The Remediation Series — Part 4
Cyber Frameworks and the Delineation of Roles
Addressing the cyber jobs gap requires not only the training of relevant skills, but the organization of these skills into roles that enable an organization to attain operational completeness. Such delineation assists industry managers by dividing responsibilities into manageable categories that reduce ambiguity, provide clear boundaries, and support effective resource allocation[1]. Currently, the industry lacks a universal lexicon and taxonomy system, resulting in organizations requesting prospective candidates maintain an overly diverse and often disparate set of skills. Such pressure leads candidates to over-generalize to meet the pantheon of requirements companies put forth, preventing specialization and mastery of a core set of relevant KSA’s.
For example, the Department of Homeland Security’s National Integrated Cyber Education Research Center (NICERC), published a Career Profiles document designed to encourage primary and secondary school cyber education[2]. This document advertises nine different job profiles including Encryption Expert, Cyber Forensics Expert, Vulnerability Analyst, and Cyber Security Engineer, among others. Each job descriptor offers insight into the common job duties of the respective profiles in addition to common soft skills, median salary, expected job growth, and typical educational requirements. What one will notice when reviewing the common job duties of these nine roles is the considerable overlap of expected duties. Red teaming, secure coding, networking, and forensics are among the most noted regardless of position. While this may not be a surprise, considering the preceding article’s discussion of the most requested KSA’s, it presents a deceptively difficult problem.
By outward appearance, it seems mastery of these four fundamental skills would qualify a candidate for most of the listed jobs. However, the reality is each of these four general categories each consist of a vast body of knowledge, requiring a substantial amount of time and effort to learn and develop. Of course, there are many instances in which descriptions for posted jobs are inaccurate, with organizations not expecting prospective employees to possess an eclectic knowledge base. Again, this seemingly innocuous occurrence is deceptively harmful. Inaccurate postings scare off potential applicants who are qualified but lack the standard bachelor’s degree, a requirement previously established as a poor indicator of industry competence[3]. Conversely, organizations may hire a candidate who appears to be qualified in theory but lacks the relevant practical skills and experience to minimize hiring costs and onboarding time.
Neither of these outcomes are intentional, rather they are the result of a pervasive disconnect between educators, managers, and regulators, with employees and students caught in the crossfire. To address the disconnect, two popular frameworks provide excellent insight as to how workforce organization should pan out: the DHS Information Technology (IT) Security Essential Body of Knowledge (EBK) and NIST’s NICE Cybersecurity Workforce Framework. The EBK was developed to act as a framework for analyzing the security training and workforce management needs of organizations by mapping security roles, competencies, and functional perspectives to a matrix of security needs[4]. As noted, the primary goal of this framework is to provide a methodology for mapping the roles of IT security personnel with security competencies and assigned work functions[5]. The NICE Framework also serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the KSA’s needed to complete tasks that strengthen an organizations security posture[6]. Most importantly, the Framework offers a consistent lexicon that categorizes and describes cybersecurity work. Both frameworks offer a flexible baseline from which businesses can develop organization-specific operational frameworks.
Comparatively, the NICE Framework is more granular when discussing the delineation of tasks by first establishing seven general categories. These seven categories are then divided into thirty-two specialties, each with their own set of common tasks and KSA’s. The Framework then lists five core functions: Identify, Protect, Detect, Respond, and Recover; with each category being a combination of two or more of said core functions[7].
Above is an example of a Framework-defined work role with suggested descriptions and relevant KSA’s listed. Each of the listed Tasks, Knowledge, Skills, and Abilities can be referenced within the Framework to communicate expectations to candidates. Of the four areas, Knowledge has the most overlap between roles and categories, with Tasks being the most role-specific and Skills and Abilities sharing some limited overlap between roles.
The EBK, in contrast, divides cybersecurity into fourteen competency areas and ten operational roles[9].
