CyberWire Daily - Interview Select: Jeff Welgan, Chief Learning Officer at N2K Networks is expanding on the NICE framework in strategic workforce intelligence. [Interview selects]
Episode Date: September 4, 2023
This interview from August 25th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Jeff Welgan, Chief Learning Officer at N2K Networks, to expand on the NICE framework in strategic workforce intelligence.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
And it is my pleasure to welcome to the show one of my N2K colleagues, our Chief Learning Officer, Jeff Welgan.
Jeff, welcome.
Hey, Dave, thanks. Thanks for having me on the show.
You know, one of the things that I was really excited about when the CyberWire merged with CyberVista and we became N2K Networks
was having access to all of the learning facilities and expertise that you all have on the CyberVista side of things.
And today we're going to take advantage of that. I want to talk to you today about the NICE
framework and how folks can implement that and really expand on it as well. Can we start off
with some high-level stuff here for folks who might not be familiar with it? Can you describe NICE for us?
Yeah, yeah, absolutely.
So NICE actually is an acronym that stands for the National Initiative for Cybersecurity Education.
It sits within the Department of Commerce under NIST.
So they created, a while back, sometime around 2010 (earlier workings were around 2008), a cybersecurity workforce framework to address these issues that we see day to day in this industry related to what the heck are the
job roles, what's expected out of job roles, and how do we actually create a framework around that
for employers?
So what are the fundamental building blocks here?
Yeah, so NICE, I think it's really important that our listeners understand that it is a framework, right?
And as such, it constantly evolves and updates.
So there have been a number of iterations of the NICE framework over the years.
I think the first one they put out was in 2012, and they put another one out in 14, 17, 2020.
And they're constantly working with government and industry to improve
that framework. To date, though, they've kind of rested on a framework that existed with these
seven categories, 33 specialty areas, and 52 defined work roles. Again, they're always evaluating
that to see if it needs improvements. So that's kind of the core of it.
There's more to it than that.
And that's kind of where our expertise comes in and how do we leverage it for its greatest strengths, but also account for some of the weaknesses as well.
Well, let's dig into that.
I mean, how do people both on the government side and in the private sector typically come at implementing this NICE framework?
Yeah. So I think one of the big challenges that NICE was addressing when they put out the framework was that they needed a common lexicon for the industry. I'm sure you're well aware, Dave,
when you go out into the market, you can call a SOC analyst. There's a number of different
job titles for that. So they wanted to normalize just work role titles, particularly for the government side, just so they can kind of
organize the workforce in a way that made sense with different job identification codes, etc.
So that's really where it started. And then I think, as such, they really needed to identify,
well, what are the expectations for those work roles? Like what knowledge, skills, abilities, tasks are required for those? So if you ever hear the term
KSATs, that's kind of where that term came out of, those knowledge, skills, abilities, and tasks
that since evolved to like TKS statements, tasks, knowledge, and skills. So they're constantly
playing around with it and tweaking it and making improvements to it.
And so for folks who are using it as an organizing framework here, I mean,
how do they typically come at that? How do they measure success?
Yeah, I think it really comes down to, I think a lot of commercial entities that are leveraging it
use that for job classifications, just trying to organize the
workforce. So it becomes part of a human capital strategy related to how do we title these
particular job roles and what are the expectations for those people in those roles when we're trying
to do talent acquisition. Now, there are challenges to that. Leveraging the NICE framework one-for-one can be challenging because people who are familiar with it, as you examine some of the work roles that they've identified in there, they don't always match up one-to-one to what commercial entities would actually call a work role.
For example, I mentioned SOC analyst. I say SOC analyst, everybody knows what a SOC analyst
is. If you put that out as a job req on Indeed or whatever your talent acquisition recruitment
tool is, people who are in those fields are drawn to that. NICE actually defines that work role as
a cyber defense analyst. Okay, you can make the connection, but it's not necessarily something that's as
common in the commercial industry to see cyber defense analysts versus a SOC analyst. So I think
that's one of the drawbacks of the framework, although it is also one of those things they're
trying to solve for because of that problem of job titling and the variations of job titles that
exist for certain professions.
