NICE Framework

Two ways to build a cybersecurity team using the NICE Framework

Susan Morrow
May 6, 2021 by
Susan Morrow

The area of cybersecurity and cyberthreat detection, prevention and response challenge all organizations across every industry. Finding the right people to take on the roles within a cybersecurity team is difficult when the skills gap in security remains wide with the 2020 Cybersecurity Workforce Study finding a global shortfall of 3.5 million people.

NIST Special Publication 800-181 Revision 1, “Workforce Framework for Cybersecurity (NICE Framework),” provides an organization with a series of guidelines to build an effective cybersecurity team. The NICE Framework focuses on defining the optimal roles and competencies behind the members of a cybersecurity team.

How does the NICE Framework for Cybersecurity apply to a cybersecurity team?

The NICE Framework for Cybersecurity offers a set of conditions and advisories that standardize how a particular team is structured. The conditions for optimizing team membership map competencies to roles. The framework can be used to develop a model of a cybersecurity team that will have all the core requisites and skills needed to help establish a robust security posture in an organization.

The NICE Framework defines the certifications, knowledge and skills needed by each team member. However, it is important to note that the framework is generalized, and each organization may have specific requirements for team members, above and beyond the framework’s remit. However, a team leader can apply the tenets of the NICE Framework, whilst still having the flexibility to add the staff and skills needed to create an exemplary cybersecurity team.

Examples of roles and competencies within a secure software development team

A robust and effective cybersecurity team is populated by skilled and experienced personnel. The staff has the specialist competencies, and skills needed by a cybersecurity team that will be expected to tackle some of the most complex and impactful cyberthreats today. Cybersecurity, as a discipline, is challenging and complicated and a mix of skills is needed to build the dream team.

The NICE Framework for Cybersecurity suggests two team-building models:

  1. Top-down: a role-centered approach to building teams
  2. Bottom-up: building teams with competencies

Top-down: Work role-centered approach to building teams

Using a “top-down” approach begins with outlining the work roles required to populate the cybersecurity team. The NICE Workforce Framework sets out the basic roles that map to the skills needed to deal with the challenges inherent in modern cyberthreat mitigation, as well as dealing with compliance and data protection regulations. The basic set of roles are in line with the five functions of the NIST Cybersecurity Framework:

  • Identify, risk manager: This is a new role from the NICE Framework. The risk manager is responsible for assessing and managing the risk of a given project in line with business objectives. They must be able to communicate to all stakeholders about any risk.
  • Protect, security control assessor: This role is responsible for assessments of the management, operational and technical security controls and control enhancements of any IT system to determine the overall effectiveness of those controls.
  • Detect, cyber defense analyst: This role uses data collected from security tools such as firewalls to analyze events to help with the mitigation of threats.
  • Respond, cyber defense incident responder: A role responsible for the analysis, investigation and response to cyber incidents.
  • Recover, communications specialist: This is another new work role from NICE. Modern cybersecurity management requires that breaches are communicated to stakeholders, including the public and press.

Building a cybersecurity team using a top-down approach would typically start with asking what is the project or goal? In other words, identify the work. The work is split into compartments or work packages using a work-centered model. The NICE Framework suggests using the “Core” from the “Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).”

This framework provides a list of cybersecurity objectives and helps an organization to manage cybersecurity risks in line with its existing cybersecurity and risk management processes. Tasks and work roles are used to determine the roles needed to support those objectives.

An example of a team based on a top-down approach

Building an effective red team using a work-centered, role-led approach, would look at the different tasks needed to complete a typical red team project. Red team members need to work together to detect vulnerabilities and flaws in systems and software that a real attacker would make use of. Using the list of roles suggested using the NICE Framework, some suggested roles for the team would be:

  • Vulnerability assessment analyst
  • Cyber defense analyst
  • Exploitation analyst
  • Target network analyst
  • System testing and evaluation specialist
  • Communications specialist
  • Risk manager

Bottom-up: Building teams with competencies

Using a bottom-up approach to building a cybersecurity team requires an understanding of the core competencies needed within that team. NIST offers a list of NICE “core competencies” to refer to for bottom-up team management. One of the advantages of the bottom-up method is that it encourages a “learning environment” where people with the right skills can move into role positions in the team as the work goals change. Bottom-up teams provide a structure where innovative individuals can stand on the shoulders of experts in their domain.

Using a bottom-up model when building a cybersecurity team is particularly useful in an ever-changing cyberthreat landscape, as employees can actively add to their skills portfolio through certification and specific courses. Leaders of bottom-up teams can harness employee knowledge to create learning opportunities that cut across field domains.

An example of a team based on a bottom-up approach

Building an effective red team requires a set of complementary skills. This spectrum of skills is required to allow the team to detect vulnerabilities and flaws in systems and software that a real attacker would make use of. This skill spectrum is wide and includes competencies such as software development, deep knowledge of systems and software, penetration testing, social engineering tricks, communication skills and so on.

A red team is defined by its collective competencies and these skills can then be mapped to roles. The NICE Framework uses red team building as an example of how to use a bottom-up approach. It sets out the following competencies to make up the team:

  • Engagement planning
  • Rules of engagement
  • Pentesting
  • Data collection 
  • Vulnerability exploitation

A cybersecurity dream team

NIST makes an ambitious statement: “Prepare, grow and sustain a cybersecurity workforce that safeguards and promotes America’s national security and economic prosperity.” When building an effective and committed cybersecurity team this kind of ambition is welcomed.

Cybersecurity is an interesting career and can be very satisfying, but the team needs to be robust with the right people in place. Whether you build a team using top-down or bottom-up or even a hybrid of the two, the NICE Framework for Cybersecurity will help guide your staff choices.



NIST Special Publication 800-181 Revision 1 “Workforce Framework for Cybersecurity (NICE Framework), NIST

NICE Cybersecurity Workforce Framework: Close your skills gap with role-based training, Infosec

2020 Cybersecurity Workforce Study, ISC2

Cybersecurity Framework, The Five Functions, NIST

NIST Cybersecurity Framework, NIST

NICE Core Competencies Draft, March 2021

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.