 52 job titles of the cybersecurity industry, right? Of course, what we know is it’s not necessarily the case.
Leo, tell us more about how you’ve used sort of the building blocks, right? Those knowledge and skill statements at J.P. Morgan Chase to make it work for your own organization.
[00:09:47] LVD: Right. So when we adapted the NICE framework in our original attempt, it was actually prior to the work roles coming out. So what we had were the competencies and the KSs. So what that allowed us to do was it allowed us to look at logical modular parts that made sense for a role. So for our organization, we partnered really heavily with our subject matter experts in those disciplines to determine which areas were the most effective to be covered in a work role.
Now, with the evolution of the work roles or the anthology that NICE has embedded into the framework, it now allows other organizations that might not have that depth that we have to also look at the work roles and determine the work that we’re doing here might be a combination of these. And then they can look at those roles in comparison and do the same thing. They look at the competencies and the K and the S statements that relate to them or are used in multiple facets within that set of work roles that they’re looking at and determine which ones are going to be most effective for describing their work.
And that’s really the strength of the framework, is the ability to manipulate it until you see the use case that describes what you’re trying to accomplish. The competencies are great pivot points. They’re good anchor points into learning systems, into certifications, into your work role. So they allow you a good way to pivot from one resource to another while still maintaining interconnectivity between systems.
[00:11:21] MS: So, Danielle, competencies are new. And the framework as Leo and yourself have alluded to is undergoing some changes right now. So can you tell me more about why competencies were actually added in to the latest revision?
[00:11:35] DS: Yeah. So based on feedback I guess is the easy answer of why we started including them. But competencies really help show how the NICE framework can be used for the learners. We discussed the tasks really describe the work being done. Therefore, work roles describe the work being done. But competencies describe the learner. It allows the learner to be able to succinctly communicate and effectively demonstrate the requisite knowledge and skills that they have to be able to perform work.
So it enables the learner to demonstrate in themselves how they match up to a work role. It also helps with the development of materials for the learners. If we’re talking about education materials, curriculum training, competencies can be aligned to that and help develop to make sure that the person is prepared for the work.
[00:12:53] MS: Okay. And you mentioned that these were added based off of feedback. Can you give some context around that? How does NICE work with other organizations or employers to adapt the framework over time?
[00:13:07] DS: Sure. As Leo mentioned, the framework itself is fairly new. It was published back in 2017 as a special publication. But before that, it had been around. It was kind of born out of a government interagency group. But pretty quickly we realized that it wasn’t just government that has a cybersecurity workforce. It’s industry as well and academia, preparing the people who are not just academia, but training providers as well preparing the people to fill those roles.
So we brought in subject matter experts from academia, industry and government to start looking at how this needs to be developed. Again, published in 2017, and maybe two years ago now we decided it’s time to update it again and figure out how we’re going to regularly keep this updated. So what NIST does in all of its publications is go through a public comment process. So through subject matter experts, we kind of drafted a revision, put together what we thought was the good next revision and step for this framework. To do that, we did open up a request for information from the public to get that feedback to tell us where should we go?
This summer we actually put out the draft for public comments again to get feedback from the public on does this look right? Is it meeting your needs? Are we going way off in a direction that we shouldn’t be? Or does this look good and it supports what you’re doing? And so after getting that feedback, we kind of finalized and put it back up there. And in another few years we’ll do it all again just to make sure we’re keeping it updated.
One of the big things we did during this most recent update is we actually removed both the lists of work roles, knowledge statements, skill statements. We removed that from the formal publication of the document for a couple of reasons. One being with them in the document, the document becomes 80 pages, and no one wants to read an 80-page document. So by removing them, we’re able to downsize into less than 20 pages. So it’s more approachable. And two, it allows us to be able to update those knowledge skills, work roles, competencies. We can update them more frequently. Because they’re separate from the formal publication, we can have them as living documents. We can create a separate process for how we add new ones when new ones are needed or adjust existing ones if they’re really not meeting the needs of the users. So with this most recent update, we are looking at different ways we can keep it up-to-date again to that agility attribute I mentioned earlier.
[00:16:11] MS: Yeah, that’s excellent. And I know Leo is someone who’s a very early adopter of the framework, putting it into place at your own organization. I was curious if you could shed some light on the topic of competencies, right? These are new. They might be unfamiliar to people. And there’re actually four groupings. So technical, operational, professional and leadership. And there’s a wide mix, right? Some of those categories might be surprising to people who have been more deeply embedded in the technical side of cybersecurity. So can you shed some light on how those were selected and how you use them at J.P. Morgan Chase?
