NICE Framework

How to align NICE Cybersecurity Workforce Framework KSAs with roles in your organization

Claudio Dodt
September 14, 2020 by
Claudio Dodt


Dealing with the many emerging cybersecurity challenges is a daunting task. With the ever-increasing number of attacks and cybercriminals that constantly update their techniques, it is easy to fall a step behind in an unfair competition.

Usually, when we talk about cybersecurity, the first thing that comes to mind is the cutting-edge technologies offered by the many manufacturers and suppliers, all with the promise of simplifying the noble act of protecting a business. 

While it is true that technology has always played a key role in reducing exposure to many cyberthreats, despite the evolution of concepts such as machine learning and artificial intelligence, even the most advanced security solutions are still dependent on cybersecurity experts to make sure they work with the necessary effectiveness.

In fact, relying exclusively on technology against cyberattacks is not only a poor strategy, but may also give you a false feeling of protection. This means the next attack will hit even harder than you ever imagined.

The solution to this puzzle appears quite simple: focus on your team and developing their cybersecurity skills. The problem is, this can be easier said than done. Cybersecurity is a multidisciplinary field: in order to ensure the effectiveness of your security team, it is extremely important to have a clear view of what skills need to be developed for each role. This is exactly where the NICE Cybersecurity Workforce Framework can provide great value for managers and organizations committed to effective cybersecurity enforcement.

What is the NICE Cybersecurity Workforce Framework?

The NICE Cybersecurity Workforce Framework is a NIST Special Publication that categorizes and describes cybersecurity work. The NICE Framework establishes a taxonomy and common lexicon describing cybersecurity work and workers regardless of where or for whom the work is performed, so it can be easily applied in the public, private and academic sectors.

Seem interesting? It is! The NICE Framework facilitates many activities related to structuring cybersecurity teams or even the development of specific cybersec roles within your organization. NIST has a complete resource center for the framework, but a fundamental first step toward the effective use of the framework is understanding its core components and knowing how they are related.

  • Categories: There are seven Categories described by the NICE Framework, all of them composed of Specialty Areas and work roles. Categories were created based on extensive job analyses and group together work and workers that share common major functions, regardless of job titles or other occupational terms.
  • Specialty Areas: The current version of the framework includes 32 Specialty Areas, each representing an area of concentrated work or function within cybersecurity and related work.
  • Work Roles: These are the most detailed groupings of cybersecurity and related work described in the Framework. It includes a list of attributes required to perform that role in the form of knowledge, skills and abilities (KSAs) and tasks performed in that role.
  • Knowledge, Skills, and Abilities (KSAs): As you may already have guessed, KSAs are attributes required to perform work roles. In general terms, they are demonstrated through relevant experience, education or training.
  • Tasks: Each task in the framework is a specific defined piece of work that, when combined with other identified tasks, comprises the work in a specific specialty area or work role.

In general terms, the NICE Framework can be understood as an excellent high-level tool for organizations and managers who want to improve the process of identifying, recruiting, developing and retaining cybersecurity talent. Using the Framework, you can effectively define your cybersecurity workforce and identify gaps in your current team.

While there are several audiences that can benefit from the use of the NICE Framework, such as training and certification providers, education providers and technology providers. And certainly, one of the departments that receives the most benefits in using the framework is cybersecurity managers. For instance, many managers believe that their teams may not have the necessary knowledge and skills to prevent the next cyberattack. Using the NICE Framework, managers can accurately detail each role their team is taking, know exactly what skills are needed and create a custom training and qualifications roadmap.

This is why KSAs are so important in the NICE Framework. Of course, having a high-level description of each Specialty Area and Work Role is excellent, but nothing compares to a detailed view of the Knowledge, Skills and Abilities necessary for this role to be performed effectively, ensuring your business is protected.

How to use NICE KSAs

The requirements for cybersecurity can vary widely from organization to organization. A role that can be extremely relevant to a specific business may not make sense for a smaller company or even a larger one but that works in another segment.

The fact is that, regardless of your business' cybersecurity needs, developing and retaining talent can be quite difficult, especially if you do not know what really matters. And that is exactly where the NICE Framework can help. As previously mentioned, there are several work roles detailed in the publication, with the precise objective of empowering cybersecurity in your organization's workforce.

For example, we know that some of the more common IT positions, such as a software developer or database administrator, routinely deal with aspects related to cybersecurity. But how can we ensure that this is being done properly? Simple! By using the NICE Framework mapping of KSAs associated with these work roles. 

In the case of a software developer work role, the framework describes 44 Knowledges, 14 Skills and 5 Abilities, including basics such as knowledge of computer programming principles, knowledge of complex data structures, but also knowledge of software-related information technology (IT) security principles and methods. 

In terms of skills, the software developer should also be capable of conducting vulnerability scans and recognizing vulnerabilities in security systems and perform software debugging. As for abilities, a good professional for this role should be able to develop secure software according to secure software deployment methodologies, tools and practices and apply cybersecurity and privacy principles to organizational requirements. The same goes for the database administrator, with a full set of KSAs specific to that role.

In fact, with a total of 52 work roles in the NICE Framework, mapping the existing positions in your organization will be a pretty straightforward process if the roles in your company align with NICE. Even if they do not, the framework provides sufficient information on each work role, making it easier to adapt to your context . After that, KSAs can be used either to decide how to develop your existing team, or even be included as part of the job description for a new hire. 

It is worth mentioning that KSAs are also aligned with several training and certification programs. These programs can either be part of the training roadmap for your team or be a part of the requirements during a selection process.

If you are about to start using the Framework, a practical tip is to download this reference spreadsheet, also published by NIST on its resource center. It can be a huge timesaver, since it contains details of all Categories, Specialty Areas, Work Roles and KSAs.

Concluding thoughts

Given the current shortage of professionals with proficiency in cybersecurity, developing and retaining talent is a vital task. As always, it is important to remember that information security is everyone's responsibility. The smart choice is to adopt a strategy where key positions in your organization — and not just the cybersecurity team — include KSA requirements related to protecting corporate information.

More than just hiring cybersecurity professionals, you need to be sure of the relevant and impacting requirements in the context of your organization. More than allocating responsibilities to employees, it is necessary to know the best way to develop them in order to add real value in cybersecurity, according to the role they play in your company. Doing so without the support of an established framework can not only be expensive, but also inefficient. It will expose your organization to unnecessary risks.



  1. NICE Cybersecurity Workforce Framework Resource Center, NIST
  2. National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST
  3. NICE Framework Specialty Areas and Work Role Table of Contents, NIST
Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.