The theme for week two of National Cyber Security Awareness Month (NCSAM) focuses on what organizations can do to create a culture of cyber security within the workplace, including the use of the National Institute of Standards and Technology’s (NIST) Cybersecurity Workforce Framework. With new threats emerging every day, it’s important that everyone in the workplace understands their role in preventing data breaches and attacks.
Although everyone has a role to play, you can start by evaluating your security teams to make sure they thoroughly understand their roles. The first step is to understand your current cyber security workforce posture. Do you have the people in place on your security team with enough knowledge, skills, and training to handle these threats? If not, do you have the resources to train them? How do you know?
One resource that can help is the Cybersecurity Workforce Framework (NCWF), which was created by the National Initiative for Cybersecurity Education (NICE) and published by NIST in August 2017. This framework provides a common lexicon that enables employers to determine the skills and abilities of their current cyber security team. This framework, developed through cooperative efforts of government, academia, and industry, can help you identify strengths and weaknesses in your team, including possible skills gaps, so you can get them the training they need.
The NCWF provides direction to identify cyber security tasks, roles, and functions throughout your organization. There are also two immediate benefits of the NCWF:
- Recruiters can use NCWF descriptions in job postings to make it easier for potential candidates to find specific positions that interest them and for which they are capable or qualified; and
- Hiring authorities can more effectively communicate what’s expected of particular roles by using NCWF descriptions of job duties and responsibilities, along with the essential knowledge, skills, and abilities (KSAs) required to perform various tasks.
How the NCWF Works
The NCWF identifies and describes the KSAs and tasks associated with cyber security roles based on the kind of work that’s required, broken down by category and specialty area. It provides an easy-to-follow guide for developing workforce capabilities and a roadmap for increased cyber security responsibility.
According to the framework, the NCWF helps organizations prioritize roles and responsibilities through the following components:
- Categories – A high-level grouping of common cyber security functions.
- Specialty Areas – Distinct areas of cyber security work.
- Work Roles – The most detailed groupings of IT, cyber security, or cyber-related work, which include specific knowledge, skills, and abilities required to perform a set of tasks.
- Tasks – Specific work activities that could be assigned to a professional working in one of the NCWF’s Work Roles.
- KSAs – Attributes required to perform tasks, generally demonstrated through relevant experience or performance-based education and training.
For example, in the Cyber Security Management (MGT) specialty area in the Oversee and Govern (OV) category, you can see that there are roles for Information Systems Security Manager (ISSM) and Communications Security Manager. Focusing on just the ISSM, we can see that this role is responsible for the cyber security of a program, organization, system, or enclave and that it is coded as OV-MGT-001. From here, you can plainly identify, from a list of thousands of KSAs and tasks, just the ones this role needs to be successful.
How Your Workforce Benefits
Using the NCWF as a guide, you can better identify training and qualification requirements and use it to develop, maintain, and track individual training plans for your cyber security workforce. It can help align work roles and the necessary skills needed for those roles.
Furthermore, it can help define your cyber security position descriptions and job postings using pre-defined skills and qualifications for targeted recruitment of cyber security professionals. By translating the technical needs of your organization into human resource language, you can ensure that your hiring process perfectly matches your needs. The NCWF can help you find the right candidate with the requisite skills for all your needs, cutting down on the potential time, cost, and effort spent in the hiring process.
With the threats increasing and the gap in cyber defense skills widening, it pays to understand your cyber security workforce capabilities. It’s important that you conduct an honest assessment. With the NCWF, the work of identifying the workforce you need to help fill the gaps and fight the ever-persistent threats is done for you.
As NCSAM keeps rolling through October, we invite you to check out our blogs and infographics about each week’s theme. Take a look at our week one discussion about simple online safety steps your workforce can practice.
Delta Risk’s experienced cyber training instructors can help you apply the NCWF to your organization, as well as help sharpen the skills and abilities of your security teams to meet your business needs. Contact us to learn more.