[00:16:47] LVD: So the higher level groupings just came out as part of a working group that I was involved in with NICE, and it just made sense to kind of structure them in these four categories, because as we were doing knowledge and skill statement review and we were reintroducing possible competencies back into the actual framework, we noticed that a lot of businesses could look at the framework outside of just true cybersecurity roles. There’re a lot of implications in the framework. They can be utilized for other technical roles as well as some of the more soft or managerial roles. And the work roles that are in the framework also show that. So by showing that they’re professional skills, that they’re organizational skills, it allows you to see other use cases for work. And I think that was really kind of the strength of this higher level group and it kind of simplifies, “Oh, I’m looking for purely technical things. So I’m going to look here. I’m looking for the soft skills. I’m going to look under professional.” And it just helps simplify a lot of data for people to consume at a little easier spread.
[00:17:56] MS: Okay. Excellent. And so now that we’re kind of all caught up on what the framework actually is, changes in the last revision, I wanted to talk about how organizations can actually use this resource to structure their own cybersecurity roles and teams. So, Leo, to kind of build on what you just said, tell me more about how you’ve actually used the NICE framework at J.P. Morgan Chase. And we will of course demo. Leo has built a pivot tool table that he personally uses himself to build out custom roles. But specifically on that topic, Leo, when do you make the call whether you should use one of the existing 52 work roles in the framework or sort of build out your own?
[00:18:40] LVD: I think you can play with it in a couple of different ways. You can obviously investigate numerous work roles together and see if they form the position that you have in mind, or you can kind of do what I always refer to as the Amazon wish list effect, where you could consult with your subject matter experts, which you would do in either use case, and determine which competencies are most relevant. And then just explore the Ks and the Ss that you want to have included in those work roles. So there is a lot of flexibility. The consultation process with your subject matter experts is extremely important.
But if you’re trying to develop use cases and understanding whether or not it applies to you, being able to look at it from a combination of work roles or a combination of specific competencies that you find are interesting towards that work role that you’re trying to define. It’s a very streamlined process for kind of understanding what the framework can provide you. And for larger organizations like Chase, the framework is just one subset of a larger human capital taxonomy, because we do more than just cybersecurity, but the approach is attractive enough to try and push out through other technology roles as well as other roles within the company. Because at the end of the day, if you create roles that use a common taxonomy approach and you establish your baselines for proficiency expectations and gather your employee input, then that allows for a lot of creative and interesting ways to deal with that data. One is how do you create learning plans based on that data? Can you use it to express mobility options to your employees based on their profile? Those two things right there are extremely interesting to companies as they try and keep employees around and have them have second, third and fourth careers within the company so that they can continue to develop and continue educating themselves. And then once you have those profiles established as well, as I previously mentioned, you can use that to start informing your learning strategy goals for particular roles or even an organization if you need to.
[00:20:56] MS: Okay. And Danielle, based off of what you’ve seen and the conversations you’ve had, are most organizations using one of the existing work roles? Tell me more. Like how much customization are you seeing out there?
[00:21:09] DS: So all anecdotal, of course, but I think most people try to start with the work roles as is, because again they’re there, they’re defined, the easy starting place. But I think as organizations start to really implement it, they’ll start seeing gaps. Again, depending on size, scope, sector that they’re in, Leo in the financial sector is going to see things differently from someone in energy working with more operational technology needs and security. I think people use the existing ones as a start, when they’re getting started, and then kind of figure things out. And that’s really what the framework is meant to be. It’s meant to be that general reference and place to start figuring out how to talk about cybersecurity work, knowing that they’ll need to be adjusted.
I think in academia specifically with formal education programs who are looking at the framework to align their curriculum to, I think that’s where I’ve seen more of – I haven’t seen much of those kinds of groups using custom roles. I’ve seen most of them. They’ll take what’s there and align their planning to what’s already there, because it is so hard to plan depending on where your students are going to go. It’s hard to plan for that customization. So having that kind of broader, more generic set is a better start for them.
[00:22:56] MS: Oh, that makes so much sense. Even people just trying to jump into the industry for the first time, right? It’s a nice jumping off point. So, Leo, many of our clients are aligning their existing team roles to the framework. It’s actually a conversation we have a lot here at Infosec. We’re trying to align our content to the same. So it’s to sort of bridge that gap. Of course it’s not – As we just discussed, it’s not always a one-to-one fit role. And we commonly have requests around customized sort of SOC analyst roles with sort of the following KSs, or KSCs, or competencies.
So what those are, are like cyber defense infrastructure, cyber defense analysis, cyber defense incident responders. So we have about 10 minutes left, and I would love to use this time to have you show our audience how you would actually use your pivot table tool to build out a custom role with these identified areas that we want to focus on. So I’m going to pass the screen control over to you. Give me one moment. And Leo, I’ll let you take it from here.