What about expanding beyond the NICE framework?
Are folks using it as a foundational element and then going beyond that, fine-tuning it to their own organizations?
You see a range, right?
The earliest adoption of it, the folks are just kind of dabbling with it.
A lot of times they're just doing a one-for-one matchup.
Okay, these job titles kind of line up to this work role per NICE, and it's a straight line.
Organizations that are a little bit more familiar with it may actually go a little bit further and start looking at some of the KSAs or TKS statements,
or actually looking at the competencies that are defined within NICE to kind of align those two work roles.
At N2K, we kind of go above and beyond all of that to kind of say, you know what, job roles are pretty unique at companies. A software engineer
at JPMorgan Chase may be a little bit different than the regional bank, right? So the hats you
wear at those organizations can vary significantly from company to company. So what we want to do is not
necessarily lean in on just the work roles and the predefined list of KSAs or TKS statements.
We want to work with customers and say, okay, well, what does your software engineer look like
there? What do you expect for that particular work role? And above and beyond NICE, we want
to actually define proficiency levels of those work roles. Because NICE does not say, oh, you need to understand encryption, subject matter
expertise mastery, or beginner level mastery. They do not do that work. So at N2K, we kind of do that
with our customers. We want to say, okay, sure, encryption is important, but how important is it to the work role? And we'll
quantify that for our customers.
So it's a matter of establishing where people are in their
educational journey of expertise and then figuring out where they need to go as well?
That's right. That's right. There's also one other thing that we've done at N2K to kind of account for some of these, what I would call nuances or gaps within the framework to help it translate a little bit better for the commercial world.
The structure of the NICE framework with these seven categories and 33 specialty areas, I feel, are very much like putting a work role into a box, and you're pigeonholed into that box, at least
definitionally. What we've done is we've created another layer of taxonomy on top of NICE that
we've mapped to. So we've created these, what we call functional tags, 14 functional tags or groups
that are a little bit more common in or in line with what you would see from a team structure within cybersecurity
at any organization. So we've created things like analysis and analytics or cyber defensive
operations or GRC or leadership and IT and cyber leadership. That way, it kind of translates a
little bit better to the org chart of like, okay, I know I have identity access management analysts
here. They fit within that functional team, right? So they fit in that
functional group. And on our backend, we've kind of done the mapping back to NICE to kind of say,
hey, this is how it maps back to the NICE framework. Here are the KSAs or competencies
or the specialty areas that associate with those functional groups we've identified.
What are your recommendations for organizations
who think there's value in the NICE framework,
but then also want to expand on it?
How should they come at that?
I think you have to take an approach
that helps to standardize things.
Standardization in this field is extremely helpful,
especially when you're looking at something as complex
as talent, human capital. So leveraging it, I think, is a good start. But like any other framework that
governments put out, whether it's the cybersecurity framework or whether it's the
cybersecurity workforce framework, they're intended to help organizations as a guide.
So you might have to make some tweaks and modifications to make sure that the framework
works for your organization.
Same is true here with the NICE framework, the Cybersecurity Workforce Framework.
So I think being able to look at the framework as a good starting point,
but knowing that you are empowered to not live within how the framework has predefined everything,
that you can actually take competencies that are associated with a different work role and align them to a work role that you have at your organization because the
employees in that work role do functions like that or need to understand those competencies
or need to perform certain tasks. That's kind of, I think, where the power of it comes into play.
And I can't speak for NICE, but I think that's their intent too.
I think they truly want to use it as a resource for employers to adopt and then adapt as necessary for their own enterprise.
All right. Well, Jeff Welgan is the Chief Learning Officer here at N2K Networks, my colleague. Jeff, thanks for joining us.
It's a pleasure to be here. Thanks for having me, Dave.