While the number of roles and competencies seem limited when compared to the NICE Framework, the EBK provides another dimensional perspective that adds depth to the relation between the aforementioned roles and competencies. The “Functional Perspective” lists four events that assist in describing the different categories of job functionality: Manage, Design, Implement, and Evaluate. This third dimension illustrates how roles and competencies interconnect, creating a matrix that maps competencies to functions resulting in specific roles that can be assigned to personnel[10].
One immediate benefit the EBK provides is the matrix’s use of a hierarchical structure, defining not only roles but their respective positions in a standard management chain. This can assist hiring managers with assigning priority when attempting to identify organizational needs. As noted earlier, the NICE Framework does provide a level of granularity that the EBK falls short of. For larger organizations capable of fielding a greater number of staff, such specificity can assist in ensuring organizational completeness. The IT EBK framework, on the other hand, may be more accessible to smaller organizations looking for a prefabricated structure to implement.
However, if an organization is looking to implement the NICE Framework in a condensed manner, the Department of Homeland Security has distilled ten different roles that address mission critical operations[12]. This distillation can assist organizations that anticipate working closely with the federal government. For entities that anticipate much of their business to occur in the private sector, the Center for Strategic & International Studies has also identified nine key roles that serve to benefit an organizations cyber security. These roles omit executive roles as well as ones tailored to federal organizations, further streamlining the process of establishing an effective cybersecurity team[13].
Industry adoption of a common taxonomy and lexicon as put forth by the NICE and EBK Frameworks is essential for delineating responsibility and encouraging specialization. The adoption of such measures creates new applicant pools, as candidates with non-traditional backgrounds are encouraged to apply, and resets the expected standards of those coming from traditional backgrounds to a more competent and prepared level. To meet that new standard, we must now examine what changes must occur within the educational pipeline.
[1] Conklin, W. A., & Mcleod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework (10.1080/15536548.2009.10855862). ResearchGate. https://www.researchgate.net/publication/279912178_Introducing_the_Information_Technology_Security_Essential_Body_of_Knowledge_Framework
[2] CISA. (2020). Find Your Path to Cyber. Department of Homeland Security. https://cyber.org/
[3] National Initiative for Cybersecurity Education. (2017). NICE Framework Work Role Capability Indicators (8193). National Institute of Standards and Technology. https://csrc.nist.gov/publications
[4] Conklin, W. A., & Mcleod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework (10.1080/15536548.2009.10855862). ResearchGate. https://www.researchgate.net/publication/279912178_Introducing_the_Information_Technology_Security_Essential_Body_of_Knowledge_Framework
[5] National Cyber Security Division. (2008). Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. Department of Homeland Security. http://www.cisokorea.org/data_file/board/EBK2008.pdf
[6] National Cyber Security Division. (2008). Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. Department of Homeland Security. http://www.cisokorea.org/data_file/board/EBK2008.pdf
[7] National Initiative for Cybersecurity Education. (2017). NICE Cybersecurity Workforce Framework. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-181
[8] National Initiative for Cybersecurity Education. (2017). NICE Cybersecurity Workforce Framework. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-181
[9] Conklin, W. A., & Mcleod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework (10.1080/15536548.2009.10855862). ResearchGate. https://www.researchgate.net/publication/279912178_Introducing_the_Information_Technology_Security_Essential_Body_of_Knowledge_Framework
[10] Conklin, W. A., & Mcleod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework (10.1080/15536548.2009.10855862). ResearchGate. https://www.researchgate.net/publication/279912178_Introducing_the_Information_Technology_Security_Essential_Body_of_Knowledge_Framework
[11] Conklin, W. A., & Mcleod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework (10.1080/15536548.2009.10855862). ResearchGate. https://www.researchgate.net/publication/279912178_Introducing_the_Information_Technology_Security_Essential_Body_of_Knowledge_Framework
[12] Homeland Security Advisory Council. (2012). CyberSkills Task Force Report. Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final_0_0.pdf
[13] Evans, K., & Reeder, F. (2010). A Human Capital Crisis in Cybersecurity. Center for Strategic & International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/101111_Evans_HumanCapital_Web.pdf
