An organization led by the National Institute of Standards and Technology (NIST) developed a new resource to ensure that organizations can “more effectively identify, recruit, develop and maintain its cybersecurity talent” and create a strong cybersecurity workforce.
The NIST-led National Initiative for Cybersecurity Education (NICE) created a draft Cybersecurity Workforce Framework (NCWF), which “provides a common language to categorize and describe cybersecurity work,” according to the NIST website.
“When identifying their cybersecurity staff, many organizations overlook cybersecurity tasks being performed by lawyers, auditors and procurement officers,” NICE deputy director and lead author of the document Bill Newhouse said in a statement. “The NCWF can help an organization identify cybersecurity tasks within a work role that are vital to its mission and then examine if its current staff can perform those tasks and, if not, hire staff who can.”
The NCWF defines more than 50 work roles, each with extensive sets of related knowledge, skills and abilities (KSAs) and tasks.
For example, the list includes “cyber legal advisor” and “vulnerability analyst.”
The resource can also assist organizations in creating a more realistic image of their cybersecurity workforce, NIST explained. Employers, current cybersecurity staff, students and workers considering a career in the field, as well as educators and workforce trainers can all benefit from the NCWF.
Furthermore, the NCWF uses the following components to outline how entities can organize each role and responsibility:
- Categories – A high-level grouping of common cybersecurity functions;
- Specialty Areas – Distinct areas of cybersecurity work;
- Work Roles – The most detailed groupings of IT, cybersecurity, or cyber-related work, which include specific knowledge, skills, and abilities required to perform a set of tasks;
- Tasks – Specific work activities that could be assigned to a professional working in one of the NCWF’s Work Roles;
- Knowledge, Skills, and Abilities (KSAs) – Attributes required to perform Tasks, generally demonstrated through relevant experience or performance-based education and training.
“The NCWF can be viewed as a cybersecurity workforce dictionary, and consumers of the NCWF can reference it for different workforce development, education, and/or training purposes,” the guide’s authors explained in the executive summary. “For instance, it provides a starting point and helps set standards for developing academic pathways, career pathways, position descriptions, and training content.”
By investing in their existing workforce and staying focused on retaining and properly training the right talent, organizations can better realize their risk management objectives and prepare accordingly, the NCWF added.
“Cybersecurity tactics are ever-changing, always identifying new ways to gain information advantage through technology,” the authors wrote. “As we evolve, the ways we perform cybersecurity functions continue to evolve, as must the components of the NCWF.”
NIST will be accepting feedback on the draft until January 6, 2017.
Keeping pace with evolving cybersecurity threats has been a priority for NIST, as it announced earlier this year that it would soon be updating its own Cybersecurity Framework.
NIST explained that it would be making changes to the informative references, clarifying guidance for implementation tiers, and placing cyber threat intelligence in the core. Furthermore, NIST said it also started a “self-assessment criteria to support organizational understanding of cybersecurity risk management business practices.”
A draft of the next Framework version will be available for comment in 2017.