A new draft of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) (
Work role details are nearly 95 percent defined—a significant improvement from approximately 50 percent completion in the previous version—with much of the new content focused on categories that would be considered offensive in nature (penetration testing, for example). Notably, the tasks and KSAs supporting Cyber Protection Team work roles still require additional details. I expect future versions will address this critical area.
The NCWF is a positive step toward defining the tasks and skills needed across cybersecurity in general. It provides traceability to many other standards and brings all of those references together in the framework. However, it stops short, by design, and only defines
A Team Approach Is Needed
The ultimate challenge in workforce development is not in the adequacy of
It seems we continue to define individual work roles without looking at how to practically combine them into teams. The NIST Cybersecurity Framework outlines everything an organization must do (as an integrated team), but most organizations don’t know how to take all the work roles from NICE/NIST 800-181 and map those to build out a workforce.
Circadence wants to postulate different team structures (and sizes) for all of our missions in order to capture what is and is not working. We can then share this data so organizations can adapt their concepts around team approaches to both offense and defense.
Simplicity Is Key to Widespread Adoption
Another challenge with the NCWF is the complexity of work roles. Although the 52 work roles outlined are aligned with job codes for the Office of Personnel Management (government), this is not the case for corporate America, where the tasks and KSAs for a security analyst can vary greatly among organizations.
Because of this, we spend a lot of time trying to create a common lexicon so that different people who use different tools can work together and pass information quickly. I’m advocating for SIMPLICITY built around TEAM requirements to ensure there are no gaps or substantial overlaps (although some overlap of skills makes sense for timeliness in the response). This will allow organizations to make a more practical application of the NIST and NICE frameworks, encouraging a more widespread adoption.
Future versions of the NCWF should offer more of a practical application through team concepts and simplified definitions of work roles. Embracing the TEAM APPROACH and SIMPLICITY will encourage more widespread adoption of the framework from enterprise security organizations, bringing more standardization of work roles and the associated skills. This will also help to define cybersecurity career paths for the next generation, which in turn will address the growing workforce shortage.