The NIST NICE Framework: How to improve cybersecurity role clarity and recruiting
500,000.
It's a number all too familiar to those involved in cybersecurity hiring, one that grows year after year.
What does it represent? It's the current number of projected unfilled cybersecurity jobs in the United States, a figure that is only going to continue to grow as businesses continue to feel the direct impact of ransomware, cyberattacks and data breaches.
While some organizations may resign themselves to the fact that they may have to face this Sisyphean task alone, others are beginning to take a new approach: following the NIST NICE Workforce Framework for Cybersecurity.
So what is the NICE Workforce Framework, and what could implementing it mean for your organization's hiring and employee development efforts?
To help explain more about how to implement the NICE Workforce Framework and share his thoughts on best practices and lessons learned, Infosec sat down with Slim Beamon, Dean of CyberEDGE Academy and Senior Cybersecurity Program Manager at Leidos in a recent Infosec Inspire Session.
Phishing simulations & training
What is the NICE Framework?
Also known as the National Initiative for Cybersecurity Education (NICE), which is led by the National Institute of Standards and Technology (NIST), the Framework was the result of a government, private sector and academic partnership to help promote cybersecurity education, training and workforce development.
More of a reference structure than regulation or program of its own, the NICE Framework helps organizations to standardize and define cybersecurity roles based on the knowledge areas, skills, and abilities that comprise them.
Defined in the NIST Special Publication 800-181, the NICE Framework breaks cybersecurity roles into what they call "building blocks that describe the work to be done (in the form of Tasks) and what is required to perform that work (through Knowledge and Skills)." In other words, as the Publication describes, Task statements describe the work, while Knowledge and Skill (K&S) statements describe the learner.
Based on these building blocks, the NICE Framework has identified 52 cybersecurity work roles, each with its own detailed description of the knowledge, skill, and task statements that make them up. These work roles and their descriptions can be implemented by organizations or modified as needed.
"The beauty of the NIST NICE work role framework is that it is adaptable. And we have been able to create the Leidos cyber work roles that fit our mission across all of our groups," notes Beamon.
What does a NICE Framework implementation look like?
While every organization can use the NICE Framework in its own way, Beamon and the cyber workforce development team at Leidos have used the work roles that fit their mission across their groups, adapting them when they need to and utilizing the descriptions as a starting point.
In doing so, organizations of all sizes and industries can have a more concrete understanding of their cyber professionals' work and the skills they need to recruit and retain.
"We all have a common understanding of what [each cyber work role] means to each other and the types of individuals that we're going to need in order to do the mission," notes Beamon, "It helps us to be efficient and effective in our communication so recruiters can now understand what you're looking for. Hiring managers can be effective at what they're looking for with the job descriptions, and program managers can now communicate priorities in the right places, based on these work roles."
Organizations can also use the NICE Framework to help with what Beamon refers to as "reskilling and upskilling," which is helping to identify the core elements of what makes for an effective cyber practitioner in a particular role and providing specific training to an individual looking to cross-train or career-change.
What are the benefits of implementing the NICE Framework?
While NIST initially designed the NICE Framework to help describe and share information about the work performed by those in cybersecurity roles, as Beamon points out, there are many other benefits to implementing it, at least in some form.
Some of those benefits include:
- Putting a consistent and recognized structure to their cyber work roles: The NICE Framework helps organizations categorize, organize, and describe key cybersecurity functions, ultimately helping to communicate needs, regardless of size or industry.
- Helping to build pathways for career and professional development: Identifying the knowledge, skills, and abilities (KSAs) that are important to help shape learning opportunities, facilitate cross-training, and pinpoint the real-life skills that make for an effective cyber professional.
- Quantifying the skills and attributes that make up a successful cyber professional: Helping hiring managers and managers to look past a resume and focus more on the passion, skills, and abilities of a potential hire (especially from a different career field) to find the right work role and organizational fit.
Beamon also highlights that having one organization poach an experienced professional from another will not solve the cyber skills gap.
It will mean finding new professionals — from other fields and backgrounds — who want to learn and apply their skills to solve a new kind of problem.
"It's about identifying the 'cyber DNA,' and when we say cyber DNA, again, we go back to the KSAs," Beamon describes CyberEDGE Academy's approach. "We meet a candidate where they are when they are there. If they're a business analyst, we understand that they have strengths as a business analyst that can translate into cyber security."
With the help of the knowledge areas, which map to the work roles, organizations can then identify the specific training required to get that employee operating effectively in their new cybersecurity position.
The NICE Framework: Taking the next step
The NIST NICE Framework is more than just a reference guide; when implemented and used as a standardized method to identify key job functions, share resource needs, and define what makes up a successful cyber professional, it makes for a powerful way to push back against the growing cyber skills gap.
In fact, according to a 2021 Infosec study, 57 percent of hiring managers utilizing at least part of the NICE Framework are more satisfied with their ability to fill open roles.
To that end, Beamon also shared that if his organization could do the implementation over again, they would begin with a person-based skills assessment.
"We would've put the assessment piece first and made sure that we understood the 'cyber DNA' of an individual and their KSAs as we go back to the NIST NICE work roles and then on for our roles. By doing that, now we can really tailor our training specifically for the individual and for the work role that we're looking to put them in."
It is perspective changes like these, enabled by the NICE Framework and demonstrated by Leidos, which focus more on the person than the resume, that may finally help reverse the tide toward creating a fulfilling and productive new generation of cyber professionals.
Sources:
- Predicting What 2022 Holds for Cybersecurity, Forbes Magazine
- Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication 800-181 Revision 1, National Initiative for Cybersecurity Education (NICE)
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- The NIST NICE Framework: How to improve cybersecurity role clarity and recruiting
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization