A new draft of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) (NIST Special Publication 800-181) was just released and among the many revisions, the framework draft includes most of the tasks and knowledge/skills/activities (KSAs) supporting the 52 work roles previously outlined.
Work role details are nearly 95 percent defined—a significant improvement from approximately 50 percent completion in the previous version—with much of the new content focused on categories that would be considered offensive in nature (penetration testing, for example). Notably, the tasks and KSAs supporting Cyber Protection Team work roles still require additional details. I expect future versions will address this critical area.
The NCWF is a positive step toward defining the tasks and skills needed across cybersecurity in general. It provides traceability to many other standards and brings all of those references together in the framework. However, it stops short, by design, and only defines what needs to be done, not how or by whom. Unfortunately, the omission causes many organizations to struggle in applying the NCWF to real-world situations.
A Team Approach Is Needed
The ultimate challenge in workforce development is not in the adequacy of individual work roles, but rather in the completeness of the set of work roles as applied to a given scenario that the organization or business expects to face. Only by considering a full set of work roles in a scenario can the gaps in a cyber defense strategy be seen.
The Circadence® Project Ares® platform maps cybersecurity training missions and skill building to the tasks and KSAs for all work roles outlined in the NCWF. Within the platform, cybersecurity professionals can work individually or in teams to fulfill both offensive and defensive missions to defeat real-world threats in high-fidelity environments. Missions, security tools and objectives are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This gives us at Circadence a unique perspective on the practical application of both the NIST and NICE frameworks.
It seems we continue to define individual work roles without looking at how to practically combine them into teams. The NIST Cybersecurity Framework outlines everything an organization must do (as an integrated team), but most organizations don’t know how to take all the work roles from NICE/NIST 800-181 and map those to build out a workforce.
Circadence wants to postulate different team structures (and sizes) for all of our missions in order to capture what is and is not working. We can then share this data so organizations can adapt their concepts around team approaches to both offense and defense.
Simplicity Is Key to Widespread Adoption
Another challenge with the NCWF is the complexity of work roles. Although the 52 work roles outlined are aligned with job codes for the Office of Personnel Management (government), this is not the case for corporate America, where the tasks and KSAs for a security analyst can vary greatly among organizations.
Because of this, we spend a lot of time trying to create a common lexicon so that different people who use different tools can work together and pass information quickly. I’m advocating for SIMPLICITY built around TEAM requirements to ensure there are no gaps or substantial overlaps (although some overlap of skills makes sense for timeliness in the response). This will allow organizations to make a more practical application of the NIST and NICE frameworks, encouraging a more widespread adoption.
Future versions of the NCWF should offer more of a practical application through team concepts and simplified definitions of work roles. Embracing the TEAM APPROACH and SIMPLICITY will encourage more widespread adoption of the framework from enterprise security organizations, bringing more standardization of work roles and the associated skills. This will also help to define cybersecurity career paths for the next generation, which in turn will address the growing workforce shortage.