[00:23:59] LVD: Perfect. Thank you very much. So what I’ve done currently in the pivot tool is I’ve already selected the work roles that you had identified. So now what we can do, they’re selected, is we can go over to the pivot table field and we can grab – First and foremost, let’s just look at the competencies and see what competencies are shared within those roles. So right now we have these competencies listed here. One of the other things that I like to do is I like to kind of get an idea of how many KSAs are in this competency. So I’ll grab the KSA and put it under values. So the data is kind of disorganized. What I’ll do is I’ll go ahead and sort it highest to smallest. There we go. So you can see just at a quick glance here are the top five competencies that are related to the roles that we selected. So from a talking point perspective, if you wanted to, just looking at this data without even looking at the knowledge and skills that are underneath them, you could go back to your subject matter experts and give them maybe your top 15 competencies and say, “Which ones of these resonate to you from these roles?” And they may come back and say, “You know, because we’re a smaller shop, some of the forensics and computer languages, we want to have those involved in these as well.” But it gives you a nice starting point to say, “Oh! These might be the interesting competencies that we’re going to investigate.”
Now, if you want to get a deeper look into those, you’re more than welcome to take the KSAs and drop those underneath your competencies. Again, I’m going to reorganize the data. So I’ll click in here and I will do my sort from largest to smallest. And now as I’m investigating the competency and vulnerability assessment, I see that these are probably the most utilized based on the data, knowledge and skill statements that are in that competency. So now if you’re trying to create a very detailed role profile that describes cyber work within your institution and you didn’t want to just say, “This role constitutes these competencies.” You can now give your employees a little more data and say, “We expect you to have knowledge in these areas or skill in these areas.” And that is extremely empowering to an employee.
It’s also beneficial in regards to your ability to shape learning plans. So as you’re developing this and as you set your proficiency levels for your pay grades or for the particular position and you begin collecting data again from your human capital, you could then go back to your learning teams, or you could even go back to a university and say, “We’ve identified that we need help in something that will allow us to have more knowledge or more skill in these areas for these competencies.”
So it starts to become a nice blueprint for you to deal with your learning organizations, to set the objectives, to upskill your organization, and as well as better understand the objectives of a particular competency and a role. So it really starts demystifying what cyber means in an organization. And if you look at another level down, if you’re trying to transition from one role to another, if I could look at that role and say, “Oh, I need to understand vulnerability assessment, and here are the knowledge and skill statements that I need to be aware of and have skill in, and this is the proficiency expectation for the role,” you can then take that information and determine, “Oh! As an employee, this is what I want to start adding to my individual learning plan for career development.” And not only can you have plans that deal with what you do when you’re in a function. As an employee, you can start understanding what it takes to move from one career to another. And that’s really useful for the employee, because it really empowers them to take advantage of the resources that the company tries to provide in regards to learning.
So all that comes from just a better understanding of what roles are we interested in. How do those roles correlate? Within those roles, what competencies are most useful for us as an organization? And it doesn’t have to be all. It can be some. And then what statements, if you want to, are we going to apply to that particular role? And from there, the data-driven possibilities and the information that you can serve back to your employees to better self-serve them and better develop them is almost boundless.
The other thing that you can do is from an organizational and a managerial standpoint, you now understand better where your resources are. So where do I have people with certain strengths in vulnerability assessment? Where can I set up mentoring relationships? Where can I have people come in for special projects? So there’re a lot of unique possibilities that occur just by using this framework to start describing your work in cyber and then allowing people to tell you where they are in relationship to the expectations of the role.
[00:29:14] MS: That’s awesome. And I think Danielle just serves to show the point of how flexible the framework can be if you’re willing to map your job descriptions to those knowledge and skills and competency areas. So, Leo, thank you for walking us through how the framework can be applied to really any organization regardless of their current job descriptions or their current team structure. And I encourage everyone on the call today to download that tool and try out the approach Leo shared today. I tried it earlier. If I can do it, you can do it too. And Danielle, before we close and head into the ask us anything Q&A where people can go and learn more about the NICE framework and of course download all the resources we discussed today, anything else you’d like to add about where they can maybe get those later on? Is that something from the NICE website or –
[00:30:04] DS: Yeah, sure. So we have a NICE framework resource center. It’s at nist.gov/nice/framework. I believe it was linked earlier in the slide. So folks are welcome to grab that link. And on that resource center, we’ll have the current version of the framework including this lovely pivot tool. It’s downloadable as an Excel file. So anyone can take it and run with it, which we highly encourage. There are also a whole host of other resources we are starting to try to build out to help people understand the pathways piece, the position description development piece. All sorts of extra kind of supplemental tools and programs or resources that people can use. So I highly encourage folks to check out that nist.gov/nice/framework site.
[00:31:00] CS: Thanks for checking out Close Your Skills Gap with Danielle Santos and Leo Van Duyn. Join us tomorrow for the results of our first ask us anything panel with guests Karl Sharman of Stott and May, Leo Van Duyn again of J.P. Morgan Chase, and Danielle Santos of NICE once again. You can hear their answers to questions about developing security talent and teams, which was recorded live on September 22nd, 2020.
Cyber Work with Infosec is produced weekly by Infosec and is aimed at cybersecurity professionals and those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and all popular podcast platforms. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, small letters, and you can get a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.
Thanks again for listening and we will see you back here tomorrow for more Cyber Work.