Given the current 300,000+ cybersecurity job openings in the USA, there is much focus on training needs to develop more qualified cybersecurity professionals. Filling these jobs is critical to our future, but even more critical is making sure organizations are training their current cybersecurity and security-related staff. These are the people at the controls: the people who are not patching; the people missing IOCs, for months; the people falling prey to phishing emails; and the people not elevating cybersecurity to the boardroom level. To underscore the importance of cyber-education, the Center for Internet Security (CIS) dedicates one of its CIS-20 critical security controls (Control 17) to security skills assessment and training. Further, Awareness and Training (PR.AT) is a category of the NIST Cybersecurity Framework Core function Protect.
The good news is if we better align cybersecurity training with cybersecurity staffing, we better define the training needs to help fill those 300K+ positions!
Where to Start?
A challenge I find is that there are so many training options, varying widely in their competency and capabilities: master's degrees, four-year undergraduate degrees, professional certifications, boot camps, online training, hackathons, capture-the-flag exercises, and much more. To illustrate the market scale, check out the NICCS (National Initiative for Cybersecurity Careers and Studies) catalog and its 3239 courses!
Rather than trying to categorize and make sense of all the training offerings, I propose focusing on the demand side of the equation. Specifically, if we define the knowledge, skills, and abilities required of a particular security or security-related role, we will be in a much better position to determine the right training for the job.
Finding a Frame of Reference
As I recently posted, I achieved certification on the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) courses developed by UMass Lowell and itSM Solutions. I chose this program because it is an advanced, standardized training program, providing the organizational/governance knowledge, skills, and abilities (KSAs) to plan, organize and stand up a NIST CSF-centered cyber operation. One course chapter covers cyber workforce development, based on the National Initiative for Cybersecurity Education (NICE). After going through this chapter, I realized that the NCSF-CFM, when coupled with NICE, provides an excellent framework to map a cyber organization's training requirements against training options in the marketplace.
The NICE program evolved from cybersecurity skills and training work started in 2008 with the Comprehensive National Cybersecurity Initiative (CNCI). I believe NICE is the most complete and practical ontology of cyber roles. As shown in figure 1, the NICE framework (published as NIST SP 800-181) defines seven functional categories, 33 specialty areas, and 52 work roles.
Directly mapping all training options to the 52 work roles is quite challenging, especially since so many jobs require both hard and soft skills. In looking for a better way to go about this, I find the UMass Controls Factory Model maps very nicely to the NICE roles across the following three CFM workforce enablement tracks:
- Business Integration Track – These jobs most closely align with the business organization, including the oversight and governance positions as well as strategic planning, legal, and training. I also put the NICE Investigate category in this track because forensics and incident response must tightly hook into business governance and operations.
- Engineering Track – These are the roles that define the core functions of cybersecurity, including software development, system architecture, vulnerability and threat management, and overall risk management.
- Technology Operations Track – These roles center on the Security Operations Center (SOC) and the operations and maintenance of cybersecurity technology.
Overlaying the seven categories, 33 specialty areas, and 52 roles onto the three NCSF-CFM tracks facilitates mapping training programs by track. For example, as a first pass, I would include UMass NCSF-CFM and ISACA/CISM, as well as some ISC2 and ISO27002 cert training, in the Business Integration Track. I could also see some CompTIA and SANS fitting in there. Similarly, most of the vendor-specific training would fall under the Technology Operations Track, and most of the technical cert programs from ISC2, SANS and ISO27001 would fall under the Engineering Track.
The end result of this exercise is an effective and efficient way to define competency-based training and align it to the core competencies of the cyber organization. This will help the existing staff be more successful and provide better guidance for people looking to fill the organization's open positions.
Onward and Upward
In a later post, I will return to this and add more granularity by mapping specific classes/programs to the three NCSF-CFM tracks. In the meantime, I first want to get back to my previous discussion on a new cyber operations model and figure out the best way to layer on the CIS-20.
I would love to hear from folks about their training challenges and whether they are using NICE as a guideline to better define the roles, responsibilities, tasks and the associated knowledge, skills and abilities necessary for success.